[Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access
L.P.H. van Belle
belle at bazuin.nl
Fri May 3 13:36:59 UTC 2019
Hai Paul,
Look at this: user=paulg,uid=2381
(from mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA)
Now, look at this:
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # - You must set a DOMAIN backend configuration
> # idmap config for the ONEEXAMPLECA domain
> idmap config ONEEXAMPLECA : backend = rid
> idmap config ONEEXAMPLECA : range = 10000-999999
What do you notice here? (the hint is 2381:1000) and I would expect to see 10000:10000 or higher.
Do you see what I mean? Your UID/GID is a local user's, not an AD-DC user's.
Your ranges are out of sync now, and your being denied is completely correct.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Paul
> Griffith via samba
> Sent: Thursday 2 May 2019 21:24
> To: samba at lists.samba.org
> Subject: [Samba] NT_STATUS_ACCESS_DENIED on a directory I
> have permission to access
>
> Hello,
>
> I am testing Samba 4.9.7 before we upgrade our 4.8 domain member server.
> I am running into a weird permission error with our test server. My home
> directory is NFS mounted. The problem comes from a mail directory in my
> home directory. I can't access it over SMB/CIFS, it gives me a
> permission error. From another Linux host that has our home directories
> NFS mounted, I can access it fine. Also, from our soon to be retired NT
> Domain server, I can access the directory.
>
> Home directory mounted with,
>
> mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA
>
>
> smbd_dirptr_get_entry mask=[*] found .AndroidStudio3.1
> fname=.AndroidStudio3.1 (.AndroidStudio3.1)
> [2019/05/02 12:28:31.276870, 3, pid=26508, effective(12508, 10513),
> real(12508, 0)]
> ../source3/smbd/smb2_server.c:3202(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[STATUS_NO_MORE_FILES] || at
> ../source3/smbd/smb2_query_directory.c:158
> [2019/05/02 12:28:33.578220, 2, pid=26508, effective(12508, 10513),
> real(12508, 0)] ../source3/smbd/dosmode.c:136(unix_mode)
> unix_mode(mail) inheriting from .
> [2019/05/02 12:28:33.578305, 2, pid=26508, effective(12508, 10513),
> real(12508, 0)] ../source3/smbd/dosmode.c:161(unix_mode)
> unix_mode(mail) inherit mode 40755
> [2019/05/02 12:28:36.537282, 2, pid=26508, effective(12508, 10513),
> real(12508, 0)] ../source3/smbd/dosmode.c:136(unix_mode)
> unix_mode(mail) inheriting from .
> [2019/05/02 12:28:36.537361, 2, pid=26508, effective(12508, 10513),
> real(12508, 0)] ../source3/smbd/dosmode.c:161(unix_mode)
> unix_mode(mail) inherit mode 40755
> [2019/05/02 12:28:36.538662, 2, pid=26508, effective(12508, 10513),
> real(12508, 0)] ../source3/smbd/dosmode.c:136(unix_mode)
> unix_mode(mail) inheriting from .
> [2019/05/02 12:28:36.538737, 2, pid=26508, effective(12508, 10513),
> real(12508, 0)] ../source3/smbd/dosmode.c:161(unix_mode)
> unix_mode(mail) inherit mode 40755
> [2019/05/02 12:28:36.538956, 3, pid=26508, effective(12508, 10513),
> real(12508, 0)]
> ../source3/smbd/smb2_server.c:3202(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_ACCESS_DENIED] || at
> ../source3/smbd/smb2_create.c:296
>
> From Linux side of things, it looks good. Permissions are correct.
>
> jazzy 43 % ls -lad mail
> drwx------ 2 paulg tech 62 Sep 21 2018 mail
> jazzy 44 % cd mail
> jazzy 45 % ls -l
> total 0
> -rw------- 1 paulg tech 0 Apr 9 13:54 Drafts
> -rw------- 1 paulg tech 0 Apr 9 13:54 Sent
> -rw------- 1 paulg tech 0 Apr 9 13:54 Templates
> -rw------- 1 paulg tech 0 Apr 9 13:54 Trash
>
> I am at a loss concerning this one, any pointers?
>
>
> Thanks
> Paul
>
> ---- files server ----
> [global]
> security = ADS
> workgroup = ONEEXAMPLECA
> realm = AD.ONE.EXAMPLE.CA
> server string = Samba Server
> hostname lookups = yes
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # - You must set a DOMAIN backend configuration
> # idmap config for the ONEEXAMPLECA domain
> idmap config ONEEXAMPLECA : backend = rid
> idmap config ONEEXAMPLECA : range = 10000-999999
>
> winbind use default domain = yes
> local master = No
>
> #log files
> debug timestamp = yes
> debug uid = yes
> debug pid = yes
> debug level = 3
> max log size = 0
>
> username map = /xconf/samba/usermap
>
> #ip networking
> max connections = 0
> interfaces = 127.0.0.1 130.xx.xx.xx
> bind interfaces only = yes
>
> #printing
> load printers = no
> printcap name = /xconf/lprng/printcap
> printing = bsd
> print command = /xsys/bin/lpr -b -P%p %s ; rm -f %s
> lpq command = /xsys/bin/lpq -P%p
> lprm command = /xsys/bin/lprm -P%p %j
> use client driver = yes
>
> # Template settings for login shell and home directory
> template shell = /bin/bash
> template homedir = /eecs/home/%U
>
> # security settings
> guest account = nobody
> invalid users = root
> nt acl support = yes
> inherit permissions = yes
> client lanman auth = no
> client ntlmv2 auth = yes
> wide links = no
> unix extensions = no
>
> [homes]
> comment = Home Directories
> browseable = yes
> read only = no
> valid users = %S
> csc policy = disable
> invalid users = activ8
> oplocks = no
> level2 oplocks = no
> strict locking = no
> posix locking = no
>
>
>
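Added example, not part of the original messages or of Samba itself: it places the IDs from the mount options (2381, 1000) and from the smbd log's `effective(12508, 10513)` against the `idmap config` ranges in the quoted smb.conf. The helper name `classify_id` and the embedded sample are constructed for illustration; the RID arithmetic assumes the rid backend's default `base_rid` of 0.

```shell
#!/bin/sh
# Constructed sample: the idmap lines from the smb.conf quoted in this thread.
SAMPLE_CONF='idmap config * : backend = tdb
idmap config * : range = 3000-7999
# idmap config for the ONEEXAMPLECA domain
idmap config ONEEXAMPLECA : backend = rid
idmap config ONEEXAMPLECA : range = 10000-999999'

# classify_id ID  (smb.conf text on stdin; helper name is hypothetical)
# Prints "DOMAIN BACKEND" for the idmap range containing ID, with "rid=N"
# appended for the rid backend (ID = RID + low end of range, base_rid 0),
# or "unmapped" when no configured range contains the ID.
classify_id() {
    awk -v id="$1" '
    /^[ \t]*idmap config[ \t]/ {
        # Line shape: idmap config DOMAIN : key = value
        line = $0
        sub(/^[ \t]*idmap config[ \t]+/, "", line)
        c = index(line, ":"); dom = substr(line, 1, c - 1)
        rest = substr(line, c + 1)
        e = index(rest, "="); key = substr(rest, 1, e - 1)
        val = substr(rest, e + 1)
        gsub(/[ \t]/, "", dom); gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
        if (key == "backend") backend[dom] = val
        if (key == "range") { split(val, r, "-"); low[dom] = r[1] + 0; high[dom] = r[2] + 0 }
    }
    END {
        for (d in low) {
            if (id + 0 < low[d] || id + 0 > high[d]) continue
            out = d " " backend[d]
            if (backend[d] == "rid") out = out " rid=" (id - low[d])
            print out; found = 1
        }
        if (!found) print "unmapped"
    }'
}

# The mount options (2381, 1000) and the smbd log effective(12508, 10513).
for id in 2381 1000 12508 10513; do
    printf '%s -> %s\n' "$id" "$(printf '%s\n' "$SAMPLE_CONF" | classify_id "$id")"
done
```

On a member server the same function can read the live configuration, for example `testparm -s 2>/dev/null | classify_id 12508`.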