[Samba] Intermittent permission denied when accessing share

Lorenzo Milesi maxxer at yetopen.it
Sat May 16 15:52:29 UTC 2020

I'm having a weird situation with a freshly installed Samba v4.12.1 compiled from source. This is a single server acting as both DC and fileserver; I followed all the guidelines for doing things correctly in this specific situation, and I hope I haven't missed anything.
The server works as expected; I'm managing all the permissions from Windows.
Unfortunately users occasionally experience problems accessing some shares they used to access. This has happened three times, so far only on two different shares. When the event occurs, all computers in the domain are unable to access the share, and I'm able to restore functionality just by restarting samba-ad-dc.service. I tried "reload-config" but it doesn't work. After restarting the service everything is back to normal. The first time this happened I had to restart again within 4h, then it didn't happen again for days.

The last occurrence was reported to me today: I tried accessing the "RESPONSABILI" share a few minutes after 16:00 from a PC (myuser at CM-WM-W7) and access was denied. I restarted around 16:06 and access was restored.
As this had happened before, I had raised the log level to 8, so I now have debug logs.

One note: I read in the logs several NT_STATUS_NO_SUCH_USER errors from the above client. Before this Samba server we had a Samba4 installation in workgroup mode; these auths seem to be mapped to the OLD workgroup name, and I suspect they come from Windows background services trying to authenticate to the old server.


** smb.conf
# Global parameters
[global]
        netbios name = FILESERVER
        realm = WDC.MYDOMAIN.IT
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = WDC
        netbios aliases = server3
        idmap_ldb:use rfc2307 = yes
        template homedir = /home/%U
        hide unreadable = yes
        # temporary requirements for 2 xp clients
        server min protocol = NT1
        client min protocol = NT1
        log level = 8

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
        browseable = No

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/wdc.mydomain.it/scripts
        read only = No
        browseable = No

# share name below is assumed from its path; the section headers were missing from the quoted config
[personali]
        path = /home/CONDIVISI/personali
        include = /usr/local/samba/etc/cestino.conf
        read only = No

[RESPONSABILI]
        path = /home/CONDIVISI/RESPONSABILI
        read only = No
        include = /usr/local/samba/etc/cestino.conf

** cestino.conf:
        vfs objects = dfs_samba4 acl_xattr recycle
        recycle:repository = .cestino/%U
        recycle:keeptree = yes
        recycle:touch = yes
        recycle:versions = yes
        recycle:exclude = *.tmp *.bak ~$*
        recycle:exclude_dir = /tmp /temp /cache
        recycle:noversions = *.doc *.xls *.ppt
        recycle:directory_mode = 770
        recycle:touch_mtime = yes

LOG FILES: as I couldn't find the policy for this ML, I didn't dare post 4MB of files in a single message, so they're available at the two links below. If it's not a problem I'll paste them into a new mail in this thread.

Lorenzo Milesi - lorenzo.milesi at yetopen.it

YetOpen S.r.l. - https://www.yetopen.it/
Via Salerno 18 - 23900 Lecco - ITALY -
Tel +39 0341 220 205 - Fax +39 178 6070 222

Think green - Don't print this email unless necessary


Confidentiality notice: this email message including any attachment is for the sole use of the intended recipient and may contain confidential and privileged information;
pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or distribution
is prohibited. If you are not the intended recipient please delete this message without copying, printing or forwarding it to others, and alert us as soon as possible.
Thank you.
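The NT_STATUS_NO_SUCH_USER observation in the post is the kind of detail that gets buried in several MB of level-8 logs. The following is an added example, not code from the post or from the Samba project: a small Python triage script that runs over constructed lines approximating Samba's human-readable "Auth:" audit records, buckets the events by NT status, separates authentications that still name the old workgroup (assumed here to be called OLDWG) from failures that the stale workgroup does not explain, and pulls out the events inside the 16:00-16:06 incident window. The exact field layout of the audit line, the timestamp format, and every host, user, address and workgroup in the sample are assumptions made for the example.

```python
"""Triage Samba 'Auth:' audit lines by status, stale workgroup and time window.

Added example; the sample log is constructed and only approximates the
human-readable audit format that Samba's auth/auth_log.c emits.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample. OLDWG stands in for the retired workgroup name;
# hosts, users and addresses are made up.
SAMPLE_LOG = """\
  Auth: [SMB2,(null)] user [OLDWG]\\[svc_backup] at [Sat, 16 May 2020 15:58:12.123456 CEST] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [CM-WM-W7] remote host [ipv4:192.0.2.10:49321] mapped to [OLDWG]\\[svc_backup]. local host [ipv4:192.0.2.1:445]
  Auth: [SMB2,(null)] user [WDC]\\[myuser] at [Sat, 16 May 2020 15:59:03.000000 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [CM-WM-W7] remote host [ipv4:192.0.2.10:49330] mapped to [WDC]\\[myuser]. local host [ipv4:192.0.2.1:445]
  Auth: [SMB2,(null)] user [WDC]\\[myuser] at [Sat, 16 May 2020 16:02:41.500000 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [CM-WM-W7] remote host [ipv4:192.0.2.10:49355] mapped to [WDC]\\[myuser]. local host [ipv4:192.0.2.1:445]
  Auth: [SMB2,(null)] user [OLDWG]\\[svc_backup] at [Sat, 16 May 2020 16:03:10.000000 CEST] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [CM-WM-W7] remote host [ipv4:192.0.2.10:49360] mapped to [OLDWG]\\[svc_backup]. local host [ipv4:192.0.2.1:445]
  Auth: [SMB2,(null)] user [WDC]\\[otheruser] at [Sat, 16 May 2020 16:04:00.000000 CEST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [PC02] remote host [ipv4:192.0.2.11:50001] mapped to [WDC]\\[otheruser]. local host [ipv4:192.0.2.1:445]
"""

# Field layout assumed from the sample above; "mapped to" and "local host"
# are deliberately not required so partially different layouts still match.
AUTH_RE = re.compile(
    r"Auth: \[(?P<transport>[^,\]]*),[^\]]*\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]"
    r" at \[(?P<at>[^\]]*)\] with \[(?P<mech>[^\]]*)\] status \[(?P<status>[^\]]*)\]"
    r" workstation \[(?P<workstation>[^\]]*)\] remote host \[(?P<remote>[^\]]*)\]"
)


def _parse_at(field):
    """Parse the assumed 'at' timestamp, tolerating a trailing zone name (CEST)."""
    for stamp in (field, field.rsplit(" ", 1)[0]):
        try:
            return datetime.strptime(stamp, "%a, %d %b %Y %H:%M:%S.%f")
        except ValueError:
            pass
    return None  # unknown layout: keep the event but without a usable time


def parse_auth_events(text):
    """Return one dict per matching Auth: line; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = _parse_at(ev["at"])
        events.append(ev)
    return events


def triage(events, old_workgroup):
    """Split events into the buckets worth reading first.

    stale_workgroup: auths still naming the retired workgroup, counted per
    (workstation, user), so the noisy background-service logins are isolated.
    unexplained_failures: every non-OK event NOT attributable to that
    workgroup; these are the ones to correlate with the share outage.
    """
    old = old_workgroup.upper()
    by_status = Counter(e["status"] for e in events)
    stale = [e for e in events if e["domain"].upper() == old]
    unexplained = [
        e for e in events
        if e["status"] != "NT_STATUS_OK" and e["domain"].upper() != old
    ]
    return {
        "by_status": by_status,
        "stale_workgroup": Counter((e["workstation"], e["user"]) for e in stale),
        "unexplained_failures": unexplained,
    }


def events_between(events, start, end, fmt="%Y-%m-%d %H:%M"):
    """Events whose parsed time falls inside [start, end] (inclusive)."""
    lo, hi = datetime.strptime(start, fmt), datetime.strptime(end, fmt)
    return [e for e in events if e["time"] is not None and lo <= e["time"] <= hi]


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    report = triage(evs, "OLDWG")
    print("by status:", dict(report["by_status"]))
    print("stale workgroup logins:", dict(report["stale_workgroup"]))
    for e in report["unexplained_failures"]:
        print("unexplained:", e["workstation"], e["user"], e["status"], e["at"])
    for e in events_between(evs, "2020-05-16 16:00", "2020-05-16 16:06"):
        print("in window:", e["workstation"], e["user"], e["status"], e["at"])
```

Run it against the real log with `parse_auth_events(open("log.smbd").read())` and the actual old workgroup name; the point of the split is that once the NT_STATUS_NO_SUCH_USER noise from the retired workgroup is counted separately, whatever is left in the incident window is a much shorter list to compare against the restart time.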
