[Samba] Intermittent permission denied when accessing share

Rowland penny rpenny at samba.org
Sun May 17 08:23:47 UTC 2020

On 16/05/2020 16:52, Lorenzo Milesi via samba wrote:
> I'm having a weird situation with a freshly installed Samba v4.12.1 compiled from source. This is a single server with DC and fileserver, I followed all the guidelines for doing things correctly in this specific situation and I hope I haven't missed anything.
You missed that using a DC as a fileserver isn't recommended.
> One note: I read in the logs several NT_STATUS_NO_SUCH_USER errors from the above client. Before this Samba server we had a Samba4 installation in workgroup mode, these auths seem to be mapped to the OLD workgroup name, and I suspect these are from Windows' background services trying to authenticate to the old server.
From reading the samba log, it looks like Samba logons are not working, 
but ldap connections are.
> ** smb.conf
> # Global parameters
> [global]
>          netbios name = FILESERVER
>          realm = WDC.MYDOMAIN.IT
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>          workgroup = WDC
>          netbios aliases = server3
Do not use 'netbios aliases' on a DC, use a dns CNAME instead.
>          idmap_ldb:use rfc2307 = yes
>          template homedir = /home/%U
>          hide unreadable = yes
>          # temporary requirements for 2 xp clients
>          server min protocol = NT1
>          client min protocol = NT1
No, make your XP machines use NTLMv2 instead, better still get rid of 
them if you can.
> [homes]
>          path = /home/CONDIVISI/personali
No, you do not use 'path =' with '[homes]', change '[homes]' to '[home]'.
> LOG FILES: as I couldn't find the policy for this ML I didn't dare posting 4MB of files in a single message, so they're available on the two links below. If it's not a problem I'll paste them to a new mail in this thread.
> https://cloud.ufficyo.com/nc/s/XaSG8GGDFwgPpHf
> https://cloud.ufficyo.com/nc/s/jbwFnDDJ7mQnPQM

That is the correct way to do it, if you had attached them, the mailing 
list would have removed them. If you had posted them in the body of the 
email, your post would have been rejected for being too large.

You say that you ran a workgroup, did your clients leave the workgroup 
before joining the domain?
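
The points raised in the reply above can be checked mechanically before a config goes live. The following is an added example, not part of the original message or of Samba itself: a small Python linter whose finding names (`netbios-aliases-on-dc` and so on) are made up here, and whose sample input is an excerpt of the smb.conf quoted in the thread.

```python
# Sample input: excerpt of the smb.conf quoted in the thread above.
SAMPLE = """\
[global]
    server role = active directory domain controller
    netbios aliases = server3
    # temporary requirements for 2 xp clients
    server min protocol = NT1
    client min protocol = NT1
[homes]
    path = /home/CONDIVISI/personali
"""

DC_ROLE = "active directory domain controller"
DC_SHARES = {"global", "sysvol", "netlogon"}   # sections a DC normally carries
OLD_PROTOCOLS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}  # SMB1 and older

def parse(text):
    """Return {section: {param: value}}; names lowercased, inner whitespace collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def lint(text):
    """Return finding labels (hypothetical names) for the points made in the reply."""
    conf = parse(text)
    g = conf.get("global", {})
    is_dc = g.get("server role", "").lower() == DC_ROLE
    findings = []
    if is_dc and "netbios aliases" in g:          # reply: use a DNS CNAME instead
        findings.append("netbios-aliases-on-dc")
    for p in ("server min protocol", "client min protocol"):
        if g.get(p, "").upper() in OLD_PROTOCOLS:  # reply: do not drop to NT1
            findings.append(f"smb1:{p}")
    if "path" in conf.get("homes", {}):           # reply: no 'path =' in [homes]
        findings.append("path-in-homes")
    extra = sorted(set(conf) - DC_SHARES)
    if is_dc and extra:                           # reply: DC as fileserver not recommended
        findings.append("dc-as-fileserver:" + ",".join(extra))
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```
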
