[Samba] Intermittent permission denied when accessing share

Lorenzo Milesi maxxer at yetopen.it
Mon May 18 21:14:39 UTC 2020

> trying again.

here's the output. 

Config collected --- 2020-05-18-23:08 -----------

Hostname:   fileserver
DNS Domain: wdc.mydomain.it
FQDN:       fileserver.wdc.mydomain.it


This computer is running Ubuntu 18.04.4 LTS x86_64


running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
    inet6 ::1/128 scope host
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:7a:3c:11 brd ff:ff:ff:ff:ff:ff
    inet brd scope global ens160
    inet6 fe80::20c:29ff:fe7a:3c11/64 scope link


Checking file: /etc/hosts localhost
# fileserver fileserver.wdc.mydomain.it fileserver mail.mydomain.it mail

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback localhost
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


Checking file: /etc/resolv.conf

search wdc.mydomain.it


Kerberos SRV _kerberos._tcp.wdc.mydomain.it record(s) verified ok, sample output:

_kerberos._tcp.wdc.mydomain.it	service = 0 100 88 fileserver.wdc.mydomain.it.


'kinit Administrator' checked successfully.


Samba is running as an AD DC


Checking file: /etc/krb5.conf

	default_realm = WDC.MYDOMAIN.IT
	dns_lookup_realm = false
	dns_lookup_kdc = true

	default_domain = wdc.mydomain.it

	fileserver = WDC.MYDOMAIN.IT


Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat systemd winbind
group:          compat systemd winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


Checking file: /usr/local/samba/etc/smb.conf

# Global parameters
	netbios name = FILESERVER
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	workgroup = WDC
	netbios aliases = serverx3
	idmap_ldb:use rfc2307 = yes
	# https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
#	template shell = /bin/bash
	template homedir = /home/%U
	hide unreadable = yes

	# I due parametri sotto abbassano il protocollo minimo di comunicazione, messi per consentire le join dei PC con XP
	server min protocol = NT1
	client min protocol = NT1

	log level = 8

	path = /usr/local/samba/var/locks/sysvol
	read only = No
	browseable = No

	path = /usr/local/samba/var/locks/sysvol/wdc.mydomain.it/scripts
	read only = No
	browseable = No

        path = /home/CONDIVISI/personali
	include = /usr/local/samba/etc/cestino.conf
	read only = No

        path = /home/CONDIVISI/BACHECA
	include = /usr/local/samba/etc/cestino.conf
	read only = No


This DC is being used as a fileserver

Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf

// This is the primary configuration file for the BIND DNS server named.
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";


Checking file: /etc/bind/named.conf.options

# 2020.04.21 yetopen
acl internals {;; };
# 2020.04.21 yetopen - fine

options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable
	// nameservers, you probably want to use them as forwarders.
	// Uncomment the following block, and insert the addresses replacing
	// the all-0's placeholder.

	// forwarders {
	// };

	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
#	dnssec-validation auto;

#	auth-nxdomain no;    # conform to RFC1035

	# 2020.04.21 yetopen https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server#Setting_up_the_named.conf_files
	listen-on-v6 { none; };
	forwarders {;; };
	version "Go Away 0.0.7";
	notify no;
	empty-zones-enable no;
	auth-nxdomain yes;
	allow-transfer { none; };
	dnssec-validation no;
	dnssec-enable no;
	dnssec-lookaside no;
	// Added Per Debian buster Bind9.
	// Due to : resolver: info: resolver priming query complete messages in the logs.
	// See: https://gitlab.isc.org/isc-projects/bind9/commit/4a827494618e776a78b413d863bc23badd14ea42
	minimal-responses yes;

	//  Add any subnets or hosts you want to allow to use this DNS server
	allow-query { "internals";  };
	allow-query-cache { "internals"; };

	//  Add any subnets or hosts you want to allow to use recursive queries
	recursion yes;
	allow-recursion {  "internals"; };

	// https://wiki.samba.org/index.php/Dns-backend_bind
	// DNS dynamic updates via Kerberos (optional, but recommended)
	// ONE of the following lines should be enabled AFTER you provision or join a DC with bind9_dlz
	// or AFTER upgrading your dns from internal to bind9_dlz
	// Before Samba 4.9.0
	// tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
	// From Samba 4.9.0 ( You will need to run samba_dnsupgrade if upgrading your Samba version. )
	tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
	# 2020.04.21 yetopen - fine


Checking file: /etc/bind/named.conf.local

// Do any local configuration here

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

include "/usr/local/samba/bind-dns/named.conf";


Checking file: /etc/bind/named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
	type hint;
	file "/etc/bind/db.root";

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
	type master;
	file "/etc/bind/db.local";

zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";

zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";

zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";


Samba DNS zone list check :



This is the DC with the PDC Emulator role and time is: 2020-05-18T23:09:04


Installed packages:
ii  acl                                       2.2.52-3build1                                                      amd64        Access control list utilities
ii  attr                                      1:2.4.47-2build1                                                    amd64        Utilities for manipulating filesystem extended attributes
ii  bind9                                     1:9.11.3+dfsg-1ubuntu1.11                                           amd64        Internet Domain Name Server
ii  bind9-host                                1:9.11.3+dfsg-1ubuntu1.11                                           amd64        DNS lookup utility (deprecated)
ii  bind9utils                                1:9.11.3+dfsg-1ubuntu1.11                                           amd64        Utilities for BIND
ii  krb5-config                               2.6                                                                 all          Configuration files for Kerberos Version 5
ii  krb5-kdc                                  1.16-2ubuntu0.1                                                     amd64        MIT Kerberos key server (KDC)
ii  krb5-locales                              1.16-2ubuntu0.1                                                     all          internationalization support for MIT Kerberos
ii  krb5-multidev:amd64                       1.16-2ubuntu0.1                                                     amd64        development files for MIT Kerberos without Heimdal conflict
ii  krb5-user                                 1.16-2ubuntu0.1                                                     amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                             2.2.52-3build1                                                      amd64        Access control list shared library
ii  libacl1-dev                               2.2.52-3build1                                                      amd64        Access control list static libraries and headers
ii  libattr1:amd64                            1:2.4.47-2build1                                                    amd64        Extended attribute shared library
ii  libattr1-dev:amd64                        1:2.4.47-2build1                                                    amd64        Extended attribute static libraries and headers
ii  libbind9-160:amd64                        1:9.11.3+dfsg-1ubuntu1.11                                           amd64        BIND9 Shared Library used by BIND
ii  libgssapi-krb5-2:amd64                    1.16-2ubuntu0.1                                                     amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64                  7.5.0+dfsg-1                                                        amd64        Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                           1.16-2ubuntu0.1                                                     amd64        MIT Kerberos runtime libraries
ii  libkrb5-dev:amd64                         1.16-2ubuntu0.1                                                     amd64        headers and development libraries for MIT Kerberos
ii  libkrb5support0:amd64                     1.16-2ubuntu0.1                                                     amd64        MIT Kerberos runtime libraries - Support library
ii  python3-attr                              17.4.0-2                                                            all          Attributes without boilerplate (Python 3)
ii  zimbra-common-mbox-conf-attrs                                                amd64        Zimbra Core Mailbox Attributes Configuration


Lorenzo Milesi - lorenzo.milesi at yetopen.it

YetOpen S.r.l. - https://www.yetopen.it/
Via Salerno 18 - 23900 Lecco - ITALY -
Tel +39 0341 220 205 - Fax +39 178 6070 222

Think green - Non stampare questa e-mail se non necessario / Don't print this email unless necessary

-------- D.Lgs. 196/2003 e GDPR 679/2016 --------
Tutte le informazioni contenute in questo messaggio sono riservate ed a uso esclusivo del destinatario.
Tutte le informazioni ivi contenute, compresi eventuali allegati, sono da ritenere confidenziali e riservate secondo i termini
del vigente D.Lgs. 196/2003 in materia di privacy e del Regolamento europeo 679/2016 - GDPR - e quindi ne e' proibita l'utilizzazione ulteriore non autorizzata.
Nel caso in cui questo messaggio Le fosse pervenuto per errore, La invitiamo ad eliminarlo senza copiarlo, stamparlo, a non inoltrarlo a terzi e ad avvertirci non appena possibile.

Confidentiality notice: this email message including any attachment is for the sole use of the intended recipient and may contain confidential and privileged information;
pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or distribution
is prohibited. If you are not the intended recepient please delete this message without copying, printing or forwarding it to others, and alert us as soon as possible.
Thank you.

More information about the samba mailing list