[Samba] Intermittent permission denied when accessing share

Lorenzo Milesi maxxer at yetopen.it
Wed May 20 14:50:21 UTC 2020


About the root problem of the thread: it seems to be a permission problem, but again I need some help on how to investigate further. I've just had a report that a share wasn't accessible; I checked on another client and I was able to enter the folder but NOT to see the content, it looked empty. I have "hide unreadable" enabled, and while entering the share several times I noticed the file list gets populated but then disappears, so it's as if, when Samba realizes the user doesn't have access to the files, it hides them. But... why is it happening?
Restarting samba-ad-dc and refreshing the folder shows all the files. No filesystem change, no permission change.
The problem usually happens before entering the share, but it seems to me the cause could be the same.

I double-checked that the filesystem has ACL support.

Side note: as I enabled recycle I have
vfs objects = dfs_samba4 acl_xattr recycle
on every share, as indicated in the wiki.

Another test I made was about the NetBIOS alias: when the share is not working, accessing it with \\fileserver instead of \\alias doesn't help; it won't work anyway.


> I did the CNAME, but when I remove the netbios alias I can see the shares list
> when accessing \\aliasname, but then I'm not allowed into any of them. I tried
> rebooting the client but same result, and I also don't see anything in the logs
> :(

Small update on the alias "thing".
I made a new alias, partly as a test. So I added the CNAME, and added SPN entries host/fqdn and host/hostname to fileserver$. Result: unable to access the server with the new alias. I get prompted for credentials (first issue), and even if I enter valid domain u/p I get rejected.
After restarting Samba I'm able to browse the shares but not to enter them. I get this in the logs:
[2020/05/20 16:42:23.869228,  5] ../../source3/smbd/uid.c:298(print_impersonation_info)
  print_impersonation_info: Impersonated user: uid=(3000020,3000020), gid=(0,100), cwd=[/tmp]
[2020/05/20 16:42:23.869262,  8] ../../source3/modules/vfs_dfs_samba4.c:121(dfs_samba4_get_referrals)
  dfs_samba4: Requested DFS name: \server\SHARE1 utf16-length: 26
[2020/05/20 16:42:23.869276,  8] ../../dfs_server/dfs_server_ad.c:815(dfs_server_ad_get_referrals)
  Requested DFS name: \server\SHARE1 length: 26
[2020/05/20 16:42:23.869296,  3] ../../source3/smbd/smb2_server.c:3274(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../../source3/smbd/smb2_ioctl.c:312
[2020/05/20 16:42:23.869317,  5] ../../libcli/smb/smb2_signing.c:174(smb2_signing_sign_pdu)
  signed SMB2 message
[2020/05/20 16:42:23.869547,  5] ../../source3/smbd/uid.c:326(change_to_user_impersonate)
  change_to_user_impersonate: Skipping user change - already user
[2020/05/20 16:42:23.869573,  5] ../../source3/smbd/uid.c:298(print_impersonation_info)
  print_impersonation_info: Impersonated user: uid=(3000020,3000020), gid=(0,100), cwd=[/tmp]
[2020/05/20 16:42:23.869592,  8] ../../source3/modules/vfs_dfs_samba4.c:121(dfs_samba4_get_referrals)
  dfs_samba4: Requested DFS name: \server\SHARE1 utf16-length: 26
[2020/05/20 16:42:23.869604,  8] ../../dfs_server/dfs_server_ad.c:815(dfs_server_ad_get_referrals)
  Requested DFS name: \server\SHARE1 length: 26
[2020/05/20 16:42:23.869621,  3] ../../source3/smbd/smb2_server.c:3274(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../../source3/smbd/smb2_ioctl.c:312
[2020/05/20 16:42:23.869645,  5] ../../libcli/smb/smb2_signing.c:174(smb2_signing_sign_pdu)
  signed SMB2 message
[2020/05/20 16:42:32.887052,  5] ../../source3/smbd/uid.c:326(change_to_user_impersonate)
  change_to_user_impersonate: Skipping user change - already user
[2020/05/20 16:42:32.887148,  5] ../../source3/smbd/uid.c:298(print_impersonation_info)
  print_impersonation_info: Impersonated user: uid=(3000020,3000020), gid=(0,100), cwd=[/tmp]
[2020/05/20 16:42:32.887177,  8] ../../source3/modules/vfs_dfs_samba4.c:121(dfs_samba4_get_referrals)
  dfs_samba4: Requested DFS name: \server\SHARE2 utf16-length: 34
[2020/05/20 16:42:32.887195,  8] ../../dfs_server/dfs_server_ad.c:815(dfs_server_ad_get_referrals)
  Requested DFS name: \server\SHARE2 length: 34
[2020/05/20 16:42:32.887223,  3] ../../source3/smbd/smb2_server.c:3274(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../../source3/smbd/smb2_ioctl.c:312
[2020/05/20 16:42:32.887248,  5] ../../libcli/smb/smb2_signing.c:174(smb2_signing_sign_pdu)
  signed SMB2 message
[2020/05/20 16:42:32.888615,  5] ../../source3/smbd/uid.c:326(change_to_user_impersonate)
  change_to_user_impersonate: Skipping user change - already user
[2020/05/20 16:42:32.888649,  5] ../../source3/smbd/uid.c:298(print_impersonation_info)
  print_impersonation_info: Impersonated user: uid=(3000020,3000020), gid=(0,100), cwd=[/tmp]

I didn't try adding netbios alias to smb.conf.


-- 
Lorenzo Milesi - lorenzo.milesi at yetopen.it

YetOpen S.r.l. - https://www.yetopen.it/
Via Salerno 18 - 23900 Lecco - ITALY -
Tel +39 0341 220 205 - Fax +39 178 6070 222
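
A triage helper for smbd debug logs like the excerpt in the message above, added here as an example and not part of the original post or of Samba: it pairs each SMB2 error with the most recent DFS referral name and impersonated uid pair, so repeated failures can be counted per share. The sample log is abridged from the excerpt; the function names `parse_records` and `summarize_errors` are hypothetical.

```python
import re
from collections import Counter

# Sample abridged from the excerpt in the post: a header line, then an indented message.
SAMPLE = r"""[2020/05/20 16:42:23.869228,  5] ../../source3/smbd/uid.c:298(print_impersonation_info)
  print_impersonation_info: Impersonated user: uid=(3000020,3000020), gid=(0,100), cwd=[/tmp]
[2020/05/20 16:42:23.869262,  8] ../../source3/modules/vfs_dfs_samba4.c:121(dfs_samba4_get_referrals)
  dfs_samba4: Requested DFS name: \server\SHARE1 utf16-length: 26
[2020/05/20 16:42:23.869296,  3] ../../source3/smbd/smb2_server.c:3274(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../../source3/smbd/smb2_ioctl.c:312
[2020/05/20 16:42:32.887177,  8] ../../source3/modules/vfs_dfs_samba4.c:121(dfs_samba4_get_referrals)
  dfs_samba4: Requested DFS name: \server\SHARE2 utf16-length: 34
[2020/05/20 16:42:32.887223,  3] ../../source3/smbd/smb2_server.c:3274(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../../source3/smbd/smb2_ioctl.c:312
"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)[^\]]*\]\s+(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
STATUS = re.compile(r"status\[(NT_STATUS_\w+)\] \|\| at (\S+)")
DFS = re.compile(r"Requested DFS name: (\S+)")
IMP = re.compile(r"Impersonated user: uid=\(([^)]*)\)")

def parse_records(text):
    """Yield one dict per log entry; indented continuation lines are joined into 'msg'."""
    rec = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if rec is not None:
                yield rec
            rec = dict(m.groupdict(), msg="")
        elif rec is not None and raw.strip():
            rec["msg"] = (rec["msg"] + " " + raw.strip()).strip()
    if rec is not None:
        yield rec

def summarize_errors(text):
    """Count SMB2 errors keyed by (status, raised at, last DFS name, last uid pair)."""
    # "Last seen" pairing is a heuristic: it assumes the log comes from one smbd process.
    counts, dfs_name, uid = Counter(), None, None
    for rec in parse_records(text):
        if (m := IMP.search(rec["msg"])):
            uid = m.group(1)
        elif (m := DFS.search(rec["msg"])):
            dfs_name = m.group(1)
        elif rec["func"] == "smbd_smb2_request_error_ex" and (m := STATUS.search(rec["msg"])):
            counts[(m.group(1), m.group(2), dfs_name, uid)] += 1
            dfs_name = None  # do not attribute a later error to a stale request
    return counts
```

Passing the text of a real log file to `summarize_errors` returns a `Counter`; a single key with a high count, as in the excerpt, points at one failing request path rather than a per-file permission problem.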
