[Samba] Can't connect after AuthN: NT_STATUS_ACCESS_DENIED

Chris Olive chris at technologease.com
Thu Sep 24 02:23:14 UTC 2020 

Been using Samba since the early days and it's always worked terrifically.
Install it from RPM or apt or yum, make a few tweaks to the smb.conf and
I'm off and running without fail.

So to run into a situation where I'm getting denied has really stumped me.
I dialed up logging to try and get a peek into what's failing and things
start falling apart around NT_STATUS_ACCESS_DENIED and then my connection
gets shut down. I can see Samba authenticating me just fine, mapping my
username to the correct /home directory, the right UID and GID (first line
in attached log)... Everything is going swimmingly and then PLONK.

I have no idea what it's borking on. SELinux dialed down to permissive.
I've tried swapping tdbsam database for swbpasswd... nothing seems to work.
Even with this logging, I'm still shooting in the dark.

I'm connecting from a Mac to a Samba server running on a CentOS 8 VM under
VMware Fusion on my Mac. 172.16.112.1 is the VMware gateway, so I'm
wondering about that part of it, but in fiddling with the firewall on the
CentOS 8 VM itself, I can change the behavior enough to see it's getting
through properly. All necessary ports are open (137-139, 445).

I'm stuck at this point. Makes zero sense to me. I have a very similar set
up in another CentOS 8 box that works flawlessly as every other
installation I've done in 20 years.

[Snipped lines above that show successful AuthN, forced mapping to "Domain
Users", etc. all correct]
  colive-12867 (ipv4:172.16.112.1:56106) connect to service IPC$ initially
as user chris (uid=1000, gid=1000) (pid 98051)
[2020/09/23 19:03:37.024156,  3]
../../source3/rpc_server/srv_pipe.c:751(api_pipe_bind_req)
  api_pipe_bind_req: lsarpc -> lsarpc rpc service
[2020/09/23 19:03:37.024174,  3]
../../source3/rpc_server/srv_pipe.c:356(check_bind_req)
  check_bind_req for lsarpc context_id=0
[2020/09/23 19:03:37.024184,  3]
../../source3/rpc_server/srv_pipe.c:399(check_bind_req)
  check_bind_req: lsarpc -> lsarpc rpc service
[2020/09/23 19:03:37.024199,  5]
../../source3/auth/auth.c:547(make_auth3_context_for_ntlm)
  Making default auth method list for server role = 'standalone server',
encrypt passwords = yes
[2020/09/23 19:03:37.024208,  5]
../../source3/auth/auth.c:423(load_auth_module)
  load_auth_module: Attempting to find an auth method to match anonymous
[2020/09/23 19:03:37.024214,  5]
../../source3/auth/auth.c:448(load_auth_module)
  load_auth_module: auth method anonymous has a valid init
[2020/09/23 19:03:37.024217,  5]
../../source3/auth/auth.c:423(load_auth_module)
  load_auth_module: Attempting to find an auth method to match
sam_ignoredomain
[2020/09/23 19:03:37.024220,  5]
../../source3/auth/auth.c:448(load_auth_module)
  load_auth_module: auth method sam_ignoredomain has a valid init
[2020/09/23 19:03:37.024760,  3]
../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
  api_rpcTNP: rpc command: LSA_GETUSERNAME
[2020/09/23 19:03:37.025554,  3]
../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
  api_rpcTNP: rpc command: LSA_OPENPOLICY2
[2020/09/23 19:03:37.026233,  3]
../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
  api_rpcTNP: rpc command: LSA_LOOKUPNAMES
[2020/09/23 19:03:37.026401,  3]
../../source3/passdb/lookup_sid.c:1606(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for chris
[2020/09/23 19:03:37.027169,  3]
../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
  api_rpcTNP: rpc command: LSA_CLOSE
[2020/09/23 19:03:37.028187,  3]
../../source3/smbd/service.c:1131(close_cnum)
  colive-12867 (ipv4:172.16.112.1:56106) closed connection to service IPC$
[2020/09/23 19:03:37.029241,  3]
../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296
[2020/09/23 19:03:37.029259,  3]
../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5]
status[NT_STATUS_FILE_CLOSED] || at ../../source3/smbd/smb2_server.c:2633
[2020/09/23 19:03:37.029266,  3]
../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[9]
status[NT_STATUS_FILE_CLOSED] || at ../../source3/smbd/smb2_server.c:2633
[2020/09/23 19:03:37.029554,  2]
../../source3/smbd/service.c:1131(close_cnum)
  colive-12867 (ipv4:172.16.112.1:56106) closed connection to service chris

Chris
--
Chris Olive | chris at TechnologEase.com

More information about the samba mailing list