[Samba] Can't connect after AuthN: NT_STATUS_ACCESS_DENIED

Rowland Penny rpenny at samba.org
Thu Sep 24 07:43:00 UTC 2020


On 24/09/2020 03:23, Chris Olive via samba wrote:
> Been using Samba since the early days and it's always worked terrifically.
> Install it from RPM or apt or yum, make a few tweaks to the smb.conf and
> I'm off and running without fail.
>
> So to run into a situation where I'm getting denied has really stumped me.
> I dialed up logging to try and get a peek into what's failing and things
> start falling apart around NT_STATUS_ACCESS_DENIED and then my connection
> gets shut down. I can see Samba authenticating me just fine, mapping my
> username to the correct /home directory, the right UID and GID (first line
> in attached log)... Everything is going swimmingly and then PLONK.
>
> I have no idea what it's borking on. SELinux dialed down to permissive.
> I've tried swapping tdbsam database for smbpasswd... nothing seems to work.
> Even with this logging, I'm still shooting in the dark.
>
> I'm connecting from a Mac to a Samba server running on a CentOS 8 VM under
> VMware Fusion on my Mac. 172.16.112.1 is the VMware gateway, so I'm
> wondering about that part of it, but in fiddling with the firewall on the
> CentOS 8 VM itself, I can change the behavior enough to see it's getting
> through properly. All necessary ports are open (137-139, 445).
>
> I'm stuck at this point. Makes zero sense to me. I have a very similar set
> up in another CentOS 8 box that works flawlessly as every other
> installation I've done in 20 years.
>
> [Snipped lines above that show successful AuthN, forced mapping to "Domain
> Users", etc. all correct]
>    colive-12867 (ipv4:172.16.112.1:56106) connect to service IPC$ initially
> as user chris (uid=1000, gid=1000) (pid 98051)
> [2020/09/23 19:03:37.024156,  3]
> ../../source3/rpc_server/srv_pipe.c:751(api_pipe_bind_req)
>    api_pipe_bind_req: lsarpc -> lsarpc rpc service
> [2020/09/23 19:03:37.024174,  3]
> ../../source3/rpc_server/srv_pipe.c:356(check_bind_req)
>    check_bind_req for lsarpc context_id=0
> [2020/09/23 19:03:37.024184,  3]
> ../../source3/rpc_server/srv_pipe.c:399(check_bind_req)
>    check_bind_req: lsarpc -> lsarpc rpc service
> [2020/09/23 19:03:37.024199,  5]
> ../../source3/auth/auth.c:547(make_auth3_context_for_ntlm)
>    Making default auth method list for server role = 'standalone server',
> encrypt passwords = yes
> [2020/09/23 19:03:37.024208,  5]
> ../../source3/auth/auth.c:423(load_auth_module)
>    load_auth_module: Attempting to find an auth method to match anonymous
> [2020/09/23 19:03:37.024214,  5]
> ../../source3/auth/auth.c:448(load_auth_module)
>    load_auth_module: auth method anonymous has a valid init
> [2020/09/23 19:03:37.024217,  5]
> ../../source3/auth/auth.c:423(load_auth_module)
>    load_auth_module: Attempting to find an auth method to match
> sam_ignoredomain
> [2020/09/23 19:03:37.024220,  5]
> ../../source3/auth/auth.c:448(load_auth_module)
>    load_auth_module: auth method sam_ignoredomain has a valid init
> [2020/09/23 19:03:37.024760,  3]
> ../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
>    api_rpcTNP: rpc command: LSA_GETUSERNAME
> [2020/09/23 19:03:37.025554,  3]
> ../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
>    api_rpcTNP: rpc command: LSA_OPENPOLICY2
> [2020/09/23 19:03:37.026233,  3]
> ../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
>    api_rpcTNP: rpc command: LSA_LOOKUPNAMES
> [2020/09/23 19:03:37.026401,  3]
> ../../source3/passdb/lookup_sid.c:1606(get_primary_group_sid)
>    Forcing Primary Group to 'Domain Users' for chris
> [2020/09/23 19:03:37.027169,  3]
> ../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
>    api_rpcTNP: rpc command: LSA_CLOSE
> [2020/09/23 19:03:37.028187,  3]
> ../../source3/smbd/service.c:1131(close_cnum)
>    colive-12867 (ipv4:172.16.112.1:56106) closed connection to service IPC$
> [2020/09/23 19:03:37.029241,  3]
> ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
>    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296
> [2020/09/23 19:03:37.029259,  3]
> ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
>    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5]
> status[NT_STATUS_FILE_CLOSED] || at ../../source3/smbd/smb2_server.c:2633
> [2020/09/23 19:03:37.029266,  3]
> ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
>    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[9]
> status[NT_STATUS_FILE_CLOSED] || at ../../source3/smbd/smb2_server.c:2633
> [2020/09/23 19:03:37.029554,  2]
> ../../source3/smbd/service.c:1131(close_cnum)
>    colive-12867 (ipv4:172.16.112.1:56106) closed connection to service chris
>
> Chris
> --
> Chris Olive | chris at TechnologEase.com

I think you need to post your smb.conf file; your log says this:

Making default auth method list for server role = 'standalone server'

and then goes on to say:

Forcing Primary Group to 'Domain Users' for chris

The two are a bit mutually exclusive; a standalone server cannot be a
member of a domain.

Rowland
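
As an added example (not part of either poster's message and not Samba code), a small Python parser for the debug-log layout quoted above: it re-joins the mail-wrapped lines and reports the server role plus each NT_STATUS error with the source location that raised it. The function names are this example's own, and SAMPLE is a handful of lines copied from the quoted log.

```python
import re

# Record header as it appears in the quoted log:
# "[date time, level] source_file:line(function)"
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*"
    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)")
STATUS = re.compile(r"status\[(NT_STATUS_\w+)\]\s*\|\|\s*at\s+(\S+):(\d+)")
ROLE = re.compile(r"server role = '([^']+)'")

# Lines copied from the quoted log, still mail-wrapped and ">"-quoted.
SAMPLE = """\
> [2020/09/23 19:03:37.024199,  5]
> ../../source3/auth/auth.c:547(make_auth3_context_for_ntlm)
>    Making default auth method list for server role = 'standalone server',
> encrypt passwords = yes
> [2020/09/23 19:03:37.029241,  3]
> ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
>    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296
> [2020/09/23 19:03:37.029259,  3]
> ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
>    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5]
> status[NT_STATUS_FILE_CLOSED] || at ../../source3/smbd/smb2_server.c:2633
"""

def parse_records(text):
    """Strip quote markers, re-join wrapped lines, split into log records."""
    flat = " ".join(line.lstrip("> ").strip() for line in text.splitlines())
    heads = list(HEADER.finditer(flat))
    records = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(flat)
        rec = m.groupdict()
        rec["level"] = int(rec["level"])
        rec["msg"] = flat[m.end():end].strip()
        records.append(rec)
    return records

def summarize(text):
    """Return (server role, [(timestamp, status, source location), ...])."""
    role, errors = None, []
    for rec in parse_records(text):
        found = ROLE.search(rec["msg"])
        if found:
            role = found.group(1)
        for status, src, line in STATUS.findall(rec["msg"]):
            errors.append((rec["ts"], status, f"{src}:{line}"))
    return role, errors
```
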




