[Samba] Can't connect after AuthN: NT_STATUS_ACCESS_DENIED

Chris Olive chris at technologease.com
Thu Sep 24 19:06:33 UTC 2020


No real "standalone" or domains explicitly specified in the smb.conf file.

This is a host with containers on it, but at this level, this is the
smb.conf file for the host itself. Ironically when I install SMB in a
container and spin it up it works fine. At the machine level it does not.
All these issues took place before I tried it in a container, so the log I
originally sent was when Samba was installed at the host level and not in a
container. Still beats the heck out of me. I've never had any issue with
Samba.

[global]
        add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
        cups options = raw
        ## encrypt passwords = yes
        load printers = yes
        local master = no
        log level = 3 passdb:5 auth:5
        name resolve order = wins lmhosts bcast
        netbios name = LXD1
        os level = 65
        passdb backend = tdbsam
        ## passdb backend = smbpasswd
        passwd chat = "*New Password:*" %n\n "*Reenter New Password:*" %n\n "*Password changed.*"
        passwd program = /usr/bin/passwd %u
        printcap cache time = 750
        printcap name = cups
        printing = cups
        server string = LXD Containers
        unix password sync = yes
        wins support = Yes
        workgroup = LXD1

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = Yes
        read only = No
        inherit acls = Yes
        create mask = 0755
        directory mask = 0750

On Thu, Sep 24, 2020 at 2:43 AM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 24/09/2020 03:23, Chris Olive via samba wrote:
> > Been using Samba since the early days and it's always worked terrifically.
> > Install it from RPM or apt or yum, make a few tweaks to the smb.conf and
> > I'm off and running without fail.
> >
> > So to run into a situation where I'm getting denied has really stumped me.
> > I dialed up logging to try and get a peek into what's failing and things
> > start falling apart around NT_STATUS_ACCESS_DENIED and then my connection
> > gets shut down. I can see Samba authenticating me just fine, mapping my
> > username to the correct /home directory, the right UID and GID (first line
> > in attached log)... Everything is going swimmingly and then PLONK.
> >
> > I have no idea what it's borking on. SELinux dialed down to permissive.
> > I've tried swapping tdbsam database for smbpasswd... nothing seems to work.
> > Even with this logging, I'm still shooting in the dark.
> >
> > I'm connecting from a Mac to a Samba server running on a CentOS 8 VM under
> > VMware Fusion on my Mac. 172.16.112.1 is the VMware gateway, so I'm
> > wondering about that part of it, but in fiddling with the firewall on the
> > CentOS 8 VM itself, I can change the behavior enough to see it's getting
> > through properly. All necessary ports are open (137-139, 445).
> >
> > I'm stuck at this point. Makes zero sense to me. I have a very similar set
> > up in another CentOS 8 box that works flawlessly as every other
> > installation I've done in 20 years.
> >
> > [Snipped lines above that show successful AuthN, forced mapping to "Domain
> > Users", etc. all correct]
> >    colive-12867 (ipv4:172.16.112.1:56106) connect to service IPC$ initially as user chris (uid=1000, gid=1000) (pid 98051)
> > [2020/09/23 19:03:37.024156,  3] ../../source3/rpc_server/srv_pipe.c:751(api_pipe_bind_req)
> >    api_pipe_bind_req: lsarpc -> lsarpc rpc service
> > [2020/09/23 19:03:37.024174,  3] ../../source3/rpc_server/srv_pipe.c:356(check_bind_req)
> >    check_bind_req for lsarpc context_id=0
> > [2020/09/23 19:03:37.024184,  3] ../../source3/rpc_server/srv_pipe.c:399(check_bind_req)
> >    check_bind_req: lsarpc -> lsarpc rpc service
> > [2020/09/23 19:03:37.024199,  5] ../../source3/auth/auth.c:547(make_auth3_context_for_ntlm)
> >    Making default auth method list for server role = 'standalone server', encrypt passwords = yes
> > [2020/09/23 19:03:37.024208,  5] ../../source3/auth/auth.c:423(load_auth_module)
> >    load_auth_module: Attempting to find an auth method to match anonymous
> > [2020/09/23 19:03:37.024214,  5] ../../source3/auth/auth.c:448(load_auth_module)
> >    load_auth_module: auth method anonymous has a valid init
> > [2020/09/23 19:03:37.024217,  5] ../../source3/auth/auth.c:423(load_auth_module)
> >    load_auth_module: Attempting to find an auth method to match sam_ignoredomain
> > [2020/09/23 19:03:37.024220,  5] ../../source3/auth/auth.c:448(load_auth_module)
> >    load_auth_module: auth method sam_ignoredomain has a valid init
> > [2020/09/23 19:03:37.024760,  3] ../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
> >    api_rpcTNP: rpc command: LSA_GETUSERNAME
> > [2020/09/23 19:03:37.025554,  3] ../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
> >    api_rpcTNP: rpc command: LSA_OPENPOLICY2
> > [2020/09/23 19:03:37.026233,  3] ../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
> >    api_rpcTNP: rpc command: LSA_LOOKUPNAMES
> > [2020/09/23 19:03:37.026401,  3] ../../source3/passdb/lookup_sid.c:1606(get_primary_group_sid)
> >    Forcing Primary Group to 'Domain Users' for chris
> > [2020/09/23 19:03:37.027169,  3] ../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
> >    api_rpcTNP: rpc command: LSA_CLOSE
> > [2020/09/23 19:03:37.028187,  3] ../../source3/smbd/service.c:1131(close_cnum)
> >    colive-12867 (ipv4:172.16.112.1:56106) closed connection to service IPC$
> > [2020/09/23 19:03:37.029241,  3] ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
> >    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296
> > [2020/09/23 19:03:37.029259,  3] ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
> >    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5] status[NT_STATUS_FILE_CLOSED] || at ../../source3/smbd/smb2_server.c:2633
> > [2020/09/23 19:03:37.029266,  3] ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
> >    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[9] status[NT_STATUS_FILE_CLOSED] || at ../../source3/smbd/smb2_server.c:2633
> > [2020/09/23 19:03:37.029554,  2] ../../source3/smbd/service.c:1131(close_cnum)
> >    colive-12867 (ipv4:172.16.112.1:56106) closed connection to service chris
> >
> > Chris
> > --
> > Chris Olive | chris at TechnologEase.com
>
> I think you need to post your smb.conf file, your log says this:
>
> Making default auth method list for server role = 'standalone server'
>
> and then goes on to say:
>
> Forcing Primary Group to 'Domain Users' for chris
>
> The two are a bit mutually exclusive, a standalone server cannot be a
> member of a domain.
>
> Rowland


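Added example, not part of the original thread and not Samba project code: a small triage script for an smbd log at this verbosity, which pairs each record header with its message and reports the server role smbd logged plus every NT_STATUS error with the source location that raised it. The names parse_records, summarize and SAMPLE_LOG are hypothetical, and the script assumes the on-disk log layout where each header sits on one line (the e-mail had wrapped them).

```python
import re

# Header of a Samba log record: "[date time,  level] file:line(function)"
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)$")
# smbd error line: "status[NT_STATUS_X] || at file:line"
STATUS = re.compile(r"status\[(NT_STATUS_\w+)\] \|\| at (\S+):(\d+)")
ROLE = re.compile(r"server role = '([^']+)'")

# Constructed sample: four records taken from the log quoted above, unwrapped.
SAMPLE_LOG = """\
[2020/09/23 19:03:37.024199,  5] ../../source3/auth/auth.c:547(make_auth3_context_for_ntlm)
  Making default auth method list for server role = 'standalone server', encrypt passwords = yes
[2020/09/23 19:03:37.026401,  3] ../../source3/passdb/lookup_sid.c:1606(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for chris
[2020/09/23 19:03:37.029241,  3] ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296
[2020/09/23 19:03:37.029259,  3] ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5] status[NT_STATUS_FILE_CLOSED] || at ../../source3/smbd/smb2_server.c:2633
"""

def parse_records(text):
    """Attach each indented message line to the header that precedes it."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            rec = m.groupdict()
            rec["level"], rec["msg"] = int(rec["level"]), ""
            records.append(rec)
        elif line and records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def summarize(text):
    """Report the logged server role(s) and every NT_STATUS error in order."""
    records = parse_records(text)
    roles = sorted({m.group(1) for r in records if (m := ROLE.search(r["msg"]))})
    errors = []
    for r in records:
        m = STATUS.search(r["msg"])
        if m:
            errors.append({"ts": r["ts"], "status": m.group(1),
                           "raised_at": f"{m.group(2)}:{m.group(3)}"})
    return {"roles": roles, "errors": errors,
            "first_error": errors[0] if errors else None}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the sample, the first error reported is NT_STATUS_ACCESS_DENIED raised at smb2_create.c:296, which is the record to read backwards from when the log is long.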