[Samba] Problem with access to shares on 4.9.5 after upgrade DC to 4.17.12
Tomasz Majewski
tmajewski at gmail.com
Fri Jan 10 09:44:28 UTC 2025
Hi,
I have a domain controlled by Samba.
I have updated my two DCs from 4.9.5 -> 4.13.13 -> 4.17.12. After
that my win10 clients don't have access to shares served by two file
servers joined to the domain. There were no problems before.
Clients are joined to the domain too. Users can log in on machines
without problems. Only shares from the file servers are unavailable.
File servers have Samba 4.9.5 and are not updated yet! Could this be the cause?
Strange, but when I updated some of my win10 clients to 22H2, the updated
machines and other win10 clients without updates regained access to
shares. Maybe updates or time is a cure?
##############
My DC1 config:
[global]
netbios name = DC1
realm = MYDOMAIN.NET
workgroup = MYDOMAIN
dns forwarder = 10.10.10.10
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
interfaces = lo ens161
bind interfaces only = yes
log level = 1
[netlogon]
path = /var/lib/samba/sysvol/mydomain.net/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
##############
My DC2 config:
[global]
netbios name = DC2
realm = MYDOMAIN.NET
workgroup = MYDOMAIN
dns forwarder = 10.10.10.10
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/mydomain.net/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
##############
My file server (SMB2) config:
[global]
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.NET
username map = /etc/samba/user.map
log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOMAIN: backend = ad
idmap config MYDOMAIN: schema_mode = rfc2307
idmap config MYDOMAIN: range = 10000-999999
winbind use default domain = yes
winbind nss info = template
template shell = /bin/bash
template homedir = /mnt/samba/MYDOMAIN/%U
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
wins support = yes
local master = yes
preferred master = yes
domain master = yes
[users]
path = /mnt/samba/MYDOMAIN
read only = no
veto oplock files = /*.lock/*.tmp/*.TMP/
[tmp]
path = /mnt/samba/tmp
read only = no
[public]
path = /mnt/samba/public
read only = no
[apps]
path = /mnt/samba/apps
read only = no
[common]
path = /mnt/samba/common
read only = no
##############
Logs from one of my machines, which can't access shares after login:
[2025/01/10 08:12:44.367442, 2] ../source3/lib/interface.c:345(add_interface)
added interface ens192 ip=192.168.223.11 bcast=192.168.223.255
netmask=255.255.255.0
[2025/01/10 08:13:39.377068, 3] ../source3/smbd/oplock.c:1389(init_oplocks)
init_oplocks: initializing messages.
[2025/01/10 08:13:39.377222, 3] ../source3/smbd/process.c:1956(process_smb)
Transaction 0 of length 73 (0 toread)
[2025/01/10 08:13:39.377306, 3] ../source3/smbd/process.c:1543(switch_message)
switch message SMBnegprot (pid 8685) conn 0x0
[2025/01/10 08:13:39.378245, 3] ../source3/smbd/negprot.c:636(reply_negprot)
Requested protocol [NT LM 0.12]
[2025/01/10 08:13:39.378299, 3] ../source3/smbd/negprot.c:636(reply_negprot)
Requested protocol [SMB 2.002]
[2025/01/10 08:13:39.378391, 3] ../source3/smbd/negprot.c:636(reply_negprot)
Requested protocol [SMB 2.???]
[2025/01/10 08:13:39.378527, 3]
../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
Selected protocol SMB2_FF
[2025/01/10 08:13:39.379225, 3] ../source3/smbd/negprot.c:771(reply_negprot)
Selected protocol SMB 2.???
[2025/01/10 08:13:39.379614, 3]
../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
Selected protocol SMB3_11
[2025/01/10 08:13:39.389582, 3]
../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
Found account name from PAC: OPS2B$ []
[2025/01/10 08:13:39.389656, 3]
../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
Kerberos ticket principal name is [OPS2B$@MYDOMAIN.NET]
[2025/01/10 08:13:39.390061, 3] ../source3/param/loadparm.c:3872(lp_load_ex)
lp_load_ex: refreshing parameters
[2025/01/10 08:13:39.390173, 3] ../source3/param/loadparm.c:548(init_globals)
Initialising global parameters
[2025/01/10 08:13:39.390291, 3] ../source3/param/loadparm.c:2786(lp_do_section)
Processing section "[global]"
[2025/01/10 08:13:39.390529, 2] ../source3/param/loadparm.c:2803(lp_do_section)
Processing section "[users]"
[2025/01/10 08:13:39.390608, 2] ../source3/param/loadparm.c:2803(lp_do_section)
Processing section "[tmp]"
[2025/01/10 08:13:39.390661, 2] ../source3/param/loadparm.c:2803(lp_do_section)
Processing section "[public]"
[2025/01/10 08:13:39.390733, 2] ../source3/param/loadparm.c:2803(lp_do_section)
Processing section "[apps]"
[2025/01/10 08:13:39.390821, 2] ../source3/param/loadparm.c:2803(lp_do_section)
Processing section "[common]"
[2025/01/10 08:13:39.390918, 3] ../source3/param/loadparm.c:1621(lp_add_ipc)
adding IPC service
[2025/01/10 08:13:39.392271, 3]
../source3/smbd/password.c:133(register_homes_share)
Adding homes service for user 'MYDOMAIN\ops2b$' using home
directory: '/mnt/samba/MYDOMAIN/ops2b_'
[2025/01/10 08:13:39.393155, 3] ../lib/util/access.c:365(allow_access)
Allowed connection from 192.168.223.239 (192.168.223.239)
[2025/01/10 08:13:39.393265, 3]
../source3/smbd/service.c:603(make_connection_snum)
make_connection_snum: Connect path is '/tmp' for service [IPC$]
[2025/01/10 08:13:39.393357, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
Initialising default vfs hooks
[2025/01/10 08:13:39.393433, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [/[Default VFS]/]
[2025/01/10 08:13:39.393480, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [acl_xattr]
[2025/01/10 08:13:39.395430, 3]
../lib/util/modules.c:167(load_module_absolute_path)
load_module_absolute_path: Module
'/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so' loaded
[2025/01/10 08:13:39.395523, 2]
../source3/modules/vfs_acl_xattr.c:234(connect_acl_xattr)
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service IPC$
[2025/01/10 08:13:39.395663, 3]
../source3/smbd/service.c:849(make_connection_snum)
192.168.223.239 (ipv4:192.168.223.239:51373) connect to service IPC$
initially as user MYDOMAIN\ops2b$ (uid=20045, gid=10006) (pid 8685)
[2025/01/10 08:13:39.396450, 3] ../source3/smbd/msdfs.c:1063(get_referred_path)
get_referred_path: |users| in dfs path \smb2\users is not a dfs root.
[2025/01/10 08:13:39.396502, 3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312
[2025/01/10 08:13:39.472453, 3]
../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
Found account name from PAC: myuser [My User]
[2025/01/10 08:13:39.472521, 3]
../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
Kerberos ticket principal name is [myuser@MYDOMAIN.NET]
[2025/01/10 08:13:39.472824, 3] ../source3/param/loadparm.c:3872(lp_load_ex)
lp_load_ex: refreshing parameters
[2025/01/10 08:13:39.472904, 3] ../source3/param/loadparm.c:548(init_globals)
Initialising global parameters
[2025/01/10 08:13:39.472990, 3] ../source3/param/loadparm.c:2786(lp_do_section)
Processing section "[global]"
[2025/01/10 08:13:39.473174, 2] ../source3/param/loadparm.c:2803(lp_do_section)
Processing section "[users]"
[2025/01/10 08:13:39.473227, 2] ../source3/param/loadparm.c:2803(lp_do_section)
Processing section "[tmp]"
[2025/01/10 08:13:39.473290, 2] ../source3/param/loadparm.c:2803(lp_do_section)
Processing section "[public]"
[2025/01/10 08:13:39.473334, 2] ../source3/param/loadparm.c:2803(lp_do_section)
Processing section "[apps]"
[2025/01/10 08:13:39.473394, 2] ../source3/param/loadparm.c:2803(lp_do_section)
Processing section "[common]"
[2025/01/10 08:13:39.473458, 3] ../source3/param/loadparm.c:1621(lp_add_ipc)
adding IPC service
[2025/01/10 08:13:39.474652, 3]
../source3/smbd/password.c:133(register_homes_share)
Adding homes service for user 'MYDOMAIN\myuser' using home
directory: '/mnt/samba/MYDOMAIN/myuser'
[2025/01/10 08:13:39.475429, 3] ../lib/util/access.c:365(allow_access)
Allowed connection from 192.168.223.239 (192.168.223.239)
[2025/01/10 08:13:39.475526, 3]
../source3/smbd/service.c:603(make_connection_snum)
make_connection_snum: Connect path is '/mnt/samba/MYDOMAIN' for
service [users]
[2025/01/10 08:13:39.475585, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
Initialising default vfs hooks
[2025/01/10 08:13:39.475625, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [/[Default VFS]/]
[2025/01/10 08:13:39.475670, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [acl_xattr]
[2025/01/10 08:13:39.475714, 2]
../source3/modules/vfs_acl_xattr.c:234(connect_acl_xattr)
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service users
[2025/01/10 08:13:39.475834, 2]
../source3/smbd/service.c:849(make_connection_snum)
192.168.223.239 (ipv4:192.168.223.239:51373) connect to service
users initially as user MYDOMAIN\myuser (uid=10116, gid=10001) (pid
8685)
[2025/01/10 08:13:39.477054, 3]
../source3/smbd/filename.c:1425(get_real_filename_full_scan)
scan dir didn't open dir [OPS]
[2025/01/10 08:13:39.477114, 3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at
../source3/smbd/smb2_create.c:296
[2025/01/10 08:13:39.480321, 3]
../source3/smbd/filename.c:1425(get_real_filename_full_scan)
scan dir didn't open dir [OPS]
[...]
[2025/01/10 08:13:39.916912, 3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at
../source3/smbd/smb2_create.c:296
[2025/01/10 08:13:39.916936, 3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5]
status[NT_STATUS_FILE_CLOSED] || at ../source3/smbd/smb2_server.c:2599
[2025/01/10 08:13:39.917715, 3] ../lib/util/access.c:365(allow_access)
Allowed connection from 192.168.223.239 (192.168.223.239)
[2025/01/10 08:13:39.917776, 3]
../source3/smbd/service.c:603(make_connection_snum)
make_connection_snum: Connect path is '/tmp' for service [IPC$]
[2025/01/10 08:13:39.917798, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
Initialising default vfs hooks
[2025/01/10 08:13:39.917806, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [/[Default VFS]/]
[2025/01/10 08:13:39.917813, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [acl_xattr]
[2025/01/10 08:13:39.917823, 2]
../source3/modules/vfs_acl_xattr.c:234(connect_acl_xattr)
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service IPC$
[2025/01/10 08:13:39.917895, 3]
../source3/smbd/service.c:849(make_connection_snum)
192.168.223.239 (ipv4:192.168.223.239:51373) connect to service IPC$
initially as user MYDOMAIN\myuser (uid=10116, gid=10001) (pid 8685)
[2025/01/10 08:13:39.921999, 3] ../source3/smbd/msdfs.c:1063(get_referred_path)
get_referred_path: |public| in dfs path \SMB2\public is not a dfs root.
[2025/01/10 08:13:39.922017, 3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312
[2025/01/10 08:13:39.937889, 3] ../lib/util/access.c:365(allow_access)
Allowed connection from 192.168.223.239 (192.168.223.239)
[2025/01/10 08:13:39.937924, 3]
../source3/smbd/service.c:603(make_connection_snum)
make_connection_snum: Connect path is '/mnt/samba/public' for service [public]
[2025/01/10 08:13:39.937943, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
Initialising default vfs hooks
[2025/01/10 08:13:39.937951, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [/[Default VFS]/]
[2025/01/10 08:13:39.937962, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [acl_xattr]
[2025/01/10 08:13:39.937971, 2]
../source3/modules/vfs_acl_xattr.c:234(connect_acl_xattr)
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service public
[2025/01/10 08:13:39.938036, 2]
../source3/smbd/service.c:849(make_connection_snum)
192.168.223.239 (ipv4:192.168.223.239:51373) connect to service
public initially as user MYDOMAIN\myuser (uid=10116, gid=10001) (pid
8685)
[2025/01/10 08:13:39.942636, 3] ../source3/smbd/msdfs.c:1063(get_referred_path)
get_referred_path: |apps| in dfs path \SMB2\apps is not a dfs root.
[2025/01/10 08:13:39.942657, 3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312
[2025/01/10 08:13:39.952389, 3] ../lib/util/access.c:365(allow_access)
Allowed connection from 192.168.223.239 (192.168.223.239)
[2025/01/10 08:13:39.952424, 3]
../source3/smbd/service.c:603(make_connection_snum)
make_connection_snum: Connect path is '/mnt/samba/apps' for service [apps]
[2025/01/10 08:13:39.952449, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
Initialising default vfs hooks
[2025/01/10 08:13:39.952458, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [/[Default VFS]/]
[2025/01/10 08:13:39.952465, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [acl_xattr]
[2025/01/10 08:13:39.952476, 2]
../source3/modules/vfs_acl_xattr.c:234(connect_acl_xattr)
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service apps
[2025/01/10 08:13:39.952543, 2]
../source3/smbd/service.c:849(make_connection_snum)
192.168.223.239 (ipv4:192.168.223.239:51373) connect to service apps
initially as user MYDOMAIN\myuser (uid=10116, gid=10001) (pid 8685)
[2025/01/10 08:13:39.960794, 3]
../source3/smbd/service.c:156(chdir_current_service)
chdir (/mnt/samba/apps) failed, reason: Brak dostępu
[2025/01/10 08:13:39.960851, 0]
../source3/smbd/uid.c:453(change_to_user_internal)
change_to_user_internal: chdir_current_service() failed!
[2025/01/10 08:13:39.960890, 3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at
../source3/smbd/smb2_server.c:2522
[2025/01/10 08:13:39.960905, 3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5]
status[NT_STATUS_NETWORK_NAME_DELETED] || at
../source3/smbd/smb2_server.c:2522
[2025/01/10 08:13:39.961440, 3] ../lib/util/access.c:365(allow_access)
Allowed connection from 192.168.223.239 (192.168.223.239)
[2025/01/10 08:13:39.961486, 3]
../source3/smbd/service.c:603(make_connection_snum)
make_connection_snum: Connect path is '/mnt/samba/apps' for service [apps]
[2025/01/10 08:13:39.961506, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
Initialising default vfs hooks
[2025/01/10 08:13:39.961513, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [/[Default VFS]/]
[2025/01/10 08:13:39.961520, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [acl_xattr]
[2025/01/10 08:13:39.961528, 2]
../source3/modules/vfs_acl_xattr.c:234(connect_acl_xattr)
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service apps
[2025/01/10 08:13:39.961602, 2]
../source3/smbd/service.c:849(make_connection_snum)
192.168.223.239 (ipv4:192.168.223.239:51373) connect to service apps
initially as user MYDOMAIN\myuser (uid=10116, gid=10001) (pid 8685)
[2025/01/10 08:13:39.962052, 3]
../source3/smbd/service.c:156(chdir_current_service)
chdir (/mnt/samba/apps) failed, reason: Brak dostępu
[2025/01/10 08:13:39.962069, 0]
../source3/smbd/uid.c:453(change_to_user_internal)
change_to_user_internal: chdir_current_service() failed!
[2025/01/10 08:13:39.962090, 3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at
../source3/smbd/smb2_server.c:2522
[2025/01/10 08:13:39.966997, 3] ../source3/smbd/msdfs.c:1063(get_referred_path)
get_referred_path: |tmp| in dfs path \SMB2\tmp is not a dfs root.
[2025/01/10 08:13:39.967017, 3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312
[2025/01/10 08:13:39.995888, 3] ../lib/util/access.c:365(allow_access)
Allowed connection from 192.168.223.239 (192.168.223.239)
[2025/01/10 08:13:39.995937, 3]
../source3/smbd/service.c:603(make_connection_snum)
make_connection_snum: Connect path is '/mnt/samba/tmp' for service [tmp]
[...]
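
Added example, not part of the original post: a small triage script for smbd logs in the format shown above. It re-joins the mail-wrapped records and ties each `chdir ... failed` and `NT_STATUS_*` error to the account and uid/gid that smbd mapped for the session. The function names and the attribution heuristic are assumptions of this example; the sample lines are abridged from the log in this post.

```python
import re
from collections import Counter

# Abridged from the log in this post, with the mail-wrapped lines kept as posted.
SAMPLE = r"""
[2025/01/10 08:13:39.952543, 2]
../source3/smbd/service.c:849(make_connection_snum)
192.168.223.239 (ipv4:192.168.223.239:51373) connect to service apps
initially as user MYDOMAIN\myuser (uid=10116, gid=10001) (pid 8685)
[2025/01/10 08:13:39.960794, 3]
../source3/smbd/service.c:156(chdir_current_service)
chdir (/mnt/samba/apps) failed, reason: Brak dostępu
[2025/01/10 08:13:39.960890, 3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at
../source3/smbd/smb2_server.c:2522
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
CONNECT = re.compile(r"connect to service (\S+) initially as user (\S+) "
                     r"\(uid=(\d+), gid=(\d+)\)")
CHDIR = re.compile(r"chdir \((.+?)\) failed, reason: (.+)$")
STATUS = re.compile(r"status\[(NT_STATUS_\w+)\]")

def records(text):
    """Re-join wrapped lines: a record runs from one timestamp header to the next."""
    rec = None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            if rec:
                yield rec
            rec = {"ts": m.group(1), "level": int(m.group(2)), "msg": m.group(3)}
        elif rec and line.strip():
            rec["msg"] = (rec["msg"] + " " + line.strip()).strip()
    if rec:
        yield rec

def triage(text):
    """Attribute chdir failures and NT_STATUS errors to the most recent connect
    record (a heuristic; it holds for a single-session log like this one)."""
    session, chdir_failures, statuses = None, [], Counter()
    for rec in records(text):
        if (m := CONNECT.search(rec["msg"])):
            session = dict(zip(("service", "user", "uid", "gid"), m.groups()))
        elif (m := CHDIR.search(rec["msg"])) and session:
            chdir_failures.append({**session, "path": m.group(1), "reason": m.group(2)})
        elif (m := STATUS.search(rec["msg"])) and session:
            statuses[(session["service"], m.group(1))] += 1
    return chdir_failures, statuses

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The uid/gid pairs it reports are the ones to compare against the ownership and mode of the share path on the file server.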