[Samba] Problem with access to shares on 4.9.5 after upgrade DC to 4.17.12

Tomasz Majewski tmajewski at gmail.com
Fri Jan 10 09:44:28 UTC 2025


Hi,
I have a domain controlled by Samba.

I have updated my two DCs from 4.9.5 -> 4.13.13 -> 4.17.12. After
that my win10 clients don't have access to shares served by two file
servers joined to the domain. There were no problems before.

Clients are joined to the domain too. Users can log in on machines
without problem. Only shares from file servers are unavailable.

File servers have samba 4.9.5 and are not updated yet! Could this be the cause?

Strange, but when I updated some of my win10 clients to 22H2, the updated
machines and other win10 clients without updates regained access to
shares. Maybe updates or time is a cure?

##############
My DC1 config:
[global]
        netbios name = DC1
        realm = MYDOMAIN.NET
        workgroup = MYDOMAIN
        dns forwarder = 10.10.10.10
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        interfaces = lo ens161
        bind interfaces only = yes
        log level = 1

[netlogon]
        path = /var/lib/samba/sysvol/mydomain.net/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

##############
My DC2 config:
[global]
        netbios name = DC2
        realm = MYDOMAIN.NET
        workgroup = MYDOMAIN
        dns forwarder = 10.10.10.10
        server role = active directory domain controller
        idmap_ldb:use rfc2307  = yes

[netlogon]
        path = /var/lib/samba/sysvol/mydomain.net/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No


##############
My file server (SMB2) config:
[global]
    security = ADS
    workgroup = MYDOMAIN
    realm = MYDOMAIN.NET
    username map = /etc/samba/user.map
    log file = /var/log/samba/%m.log
    log level = 1

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    idmap config MYDOMAIN: backend = ad
    idmap config MYDOMAIN: schema_mode = rfc2307
    idmap config MYDOMAIN: range = 10000-999999

    winbind use default domain = yes

    winbind nss info = template
    template shell = /bin/bash
    template homedir = /mnt/samba/MYDOMAIN/%U

    winbind enum users = yes
    winbind enum groups = yes

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    wins support = yes
    local master = yes
    preferred master = yes
    domain master = yes

[users]
    path = /mnt/samba/MYDOMAIN
    read only = no
    veto oplock files = /*.lock/*.tmp/*.TMP/

[tmp]
    path = /mnt/samba/tmp
    read only = no

[public]
    path = /mnt/samba/public
    read only = no

[apps]
    path = /mnt/samba/apps
    read only = no

[common]
    path = /mnt/samba/common
    read only = no


##############
Logs from one of my machines, which can't access shares after login:

[2025/01/10 08:12:44.367442,  2] ../source3/lib/interface.c:345(add_interface)
  added interface ens192 ip=192.168.223.11 bcast=192.168.223.255
netmask=255.255.255.0
[2025/01/10 08:13:39.377068,  3] ../source3/smbd/oplock.c:1389(init_oplocks)
  init_oplocks: initializing messages.
[2025/01/10 08:13:39.377222,  3] ../source3/smbd/process.c:1956(process_smb)
  Transaction 0 of length 73 (0 toread)
[2025/01/10 08:13:39.377306,  3] ../source3/smbd/process.c:1543(switch_message)
  switch message SMBnegprot (pid 8685) conn 0x0
[2025/01/10 08:13:39.378245,  3] ../source3/smbd/negprot.c:636(reply_negprot)
  Requested protocol [NT LM 0.12]
[2025/01/10 08:13:39.378299,  3] ../source3/smbd/negprot.c:636(reply_negprot)
  Requested protocol [SMB 2.002]
[2025/01/10 08:13:39.378391,  3] ../source3/smbd/negprot.c:636(reply_negprot)
  Requested protocol [SMB 2.???]
[2025/01/10 08:13:39.378527,  3]
../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_FF
[2025/01/10 08:13:39.379225,  3] ../source3/smbd/negprot.c:771(reply_negprot)
  Selected protocol SMB 2.???
[2025/01/10 08:13:39.379614,  3]
../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
  Selected protocol SMB3_11
[2025/01/10 08:13:39.389582,  3]
../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
  Found account name from PAC: OPS2B$ []
[2025/01/10 08:13:39.389656,  3]
../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [OPS2B$@MYDOMAIN.NET]
[2025/01/10 08:13:39.390061,  3] ../source3/param/loadparm.c:3872(lp_load_ex)
  lp_load_ex: refreshing parameters
[2025/01/10 08:13:39.390173,  3] ../source3/param/loadparm.c:548(init_globals)
  Initialising global parameters
[2025/01/10 08:13:39.390291,  3] ../source3/param/loadparm.c:2786(lp_do_section)
  Processing section "[global]"
[2025/01/10 08:13:39.390529,  2] ../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[users]"
[2025/01/10 08:13:39.390608,  2] ../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[tmp]"
[2025/01/10 08:13:39.390661,  2] ../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[public]"
[2025/01/10 08:13:39.390733,  2] ../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[apps]"
[2025/01/10 08:13:39.390821,  2] ../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[common]"
[2025/01/10 08:13:39.390918,  3] ../source3/param/loadparm.c:1621(lp_add_ipc)
  adding IPC service
[2025/01/10 08:13:39.392271,  3]
../source3/smbd/password.c:133(register_homes_share)
  Adding homes service for user 'MYDOMAIN\ops2b$' using home
directory: '/mnt/samba/MYDOMAIN/ops2b_'
[2025/01/10 08:13:39.393155,  3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 192.168.223.239 (192.168.223.239)
[2025/01/10 08:13:39.393265,  3]
../source3/smbd/service.c:603(make_connection_snum)
  make_connection_snum: Connect path is '/tmp' for service [IPC$]
[2025/01/10 08:13:39.393357,  3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2025/01/10 08:13:39.393433,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2025/01/10 08:13:39.393480,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2025/01/10 08:13:39.395430,  3]
../lib/util/modules.c:167(load_module_absolute_path)
  load_module_absolute_path: Module
'/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so' loaded
[2025/01/10 08:13:39.395523,  2]
../source3/modules/vfs_acl_xattr.c:234(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service IPC$
[2025/01/10 08:13:39.395663,  3]
../source3/smbd/service.c:849(make_connection_snum)
  192.168.223.239 (ipv4:192.168.223.239:51373) connect to service IPC$
initially as user MYDOMAIN\ops2b$ (uid=20045, gid=10006) (pid 8685)
[2025/01/10 08:13:39.396450,  3] ../source3/smbd/msdfs.c:1063(get_referred_path)
  get_referred_path: |users| in dfs path \smb2\users is not a dfs root.
[2025/01/10 08:13:39.396502,  3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312
[2025/01/10 08:13:39.472453,  3]
../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
  Found account name from PAC: myuser [My User]
[2025/01/10 08:13:39.472521,  3]
../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [myuser at MYDOMAIN.NET]
[2025/01/10 08:13:39.472824,  3] ../source3/param/loadparm.c:3872(lp_load_ex)
  lp_load_ex: refreshing parameters
[2025/01/10 08:13:39.472904,  3] ../source3/param/loadparm.c:548(init_globals)
  Initialising global parameters
[2025/01/10 08:13:39.472990,  3] ../source3/param/loadparm.c:2786(lp_do_section)
  Processing section "[global]"
[2025/01/10 08:13:39.473174,  2] ../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[users]"
[2025/01/10 08:13:39.473227,  2] ../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[tmp]"
[2025/01/10 08:13:39.473290,  2] ../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[public]"
[2025/01/10 08:13:39.473334,  2] ../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[apps]"
[2025/01/10 08:13:39.473394,  2] ../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[common]"
[2025/01/10 08:13:39.473458,  3] ../source3/param/loadparm.c:1621(lp_add_ipc)
  adding IPC service
[2025/01/10 08:13:39.474652,  3]
../source3/smbd/password.c:133(register_homes_share)
  Adding homes service for user 'MYDOMAIN\myuser' using home
directory: '/mnt/samba/MYDOMAIN/myuser'
[2025/01/10 08:13:39.475429,  3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 192.168.223.239 (192.168.223.239)
[2025/01/10 08:13:39.475526,  3]
../source3/smbd/service.c:603(make_connection_snum)
  make_connection_snum: Connect path is '/mnt/samba/MYDOMAIN' for
service [users]
[2025/01/10 08:13:39.475585,  3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2025/01/10 08:13:39.475625,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2025/01/10 08:13:39.475670,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2025/01/10 08:13:39.475714,  2]
../source3/modules/vfs_acl_xattr.c:234(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service users
[2025/01/10 08:13:39.475834,  2]
../source3/smbd/service.c:849(make_connection_snum)
  192.168.223.239 (ipv4:192.168.223.239:51373) connect to service
users initially as user MYDOMAIN\myuser (uid=10116, gid=10001) (pid
8685)
[2025/01/10 08:13:39.477054,  3]
../source3/smbd/filename.c:1425(get_real_filename_full_scan)
  scan dir didn't open dir [OPS]
[2025/01/10 08:13:39.477114,  3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at
../source3/smbd/smb2_create.c:296
[2025/01/10 08:13:39.480321,  3]
../source3/smbd/filename.c:1425(get_real_filename_full_scan)
  scan dir didn't open dir [OPS]

[...]

[2025/01/10 08:13:39.916912,  3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at
../source3/smbd/smb2_create.c:296
[2025/01/10 08:13:39.916936,  3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5]
status[NT_STATUS_FILE_CLOSED] || at ../source3/smbd/smb2_server.c:2599
[2025/01/10 08:13:39.917715,  3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 192.168.223.239 (192.168.223.239)
[2025/01/10 08:13:39.917776,  3]
../source3/smbd/service.c:603(make_connection_snum)
  make_connection_snum: Connect path is '/tmp' for service [IPC$]
[2025/01/10 08:13:39.917798,  3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2025/01/10 08:13:39.917806,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2025/01/10 08:13:39.917813,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2025/01/10 08:13:39.917823,  2]
../source3/modules/vfs_acl_xattr.c:234(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service IPC$
[2025/01/10 08:13:39.917895,  3]
../source3/smbd/service.c:849(make_connection_snum)
  192.168.223.239 (ipv4:192.168.223.239:51373) connect to service IPC$
initially as user MYDOMAIN\myuser (uid=10116, gid=10001) (pid 8685)
[2025/01/10 08:13:39.921999,  3] ../source3/smbd/msdfs.c:1063(get_referred_path)
  get_referred_path: |public| in dfs path \SMB2\public is not a dfs root.
[2025/01/10 08:13:39.922017,  3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312
[2025/01/10 08:13:39.937889,  3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 192.168.223.239 (192.168.223.239)
[2025/01/10 08:13:39.937924,  3]
../source3/smbd/service.c:603(make_connection_snum)
  make_connection_snum: Connect path is '/mnt/samba/public' for service [public]
[2025/01/10 08:13:39.937943,  3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2025/01/10 08:13:39.937951,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2025/01/10 08:13:39.937962,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2025/01/10 08:13:39.937971,  2]
../source3/modules/vfs_acl_xattr.c:234(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service public
[2025/01/10 08:13:39.938036,  2]
../source3/smbd/service.c:849(make_connection_snum)
  192.168.223.239 (ipv4:192.168.223.239:51373) connect to service
public initially as user MYDOMAIN\myuser (uid=10116, gid=10001) (pid
8685)
[2025/01/10 08:13:39.942636,  3] ../source3/smbd/msdfs.c:1063(get_referred_path)
  get_referred_path: |apps| in dfs path \SMB2\apps is not a dfs root.
[2025/01/10 08:13:39.942657,  3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312
[2025/01/10 08:13:39.952389,  3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 192.168.223.239 (192.168.223.239)
[2025/01/10 08:13:39.952424,  3]
../source3/smbd/service.c:603(make_connection_snum)
  make_connection_snum: Connect path is '/mnt/samba/apps' for service [apps]
[2025/01/10 08:13:39.952449,  3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2025/01/10 08:13:39.952458,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2025/01/10 08:13:39.952465,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2025/01/10 08:13:39.952476,  2]
../source3/modules/vfs_acl_xattr.c:234(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service apps
[2025/01/10 08:13:39.952543,  2]
../source3/smbd/service.c:849(make_connection_snum)
  192.168.223.239 (ipv4:192.168.223.239:51373) connect to service apps
initially as user MYDOMAIN\myuser (uid=10116, gid=10001) (pid 8685)
[2025/01/10 08:13:39.960794,  3]
../source3/smbd/service.c:156(chdir_current_service)
  chdir (/mnt/samba/apps) failed, reason: Brak dostępu
[2025/01/10 08:13:39.960851,  0]
../source3/smbd/uid.c:453(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2025/01/10 08:13:39.960890,  3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at
../source3/smbd/smb2_server.c:2522
[2025/01/10 08:13:39.960905,  3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5]
status[NT_STATUS_NETWORK_NAME_DELETED] || at
../source3/smbd/smb2_server.c:2522
[2025/01/10 08:13:39.961440,  3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 192.168.223.239 (192.168.223.239)
[2025/01/10 08:13:39.961486,  3]
../source3/smbd/service.c:603(make_connection_snum)
  make_connection_snum: Connect path is '/mnt/samba/apps' for service [apps]
[2025/01/10 08:13:39.961506,  3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2025/01/10 08:13:39.961513,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2025/01/10 08:13:39.961520,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2025/01/10 08:13:39.961528,  2]
../source3/modules/vfs_acl_xattr.c:234(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service apps
[2025/01/10 08:13:39.961602,  2]
../source3/smbd/service.c:849(make_connection_snum)
  192.168.223.239 (ipv4:192.168.223.239:51373) connect to service apps
initially as user MYDOMAIN\myuser (uid=10116, gid=10001) (pid 8685)
[2025/01/10 08:13:39.962052,  3]
../source3/smbd/service.c:156(chdir_current_service)
  chdir (/mnt/samba/apps) failed, reason: Brak dostępu
[2025/01/10 08:13:39.962069,  0]
../source3/smbd/uid.c:453(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2025/01/10 08:13:39.962090,  3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at
../source3/smbd/smb2_server.c:2522
[2025/01/10 08:13:39.966997,  3] ../source3/smbd/msdfs.c:1063(get_referred_path)
  get_referred_path: |tmp| in dfs path \SMB2\tmp is not a dfs root.
[2025/01/10 08:13:39.967017,  3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312
[2025/01/10 08:13:39.995888,  3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 192.168.223.239 (192.168.223.239)
[2025/01/10 08:13:39.995937,  3]
../source3/smbd/service.c:603(make_connection_snum)
  make_connection_snum: Connect path is '/mnt/samba/tmp' for service [tmp]
[...]


