After update: partially no access to home shares

Hi,
yesterday I updated our domain to 4.4-8 errata1111. Since then, access to our home shares is not working as it should.

Home shares on all DCs are fully accessible. Home shares on member/file servers are only accessible if accessed through Windows. The problem is access via Ubuntu/Linux. In that case it is possible to log in to the share / mount it, but access to the content of the share will be denied.

I tried to access it by mounting a cifs partition and by using smbclient. In both cases access will work initially. For example, if I want to list all files, smbclient will give me the message

NT_STATUS_ACCESS_DENIED listing *

The faulty shares have the same access rights and the same ACLs as the working shares on the DCs.
The Samba log file shows that logging into the server worked, but I could not see any error that could explain the problem.

[2021/11/29 15:33:31.825020,  4] ../../source3/auth/pampass.c:586(smb_pam_account)
  smb_pam_account: PAM: Account OK for User: domuser
[2021/11/29 15:33:31.825527,  4] ../../source3/auth/pampass.c:465(smb_pam_end)
  smb_pam_end: PAM: PAM_END OK.
[2021/11/29 15:33:31.825542,  4] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/11/29 15:33:31.825549,  5] ../../source3/auth/auth.c:283(auth_check_ntlm_password)
  check_ntlm_password:  PAM Account for user [domuser] succeeded
[2021/11/29 15:33:31.825565,  3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [DOM1]\[domuser] at [Mo, 29 Nov 2021 15:33:31.825555 CET] with [NTLMv2] status [NT_STATUS_OK] workstation [WS1] remote host [ipv4:10.41.1.5:48998] became [DOM1]\[domuser] [S-1-5-21-1586173969-466029875-1045404465-1482]. local host [ipv4:172.16.0.20:445] 
  {"timestamp": "2021-11-29T15:33:31.825635+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4624, "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:172.16.0.20:445", "remoteAddress": "ipv4:10.41.1.5:48998", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "DOM1", "clientAccount": "domuser", "workstation": "WS1", "becameAccount": "domuser", "becameDomain": "DOM1", "becameSid": "S-1-5-21-1586173969-466029875-1045404465-1482", "mappedAccount": "domuser", "mappedDomain": "DOM1", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 159817}}
[2021/11/29 15:33:31.825677,  2] ../../source3/auth/auth.c:316(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [domuser] -> [domuser] -> [domuser] succeeded
[2021/11/29 15:33:31.825696,  4] ../../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2021/11/29 15:33:31.825702,  4] ../../source3/smbd/uid.c:576(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2021/11/29 15:33:31.825707,  4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/11/29 15:33:31.825711,  5] ../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2021/11/29 15:33:31.825716,  5] ../../source3/auth/token_util.c:866(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2021/11/29 15:33:31.825765,  4] ../../source3/passdb/pdb_tdb.c:558(tdbsam_open)
  tdbsam_open: successfully opened /var/lib/samba/private/passdb.tdb
[2021/11/29 15:33:31.825775,  5] ../../source3/passdb/pdb_tdb.c:600(tdbsam_getsampwnam)
  pdb_getsampwnam (TDB): error fetching database.
   Key: USER_domuser
[2021/11/29 15:33:31.825785,  4] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/11/29 15:33:31.825791,  4] ../../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2021/11/29 15:33:31.825796,  4] ../../source3/smbd/uid.c:576(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2021/11/29 15:33:31.825800,  4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/11/29 15:33:31.825804,  5] ../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
  

[.....]


[2021/11/29 15:33:31.828737,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
  Successful AuthZ: [SMB2,NTLMSSP] user [DOM1]\[domuser] [S-1-22-1-2347] at [Mo, 29 Nov 2021 15:33:31.828732 CET] Remote host [ipv4:10.41.1.5:48998] local host [ipv4:172.16.0.20:445]
  {"timestamp": "2021-11-29T15:33:31.828752+0100", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "localAddress": "ipv4:172.16.0.20:445", "remoteAddress": "ipv4:10.41.1.5:48998", "serviceDescription": "SMB2", "authType": "NTLMSSP", "domain": "DOM1", "account": "domuser", "sid": "S-1-22-1-2347", "sessionId": "bb35b8c7-b600-40f3-adf2-3477071ad447", "logonServer": "SCOTTY", "transportProtection": "SMB", "accountFlags": "0x00000010"}}
[2021/11/29 15:33:31.828800,  5] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user domuser
[2021/11/29 15:33:31.828806,  5] ../../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is domuser
[2021/11/29 15:33:31.828812,  5] ../../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [domuser]!
[2021/11/29 15:33:31.828820,  3] ../../source3/smbd/password.c:140(register_homes_share)
  Adding homes service for user 'domuser' using home directory: '/mnt/samba/domuser'
[2021/11/29 15:33:31.828849,  3] ../../source3/param/loadparm.c:1579(lp_add_home)
  adding home's share [domuser] for user 'domuser' at '/mnt/samba/domuser'
[2021/11/29 15:33:31.828859,  5] ../../lib/util/debug.c:800(debug_dump_status)
  INFO: Current debug levels:
    all: 5
    
    
[....]


[2021/11/29 15:33:31.828977,  4] ../../source3/auth/pampass.c:483(smb_pam_start)
  smb_pam_start: PAM: Init user: domuser
[2021/11/29 15:33:31.837272,  4] ../../source3/auth/pampass.c:492(smb_pam_start)
  smb_pam_start: PAM: setting rhost to: 10.41.1.5
[2021/11/29 15:33:31.837283,  4] ../../source3/auth/pampass.c:501(smb_pam_start)
  smb_pam_start: PAM: setting tty
[2021/11/29 15:33:31.837288,  4] ../../source3/auth/pampass.c:509(smb_pam_start)
  smb_pam_start: PAM: Init passed for user: domuser
[2021/11/29 15:33:31.837292,  4] ../../source3/auth/pampass.c:646(smb_internal_pam_session)
  smb_internal_pam_session: PAM: tty set to: smb/568379371
[2021/11/29 15:33:31.880218,  5] ../../source3/smbd/uid.c:326(change_to_user_impersonate)
  change_to_user_impersonate: Skipping user change - already user
[2021/11/29 15:33:31.880260,  5] ../../source3/smbd/uid.c:300(print_impersonation_info)
  print_impersonation_info: Impersonated user: uid=(3532,3532), gid=(0,5001), cwd=[/mnt/samba/public]
[2021/11/29 15:33:31.880276,  5] ../../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
  dbwrap_lock_order_lock: check lock order 1 for /var/run/samba/locking.tdb
[2021/11/29 15:33:31.880341,  5] ../../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
  dbwrap_lock_order_unlock: release lock order 1 for /var/run/samba/locking.tdb
  
  
[.....]



[2021/11/29 15:33:31.979581,  5] ../../source3/smbd/uid.c:300(print_impersonation_info)
  print_impersonation_info: Impersonated user: uid=(2347,2347), gid=(0,5001), cwd=[/mnt/samba/domuser]
[2021/11/29 15:33:31.979597,  3] ../../source3/smbd/smb2_notify.c:253(smbd_smb2_notify_send)
  smbd_smb2_notify_send: notify change called on ., filter = FILE_NAME|ATTRIBUTES|LAST_WRITE, recursive = 0
[2021/11/29 15:33:32.017535,  4] ../../source3/auth/pampass.c:465(smb_pam_end)
  smb_pam_end: PAM: PAM_END OK.
[2021/11/29 15:33:32.017580,  5] ../../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
  dbwrap_lock_order_lock: check lock order 1 for /var/run/samba/smbXsrv_session_global.tdb
[2021/11/29 15:33:32.017640,  5] ../../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
  dbwrap_lock_order_unlock: release lock order 1 for /var/run/samba/smbXsrv_session_global.tdb
[2021/11/29 15:33:32.017661,  5] ../../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)
  signed SMB2 message
[2021/11/29 15:33:32.039238,  5] ../../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
  dbwrap_lock_order_lock: check lock order 1 for /var/run/samba/smbXsrv_session_global.tdb
[2021/11/29 15:33:32.039268,  5] ../../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
  dbwrap_lock_order_unlock: release lock order 1 for /var/run/samba/smbXsrv_session_global.tdb
[2021/11/29 15:33:32.039277,  4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2021/11/29 15:33:32.039290,  5] ../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2021/11/29 15:33:32.039296,  5] ../../source3/auth/token_util.c:866(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2021/11/29 15:33:32.039313,  5] ../../source3/smbd/uid.c:504(smbd_change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2021/11/29 15:33:32.039337,  5] ../../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
  dbwrap_lock_order_lock: check lock order 1 for /var/run/samba/smbXsrv_tcon_global.tdb
[2021/11/29 15:33:32.039368,  5] ../../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
  dbwrap_lock_order_unlock: release lock order 1 for /var/run/samba/smbXsrv_tcon_global.tdb
[2021/11/29 15:33:32.039380,  3] ../../lib/util/access.c:365(allow_access)
  Allowed connection from 10.41.1.5 (10.41.1.5)
[2021/11/29 15:33:32.039422,  3] ../../source3/smbd/service.c:605(make_connection_snum)
  make_connection_snum: Connect path is '/mnt/samba/domuser' for service [domuser]
[2021/11/29 15:33:32.039462,  3] ../../source3/smbd/vfs.c:114(vfs_init_default)
  Initialising default vfs hooks
[2021/11/29 15:33:32.039474,  5] ../../source3/smbd/vfs.c:104(smb_register_vfs)
  Successfully added vfs backend '/[Default VFS]/'
[2021/11/29 15:33:32.039482,  5] ../../source3/smbd/vfs.c:104(smb_register_vfs)
  Successfully added vfs backend 'vfs_not_implemented'
[2021/11/29 15:33:32.039487,  5] ../../source3/smbd/vfs.c:104(smb_register_vfs)
  Successfully added vfs backend 'posixacl'
[2021/11/29 15:33:32.039491,  3] ../../source3/smbd/vfs.c:140(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
  Successfully loaded vfs module [/[Default VFS]/] with the new modules system
[2021/11/29 15:33:32.039498,  3] ../../source3/smbd/vfs.c:140(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2021/11/29 15:33:32.039503,  5] ../../source3/smbd/vfs.c:180(vfs_init_custom)
  vfs module [acl_xattr] not loaded - trying to load...
[2021/11/29 15:33:32.039509,  5] ../../lib/util/modules.c:160(load_module_absolute_path)
  load_module_absolute_path: Loading module '/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so'
[2021/11/29 15:33:32.046980,  3] ../../lib/util/modules.c:167(load_module_absolute_path)
  load_module_absolute_path: Module '/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so' loaded
[2021/11/29 15:33:32.046991,  5] ../../source3/smbd/vfs.c:104(smb_register_vfs)
  Successfully added vfs backend 'acl_xattr'
  Successfully loaded vfs module [acl_xattr] with the new modules system
[2021/11/29 15:33:32.047007,  2] ../../source3/modules/vfs_acl_xattr.c:233(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service domuser

Any tips on how I can isolate and fix the problem?
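One way to isolate this from the log alone is to pull the structured records out of it and compare the SID the user authenticated as with the SID the session was authorized as. In the log above, the Authentication record's becameSid is the domain SID (S-1-5-21-...-1482), while the Authorization record's sid is S-1-22-1-2347, which is in the namespace Samba uses for local Unix uids, and 2347 is exactly the uid shown later by print_impersonation_info. The script below is an added example written for this thread, not Samba's code or anything from the original post; the three records in SAMPLE_LOG are copied (shortened) from the log posted above, and the namespace labels ("domain", "unix-user") are this example's own naming.

```python
import json
import re

# Three records copied (shortened) from the smbd log posted in this thread:
# the Authentication JSON, the Authorization JSON and one impersonation line.
SAMPLE_LOG = r"""
[2021/11/29 15:33:31.825565,  3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [DOM1]\[domuser] at [Mo, 29 Nov 2021 15:33:31.825555 CET] with [NTLMv2] status [NT_STATUS_OK] workstation [WS1] remote host [ipv4:10.41.1.5:48998] became [DOM1]\[domuser] [S-1-5-21-1586173969-466029875-1045404465-1482]. local host [ipv4:172.16.0.20:445]
  {"timestamp": "2021-11-29T15:33:31.825635+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4624, "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:172.16.0.20:445", "remoteAddress": "ipv4:10.41.1.5:48998", "serviceDescription": "SMB2", "clientDomain": "DOM1", "clientAccount": "domuser", "workstation": "WS1", "becameAccount": "domuser", "becameDomain": "DOM1", "becameSid": "S-1-5-21-1586173969-466029875-1045404465-1482", "mappedAccount": "domuser", "mappedDomain": "DOM1", "passwordType": "NTLMv2"}}
[2021/11/29 15:33:31.828737,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
  Successful AuthZ: [SMB2,NTLMSSP] user [DOM1]\[domuser] [S-1-22-1-2347] at [Mo, 29 Nov 2021 15:33:31.828732 CET] Remote host [ipv4:10.41.1.5:48998] local host [ipv4:172.16.0.20:445]
  {"timestamp": "2021-11-29T15:33:31.828752+0100", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "localAddress": "ipv4:172.16.0.20:445", "remoteAddress": "ipv4:10.41.1.5:48998", "serviceDescription": "SMB2", "authType": "NTLMSSP", "domain": "DOM1", "account": "domuser", "sid": "S-1-22-1-2347", "sessionId": "bb35b8c7-b600-40f3-adf2-3477071ad447", "logonServer": "SCOTTY", "transportProtection": "SMB", "accountFlags": "0x00000010"}}
[2021/11/29 15:33:31.979581,  5] ../../source3/smbd/uid.c:300(print_impersonation_info)
  print_impersonation_info: Impersonated user: uid=(2347,2347), gid=(0,5001), cwd=[/mnt/samba/domuser]
"""

# smbd prints (real,effective) ids; the group is captured so the values stay together.
IMPERSONATION_RE = re.compile(
    r"Impersonated user: uid=\((\d+),(\d+)\), gid=\((\d+),(\d+)\), cwd=\[([^\]]*)\]"
)


def sid_namespace(sid):
    """Classify a SID by prefix. The labels are this example's own shorthand."""
    if sid.startswith("S-1-5-21-"):
        return "domain"        # a domain (or local machine) account SID
    if sid.startswith("S-1-22-1-"):
        return "unix-user"     # Samba's namespace for a local Unix uid
    if sid.startswith("S-1-22-2-"):
        return "unix-group"    # Samba's namespace for a local Unix gid
    return "other"


def parse_events(log_text):
    """Extract the JSON audit records and the impersonation lines from an smbd log."""
    events = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("{"):
            rec = json.loads(line)
            kind = rec.get("type")
            events.append({"kind": kind, "timestamp": rec.get("timestamp"), **rec.get(kind, {})})
            continue
        m = IMPERSONATION_RE.search(line)
        if m:
            uid_r, uid_e, gid_r, gid_e, cwd = m.groups()
            events.append({"kind": "Impersonation",
                           "uid": (int(uid_r), int(uid_e)),
                           "gid": (int(gid_r), int(gid_e)),
                           "cwd": cwd})
    return events


def triage(events):
    """Compare the authenticated SID with the authorized session SID and report mismatches."""
    auth = next((e for e in events if e["kind"] == "Authentication"), None)
    authz = next((e for e in events if e["kind"] == "Authorization"), None)
    imps = [e for e in events if e["kind"] == "Impersonation"]
    auth_sid = auth.get("becameSid") if auth else None
    authz_sid = authz.get("sid") if authz else None
    findings = []
    if auth and auth.get("status") != "NT_STATUS_OK":
        findings.append(f"authentication failed with {auth.get('status')}")
    if auth_sid and authz_sid and sid_namespace(auth_sid) != sid_namespace(authz_sid):
        findings.append(
            f"authenticated as {auth_sid} ({sid_namespace(auth_sid)}) but session "
            f"authorized as {authz_sid} ({sid_namespace(authz_sid)})"
        )
    return {"auth_sid": auth_sid, "authz_sid": authz_sid,
            "impersonations": imps, "findings": findings}


if __name__ == "__main__":
    result = triage(parse_events(SAMPLE_LOG))
    for imp in result["impersonations"]:
        print(f"impersonated uid={imp['uid']} gid={imp['gid']} in {imp['cwd']}")
    for f in result["findings"]:
        print("FINDING:", f)
```

Run against a real log, this flags exactly the discrepancy visible in the posted excerpt: the login succeeded as the domain account, but the share session ran with a Unix-uid SID, so the ACLs granting access to the domain SID do not match the token, which is a useful thing to check before touching share permissions.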

We often have similar problems after updates of Samba packages and modified our update script to do a full reboot after they are updated (though /etc/init.d/samba restart also helped if I remember correctly). Did you try this already?

Yes, I usually reboot my UCS servers after updating. Samba is restarted again after that. I have now restarted the service again on an affected member server (to be sure), but it did not help.

I have to add group read permissions to home shares, that's the only way to open these shares. But then everybody else can open these shares, too.

It seems like member servers cannot open shares that belong to a specific user. For testing purposes I created shares that did belong to my user and the group Domain Users. The domain controller set correct share permissions. Only my user could access the share with rights 711. On member servers I had to set the rights on the share to 751 and then everybody was able to open the share.

And like before: The problem doesn’t appear if I access the share in Windows.

Hello,

yesterday I updated my fileserver to UCS 4.4-8 errata 1118. All domain users lost access to their home shares. Only users with admin permissions still have access.

Is there no solution until now?

With kind regards
Hendrik Dreyer

look here: Bug 54200 – No access to home share on member servers

echo -e "[global]\n\twinbind use default domain = yes" >> /etc/samba/local.conf
ucr commit /etc/samba/smb.conf

Adding this option on the affected file server worked in my case.
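The echo line above works, but it is not idempotent: run it a second time (for example from an update script) and local.conf gets a second [global] header and a duplicate option. The function below is an added example for this thread, not Univention or Samba code; it adds the option to [global] only when it is absent, creates the section when the file has none, and reports a conflict instead of silently overriding a value that is already set differently. Paths and the sample configs are constructed for the example; on UCS the ucr commit /etc/samba/smb.conf step from the post above is still required afterwards and is not performed here.

```python
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def _split_kv(line):
    """Return (key, value) for a 'key = value' line, ignoring '#'/';' comments, else None."""
    body = re.split(r"[#;]", line, maxsplit=1)[0]
    if "=" not in body:
        return None
    key, _, value = body.partition("=")
    return key.strip().lower(), value.strip()


def ensure_global_option(conf_text, key, value):
    """Ensure 'key = value' is present in [global] of an smb.conf-style text.

    Returns (new_text, status, found_value) with status one of
    "added", "present" (same value already set) or "conflict" (different value set,
    text left untouched so a human can decide).
    """
    lines = conf_text.splitlines()
    section = None
    global_span = None          # (first line after [global], index of next header)
    for i, line in enumerate(lines):
        header = SECTION_RE.match(line)
        if header:
            if section == "global" and global_span is not None:
                global_span = (global_span[0], i)
            section = header.group(1).strip().lower()
            if section == "global":
                global_span = (i + 1, len(lines))
            continue
        if section == "global":
            kv = _split_kv(line)
            if kv and kv[0] == key.lower():
                status = "present" if kv[1].lower() == value.lower() else "conflict"
                return conf_text, status, kv[1]

    new_line = f"\t{key} = {value}"
    if global_span is None:
        # No [global] at all: put one at the top, ahead of any existing sections.
        lines = ["[global]", new_line] + ([""] + lines if lines else [])
    else:
        # Append at the end of the existing [global] block, before the next header.
        lines.insert(global_span[1], new_line)
    return "\n".join(lines) + "\n", "added", value


def apply_to_file(path, key, value):
    """Rewrite a config file in place only when the option actually has to be added."""
    try:
        with open(path, encoding="utf-8") as fh:
            current = fh.read()
    except FileNotFoundError:
        current = ""
    new_text, status, found = ensure_global_option(current, key, value)
    if status == "added":
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return status, found


if __name__ == "__main__":
    # Constructed sample, not a real local.conf: the option is missing from [global].
    sample = "[global]\n\tworkgroup = DOM1\n\n[homes]\n\tbrowseable = no\n"
    text, status, _ = ensure_global_option(sample, "winbind use default domain", "yes")
    print(status)
    print(text)
```

Usage on a server would be apply_to_file("/etc/samba/local.conf", "winbind use default domain", "yes") followed by the ucr commit from the post; a "conflict" result means the option is already set to another value and the script deliberately leaves it alone.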

Hello,

because I just came across it. The issue was fixed with Security and bugfix errata for Univention Corporate Server in January 2022.

Best regards,
Nico
