Hi,
yesterday I updated our domain to 4.4-8 errata1111. Since then, access to our home shares is not working as it should.
Home shares on all DCs are fully accessible. Home shares on member/file servers are only accessible if accessed through Windows. The problem is access via Ubuntu/Linux. In that case it is possible to log in to the share / mount it, but access to the content of the share will be denied.
I tried to access it by mounting a cifs partition and by using smbclient. In both cases access will work initially. For example, if I want to list all files, smbclient will give me the message
NT_STATUS_ACCESS_DENIED listing *
The faulty shares have the same access rights and the same ACLs as the working shares on the DCs.
The Samba log file shows that logging into the server worked, but I could not see any error that could explain the problem.
[2021/11/29 15:33:31.825020, 4] ../../source3/auth/pampass.c:586(smb_pam_account)
smb_pam_account: PAM: Account OK for User: domuser
[2021/11/29 15:33:31.825527, 4] ../../source3/auth/pampass.c:465(smb_pam_end)
smb_pam_end: PAM: PAM_END OK.
[2021/11/29 15:33:31.825542, 4] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/11/29 15:33:31.825549, 5] ../../source3/auth/auth.c:283(auth_check_ntlm_password)
check_ntlm_password: PAM Account for user [domuser] succeeded
[2021/11/29 15:33:31.825565, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [DOM1]\[domuser] at [Mo, 29 Nov 2021 15:33:31.825555 CET] with [NTLMv2] status [NT_STATUS_OK] workstation [WS1] remote host [ipv4:10.41.1.5:48998] became [DOM1]\[domuser] [S-1-5-21-1586173969-466029875-1045404465-1482]. local host [ipv4:172.16.0.20:445]
{"timestamp": "2021-11-29T15:33:31.825635+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4624, "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:172.16.0.20:445", "remoteAddress": "ipv4:10.41.1.5:48998", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "DOM1", "clientAccount": "domuser", "workstation": "WS1", "becameAccount": "domuser", "becameDomain": "DOM1", "becameSid": "S-1-5-21-1586173969-466029875-1045404465-1482", "mappedAccount": "domuser", "mappedDomain": "DOM1", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 159817}}
[2021/11/29 15:33:31.825677, 2] ../../source3/auth/auth.c:316(auth_check_ntlm_password)
check_ntlm_password: authentication for user [domuser] -> [domuser] -> [domuser] succeeded
[2021/11/29 15:33:31.825696, 4] ../../source3/smbd/sec_ctx.c:216(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2021/11/29 15:33:31.825702, 4] ../../source3/smbd/uid.c:576(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2021/11/29 15:33:31.825707, 4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/11/29 15:33:31.825711, 5] ../../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2021/11/29 15:33:31.825716, 5] ../../source3/auth/token_util.c:866(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2021/11/29 15:33:31.825765, 4] ../../source3/passdb/pdb_tdb.c:558(tdbsam_open)
tdbsam_open: successfully opened /var/lib/samba/private/passdb.tdb
[2021/11/29 15:33:31.825775, 5] ../../source3/passdb/pdb_tdb.c:600(tdbsam_getsampwnam)
pdb_getsampwnam (TDB): error fetching database.
Key: USER_domuser
[2021/11/29 15:33:31.825785, 4] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/11/29 15:33:31.825791, 4] ../../source3/smbd/sec_ctx.c:216(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2021/11/29 15:33:31.825796, 4] ../../source3/smbd/uid.c:576(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2021/11/29 15:33:31.825800, 4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/11/29 15:33:31.825804, 5] ../../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[.....]
[2021/11/29 15:33:31.828737, 4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
Successful AuthZ: [SMB2,NTLMSSP] user [DOM1]\[domuser] [S-1-22-1-2347] at [Mo, 29 Nov 2021 15:33:31.828732 CET] Remote host [ipv4:10.41.1.5:48998] local host [ipv4:172.16.0.20:445]
{"timestamp": "2021-11-29T15:33:31.828752+0100", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "localAddress": "ipv4:172.16.0.20:445", "remoteAddress": "ipv4:10.41.1.5:48998", "serviceDescription": "SMB2", "authType": "NTLMSSP", "domain": "DOM1", "account": "domuser", "sid": "S-1-22-1-2347", "sessionId": "bb35b8c7-b600-40f3-adf2-3477071ad447", "logonServer": "SCOTTY", "transportProtection": "SMB", "accountFlags": "0x00000010"}}
[2021/11/29 15:33:31.828800, 5] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
Finding user domuser
[2021/11/29 15:33:31.828806, 5] ../../source3/lib/username.c:120(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is domuser
[2021/11/29 15:33:31.828812, 5] ../../source3/lib/username.c:159(Get_Pwnam_internals)
Get_Pwnam_internals did find user [domuser]!
[2021/11/29 15:33:31.828820, 3] ../../source3/smbd/password.c:140(register_homes_share)
Adding homes service for user 'domuser' using home directory: '/mnt/samba/domuser'
[2021/11/29 15:33:31.828849, 3] ../../source3/param/loadparm.c:1579(lp_add_home)
adding home's share [domuser] for user 'domuser' at '/mnt/samba/domuser'
[2021/11/29 15:33:31.828859, 5] ../../lib/util/debug.c:800(debug_dump_status)
INFO: Current debug levels:
all: 5
[....]
[2021/11/29 15:33:31.828977, 4] ../../source3/auth/pampass.c:483(smb_pam_start)
smb_pam_start: PAM: Init user: domuser
[2021/11/29 15:33:31.837272, 4] ../../source3/auth/pampass.c:492(smb_pam_start)
smb_pam_start: PAM: setting rhost to: 10.41.1.5
[2021/11/29 15:33:31.837283, 4] ../../source3/auth/pampass.c:501(smb_pam_start)
smb_pam_start: PAM: setting tty
[2021/11/29 15:33:31.837288, 4] ../../source3/auth/pampass.c:509(smb_pam_start)
smb_pam_start: PAM: Init passed for user: domuser
[2021/11/29 15:33:31.837292, 4] ../../source3/auth/pampass.c:646(smb_internal_pam_session)
smb_internal_pam_session: PAM: tty set to: smb/568379371
[2021/11/29 15:33:31.880218, 5] ../../source3/smbd/uid.c:326(change_to_user_impersonate)
change_to_user_impersonate: Skipping user change - already user
[2021/11/29 15:33:31.880260, 5] ../../source3/smbd/uid.c:300(print_impersonation_info)
print_impersonation_info: Impersonated user: uid=(3532,3532), gid=(0,5001), cwd=[/mnt/samba/public]
[2021/11/29 15:33:31.880276, 5] ../../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
dbwrap_lock_order_lock: check lock order 1 for /var/run/samba/locking.tdb
[2021/11/29 15:33:31.880341, 5] ../../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
dbwrap_lock_order_unlock: release lock order 1 for /var/run/samba/locking.tdb
[.....]
[2021/11/29 15:33:31.979581, 5] ../../source3/smbd/uid.c:300(print_impersonation_info)
print_impersonation_info: Impersonated user: uid=(2347,2347), gid=(0,5001), cwd=[/mnt/samba/domuser]
[2021/11/29 15:33:31.979597, 3] ../../source3/smbd/smb2_notify.c:253(smbd_smb2_notify_send)
smbd_smb2_notify_send: notify change called on ., filter = FILE_NAME|ATTRIBUTES|LAST_WRITE, recursive = 0
[2021/11/29 15:33:32.017535, 4] ../../source3/auth/pampass.c:465(smb_pam_end)
smb_pam_end: PAM: PAM_END OK.
[2021/11/29 15:33:32.017580, 5] ../../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
dbwrap_lock_order_lock: check lock order 1 for /var/run/samba/smbXsrv_session_global.tdb
[2021/11/29 15:33:32.017640, 5] ../../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
dbwrap_lock_order_unlock: release lock order 1 for /var/run/samba/smbXsrv_session_global.tdb
[2021/11/29 15:33:32.017661, 5] ../../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)
signed SMB2 message
[2021/11/29 15:33:32.039238, 5] ../../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
dbwrap_lock_order_lock: check lock order 1 for /var/run/samba/smbXsrv_session_global.tdb
[2021/11/29 15:33:32.039268, 5] ../../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
dbwrap_lock_order_unlock: release lock order 1 for /var/run/samba/smbXsrv_session_global.tdb
[2021/11/29 15:33:32.039277, 4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2021/11/29 15:33:32.039290, 5] ../../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2021/11/29 15:33:32.039296, 5] ../../source3/auth/token_util.c:866(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2021/11/29 15:33:32.039313, 5] ../../source3/smbd/uid.c:504(smbd_change_to_root_user)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2021/11/29 15:33:32.039337, 5] ../../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
dbwrap_lock_order_lock: check lock order 1 for /var/run/samba/smbXsrv_tcon_global.tdb
[2021/11/29 15:33:32.039368, 5] ../../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
dbwrap_lock_order_unlock: release lock order 1 for /var/run/samba/smbXsrv_tcon_global.tdb
[2021/11/29 15:33:32.039380, 3] ../../lib/util/access.c:365(allow_access)
Allowed connection from 10.41.1.5 (10.41.1.5)
[2021/11/29 15:33:32.039422, 3] ../../source3/smbd/service.c:605(make_connection_snum)
make_connection_snum: Connect path is '/mnt/samba/domuser' for service [domuser]
[2021/11/29 15:33:32.039462, 3] ../../source3/smbd/vfs.c:114(vfs_init_default)
Initialising default vfs hooks
[2021/11/29 15:33:32.039474, 5] ../../source3/smbd/vfs.c:104(smb_register_vfs)
Successfully added vfs backend '/[Default VFS]/'
[2021/11/29 15:33:32.039482, 5] ../../source3/smbd/vfs.c:104(smb_register_vfs)
Successfully added vfs backend 'vfs_not_implemented'
[2021/11/29 15:33:32.039487, 5] ../../source3/smbd/vfs.c:104(smb_register_vfs)
Successfully added vfs backend 'posixacl'
[2021/11/29 15:33:32.039491, 3] ../../source3/smbd/vfs.c:140(vfs_init_custom)
Initialising custom vfs hooks from [/[Default VFS]/]
Successfully loaded vfs module [/[Default VFS]/] with the new modules system
[2021/11/29 15:33:32.039498, 3] ../../source3/smbd/vfs.c:140(vfs_init_custom)
Initialising custom vfs hooks from [acl_xattr]
[2021/11/29 15:33:32.039503, 5] ../../source3/smbd/vfs.c:180(vfs_init_custom)
vfs module [acl_xattr] not loaded - trying to load...
[2021/11/29 15:33:32.039509, 5] ../../lib/util/modules.c:160(load_module_absolute_path)
load_module_absolute_path: Loading module '/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so'
[2021/11/29 15:33:32.046980, 3] ../../lib/util/modules.c:167(load_module_absolute_path)
load_module_absolute_path: Module '/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so' loaded
[2021/11/29 15:33:32.046991, 5] ../../source3/smbd/vfs.c:104(smb_register_vfs)
Successfully added vfs backend 'acl_xattr'
Successfully loaded vfs module [acl_xattr] with the new modules system
[2021/11/29 15:33:32.047007, 2] ../../source3/modules/vfs_acl_xattr.c:233(connect_acl_xattr)
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service domuser
Any tips on how I can isolate and fix the problem?
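
One way to narrow down a log like the one above, as an added example that is not part of the original post: the Authentication event reports a domain SID in `becameSid`, while the Authorization event for the same connection reports a SID of the form `S-1-22-1-<uid>`, which is Samba's "Unix User" SID form. The script below pairs the two JSON event types by remote address and reports any difference; the function names and the trimmed sample are assumptions made for this illustration.

```python
import json

UNIX_USER_PREFIX = "S-1-22-1-"  # Samba "Unix User" SIDs look like S-1-22-1-<uid>

# Constructed sample: the two JSON events from the log above, trimmed to the
# fields this check reads.
SAMPLE_LOG = """\
[2021/11/29 15:33:31.825565, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
{"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:10.41.1.5:48998", "becameSid": "S-1-5-21-1586173969-466029875-1045404465-1482"}}
[2021/11/29 15:33:31.828737, 4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
{"type": "Authorization", "Authorization": {"remoteAddress": "ipv4:10.41.1.5:48998", "account": "domuser", "sid": "S-1-22-1-2347"}}
"""

def json_events(text):
    """Yield the JSON audit events embedded in an smbd log, skipping debug lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # wrapped or truncated line, cannot be parsed
        if isinstance(event, dict) and isinstance(event.get(event.get("type")), dict):
            yield event

def sid_mismatches(text):
    """Report sessions whose Authorization SID differs from the authenticated SID."""
    authenticated = {}  # remoteAddress -> becameSid of last successful logon
    findings = []
    for event in json_events(text):
        kind, body = event["type"], event[event["type"]]
        remote = body.get("remoteAddress")
        if kind == "Authentication" and body.get("status") == "NT_STATUS_OK":
            authenticated[remote] = body.get("becameSid")
        elif kind == "Authorization" and remote in authenticated:
            auth_sid = authenticated[remote]
            session_sid = body.get("sid")
            if auth_sid != session_sid:
                findings.append({
                    "account": body.get("account"),
                    "remote": remote,
                    "authenticated_sid": auth_sid,
                    "session_sid": session_sid,
                    "unix_user_sid": (session_sid or "").startswith(UNIX_USER_PREFIX),
                })
    return findings

if __name__ == "__main__":
    for finding in sid_mismatches(SAMPLE_LOG):
        print(finding)
```

A finding with `unix_user_sid` set means the session token carries a Unix User SID rather than the domain SID, which is worth comparing against the SIDs in the ACL entries on the affected share.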