Home shares on backup AD result in NT_STATUS_ACCESS_DENIED

Hi

We have a straightforward setup.

srvr1 - primary AD
srvr2 - backup AD
srvr3 - member server, file server

File shares created by us work fine.
System diagnostic finds no problems on srvr1, srvr2 and srvr3. All 3 machines are 5.0-8 errata1068.

Home folders on //srvr1 and //srvr3 work fine too.

The problem: trying to map a home folder on //srvr2 (backup AD) from a Windows 11 domain-joined client results in e.g. “you don’t have permissions to access //srvr2/tomasz”. This happens for all users.

We have changed samba/debug/level to “3” and this is what smb log shows when attempt to map this share is made:

root@srvr2:~# tail -f /var/log/samba/log.smbd
[2024/06/25 15:00:49.704488,  0, pid=3034] ../../source3/smbd/server.c:1746(main)
  smbd version 4.18.3-Univention started.
  Copyright Andrew Tridgell and the Samba Team 1992-2023
[2024/06/25 15:00:49.708662,  1, pid=3034] ../../source3/profile/profile.c:54(set_profile_level)
  INFO: Profiling turned OFF from pid 3034
[2024/06/25 16:44:42.610789,  0, pid=21067] ../../source3/printing/printer_list.c:58(get_printer_list_db)
  get_printer_list_db: Failed to open printer_list.tdb
[2024/06/26 10:18:22.324718,  2, pid=1934] ../../source3/param/loadparm.c:2915(lp_do_section)
  Processing section "[netlogon]"
[2024/06/26 10:18:22.324891,  2, pid=1934] ../../source3/param/loadparm.c:2915(lp_do_section)
  Processing section "[sysvol]"
[2024/06/26 10:18:22.324996,  2, pid=1934] ../../source3/param/loadparm.c:2915(lp_do_section)
  Processing section "[homes]"
[2024/06/26 10:18:22.325092,  2, pid=1934] ../../source3/param/loadparm.c:2915(lp_do_section)
  Processing section "[printers]"
[2024/06/26 10:18:22.325177,  2, pid=1934] ../../source3/param/loadparm.c:2915(lp_do_section)
  Processing section "[print$]"
[2024/06/26 10:18:22.325314,  2, pid=1934] ../../source3/param/loadparm.c:2915(lp_do_section)
  Processing section "[general-2]"
[2024/06/26 10:18:22.325732,  3, pid=1934] ../../source3/param/loadparm.c:1682(lp_add_ipc)
  adding IPC service
  added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
  added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
  added interface eno1 ip=192.168.222.9 bcast=192.168.222.255 netmask=255.255.255.0
[2024/06/26 10:18:22.326708,  3, pid=1934] ../../source3/smbd/smb2_oplock.c:1408(init_oplocks)
  init_oplocks: initializing messages.
[2024/06/26 10:18:22.326941,  3, pid=1934] ../../source3/smbd/smb2_negprot.c:342(smbd_smb2_request_process_negprot)
  Selected protocol SMB3_11
[2024/06/26 10:18:22.333052,  3, pid=1934] ../../lib/util/modules.c:167(load_module_absolute_path)
  load_module_absolute_path: Module '/usr/lib/x86_64-linux-gnu/samba/auth/samba4.so' loaded
[2024/06/26 10:18:22.334551,  3, pid=1934] ../../auth/gensec/gensec_start.c:1084(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2024/06/26 10:18:22.334559,  3, pid=1934] ../../auth/gensec/gensec_start.c:1084(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2024/06/26 10:18:22.334562,  3, pid=1934] ../../auth/gensec/gensec_start.c:1084(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2024/06/26 10:18:22.334565,  3, pid=1934] ../../auth/gensec/gensec_start.c:1084(gensec_register)
  GENSEC backend 'spnego' registered
[2024/06/26 10:18:22.334567,  3, pid=1934] ../../auth/gensec/gensec_start.c:1084(gensec_register)
  GENSEC backend 'schannel' registered
[2024/06/26 10:18:22.334569,  3, pid=1934] ../../auth/gensec/gensec_start.c:1084(gensec_register)
  GENSEC backend 'ncalrpc_as_system' registered
[2024/06/26 10:18:22.334580,  3, pid=1934] ../../auth/gensec/gensec_start.c:1084(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2024/06/26 10:18:22.334583,  3, pid=1934] ../../auth/gensec/gensec_start.c:1084(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2024/06/26 10:18:22.334585,  3, pid=1934] ../../auth/gensec/gensec_start.c:1084(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2024/06/26 10:18:22.334588,  3, pid=1934] ../../auth/gensec/gensec_start.c:1084(gensec_register)
  GENSEC backend 'http_basic' registered
[2024/06/26 10:18:22.334590,  3, pid=1934] ../../auth/gensec/gensec_start.c:1084(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2024/06/26 10:18:22.334593,  3, pid=1934] ../../auth/gensec/gensec_start.c:1084(gensec_register)
  GENSEC backend 'http_negotiate' registered
[2024/06/26 10:18:22.334596,  3, pid=1934] ../../auth/gensec/gensec_start.c:1084(gensec_register)
  GENSEC backend 'krb5' registered
[2024/06/26 10:18:22.334598,  3, pid=1934] ../../auth/gensec/gensec_start.c:1084(gensec_register)
  GENSEC backend 'fake_gssapi_krb5' registered
[2024/06/26 10:18:22.334981,  3, pid=1934] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2024/06/26 10:18:22.336790,  3, pid=1934] ../../source4/auth/ntlm/auth.c:804(auth_register)
  AUTH backend 'sam' registered
[2024/06/26 10:18:22.336800,  3, pid=1934] ../../source4/auth/ntlm/auth.c:804(auth_register)
  AUTH backend 'sam_ignoredomain' registered
[2024/06/26 10:18:22.336803,  3, pid=1934] ../../source4/auth/ntlm/auth.c:804(auth_register)
  AUTH backend 'anonymous' registered
[2024/06/26 10:18:22.336805,  3, pid=1934] ../../source4/auth/ntlm/auth.c:804(auth_register)
  AUTH backend 'winbind' registered
[2024/06/26 10:18:22.465383,  3, pid=1934] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2024/06/26 10:18:22.480218,  3, pid=1934] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of privilege.ldb
[2024/06/26 10:18:22.483027,  3, pid=1934] ../../source3/smbd/password.c:72(register_homes_share)
  No home directory defined for user 'CITIZEN+tomasz'
[2024/06/26 10:18:22.654167,  3, pid=1934] ../../source3/param/service.c:163(find_service)
  checking for home directory tomasz gave /home/tomasz
[2024/06/26 10:18:22.654332,  3, pid=1934] ../../source3/param/loadparm.c:1633(lp_add_home)
  adding home's share [tomasz] for user 'tomasz' at '/home/tomasz'
[2024/06/26 10:18:22.654485,  3, pid=1934] ../../lib/util/access.c:374(allow_access)
  Allowed connection from 192.168.222.61 (192.168.222.61)
[2024/06/26 10:18:22.654595,  3, pid=1934] ../../source3/smbd/smb2_service.c:585(make_connection_snum)
  make_connection_snum: Connect path is '/home/tomasz' for service [tomasz]
[2024/06/26 10:18:22.654664,  3, pid=1934] ../../source3/smbd/vfs.c:115(vfs_init_default)
  Initialising default vfs hooks
[2024/06/26 10:18:22.654680,  3, pid=1934] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2024/06/26 10:18:22.654694,  3, pid=1934] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2024/06/26 10:18:22.658462,  3, pid=1934] ../../lib/util/modules.c:167(load_module_absolute_path)
  load_module_absolute_path: Module '/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so' loaded
[2024/06/26 10:18:22.658546,  2, pid=1934] ../../source3/modules/vfs_acl_xattr.c:209(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service tomasz
[2024/06/26 10:18:22.658711,  3, pid=1934] ../../source3/smbd/oplock_linux.c:235(linux_init_kernel_oplocks)
  Linux kernel oplocks enabled
[2024/06/26 10:18:22.658772,  3, pid=1934] ../../libcli/security/dom_sid.c:216(dom_sid_parse_endp)
  string_to_sid: SID administrator is not in a valid format
[2024/06/26 10:18:22.660120,  3, pid=1934] ../../libcli/security/dom_sid.c:216(dom_sid_parse_endp)
  string_to_sid: SID join-backup is not in a valid format
[2024/06/26 10:18:22.661202,  2, pid=1934] ../../source3/smbd/smb2_service.c:814(make_connection_snum)
  192.168.222.61 (ipv4:192.168.222.61:64685) signed connect to service tomasz initially as user CITIZEN+tomasz (uid=3000001, gid=5000) (pid 1934)
[2024/06/26 10:18:22.849518,  3, pid=1934] ../../source3/smbd/filename.c:321(get_real_filename_full_scan_at)
  get_real_filename_full_scan_at: scan dir didn't open dir [.]: NT_STATUS_ACCESS_DENIED
[2024/06/26 10:18:22.849607,  3, pid=1934] ../../source3/smbd/smb2_server.c:3964(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:340
[2024/06/26 10:18:22.850422,  3, pid=1934] ../../source3/smbd/filename.c:321(get_real_filename_full_scan_at)
  get_real_filename_full_scan_at: scan dir didn't open dir [.]: NT_STATUS_ACCESS_DENIED
[2024/06/26 10:18:22.850467,  3, pid=1934] ../../source3/smbd/smb2_server.c:3964(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:340
[2024/06/26 10:18:22.851193,  3, pid=1934] ../../source3/smbd/filename.c:321(get_real_filename_full_scan_at)
  get_real_filename_full_scan_at: scan dir didn't open dir [.]: NT_STATUS_ACCESS_DENIED
[2024/06/26 10:18:22.851268,  3, pid=1934] ../../source3/smbd/smb2_server.c:3964(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:340
[2024/06/26 10:18:22.962024,  3, pid=1934] ../../source3/smbd/smb2_server.c:3964(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:340
[2024/06/26 10:18:22.964141,  3, pid=1934] ../../source3/smbd/smb2_server.c:3964(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:340
[2024/06/26 10:18:22.965687,  3, pid=1934] ../../source3/smbd/smb2_server.c:3964(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:340
[2024/06/26 10:18:22.973564,  3, pid=1934] ../../source3/smbd/filename.c:321(get_real_filename_full_scan_at)
  get_real_filename_full_scan_at: scan dir didn't open dir [.]: NT_STATUS_ACCESS_DENIED
[2024/06/26 10:18:22.973629,  3, pid=1934] ../../source3/smbd/smb2_server.c:3964(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:340
[2024/06/26 10:18:22.974570,  3, pid=1934] ../../source3/smbd/filename.c:321(get_real_filename_full_scan_at)
  get_real_filename_full_scan_at: scan dir didn't open dir [.]: NT_STATUS_ACCESS_DENIED
[2024/06/26 10:18:22.974636,  3, pid=1934] ../../source3/smbd/smb2_server.c:3964(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:340
[2024/06/26 10:18:22.975589,  3, pid=1934] ../../source3/smbd/smb2_server.c:3964(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:340
[2024/06/26 10:18:23.433216,  3, pid=1934] ../../source3/smbd/smb2_trans2.c:2151(smbd_do_qfsinfo)
  smbd_do_qfsinfo: level = 1007
[2024/06/26 10:18:23.437612,  3, pid=1934] ../../source3/smbd/smb2_trans2.c:2151(smbd_do_qfsinfo)
  smbd_do_qfsinfo: level = 1007
[2024/06/26 10:18:23.440098,  3, pid=1934] ../../source3/smbd/smb2_trans2.c:2151(smbd_do_qfsinfo)
  smbd_do_qfsinfo: level = 1001
[2024/06/26 10:18:23.440212,  3, pid=1934] ../../source3/smbd/smb2_trans2.c:2151(smbd_do_qfsinfo)
  smbd_do_qfsinfo: level = 1005
[2024/06/26 10:18:23.808160,  3, pid=1934] ../../source3/smbd/smb2_trans2.c:2151(smbd_do_qfsinfo)
  smbd_do_qfsinfo: level = 1003
[2024/06/26 10:18:23.859460,  3, pid=1934] ../../source3/smbd/smb2_trans2.c:2151(smbd_do_qfsinfo)
  smbd_do_qfsinfo: level = 1003
[2024/06/26 10:18:38.386318,  3, pid=1934] ../../lib/util/access.c:374(allow_access)
  Allowed connection from 192.168.222.61 (192.168.222.61)
[2024/06/26 10:18:38.386447,  3, pid=1934] ../../source3/smbd/smb2_service.c:585(make_connection_snum)
  make_connection_snum: Connect path is '/tmp' for service [IPC$]
[2024/06/26 10:18:38.386489,  3, pid=1934] ../../source3/smbd/vfs.c:115(vfs_init_default)
  Initialising default vfs hooks
[2024/06/26 10:18:38.386505,  3, pid=1934] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2024/06/26 10:18:38.386521,  3, pid=1934] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2024/06/26 10:18:38.386533,  3, pid=1934] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [dfs_samba4]
[2024/06/26 10:18:38.390574,  3, pid=1934] ../../lib/util/modules.c:167(load_module_absolute_path)
  load_module_absolute_path: Module '/usr/lib/x86_64-linux-gnu/samba/vfs/dfs_samba4.so' loaded
[2024/06/26 10:18:38.390651,  2, pid=1934] ../../source3/modules/vfs_acl_xattr.c:209(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service IPC$
[2024/06/26 10:18:38.393472,  3, pid=1934] ../../libcli/security/dom_sid.c:216(dom_sid_parse_endp)
  string_to_sid: SID administrator is not in a valid format
[2024/06/26 10:18:38.394374,  3, pid=1934] ../../libcli/security/dom_sid.c:216(dom_sid_parse_endp)
  string_to_sid: SID join-backup is not in a valid format
[2024/06/26 10:18:38.395291,  3, pid=1934] ../../source3/smbd/smb2_service.c:814(make_connection_snum)
  192.168.222.61 (ipv4:192.168.222.61:64685) signed connect to service IPC$ initially as user CITIZEN+tomasz (uid=3000001, gid=5000) (pid 1934)
[2024/06/26 10:18:38.397207,  3, pid=1934] ../../source3/smbd/msdfs.c:1283(get_referred_path)
  get_referred_path: |tomasz| in dfs path \srvr2\tomasz is not a dfs root.
[2024/06/26 10:18:38.397255,  3, pid=1934] ../../source3/smbd/smb2_server.c:3964(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../../source3/smbd/smb2_ioctl.c:353
[2024/06/26 10:18:38.401352,  3, pid=1934] ../../source3/smbd/smb2_nttrans.c:509(smbd_marshall_security_desc)
  smbd_marshall_security_desc: sd_size = 36.
[2024/06/26 10:18:49.097283,  3, pid=1934] ../../source3/smbd/smb2_service.c:911(close_cnum)
  192.168.222.61 (ipv4:192.168.222.61:64685) closed connection to service IPC$

Home folder permissions on srvr1, srvr2 and srvr3 are identical e.g.

root@srvr2:~# ls -ld /home/tomasz
drwx--x--x 3 tomasz Domain Admins 4096 Jun 25 15:36 /home/tomasz

The Samba configs were not modified by us beyond creating file shares using the GUI.

When we change folder permissions to:

root@srvr2:~# ls -ld /home/tomasz
drwxrwx--x 3 tomasz Domain Admins 4096 Jun 25 15:36 /home/tomasz

//srvr2/tomasz maps and works fine.

In this test we found out that if we allow the Domain Admins group to read and write the //srvr2/tomasz folder, the home share works fine (user tomasz is a member of the Domain Admins group).

getfacl /home/tomasz on srvr1, srvr2 and srvr3 results in:

getfacl: Removing leading '/' from absolute path names
# file: home/tomasz
# owner: tomasz
# group: Domain\040Admins
user::rwx
group::--x
other::--x

“id tomasz” on srvr1, srvr2, srvr3 outputs:

uid=2012(tomasz) gid=5000(Domain Admins) groups=5000(Domain Admins),5001(Domain Users),5010(OpenVPN),5051(Denied RODC Password Replication Group),5053(Administrators),5054(Users),5061(Remote Desktop Users),5076(Remote Users),5078(marketing),5079(production),5080(holograms),5081(general),5082(it)

All services are running and smbd, nmbd and winbind were restarted multiple times on srvr2. Why would users get a “no permission” error when mapping home shares only on srvr2 (backup AD)? It should work in our opinion. Is this a bug?

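An added check for readers of this thread (example code written by the editor; it is not part of the original post and not Samba's own code): the script below pulls the session identity out of the `signed connect` line of the posted log and evaluates the home directory's POSIX mode bits the way the kernel does for opening a directory, which needs both `r` and `x`. The inputs are taken from the post: the two log lines are copied into `SAMPLE_LOG` as a constructed sample, the mode strings are the two `ls -ld` results, and the assumption that `/home/tomasz` on disk belongs to uid 2012 / gid 5000 follows from `ls -ld` naming tomasz as owner and `id tomasz` reporting uid=2012. What it makes visible is that the srvr2 session runs as uid=3000001, not 2012, so the owner class `rwx` never applies; only the group class `--x` is evaluated, which is enough for `x` but not for the `r` that listing requires, and widening the group class to `rwx` is exactly what the post found to work.

```python
import re

# Constructed sample: two lines copied from the smbd log posted above (debug level 3).
SAMPLE_LOG = """\
[2024/06/26 10:18:22.661202,  2, pid=1934] ../../source3/smbd/smb2_service.c:814(make_connection_snum)
  192.168.222.61 (ipv4:192.168.222.61:64685) signed connect to service tomasz initially as user CITIZEN+tomasz (uid=3000001, gid=5000) (pid 1934)
[2024/06/26 10:18:22.849518,  3, pid=1934] ../../source3/smbd/filename.c:321(get_real_filename_full_scan_at)
  get_real_filename_full_scan_at: scan dir didn't open dir [.]: NT_STATUS_ACCESS_DENIED
"""

# Matches the identity smbd reports when a tree connect succeeds.
CONNECT_RE = re.compile(
    r"connect to service (?P<service>\S+) initially as user (?P<user>\S+) "
    r"\(uid=(?P<uid>\d+), gid=(?P<gid>\d+)\)"
)


def parse_connects(log_text):
    """Return (service, user, uid, gid) for every 'connect to service' line."""
    return [(m["service"], m["user"], int(m["uid"]), int(m["gid"]))
            for m in CONNECT_RE.finditer(log_text)]


def mode_from_ls(perm):
    """Turn an 'ls -l' permission string such as 'drwx--x--x' into octal rwx bits.
    The leading type character is dropped; lowercase s/t count as the execute bit,
    uppercase S/T (setuid/setgid/sticky without execute) do not."""
    body = perm[1:10] if len(perm) >= 10 else perm
    if len(body) != 9:
        raise ValueError("expected 9 permission characters: %r" % perm)
    mode = 0
    for ch in body:
        mode = (mode << 1) | (1 if ch in "rwxst" else 0)
    return mode


def posix_allows(mode, owner_uid, owner_gid, euid, egid, groups, want):
    """Standard POSIX DAC: exactly one class applies, owner first, then group,
    then other. 'want' is a subset of 'rwx'. Root (uid 0) is deliberately not
    special-cased, because smbd drops to the session uid before touching files."""
    if euid == owner_uid:
        cls = (mode >> 6) & 0o7
    elif egid == owner_gid or owner_gid in groups:
        cls = (mode >> 3) & 0o7
    else:
        cls = mode & 0o7
    need = 0
    for c in want:
        need |= {"r": 4, "w": 2, "x": 1}[c]
    return cls & need == need


def check_home_listing(log_text, ls_perm, owner_uid, owner_gid, groups=()):
    """For each tree connect in the log, decide whether that session identity can
    open the share root for listing (opendir needs r and x on the directory)."""
    mode = mode_from_ls(ls_perm)
    results = {}
    for service, user, uid, gid in parse_connects(log_text):
        ok = posix_allows(mode, owner_uid, owner_gid, uid, gid, set(groups), "rx")
        results[service] = {"user": user, "uid": uid, "gid": gid, "can_list": ok}
    return results


if __name__ == "__main__":
    # Assumed from the post: /home/tomasz is owned by uid 2012 (tomasz), gid 5000 (Domain Admins).
    for perm in ("drwx--x--x", "drwxrwx--x"):
        print(perm, check_home_listing(SAMPLE_LOG, perm, 2012, 5000))
```

The useful follow-up on srvr2 is to find out which identity mapping produced 3000001: compare `getent passwd tomasz` and `wbinfo -i tomasz` on srvr2 with the same commands on srvr1, and run `wbinfo --uid-info=3000001` to see what that uid resolves to. Whichever way the mismatch is resolved, it is preferable to loosening the group bits on every home directory, since `drwxrwx--x` gives every member of Domain Admins write access to each other's home folders.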