Problem
When attempting to access a share using smbclient like this:
smbclient //$(hostname -f)/share -U Administrator
the following error is returned:
NT_STATUS_UNSUCCESSFUL
Investigation
We can trigger the same command with a higher debug level to get more output:
smbclient //$(hostname -f)/share -U Administrator -d 11
and raise the debug level like this (remember to revert that change to not flood the logfiles):
ucr set samba/debug/level='11' && /etc/init.d/samba restart
Relevant logs from /var/log/samba/log.smb.x.x.x.x now show the following entries after issueing the smbclient command with a higher debug level:
[2024/11/04 07:46:16.256878, 3, pid=1490] ../../source3/smbd/vfs.c:141(vfs_init_custom)
Initialising custom vfs hooks from [acl_xattr]
Successfully loaded vfs module [acl_xattr] with the new modules system
[2024/11/04 07:46:16.256907, 0, pid=1490] ../../source3/modules/vfs_full_audit.c:564(init_bitmap)
init_bitmap: Could not find opname mkdir
[2024/11/04 07:46:16.256912, 0, pid=1490] ../../source3/modules/vfs_full_audit.c:753(smb_full_audit_connect)
smb_full_audit_connect: Invalid success operations list. Failing connect
[2024/11/04 07:46:16.256917, 1, pid=1490] ../../source3/smbd/smb2_service.c:630(make_connection_snum)
make_connection_snum: SMB_VFS_CONNECT for service 'my_share' at '/var/shares/my_share' failed: Erfolg
The issue is caused by the full_audit VFS module in the share configuration. Specifically, the success operations list is invalid, due to an unrecognized operation (mkdir), which causes the connection to fail.
The share configuration for the affected share (my_share) includes the following VFS settings:
[my_share]
path = /var/shares/my_share
vfs objects = acl_xattr full_audit
But the success operations list is not in the share configuration. So we take a quick look where to find more information:
$ rgrep success /etc/samba
/etc/samba/local.config.d/global.local.config.conf:full_audit:success = rmdir write pwrite rename unlink
There we found the file /etc/samba/local.config.d/global.local.config.conf, which gets included by /etc/samba/smb.conf, and we can see the relevant operations list. These settings are actually configured via UCR variables:
$ ucr search --brief audit
samba/global/options/full_audit:success: rmdir write pwrite rename unlink
Solution
According to the current Samba version on the system and its manpage:
man vfs_full_audit
we can see that most of the operations (rmdir write pwrite rename unlink) are not available or named differently, for example rename is actually called renameat. So we have to make the changes accordingly to the global.local.config.conf by adjusting the UCR variable. In our case we simply used all:
ucr set samba/global/options/full_audit:success='all'