Samba - access denied / zugriff verweigert

Hello,

I’ve stumbled upon a problem I can’t solve myself.

Today I added a second network adapter and deleted it again to test something; after that most of the Samba connections get denied with the message “Access Denied”.

Some connections still work, it seems like it doesn’t accept new connections anymore.


root@INNOVAUNI2:/etc/samba# netstat -tapn | grep smbd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      50900/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      50900/smbd
tcp       32      0 10.10.0.33:39696        10.10.0.30:7389         CLOSE_WAIT  50944/smbd
tcp        0      0 10.10.0.33:445          10.10.5.14:49262        VERBUNDEN   50913/smbd
tcp        0      0 10.10.0.33:445          10.10.5.56:51794        VERBUNDEN   50944/smbd
tcp        0      0 10.10.0.33:445          10.10.3.42:52375        VERBUNDEN   51033/smbd
tcp       32      0 10.10.0.33:39710        10.10.0.30:7389         CLOSE_WAIT  50937/smbd
tcp       32      0 10.10.0.33:39634        10.10.0.30:7389         CLOSE_WAIT  50906/smbd
tcp        0      0 10.10.0.33:445          10.10.5.9:58640         VERBUNDEN   50937/smbd
tcp       32      0 10.10.0.33:39668        10.10.0.30:7389         CLOSE_WAIT  50938/smbd
tcp        0      0 10.10.0.33:445          10.10.5.65:55499        VERBUNDEN   50941/smbd
tcp       32      0 10.10.0.33:39700        10.10.0.30:7389         CLOSE_WAIT  50942/smbd
tcp        0      0 10.10.0.33:445          10.10.5.32:51558        VERBUNDEN   50939/smbd
tcp        0      0 10.10.0.33:445          10.10.0.34:58830        VERBUNDEN   51416/smbd
tcp        0      0 10.10.0.33:445          10.10.5.66:51643        VERBUNDEN   50927/smbd
tcp        0      0 10.10.0.33:445          10.10.5.110:52634       VERBUNDEN   50943/smbd
tcp       32      0 10.10.0.33:39636        10.10.0.30:7389         CLOSE_WAIT  50907/smbd
tcp       32      0 10.10.0.33:39646        10.10.0.30:7389         CLOSE_WAIT  50913/smbd
tcp        0      0 10.10.0.33:445          10.10.5.27:53324        VERBUNDEN   50907/smbd
tcp       32      0 10.10.0.33:39642        10.10.0.30:7389         CLOSE_WAIT  50908/smbd
tcp        0      0 10.10.0.33:445          10.10.5.41:58862        VERBUNDEN   50942/smbd
tcp       32      0 10.10.0.33:39726        10.10.0.30:7389         CLOSE_WAIT  51033/smbd
tcp        0      0 10.10.0.33:445          10.10.3.82:51076        VERBUNDEN   50908/smbd
tcp        0      0 10.10.0.33:445          10.10.5.8:52421         VERBUNDEN   50938/smbd
tcp        0      0 10.10.0.33:445          10.10.5.2:49274         VERBUNDEN   51393/smbd
tcp        0      0 10.10.0.33:445          10.10.3.22:50010        VERBUNDEN   50906/smbd
tcp       32      0 10.10.0.33:39690        10.10.0.30:7389         CLOSE_WAIT  50943/smbd
tcp       32      0 10.10.0.33:39712        10.10.0.30:7389         CLOSE_WAIT  50939/smbd
tcp       32      0 10.10.0.33:39682        10.10.0.30:7389         CLOSE_WAIT  50941/smbd
tcp        0      0 10.10.0.33:39774        10.10.0.30:7389         VERBUNDEN   51393/smbd
tcp       32      0 10.10.0.33:39654        10.10.0.30:7389         CLOSE_WAIT  50927/smbd
tcp6       0      0 :::139                  :::*                    LISTEN      50900/smbd
tcp6       0      0 :::445                  :::*                    LISTEN      50900/smbd

root@INNOVAUNI2:/mnt/shares# getfacl /mnt/shares/inno-files
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: mnt/shares/inno-files
# owner: root
# group: Domain\040Users
user::rwx
group::rwx
other::---

root@INNOVAUNI2:/mnt/shares# ps -aux |grep smbd
root      50900  0.0  0.0 320972 17948 ?        Ss   14:36   0:00 /usr/sbin/smbd -D
root      50901  0.0  0.0 308440  5920 ?        S    14:36   0:00 /usr/sbin/smbd -D
root      50902  0.0  0.0 308636  7532 ?        S    14:36   0:00 /usr/sbin/smbd -D
root      50904  0.0  0.0 320956  6740 ?        S    14:36   0:00 /usr/sbin/smbd -D
root      50906  0.0  0.0 331644 21536 ?        S    14:36   0:00 /usr/sbin/smbd -D
dan1lüb   50907  0.0  0.0 330900 20872 ?        S    14:36   0:00 /usr/sbin/smbd -D
mur1ali   50908  0.3  0.0 331148 21732 ?        S    14:36   0:05 /usr/sbin/smbd -D
flo1dei   50913  0.1  0.0 330756 20676 ?        S    14:36   0:02 /usr/sbin/smbd -D
root      50927  0.1  0.0 454832 25440 ?        S    14:36   0:02 /usr/sbin/smbd -D
root      50937  0.2  0.0 455372 24528 ?        S    14:36   0:05 /usr/sbin/smbd -D
root      50938  0.5  0.0 455120 26028 ?        S    14:36   0:08 /usr/sbin/smbd -D
root      50939  0.0  0.0 454444 24028 ?        S    14:36   0:00 /usr/sbin/smbd -D
root      50941  0.0  0.0 453544 23416 ?        S    14:36   0:00 /usr/sbin/smbd -D
root      50942  0.3  0.0 455752 26676 ?        S    14:36   0:05 /usr/sbin/smbd -D
root      50944  0.3  0.0 454952 25816 ?        S    14:36   0:05 /usr/sbin/smbd -D
root      51033  0.0  0.0 330804 20480 ?        S    14:38   0:00 /usr/sbin/smbd -D
root      51393  0.0  0.0 452648 22468 ?        S    14:51   0:00 /usr/sbin/smbd -D
root      51491  0.0  0.0 452648 22468 ?        S    14:58   0:00 /usr/sbin/smbd -D
root      51804  0.1  0.0 323576 18564 ?        S    15:04   0:00 /usr/sbin/smbd -D
root      51850  0.1  0.0 325288 16340 ?        S    15:05   0:00 /usr/sbin/smbd -D
root      51864  0.0  0.0  14216  2248 pts/0    S+   15:05   0:00 grep smbd


root@INNOVAUNI2:/mnt/shares# univention-app info
UCS: 4.2-3 errata315
App Center compatibility: 4
Installed: samba-memberserver=4.6
Upgradable:

[2018/04/19 15:12:05.459907,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [innova.maxx]\[user123]@[] with the new password interface
[2018/04/19 15:12:05.459942,  3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [INNOVAUNI2]\[user123]@[]
[2018/04/19 15:12:05.459979,  4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2018/04/19 15:12:05.459996,  4] ../source3/smbd/uid.c:491(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2018/04/19 15:12:05.460011,  4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2018/04/19 15:12:05.460071,  4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/04/19 15:12:05.460087,  3] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'user123' in passdb.
[2018/04/19 15:12:05.460105,  3] ../source3/auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [INNOVAUNI2] was for this SAM.
[2018/04/19 15:12:05.460119,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [user123] -> [user123] FAILED with error NT_STATUS_NO_SUCH_USER
[2018/04/19 15:12:05.460154,  3] ../source3/auth/auth_util.c:1610(do_map_to_guest_server_info)
  No such user user123 [innova.maxx] - using guest account

I hope someone can help me with this information! Thanks in advance!

Kind Regards

Adding “map untrusted to domain = yes” to the smb.conf seems to have helped a bit: it fixed it for me, but did not fix it for other users. It seems like the connection between the domain controller (also UCS) and the member server is sometimes breaking down big time even though the link and physical connection should be stable, as pings don’t get lost. I’m really struggling to troubleshoot stuff that works sometimes and sometimes not, for certain users, and for other certain users with the same permissions not…
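The level-3 auth trace in the first post shows the pattern behind the “Access Denied”: a login for [innova.maxx]\[user123] is mapped onto the member server’s own name, looked up in the local passdb (not via winbind), fails with NT_STATUS_NO_SUCH_USER and is then downgraded to the guest account because of “map to guest = Bad User”. The following script is an added example (not from this thread or from Univention) that parses log lines of that shape and flags exactly this remap-to-local-SAM case, so it can be spotted in a log without reading every trace by hand. The sample log lines are constructed, modelled on the ones quoted above, and the server name is passed in by the caller.

```python
"""Flag smbd auth traces where a domain user was handled by the local SAM.

Added example (not from the thread): parses smbd log-level-3 lines such as
those pasted in the first post and reports logins that were requested for a
domain, mapped onto the server's own name, failed with NT_STATUS_NO_SUCH_USER
and then fell back to the guest account.
"""
import re
from dataclasses import dataclass

# Only the indented message lines carry the data; the "[timestamp, level]"
# header lines are ignored because none of the patterns match them.
CHECK_RE = re.compile(r"Checking password for unmapped user \[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\]")
MAPPED_RE = re.compile(r"mapped user is: \[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\]")
FAILED_RE = re.compile(r"Authentication for user \[(?P<user>[^\]]*)\] -> \[[^\]]*\] FAILED with error (?P<status>NT_STATUS_\w+)")
GUEST_RE = re.compile(r"No such user (?P<user>\S+) \[(?P<dom>[^\]]*)\] - using guest account")


@dataclass
class Attempt:
    requested_domain: str   # domain the client asked for ([innova.maxx])
    user: str
    mapped_domain: str = ""  # domain smbd actually used ([INNOVAUNI2])
    status: str = ""         # NT_STATUS_* on failure, "" otherwise
    guest_fallback: bool = False


def parse_attempts(lines):
    """Group the message lines of a log into one Attempt per password check."""
    attempts, cur = [], None
    for raw in lines:
        line = raw.strip()
        m = CHECK_RE.search(line)
        if m:
            cur = Attempt(m["dom"], m["user"])
            attempts.append(cur)
            continue
        if cur is None:
            continue
        m = MAPPED_RE.search(line)
        if m:
            cur.mapped_domain = m["dom"]
            continue
        m = FAILED_RE.search(line)
        if m:
            cur.status = m["status"]
            continue
        if GUEST_RE.search(line):
            cur.guest_fallback = True
    return attempts


def find_local_sam_remaps(attempts, server_name):
    """Attempts where a *domain* login was answered from the member server's own
    passdb (mapped domain == server name) and failed because the user is not a
    local account. These are the logins 'map untrusted to domain' affects."""
    hits = []
    for a in attempts:
        remapped = (a.mapped_domain.lower() == server_name.lower()
                    and a.requested_domain.lower() != server_name.lower())
        if remapped and a.status == "NT_STATUS_NO_SUCH_USER":
            hits.append(a)
    return hits


# Constructed sample: the failing trace from the post plus one healthy login
# that winbind handled under the domain's NetBIOS name (message wording of the
# success line is illustrative).
SAMPLE_LOG = r"""
  check_ntlm_password:  Checking password for unmapped user [innova.maxx]\[user123]@[] with the new password interface
  check_ntlm_password:  mapped user is: [INNOVAUNI2]\[user123]@[]
  check_sam_security: Couldn't find user 'user123' in passdb.
  check_ntlm_password:  Authentication for user [user123] -> [user123] FAILED with error NT_STATUS_NO_SUCH_USER
  No such user user123 [innova.maxx] - using guest account
  check_ntlm_password:  Checking password for unmapped user [INNOVA]\[jdoe]@[] with the new password interface
  check_ntlm_password:  mapped user is: [INNOVA]\[jdoe]@[]
  check_ntlm_password:  authentication for user [jdoe] -> [jdoe] succeeded
"""

if __name__ == "__main__":
    for a in find_local_sam_remaps(parse_attempts(SAMPLE_LOG.splitlines()), "INNOVAUNI2"):
        print(f"{a.requested_domain}\\{a.user}: mapped to {a.mapped_domain}, "
              f"{a.status}, guest fallback={a.guest_fallback}")
```

Run against a real log, feed it `smbd` output at `log level = 3 auth:3` (or higher) and the member server’s NetBIOS name; every hit is a domain user whose request never reached winbind, which is the condition to investigate on the trust/DNS side rather than on the share ACLs.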

Hey,

it’s possible that due to adding and configuring a separate network card that IP may have been added to your server’s DNS entries. Then when a client resolves the server’s name, which address is returned is random (that’s how DNS with multiple addresses per record works).

Kind regards,
mosu

Hey,

Unrelated to DNS but forgot the smb.conf:

[global]
        bind interfaces only = Yes
        interfaces = lo eth1
        realm = server.com
        server string = %h univention corporate server
        workgroup = server
        domain master = No
        local master = No
        os level = 65
        preferred master = No
        machine password timeout = 0
        ldap admin dn = "cn=INNOVAUNI2,cn=memberserver,cn=computers,dc=innova,dc=maxx"
        ldap idmap suffix = cn=idmap,cn=univention
        ldap suffix = dc=server,dc=com
        logging = file
        max log size = 0
        usershare max shares = 0
        max xmit = 65535
        time server = Yes
        check password script = /usr/share/univention-samba/password_check %u
        map to guest = Bad User
        ntlm auth = Yes
        obey pam restrictions = Yes
        passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
        passwd chat timeout = 60
        security = ADS
        deadtime = 15
        max open files = 32808
        host msdfs = No
        set quota command = /usr/sbin/univention-setquota
        template homedir = /home/%D-%U
        template shell = /bin/bash
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind max clients = 500
        winbind nested groups = No
        winbind separator = +
        spoolss: architecture = Windows x64
        idmap config innova : range = 1000-54999
        idmap config innova : backend = nss
        idmap config * : ldap_user_dn = cn=SERVER2,cn=memberserver,cn=computers,dc=innova,dc=maxx
        idmap config * : ldap_url = ldap://SERVER1.innova.maxx:7389
        idmap config * : range = 55000-64000
        idmap config * : backend = ldap
        store dos attributes = Yes
        kernel oplocks = Yes
        include = /etc/samba/base.conf
        acl allow execute always = Yes
        admin users = administrator join-backup

The DNS server is still the same.


root@SERVER2:~# host SERVER1
SERVER1.server.com has address 10.10.0.30
root@SERVER2:~# host SERVER2
SERVER2.server.com has address 10.10.0.33
root@SERVER2:~#

I get the correct returns on these tests multiple times too; I have not set another DNS server anywhere.

On innovauni1 (which is the DNS server) innovauni2 still only got 1 IP address.

Are there further ways to troubleshoot the DNS settings?

How does UCS behave when just adding another interface (e.g. eth0) without touching the primary network interface below?

resolv.conf:

domain	server.com
nameserver  10.10.0.30
options timeout:2

When trying to lookup the innovauni2 server it seems not to work though, could that be the problem?

CMD:

C:\Users\Max>nslookup SERVER1
Server:  SERVER1.server.com
Address:  10.10.0.30

*** SERVER2 wurde von SERVER1.server.com nicht gefunden: Non-existent domain.

C:\Users\Max>
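mosu’s reply raises the case where the server name resolves to more than one address, and the smb.conf above binds smbd to “lo eth1” only (“bind interfaces only = Yes”), so a client that receives an address smbd is not bound to cannot be served. The script below is an added example, not from this thread or from Univention, that ties the two together: it parses the [global] section of an smb.conf, resolves the server’s name and reports (a) names with several A/AAAA records and (b) returned addresses that fall outside the bound interfaces. The smb.conf excerpt is a constructed subset of the one pasted above, the interface-to-address table and the resolver used in the demo are constructed stand-ins (10.10.1.33 on eth0 is an invented address for the temporarily added adapter), and `resolve_all` uses the system resolver when no stub is supplied.

```python
"""Cross-check DNS answers for a Samba server against smbd's bound interfaces.

Added example (not from the thread): parse smb.conf [global], resolve the
server name, and flag the two conditions discussed in the thread.
"""
import socket


def parse_global(smbconf_text):
    """Return the key/value pairs of the [global] section, keys lower-cased."""
    params, section = {}, None
    for raw in smbconf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params


def smb_bool(value):
    """smb.conf boolean: yes/true/1 are true, everything else false."""
    return value.strip().lower() in ("yes", "true", "1")


def resolve_all(hostname, resolver=None):
    """Sorted unique addresses for hostname; resolver is injectable so the
    check can be run offline with a stub."""
    if resolver is None:
        resolver = lambda h: {ai[4][0] for ai in socket.getaddrinfo(h, None)}
    return sorted(resolver(hostname))


def bound_addresses(params, iface_addrs):
    """Addresses smbd accepts connections on. iface_addrs maps an interface
    name to its addresses (constructed here; read it from the host in use)."""
    if not smb_bool(params.get("bind interfaces only", "no")):
        return {a for addrs in iface_addrs.values() for a in addrs}
    bound = set()
    for token in params.get("interfaces", "").split():
        # 'interfaces' accepts names, bare addresses and addr/mask; this
        # example handles names and addresses (mask stripped).
        if token in iface_addrs:
            bound.update(iface_addrs[token])
        else:
            bound.add(token.split("/")[0])
    return bound


def check_server(hostname, params, iface_addrs, resolver=None):
    """Return a list of findings; an empty list means DNS and bindings agree."""
    findings = []
    answers = resolve_all(hostname, resolver)
    if len(answers) > 1:
        findings.append(f"{hostname} resolves to {len(answers)} addresses {answers}; "
                        "clients will pick one of them at random")
    bound = bound_addresses(params, iface_addrs)
    for addr in answers:
        if addr not in bound:
            findings.append(f"{addr} is returned for {hostname} but smbd is not bound "
                            f"to it (interfaces = {params.get('interfaces')!r})")
    return findings


# Constructed subset of the smb.conf in the thread.
SAMPLE_SMBCONF = """
[global]
        bind interfaces only = Yes
        interfaces = lo eth1
        map to guest = Bad User
        security = ADS
"""
# Constructed interface table: eth0 stands for the adapter added and removed.
SAMPLE_IFACES = {"lo": ["127.0.0.1"], "eth1": ["10.10.0.33"], "eth0": ["10.10.1.33"]}
# Constructed resolver stubs: healthy, and with a stale second record.
HEALTHY = lambda h: {"10.10.0.33"}
STALE = lambda h: {"10.10.0.33", "10.10.1.33"}

if __name__ == "__main__":
    cfg = parse_global(SAMPLE_SMBCONF)
    for f in check_server("server2.server.com", cfg, SAMPLE_IFACES, STALE) or ["ok"]:
        print(f)
```

On a live host, build `iface_addrs` from `ip -o addr` (or `psutil.net_if_addrs()`) and call `check_server` without a resolver stub; querying the DNS server directly (the 10.10.0.30 in resolv.conf) and the client’s own resolver separately shows whether the two disagree, which is the situation the failing nslookup from the Windows client points at.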

So basically I solved it by just reinstalling Univention on that server and remounting the volume. That way was probably much faster than trying around a lot.
