File Server Samba AD doesnt allow access to shared folders

alpha_842 · July 19, 2021, 5:36pm

NethServer Version: 7.9.2009
Module: File Server, AD

Hello,

I’m having some problems with File Server on Nethserver.
The server is fully updated, was working without any problem.
Today, we lost access to the shared folders, everything else is working correctly.
Not even admin can login to the shared folders.
The error on neth log is: “…/source3/smbd/uid.c:448(change_to_user_internal)”

Already checked permissions, reset permissions on all folders but it doesn’t fix the issue.
Tryed several solutions proposed on other threads but with no success.
After rebooting nethserver shared folders work for up to 5 minutes but returns to not working after that.
Tryed with every folder and every user, always with the same result.

I’m stuck at this point, any help would be awesome

dnutan · July 19, 2021, 9:22pm

Do the related services keep running when access is not allowed?

systemctl status -l smb nmb winbind
ls -hal /var/lib/nethserver/ibay/

davidep · July 19, 2021, 9:28pm

Let’s check also sssd!

systemctl status sssd

alpha_842 · July 20, 2021, 8:42pm

sssd status all nominal altough there is a warning "Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing.

alpha_842 · July 20, 2021, 8:45pm

I do get an error

winbind.service - Samba Winbind Daemon
Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2021-07-20 21:38:01 WEST; 12s ago
Docs: man:winbindd(8)
man:samba(7)
man:smb.conf(5)
Main PID: 1217 (winbindd)
Status: “winbindd: ready to serve connections…”
CGroup: /system.slice/winbind.service
├─1217 /usr/sbin/winbindd --foreground --no-process-group
└─1219 /usr/sbin/winbindd --foreground --no-process-group

Jul 20 21:38:01 server.domain.com systemd[1]: Starting Samba Winbind Daemon…
Jul 20 21:38:01 server.domain.com winbindd[1217]: [2021/07/20 21:38:01.464516, 0] …/…/source3/winbindd/winbindd_cache.c:3166(initialize_winbindd_cache)
Jul 20 21:38:01 server.domain.com winbindd[1217]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
Jul 20 21:38:01 server.domain.com winbindd[1217]: [2021/07/20 21:38:01.493430, 0] …/…/lib/util/become_daemon.c:136(daemon_ready)
Jul 20 21:38:01 server.domain.com winbindd[1217]: daemon_ready: daemon ‘winbindd’ finished starting up and ready to serve connections
Jul 20 21:38:01 server.domain.com systemd[1]: Started Samba Winbind Daemon.

dnutan · July 20, 2021, 9:10pm

I don’t see it.

alpha_842 · July 20, 2021, 9:15pm

Sorry you’re right,

At this point any red lettering i identify as an error

its really weird behavior, keep getting this on the logs but can’t really understand why is happening

[2021/07/20 22:07:36.490699, 0] …/…/source3/smbd/uid.c:448(change_to_user_internal)
PRIORITY 3
SYSLOG_FACILITY 3
SYSLOG_IDENTIFIER smbd
SYSLOG_PID 7425
_BOOT_ID 51707200932846adb24293cea4cdc9e7
_CAP_EFFECTIVE 0
_CMDLINE /usr/sbin/smbd --foreground --no-process-group
_COMM smbd
_EXE /usr/sbin/smbd
_GID 0
_HOSTNAME server.domain.com
_MACHINE_ID dfdd62ba98f74fd7b8881d7820af0fc7
_PID 7425
_SOURCE_REALTIME_TIMESTAMP 1626815256490794
_SYSTEMD_CGROUP /user.slice/user-1526201112.slice/session-c1231.scope
_SYSTEMD_OWNER_UID 1526201112
_SYSTEMD_SESSION c1231
_SYSTEMD_SLICE user-1526201112.slice
_SYSTEMD_UNIT session-c1231.scope
_TRANSPORT syslog
_UID 1526201112
__CURSOR s=b06ad3e2655d421b8eddd485d75edc11;i=399d9;b=51707200932846adb24293cea4cdc9e7;m=189c8ded79;t=5c794717a7540;x=ae6870845580e542
__MONOTONIC_TIMESTAMP 105705762169
__REALTIME_TIMESTAMP 1626815256491328

mrmarkuz · July 20, 2021, 9:31pm

Please also check the status of the NethServer DC:

systemctl status nsdc -l

alpha_842 · July 20, 2021, 9:40pm

Everything looks fine

[root@server ~]# systemctl status nsdc -l
● nsdc.service - NethServer Domain Controller container
Loaded: loaded (/usr/lib/systemd/system/nsdc.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2021-07-20 21:51:17 WEST; 45min ago
Docs: man:systemd-nspawn(1)
Main PID: 6429 (systemd-nspawn)
Status: “Container running.”
CGroup: /machine.slice/nsdc.service
├─6429 /usr/bin/systemd-nspawn --quiet --keep-unit --boot --network-b ridge=br0 --machine=nsdc --capability=CAP_SYS_TIME
├─6478 /usr/lib/systemd/systemd
└─system.slice
├─samba.service
│ ├─ 6582 /usr/sbin/samba -i --debug-stderr
│ ├─ 6695 /usr/sbin/samba -i --debug-stderr
│ ├─ 6697 /usr/sbin/samba -i --debug-stderr
│ ├─ 6698 /usr/sbin/samba -i --debug-stderr
│ ├─ 6699 /usr/sbin/samba -i --debug-stderr
│ ├─ 6700 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─ 6702 /usr/sbin/samba -i --debug-stderr
│ ├─ 6703 /usr/sbin/samba -i --debug-stderr
│ ├─ 6704 /usr/sbin/samba -i --debug-stderr
│ ├─ 6706 /usr/sbin/samba -i --debug-stderr
│ ├─ 6707 /usr/sbin/samba -i --debug-stderr
│ ├─ 6709 /usr/sbin/samba -i --debug-stderr
│ ├─ 6710 /usr/sbin/samba -i --debug-stderr
│ ├─ 6711 /usr/sbin/samba -i --debug-stderr
│ ├─ 6714 /usr/sbin/samba -i --debug-stderr
│ ├─ 6715 /usr/sbin/winbindd -D --option=server role check:inhibit= yes --foreground
│ ├─ 6716 /usr/sbin/samba -i --debug-stderr
│ ├─ 6718 /usr/sbin/samba -i --debug-stderr
│ ├─ 6768 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─ 6769 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─ 6771 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─ 7700 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─ 7713 /usr/sbin/samba -i --debug-stderr
│ ├─21282 /usr/sbin/samba -i --debug-stderr
│ └─21287 /usr/sbin/samba -i --debug-stderr
├─console-getty.service
│ └─6570 /sbin/agetty --noclear --keep-baud console 115200,38400,96 00 vt220
├─dbus.service
│ └─6548 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
├─ntpd.service
│ └─6552 /usr/sbin/ntpd -u ntp:ntp -g
├─systemd-logind.service
│ └─6545 /usr/lib/systemd/systemd-logind
└─systemd-journald.service
└─6494 /usr/lib/systemd/systemd-journald

Jul 20 21:51:17 server.domain.com systemd-nspawn[6429]: [ OK ] Started Cleanup of Temporary Directories.
Jul 20 21:51:17 server.domain.com systemd-nspawn[6429]: [ OK ] Started Login Servi ce.
Jul 20 21:51:17 server.domain.com systemd-nspawn[6429]: [ OK ] Reached target Netw ork.
Jul 20 21:51:17 server.domain.com systemd-nspawn[6429]: [ OK ] Started Samba domai n controller daemon.
Jul 20 21:51:17 server.domain.com systemd-nspawn[6429]: [ OK ] Reached target Mult i-User System.
Jul 20 21:51:17 server.domain.com systemd-nspawn[6429]: [ OK ] Reached target Grap hical Interface.
Jul 20 21:51:17 server.domain.com systemd-nspawn[6429]: Starting Update UTMP about S ystem Runlevel Changes…
Jul 20 21:51:17 server.domain.com systemd-nspawn[6429]: [ OK ] Started Update UTMP about System Runlevel Changes.
Jul 20 21:51:18 server.domain.com systemd-nspawn[6429]: CentOS Linux 7 (Core)
Jul 20 21:51:18 server.domain.com systemd-nspawn[6429]: Kernel 3.10.0-1160.31.1.el7. x86_64 on an x86_64

mrmarkuz · July 20, 2021, 9:53pm

Let’s compare permissions:

[root@server2 ~]# ls -hal /var/lib/nethserver/ibay/
total 8.0K
drwxrwxr-x   4 root root                             34 Mar 30 18:47 .
drwxr-xr-x. 26 root root                           4.0K Sep 10  2020 ..
drwxrws---+  7 root domain admins@domain.com       4.0K Jan 22 02:01 test22

alpha_842 · July 20, 2021, 9:58pm

Also look ok

total 200K
drwxrwxr-x  27 root root                 4.0K Jul 19 17:08 .
drwxr-xr-x. 18 root root                 4.0K Dec 15  2020 ..
drwxrws---+ 13 root domain admins@lcr.pt 4.0K Jun 24 12:24 Arquivo PHC
drwxrwsr-x+  2 root domain admins@lcr.pt   10 Nov 30  2017 backups
drwxrws---+  9 root tecnica@lcr.pt        191 Feb 27 14:49 BACKUPS PCS
drwxrws---+  3 root domain users@lcr.pt    47 Oct 29  2019 COBLEX ARQUIVO
drwxrws---+  3 root domain users@lcr.pt   135 Jul 20 15:12 COBLEX ENCOMENDAS CLI                                                                 ENTES
drwxrws---+ 11 root domain users@lcr.pt  4.0K Nov 20  2020 COBLEX GERAL
drwxrws---+  4 root domain users@lcr.pt  4.0K Apr  8 10:19 COBLEX LOGÍSTICA
drwxrwsr-x+  5 root tecnica@lcr.pt         76 Jan 22 17:40 Documentos
drwxrwsr-x+  3 root domain admins@lcr.pt   29 Nov 15  2017 emails
drwxrws---+  7 root domain users@lcr.pt  4.0K Apr 22 10:56 GERENCIA
drwxrwsr-x+  6 root domain users@lcr.pt  4.0K Jul 16 15:48 IDI
drwxrwsr-x+  6 root domain users@lcr.pt  4.0K Jul 17 16:05 LABORATORIO COBLEX
drwxrwsr-x+ 16 root domain users@lcr.pt  4.0K Jul 14 10:50 LCR ETIQUETAS
drwxrwsr-x+  9 root domain users@lcr.pt  4.0K Jul  6 14:25 LCR GERAL
drwxrwsr-x+  2 root tecnica@lcr.pt       4.0K Jun 28 17:33 LOGISTICA
drwxrwsrwx   8 root domain users@lcr.pt  4.0K Apr 28 17:51 LOGOTIPOS
drwxrwsr-x+  2 root domain users@lcr.pt   40K Aug 19  2017 ORDENS FABRICO PVC CO                                                                 BLEX
drwxrws---+  4 root domain users@lcr.pt    89 Jul 14 09:58 Produção TR
drwxrwsr-x+  4 root coblex_users@lcr.pt  4.0K Jul  7 16:30 SCANNER COBLEX
drwxrwsr-x+  2 root lcr_users@lcr.pt     4.0K Jul 19 12:32 SCANNER LCR
drwxrwsr-x+  9 root domain users@lcr.pt  4.0K Jun 21 17:55 SISTEMA GESTAO QUALID                                                                 ADE
drwxrwsr-x   6 root coblex_users@lcr.pt   110 Mar 16  2020 SUSANA
drwxrwsr-x+ 46 root domain users@lcr.pt  8.0K Jul 13 16:35 TC_JP
drwxrwsr-x+ 34 root domain users@lcr.pt  4.0K Oct 20  2020 VEDANTES
drwxrwsr-x+  2 root domain users@lcr.pt   20K Jul 13 11:33 VEDANTES 2

mrmarkuz · July 20, 2021, 10:07pm

Is it possible to connect locally with smbclient?

smbclient //localhost/backups -U admin -c ls

alpha_842 · July 20, 2021, 10:12pm

locally i can connect without problem,

I will try to use another linux machine on the network to see if its only windows related

smbclient //localhost/backups -U admin -c ls
Enter DOMAIN\admin’s password:
. D 0 Thu Nov 30 11:35:19 2017
… D 0 Tue Jul 20 23:01:10 2021

            2162434304 blocks of size 1024. 1754221816 blocks available

mrmarkuz · July 20, 2021, 10:29pm

Remote you may need to add the domain:

smbclient //<YOUR_NETH_IP>/backups -U admin@lcr.pt -c ls

alpha_842 · July 20, 2021, 10:57pm

As i expected, even with a ubuntu live vm, everything works as expected.
Tried to force a windows machine to use samba v1.5, i can list the folders but still no joy on accessing the files.

how can i check the version that nethserver-samba protocol is using?

mrmarkuz · July 20, 2021, 11:10pm

You can check protocols with

testparm -v -s | grep proto

Do you use Windows 10 machines with latest updates?

Andy_Wismer · July 20, 2021, 11:14pm

@alpha_842

Hi

NethServer Samba works out of the box with the latest Win10 (and older versions.) Win7 also has no issues accessing NethServer / AD shares.

With AD issues in the past, I’ve had good success with removing the complete Account Provider configuration, then running a config backup to restore AD back to a working state…

Make sure you have a working backup AND a config backup first!

My 2 cents
Andy