# Access denied in Samba [SOLVED]

## Coa

I can access my Samba shares (list them) in Windows and create files. However, when I try to write, read or execute them I get access denied.

The /var/log/samba/log.HOST file reports no problem:

```
[2005/10/19 01:33:05, 2] smbd/open.c:open_file(245)
  jessica opened file blaj.txt read=Yes write=No (numopen=1)
[2005/10/19 01:33:05, 2] smbd/close.c:close_normal_file(272)
  jessica closed file blaj.txt (numopen=0)
```

When I fire up Ethereal, on the other hand, I see that the SMB message to the windows client from the Samba server reports failure

```
SMB Command: NT Create AndX
NT Status: STATUS_ACCESS_DENIED
```

The particular file is owned by the correct user and belongs to her group. If I SSH into the Samba server with the very same user name, I have no problem accessing the file.

Also, as a consequence I would assume, my logon.bat never runs.

Help would be extremely appreciated, been stuck at this for several hours now..

I'm running Samba 3.0.14-r2 on a 2.6.11-r15 hardened kernel

from my smb.conf:

```
[global]
workgroup = domain
server string = server
netbios name = server
security = user
hosts allow = 192.168.0.0/24 127.
hosts deny = 0.0.0.0/0
interfaces = eth0 lo
bind interfaces only = yes
log file = /var/log/samba/log.%m
max log size = 50
log level = 2
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
passdb backend = tdbsam
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n*ReType*new*UNIX*password* %n\n*passwd:*al$
preferred master = yes
domain master = yes
local master = yes
os level = 65
domain logons = yes
logon path =
logon drive = X:
logon script = logon.bat
add machine script = /usr/sbin/useradd -d /dev/null -g smbmachines -s /bin/false$
preserve case = yes
short preserve case = yes
case sensitive = no
keep alive = 30

[Save]
path = /mnt/Save
read only = no
browseable = yes
create mode = 0777
directory mode = 0777
force group = +users
```

Last edited by Coa on Thu Oct 20, 2005 7:55 pm; edited 1 time in total

----------

## slam_head

First things first you have your smb.conf set to be a Domain Controller but your security is set to user.  How do you want your server set up?  Do you want it to be a Domain Controller, or a stand alone server?  The parts I'm referring to are:

```
security = user
preferred master = yes
domain master = yes
local master = yes
domain logons = yes
```

I suggest you take a look at The Official Samba Howto And Reference Guide and Samba-3 by Example.

----------

## Coa

Thank you for the resources. I want the Samba Server to be a PDC but I don't see, though, how setting security to USER prevents it from assuming the role of a PDC. In fact, I thought it HAD to be set to USER in order to perform the authentication itself (and still be a PDC). From the man:

SECURITY=DOMAIN

"...Samba will try to validate the username/password by passing it to a PDC or BDC"

SECURITY=SERVER

"...Samba will try to validate the username/password by passing it to another SMB server"

SECURITY=ADS

"...Samba will act as a domain member"

----------

## slam_head

Sorry you are absolutely correct.  Security should be set to user.  Now to debug your problem.  I would try using smbclient to access the share.

```
smbclient //server/share -U"DOMAIN\user"
```

This should give you an interface similar to ftp.  If that doesn't work I would try increasing the logging verbosity.  A good way to do that is to add this line to your smb.conf

```
include = /etc/samba/include/%m.smb.conf
```

then create the /etc/samba/include directory.  You now want to create a file in the directory with the same name as the Netbios name of the client trying to connect.  I.E. windows-client.smb.conf.  In that file put the following lines:

```
log level = 5
max log size = 0
```

This will increase the logging for just that client, otherwise the logging can become overwhelming.  After you do that post some of the logs, and we'll see if we can figure out what's going wrong.

----------

## Coa

The smbclient works perfectly. I can log in, create files/directories, list them and remove them. No problem at all.

```
server ~ # smbclient //server/Save -U"DOMAIN\jessica"
added interface ip=192.168.0.2 bcast=192.168.0.255 nmask=255.255.255.0
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.0.14a]
smb: \> ls
  .                                   D        0  Thu Oct 20 00:04:33 2005
  ..                                  D        0  Tue Oct 18 16:25:33 2005
  test.bat                            A       23  Wed Oct 19 00:57:33 2005
  tja.txt                                      7  Wed Oct 19 01:11:40 2005
  blaj.txt                            A        6  Wed Oct 19 01:19:07 2005

                36536 blocks of size 524288. 30374 blocks available
smb: \> mkdir tmp
smb: \> ls
  .                                   D        0  Thu Oct 20 00:05:02 2005
  ..                                  D        0  Tue Oct 18 16:25:33 2005
  test.bat                            A       23  Wed Oct 19 00:57:33 2005
  tmp                                 D        0  Thu Oct 20 00:05:02 2005
  tja.txt                                      7  Wed Oct 19 01:11:40 2005
  blaj.txt                            A        6  Wed Oct 19 01:19:07 2005

                36536 blocks of size 524288. 30374 blocks available
smb: \> rmdir tmp
smb: \> ls
  .                                   D        0  Thu Oct 20 00:05:09 2005
  ..                                  D        0  Tue Oct 18 16:25:33 2005
  test.bat                            A       23  Wed Oct 19 00:57:33 2005
  tja.txt                                      7  Wed Oct 19 01:11:40 2005
  blaj.txt                            A        6  Wed Oct 19 01:19:07 2005

                36536 blocks of size 524288. 30374 blocks available
smb: \> quit
server ~ #
```

I also tried your logging tip, and this is the result (my actions on the windows-client 192.168.0.13 described in CAPS)

LOGIN:

```
[2005/10/20 00:12:47, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/10/20 00:12:47, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/10/20 00:12:47, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.0.13)
[2005/10/20 00:12:47, 2] lib/module.c:do_smb_load_module(66)
  Module '/usr/lib/samba/vfs/vscan-clamav.so' loaded
[2005/10/20 00:12:59, 2] smbd/server.c:exit_server(609)
  Closing connections
[2005/10/20 00:13:09, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.0.13)
[2005/10/20 00:13:09, 2] lib/module.c:do_smb_load_module(66)
  Module '/usr/lib/samba/vfs/vscan-clamav.so' loaded
[2005/10/20 00:13:09, 2] rpc_parse/parse_prs.c:netsec_decode(1594)
  netsec_decode: FAILED: packet sequence number:
[2005/10/20 00:13:09, 2] lib/util.c:dump_data(1995)
  [000] 92 09 EB AA 3A 4F E1 0F                           ....:O..
[2005/10/20 00:13:09, 2] rpc_parse/parse_prs.c:netsec_decode(1596)
  should be:
[2005/10/20 00:13:09, 2] lib/util.c:dump_data(1995)
  [000] 00 00 00 00 80 00 00 00                           ........
[2005/10/20 00:13:09, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.0.13)
[2005/10/20 00:13:09, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [jessica] -> [jessica] -> [jessica] succeeded
[2005/10/20 00:13:10, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2580)
  Returning domain sid for domain DOMAIN -> S-1-5-21-1938012472-4114057500-2894880638
[2005/10/20 00:13:10, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [jessica] -> [jessica] -> [jessica] succeeded
[2005/10/20 00:13:10, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.0.13)
[2005/10/20 00:13:10, 1] smbd/service.c:make_connection_snum(642)
  kotipaj (192.168.0.13) connect to service netlogon initially as user jessica (uid=1003, gid=100) (pid 10360)
[2005/10/20 00:13:11, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.0.13)
[2005/10/20 00:13:11, 1] smbd/service.c:make_connection_snum(642)
  kotipaj (192.168.0.13) connect to service jessica initially as user jessica (uid=1003, gid=100) (pid 10360)
[2005/10/20 00:13:11, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.0.13)
[2005/10/20 00:13:11, 1] smbd/service.c:make_connection_snum(642)
  kotipaj (192.168.0.13) connect to service desktops initially as user jessica (uid=1003, gid=100) (pid 10360)
[2005/10/20 00:13:11, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.0.13)
[2005/10/20 00:13:11, 1] smbd/service.c:make_connection_snum(642)
  kotipaj (192.168.0.13) connect to service jessica initially as user jessica (uid=1003, gid=100) (pid 10360)
[2005/10/20 00:13:11, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.0.13)
```

OPEN EXPLORER AND GOTO '\\server\Save

```
[2005/10/20 00:15:14, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.0.13)
[2005/10/20 00:15:32, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.0.13)
[2005/10/20 00:15:32, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.0.13)
[2005/10/20 00:15:32, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.0.13)
[2005/10/20 00:15:32, 1] smbd/service.c:make_connection_snum(642)
  kotipaj (192.168.0.13) connect to service Save initially as user jessica (uid=1003, gid=100) (pid 10360)
[2005/10/20 00:15:36, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.0.13)
[2005/10/20 00:15:36, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.0.13)
```

TRY TO OPEN FILE 'tja.txt' - FAILURE

```
[2005/10/20 00:16:03, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.0.13)
[2005/10/20 00:16:04, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.0.13)
[2005/10/20 00:16:04, 2] smbd/open.c:open_file(245)
  jessica opened file tja.txt read=Yes write=No (numopen=2)
[2005/10/20 00:16:04, 2] smbd/close.c:close_normal_file(272)
  jessica closed file tja.txt (numopen=1)
[2005/10/20 00:16:04, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.0.13)
[2005/10/20 00:16:04, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.0.13)
```

LOG OUT

```
[2005/10/20 00:17:33, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2580)
  Returning domain sid for domain DOMAIN -> S-1-5-21-1938012472-4114057500-2894880638
[2005/10/20 00:17:36, 1] smbd/service.c:close_cnum(830)
  kotipaj (192.168.0.13) closed connection to service netlogon
[2005/10/20 00:17:36, 1] smbd/service.c:close_cnum(830)
  kotipaj (192.168.0.13) closed connection to service jessica
[2005/10/20 00:17:36, 1] smbd/service.c:close_cnum(830)
  kotipaj (192.168.0.13) closed connection to service jessica
[2005/10/20 00:17:36, 1] smbd/service.c:close_cnum(830)
  kotipaj (192.168.0.13) closed connection to service Save
[2005/10/20 00:17:36, 1] smbd/service.c:close_cnum(830)
  kotipaj (192.168.0.13) closed connection to service desktops
[2005/10/20 00:17:36, 2] smbd/server.c:exit_server(609)
  Closing connections
```

As you can see, there is no sign of failure in the samba log (that I can see anyway)

----------

## Coa

any ideas? anyone?

----------

## Coa

Ah! I found the solution at last...

After at least 20h of debugging I realized that I had accidentally deleted the '#' in front of the line that enabled my un-configured clamav in the smb.conf

It was clamav who was blocking the files - and I didn't even realize that it was enabled... phew

Thanks for your time though, slam_head!

----------

## slam_head

Glad that you're up and running.  It's funny how often things end up being something simple that was overlooked.

----------
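Added example, not part of the original thread: the only trace of the eventual cause in the posted log was the `do_smb_load_module` record for `vscan-clamav.so`, while `open_file` still logged the open. The sketch below parses that two-line smbd record format and lists loaded VFS modules next to the logged opens; the sample lines are excerpted from the log above, and the function names are hypothetical.

```python
import re

# Excerpt of the smbd log posted in the thread (header line + indented message).
SAMPLE_LOG = """\
[2005/10/20 00:13:09, 2] lib/module.c:do_smb_load_module(66)
  Module '/usr/lib/samba/vfs/vscan-clamav.so' loaded
[2005/10/20 00:15:32, 1] smbd/service.c:make_connection_snum(642)
  kotipaj (192.168.0.13) connect to service Save initially as user jessica (uid=1003, gid=100) (pid 10360)
[2005/10/20 00:16:04, 2] smbd/open.c:open_file(245)
  jessica opened file tja.txt read=Yes write=No (numopen=2)
[2005/10/20 00:16:04, 2] smbd/close.c:close_normal_file(272)
  jessica closed file tja.txt (numopen=1)
"""

HEADER = re.compile(r"^\[(\S+ \S+), +(\d+)\] (\S+):(\w+)\((\d+)\)$")
MODULE = re.compile(r"Module '([^']+)' loaded")
OPENED = re.compile(r"(\S+) opened file (.+) read=(Yes|No) write=(Yes|No)")

def parse_records(text):
    """Yield (timestamp, function, message) for each header + message record."""
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        m = HEADER.match(stripped)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(4), ""]
        elif current and stripped:  # blank lines between records are skipped
            current[2] = (current[2] + " " + stripped).strip()
    if current:
        yield tuple(current)

def summarize(text):
    """Collect VFS modules smbd loaded and the file opens it logged."""
    modules, opens = [], []
    for ts, func, msg in parse_records(text):
        if func == "do_smb_load_module":
            m = MODULE.search(msg)
            if m and "/vfs/" in m.group(1) and m.group(1) not in modules:
                modules.append(m.group(1))
        elif func == "open_file":
            m = OPENED.search(msg)
            if m:
                opens.append((ts, m.group(1), m.group(2)))
    return {"vfs_modules": modules, "opens": opens}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A non-empty `vfs_modules` list means every logged open on that connection passed through those modules, so their own configuration and logs are the next place to look when the client reports a denial that smbd does not.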

