Linux samba access denied

My debug notes

Troubleshooting NT_STATUS_ACCESS_DENIED from Samba on Manjaro Linux

A few months ago, I switched my main desktop to Manjaro, and I’m glad about it. Manjaro Linux is a polished and well-designed Linux distribution. As I like simplicity and a minimalistic approach, I chose the XFCE Desktop edition. Switching to Linux did not make me abandon the Windows platform completely. I spend lots of my work and hobby time on this OS. But I run it in QEMU-KVM VMs, configured through the Virtual Manager. As I experiment with various system settings, I have a base VM image and clone it when necessary for new projects/research. Thanks to this configuration, I finally stopped breaking my main system 🙂 One thing I needed to figure out was a way to share files between my Linux host and Windows VMs. I picked Samba as I wanted something which would look native in Windows. And here my troubleshooting story begins 🙂 I could summarize it in one sentence: “always check the system journald log,” but if you’re interested in a more extended and convoluted approach, please read on 🙂

When Samba returns NT_STATUS_ACCESS_DENIED

My smb.conf file looks as follows:

[global] browse list = yes config backend = file debug pid = yes debug timestamp = yes debug uid = yes dns proxy = no follow symlinks = no guest account = nobody load printers = no log file = /var/log/samba/%m.log log level = 2 logging = systemd file map to guest = Bad User max log size = 1000 name resolve order = lmhosts bcast host wins passdb backend = tdbsam security = user server role = standalone server usershare path = /var/lib/samba/usershare usershare allow guests = yes usershare max shares = 100 usershare owner only = yes workgroup = WORKGROUP [homes] browseable = no comment = Home Directories create mask = 0660 directory mask = 0770 guest ok = no read only = no valid users = %S [winshare] browseable = yes comment = Share directory guest ok = no path = /mnt/data/winshare read only = no force group = +winshare valid users = me,ssolnica [symbols] browseable = yes comment = Symbols guest ok = no path = /mnt/data/symbols read only = no valid users = me

I created the Windows user ( smbpasswd -a me ) and enabled smb and nmb services ( systemctl enable nmb && systemctl enable smb ). I configured Samba in Server Standalone mode as I did not need any of the AD features (by the way, it’s incredible that you may set up the whole AD in Linux!). When I tried my shares in Windows, the \\mypc.local\me share was working fine, but \\mypc.local\winshare was returning NT_STATUS_ACCESS_DENIED . I stopped the Samba service and ran it manually with debug level set to 3 (alternatively, you could specify debug level in the smb.conf file):

# systemctl stop smb # smbd --no-process-group --foreground -d 3 --debug-stdout

Then, I tried the share in smbclient:

$ smbclient -U me //mypc/winshare Password for [WORKGROUP\me]: Try "help" to get a list of possible commands. smb: \> ls NT_STATUS_ACCESS_DENIED listing \*

The error reported by Samba pointed to the file system. So I restarted the service and attached strace to it. You need to make sure to trace the child processes (-f/-ff) as the primary Samba server launches a child server for each client session:

strace -p 4350 -ff -o smbd.strace

Here is some interesting content from the output file:

. readlink("/mnt/data/winshare", 0x7ffe77011d00, 1023) = -1 EINVAL (Invalid argument) setgroups(12, [956, 1000, 998, 991, 3, 90, 98, 1001, 962, 961, 150, 1002]) = 0 setresgid(-1, 1000, -1) = 0 getegid() = 1000 setresuid(1000, 1000, -1) = 0 geteuid() = 1000 chdir("/mnt/data/winshare") = 0 newfstatat(AT_FDCWD, ".", , 0) = 0 getcwd("/mnt/data/winshare", 4096) = 19 getcwd("/mnt/data/winshare", 1024) = 19 openat(AT_FDCWD, ".", O_RDONLY|O_NOFOLLOW|O_PATH) = 12 newfstatat(12, "", , AT_EMPTY_PATH) = 0 openat(12, ".", O_RDONLY|O_NOFOLLOW|O_PATH) = 26 newfstatat(26, "", , AT_EMPTY_PATH) = 0 newfstatat(25, "", , AT_EMPTY_PATH) = 0 munmap(0x7f4b82f0c000, 696) = 0 mmap(NULL, 36864, PROT_READ|PROT_WRITE, MAP_SHARED, 25, 0x2000) = 0x7f4b82e63000 openat(AT_FDCWD, "/proc/self/fd/26", O_RDONLY|O_DIRECTORY) = -1 EACCES (Permission denied) close(26) = 0 . 

We can see that the Samba process switches the effective user and group to the authenticated user (me) and then performs actions on the file system. We can see in the trace that the openat syscall fails with the EACCESS error. I double-checked all file system permissions and made me the owner of the winshare folder. Still, the EACCESS error persisted. I was so confused that I even wrote a simple app to reproduce the syscalls above:

#include #include #include #include #include #include #include int main(int argc, char* argv[]) < std::cout groups ; if (::setgroups(groups.size(), groups.data()) != 0) < std::cout if (int err = ::setresgid(-1, 1000, -1); err != 0) < std::cout if (int err = ::setresuid(1000, 1000, -1); err != 0) < std::cout std::cout << "euid: " << ::geteuid() << std::endl; std::cout << "egid: " << ::getegid() << std::endl; if (int err = ::chdir("/mnt/data/winshare"); err != 0) < std::cout std::array cwd<>; if (::getcwd(cwd.data(), cwd.size()) == nullptr) < std::cout std::cout ; ss > proc_path; ::close(proc_fd); > else < std::cout ::close(fd); return 0; > else < std::cout >

As you may guess, there was no error when I ran it. I scratched my head, looking online for similar issues, but could find nothing. As I had a lot of pending work, I started using the \\mypc.local\me share. Samba worked fine except for two issues: it was impossible to list the browseable shares from the Windows machines, and, secondly, the initial I/O requests over Samba were often very slow. Still, the initial problem was bugging me the most.

After a few weeks, I finally found some time to give it a second try.

Filesystem security checks are not the only ones

I again struggled with Samba config (I read the whole smb.conf man page! :)), but ended with strace. As I had my sample application working, I started comparing the process properties in the proc file system. And there, I discovered the attr folder, which stores various security-related attributes. The /proc//attr/current file for my sample process contained unconfined while for the smbd process, its content was smbd (enforce) . After searching through manual pages and Arch Linux wiki, I found that those settings come from the AppArmor module. The aa-status command only confirmed that:

# aa-status apparmor module is loaded. 80 profiles are loaded. 77 profiles are in enforce mode. . samba-dcerpcd samba-rpcd samba-rpcd-classic samba-rpcd-spoolss smbd . 9 processes are in enforce mode. /usr/bin/avahi-daemon (1479) avahi-daemon /usr/bin/avahi-daemon (1489) avahi-daemon /usr/bin/dnsmasq (1698) dnsmasq /usr/bin/dnsmasq (1699) dnsmasq /usr/bin/nmbd (1778) nmbd /usr/bin/smbd (1785) smbd /usr/bin/smbd (1787) smbd /usr/bin/smbd (1788) smbd /usr/bin/smbd (5225) smbd . 

Now, I needed to locate the problematic AppArmor profiles. But how to find their names? Obviously, in the system journal! I should have checked it in the very beginning. I was studying the smb unit logs while all the details were at my fingertips:

# journalctl -fx . lis 06 12:19:14 mypc audit[5535]: AVC apparmor="DENIED" operation="open" profile="smbd" name="/mnt/data/winshare/" pid=5535 comm="smbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 . 

The smbd profile, defined in /etc/apparmor.d/usr.sbin.smbd , denies access to my target folder. Let’s have a look at it (I left only the essential parts):

abi , include profile smbd /usr//smbd < . /etc/mtab r, /etc/netgroup r, /etc/printcap r, /etc/samba/* rwk, @/@/mounts r, @/sys/kernel/core_pattern r, /usr/lib*/samba/vfs/*.so mr, /usr/lib*/samba/auth/*.so mr, /usr/lib*/samba/charset/*.so mr, /usr/lib*/samba/gensec/*.so mr, /usr/lib*/samba/pdb/*.so mr, /usr/lib*/samba/samba-bgqd Px -> samba-bgqd, /usr/lib*/samba/samba-dcerpcd Px -> samba-dcerpcd, /usr/lib*/samba/.dat r, /usr/lib/@/samba/*.so mr, /usr/lib/@/samba/**/ r, /usr/lib/@/samba/**/*.so mr, /usr/share/samba/** r, /usr//smbd mr, /usr//smbldap-useradd Px, /var/cache/samba/** rwk, /var//samba/printing/printers.tdb mrw, /var/lib/samba/** rwk, /var/lib/sss/pubconf/kdcinfo.* r, @/dbus/system_bus_socket rw, @/smbd.pid rwk, @/samba/** rk, @/samba/ncalrpc/ rw, @/samba/ncalrpc/** rw, @/samba/smbd.pid rw, /var/spool/samba/** rw, @/** lrwk, /var/lib/samba/usershares/ <,**>lrwk, # Permissions for all configured shares (file autogenerated by # update-apparmor-samba-profile on service startup on Debian and openSUSE) include if exists include if exists # Site-specific additions and overrides. See local/README for details. include if exists 

Now, all is clear. AppArmor adds MAC (Mandatory Access Control) to the Samba process and interferes with the file system access checks. My share path ( /mnt/data/winshare ) was not in the AppArmor profile; thus, access was denied. I believe that Debian and openSUSE users might not experience this problem thanks to the update-apparmor-samba-profile script, but I haven’t had a chance to check it. Anyway, the solution for me was to create /etc/apparmor.d/local/usr.sbin.smbd-shares with the missing access rights (I will have more shares from the data drive, so I just gave access to /mnt/data ).

While testing my shares with the system journal monitored, I discovered some more rules missing in the default AppArmor profiles. And I found that I wasn’t the only one with this problem. Inglebard reported a very similar issue and provided updates to the rules that worked for him. I added a comment with my findings. Finally, below are the updates that fixed all my problems with Samba.

$ cat /etc/apparmor.d/local/usr.sbin.smbd-shares /mnt/data/** lrwk,
$ cat /etc/apparmor.d/local/samba-dcerpcd # Site-specific additions and overrides for 'samba-dcerpcd' @/samba-dcerpcd.pid lrwk, /var/cache/samba/** rwk, @/** lrwk, /var/lib/samba/usershares/ <,**>lrwk, include if exists include if exists
$ cat /etc/apparmor.d/local/samba-rpcd # Site-specific additions and overrides for 'samba-rpcd' /var/cache/samba/** rwk, @/** lrwk, /var/lib/samba/usershares/ <,**>lrwk, include if exists include if exists
$ cat /etc/apparmor.d/local/samba-rpcd-classic # Site-specific additions and overrides for 'samba-rpcd-classic' /var/cache/samba/** rwk, /dev/urandom rwk, @/** lrwk, /var/lib/samba/usershares/ <,**>lrwk, include if exists include if exists

Источник

Troubleshooting Access Denied on SAMBA

I’m new to SAMBA, but have set up a SAMBA server on an Ubuntu 20.04 desktop, but consistently get Access Denied, when trying to map any SAMBA share from my Windows 11 laptop. How do I troubleshoot the problem? Here’s what I believe to be the relevant parts of smb.conf:

[global] server role = standalone server obey pam restrictions = yes security = user encrypt passwords = true map to guest = bad user guest account = nobody [media] path=/data/media valid users = @media guest ok = no writable = yes browsable = yes [public] path=/data/public valid users = @smbgroup guest ok = no writable = yes browsable = yes [documents] path=/data/documents valid users = @simon guest ok = no writable = yes browsable = yes [downloads] path=/data/downloads valid users = @media guest ok = no writable = yes browsable = yes 
root@KTchia01:/data# ls -l total 100375 drwxrwx--- 8 simon simon 27 Jun 8 2021 documents drwxrwx--- 2 simon simon 6 Jun 8 2021 downloads drwxrwxr-x 16 simon media 17 Jun 10 2021 media -rw-r--r-- 1 chia chia 102672297 Jun 8 2021 oldhome.tgz drwxrwxrwx 2 simon smbgroup 2 Feb 5 21:20 public 

I connect as the user simon from the Windows 11 laptop KTLAPTOP02, and simon is both an ordinary user on the linux box and has set a SMB password. Group memberships for simon:

root@KTchia01:~# grep simon /etc/group adm:x:4:syslog,simon,chia cdrom:x:24:simon sudo:x:27:simon,chia dip:x:30:simon plugdev:x:46:simon lpadmin:x:120:simon lxd:x:131:simon simon:x:1000: sambashare:x:132:simon smbgroup:x:1001:simon plex:x:998:simon,plex media:x:1002:simon,plex chia:x:1003:simon 
root@KTchia01:/var/log/samba# tail -f log.ktlaptop02 [2022/02/05 21:41:36.200402, 2] ../../source3/param/loadparm.c:2864(lp_do_section) Processing section "[public]" [2022/02/05 21:41:36.200454, 2] ../../source3/param/loadparm.c:2864(lp_do_section) Processing section "[documents]" [2022/02/05 21:41:36.200509, 2] ../../source3/param/loadparm.c:2864(lp_do_section) Processing section "[downloads]" [2022/02/05 21:41:36.212158, 1] ../../source3/smbd/service.c:362(create_connection_session_info) create_connection_session_info: user 'simon' (from session setup) not permitted to access this share (IPC$) [2022/02/05 21:41:36.212187, 1] ../../source3/smbd/service.c:543(make_connection_snum) create_connection_session_info failed: NT_STATUS_ACCESS_DENIED 

Can anyone point me in the right direction of how to further troubleshoot, why I get Access Denied, regardless of which share I try to access?

Источник

Читайте также:  Linux mounting loop device
Оцените статью
Adblock
detector