Coa n00b
Joined: 17 Apr 2005 Posts: 27
Posted: Tue Oct 18, 2005 11:53 pm Post subject: Access denied in Samba [SOLVED]
I can access my Samba shares (list them) in Windows and create files. However, when I try to write, read or execute them I get access denied.
The /var/log/samba/log.HOST file reports no problem:
[2005/10/19 01:33:05, 2] smbd/open.c:open_file(245)
jessica opened file blaj.txt read=Yes write=No (numopen=1)
[2005/10/19 01:33:05, 2] smbd/close.c:close_normal_file(272)
jessica closed file blaj.txt (numopen=0)
When I fire up Ethereal, on the other hand, I see that the SMB message to the Windows client from the Samba server reports failure:
SMB Command: NT Create AndX
NT Status: STATUS_ACCESS_DENIED
The particular file is owned by the correct user and belongs to her group. If I SSH into the Samba server with the very same user name, I have no problem accessing the file.
Also, as a consequence I would assume, my logon.bat never runs.
Help would be extremely appreciated, been stuck at this for several hours now..
I'm running Samba 3.0.14-r2 on a 2.6.11-r15 hardened kernel
from my smb.conf:
[global]
workgroup = domain
server string = server
netbios name = server
security = user
hosts allow = 192.168.0.0/24 127.
hosts deny = 0.0.0.0/0
interfaces = eth0 lo
bind interfaces only = yes
log file = /var/log/samba/log.%m
max log size = 50
log level = 2
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
passdb backend = tdbsam
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n*ReType*new*UNIX*password* %n\n*passwd:*al$
preferred master = yes
domain master = yes
local master = yes
os level = 65
domain logons = yes
logon path =
logon drive = X:
logon script = logon.bat
add machine script = /usr/sbin/useradd -d /dev/null -g smbmachines -s /bin/false$
preserve case = yes
short preserve case = yes
case sensitive = no
keep alive = 30
[Save]
path = /mnt/Save
read only = no
browseable = yes
create mode = 0777
directory mode = 0777
force group = +users
Last edited by Coa on Thu Oct 20, 2005 7:55 pm; edited 1 time in total

slam_head Guru
Joined: 06 Jan 2003 Posts: 449 Location: New York City
Posted: Wed Oct 19, 2005 2:57 am Post subject:
First things first, you have your smb.conf set to be a Domain Controller but your security is set to user. How do you want your server set up? Do you want it to be a Domain Controller, or a standalone server? The parts I'm referring to are:
Code: |
security = user
preferred master = yes
domain master = yes
local master = yes
domain logons = yes
|
I suggest you take a look at The Official Samba Howto And Reference Guide and Samba-3 by Example.

Coa n00b
Joined: 17 Apr 2005 Posts: 27
Posted: Wed Oct 19, 2005 7:52 am Post subject:
Thank you for the resources. I want the Samba Server to be a PDC but I don't see, though, how setting security to USER prevents it from assuming the role of a PDC. In fact, I thought it HAD to be set to USER in order to perform the authentication itself (and still be a PDC). From the man:
SECURITY=DOMAIN
"...Samba will try to validate the username/password by passing it to a PDC or BDC"
SECURITY=SERVER
"...Samba will try to validate the username/password by passing it to another SMB server"
SECURITY=ADS
"...Samba will act as a domain member" |

slam_head Guru
Joined: 06 Jan 2003 Posts: 449 Location: New York City
Posted: Wed Oct 19, 2005 8:52 pm Post subject:
Sorry, you are absolutely correct. Security should be set to user. Now to debug your problem. I would try using smbclient to access the share.
Code: | smbclient //server/share -U"DOMAIN\user" |
This should give you an interface similar to ftp. If that doesn't work, I would try increasing the logging verbosity. A good way to do that is to add this line to your smb.conf:
Code: | include /etc/samba/include/%m.smb.conf |
Then create the /etc/samba/include directory. You now want to create a file in the directory with the same name as the NetBIOS name of the client trying to connect, i.e. windows-client.smb.conf. In that file put the following lines:
Code: | log level =5
max log size = 0
|
This will increase the logging for just that client, otherwise the logging can become overwhelming. After you do that, post some of the logs, and we'll see if we can figure out what's going wrong.

Coa n00b
Joined: 17 Apr 2005 Posts: 27
Posted: Wed Oct 19, 2005 10:27 pm Post subject:
The smbclient works perfectly. I can log in, create files/directories, list them and remove them. No problem at all.
server ~ # smbclient //server/Save -U"DOMAIN\jessica"
added interface ip=192.168.0.2 bcast=192.168.0.255 nmask=255.255.255.0
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.0.14a]
smb: \> ls
. D 0 Thu Oct 20 00:04:33 2005
.. D 0 Tue Oct 18 16:25:33 2005
test.bat A 23 Wed Oct 19 00:57:33 2005
tja.txt 7 Wed Oct 19 01:11:40 2005
blaj.txt A 6 Wed Oct 19 01:19:07 2005
36536 blocks of size 524288. 30374 blocks available
smb: \> mkdir tmp
smb: \> ls
. D 0 Thu Oct 20 00:05:02 2005
.. D 0 Tue Oct 18 16:25:33 2005
test.bat A 23 Wed Oct 19 00:57:33 2005
tmp D 0 Thu Oct 20 00:05:02 2005
tja.txt 7 Wed Oct 19 01:11:40 2005
blaj.txt A 6 Wed Oct 19 01:19:07 2005
36536 blocks of size 524288. 30374 blocks available
smb: \> rmdir tmp
smb: \> ls
. D 0 Thu Oct 20 00:05:09 2005
.. D 0 Tue Oct 18 16:25:33 2005
test.bat A 23 Wed Oct 19 00:57:33 2005
tja.txt 7 Wed Oct 19 01:11:40 2005
blaj.txt A 6 Wed Oct 19 01:19:07 2005
36536 blocks of size 524288. 30374 blocks available
smb: \> quit
server ~ #
I also tried your logging tip, and this is the result (my actions on the Windows client 192.168.0.13 described in CAPS):
LOGIN:
[2005/10/20 00:12:47, 2] smbd/sesssetup.c:setup_new_vc_session(608)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/10/20 00:12:47, 2] smbd/sesssetup.c:setup_new_vc_session(608)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/10/20 00:12:47, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.0.13)
[2005/10/20 00:12:47, 2] lib/module.c:do_smb_load_module(66)
Module '/usr/lib/samba/vfs/vscan-clamav.so' loaded
[2005/10/20 00:12:59, 2] smbd/server.c:exit_server(609)
Closing connections
[2005/10/20 00:13:09, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.0.13)
[2005/10/20 00:13:09, 2] lib/module.c:do_smb_load_module(66)
Module '/usr/lib/samba/vfs/vscan-clamav.so' loaded
[2005/10/20 00:13:09, 2] rpc_parse/parse_prs.c:netsec_decode(1594)
netsec_decode: FAILED: packet sequence number:
[2005/10/20 00:13:09, 2] lib/util.c:dump_data(1995)
[000] 92 09 EB AA 3A 4F E1 0F ....:O..
[2005/10/20 00:13:09, 2] rpc_parse/parse_prs.c:netsec_decode(1596)
should be:
[2005/10/20 00:13:09, 2] lib/util.c:dump_data(1995)
[000] 00 00 00 00 80 00 00 00 ........
[2005/10/20 00:13:09, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.0.13)
[2005/10/20 00:13:09, 2] auth/auth.c:check_ntlm_password(305)
check_ntlm_password: authentication for user [jessica] -> [jessica] -> [jessica] succeeded
[2005/10/20 00:13:10, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2580)
Returning domain sid for domain DOMAIN -> S-1-5-21-1938012472-4114057500-2894880638
[2005/10/20 00:13:10, 2] auth/auth.c:check_ntlm_password(305)
check_ntlm_password: authentication for user [jessica] -> [jessica] -> [jessica] succeeded
[2005/10/20 00:13:10, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.0.13)
[2005/10/20 00:13:10, 1] smbd/service.c:make_connection_snum(642)
kotipaj (192.168.0.13) connect to service netlogon initially as user jessica (uid=1003, gid=100) (pid 10360)
[2005/10/20 00:13:11, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.0.13)
[2005/10/20 00:13:11, 1] smbd/service.c:make_connection_snum(642)
kotipaj (192.168.0.13) connect to service jessica initially as user jessica (uid=1003, gid=100) (pid 10360)
[2005/10/20 00:13:11, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.0.13)
[2005/10/20 00:13:11, 1] smbd/service.c:make_connection_snum(642)
kotipaj (192.168.0.13) connect to service desktops initially as user jessica (uid=1003, gid=100) (pid 10360)
[2005/10/20 00:13:11, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.0.13)
[2005/10/20 00:13:11, 1] smbd/service.c:make_connection_snum(642)
kotipaj (192.168.0.13) connect to service jessica initially as user jessica (uid=1003, gid=100) (pid 10360)
[2005/10/20 00:13:11, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.0.13)
OPEN EXPLORER AND GOTO '\\server\Save'
[2005/10/20 00:15:14, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.0.13)
[2005/10/20 00:15:32, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.0.13)
[2005/10/20 00:15:32, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.0.13)
[2005/10/20 00:15:32, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.0.13)
[2005/10/20 00:15:32, 1] smbd/service.c:make_connection_snum(642)
kotipaj (192.168.0.13) connect to service Save initially as user jessica (uid=1003, gid=100) (pid 10360)
[2005/10/20 00:15:36, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.0.13)
[2005/10/20 00:15:36, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.0.13)
TRY TO OPEN FILE 'tja.txt' - FAILURE
[2005/10/20 00:16:03, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.0.13)
[2005/10/20 00:16:04, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.0.13)
[2005/10/20 00:16:04, 2] smbd/open.c:open_file(245)
jessica opened file tja.txt read=Yes write=No (numopen=2)
[2005/10/20 00:16:04, 2] smbd/close.c:close_normal_file(272)
jessica closed file tja.txt (numopen=1)
[2005/10/20 00:16:04, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.0.13)
[2005/10/20 00:16:04, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.0.13)
LOG OUT
[2005/10/20 00:17:33, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2580)
Returning domain sid for domain DOMAIN -> S-1-5-21-1938012472-4114057500-2894880638
[2005/10/20 00:17:36, 1] smbd/service.c:close_cnum(830)
kotipaj (192.168.0.13) closed connection to service netlogon
[2005/10/20 00:17:36, 1] smbd/service.c:close_cnum(830)
kotipaj (192.168.0.13) closed connection to service jessica
[2005/10/20 00:17:36, 1] smbd/service.c:close_cnum(830)
kotipaj (192.168.0.13) closed connection to service jessica
[2005/10/20 00:17:36, 1] smbd/service.c:close_cnum(830)
kotipaj (192.168.0.13) closed connection to service Save
[2005/10/20 00:17:36, 1] smbd/service.c:close_cnum(830)
kotipaj (192.168.0.13) closed connection to service desktops
[2005/10/20 00:17:36, 2] smbd/server.c:exit_server(609)
Closing connections
As you can see, there is no sign of failure in the Samba log (that I can see anyway).

Coa n00b
Joined: 17 Apr 2005 Posts: 27
Posted: Thu Oct 20, 2005 3:29 pm Post subject:
Any ideas? Anyone?

Coa n00b
Joined: 17 Apr 2005 Posts: 27
Posted: Thu Oct 20, 2005 7:55 pm Post subject:
Ah! I found the solution at last...
After at least 20h of debugging I realized that I had accidentally deleted the '#' in front of the line that enabled my un-configured clamav in the smb.conf.
It was clamav that was blocking the files - and I didn't even realize that it was enabled... phew
Thanks for your time though, slam_head!
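
Added example, not part of the original posts: the only server-side trace of the scanner in the logs above is the repeated `Module '/usr/lib/samba/vfs/vscan-clamav.so' loaded` line, so this shell sketch lists the VFS modules a Samba log reports loading and the uncommented `vfs object` lines in an smb.conf. The sample files are constructed, and it is an assumption that the re-enabled line was a `vfs object` setting in a share section, since the thread does not quote it.

```shell
#!/bin/sh
# Added example: cross-check VFS modules seen in a Samba log against smb.conf.

# Print each distinct VFS module named in "Module '...' loaded" log lines.
loaded_vfs_modules() {
    sed -n "s|.*Module '.*/vfs/\([^']*\)\.so' loaded.*|\1|p" "$1" | sort -u
}

# Print "section<TAB>modules" for every active "vfs object(s)" line.
# Lines starting with '#' or ';' are smb.conf comments and are skipped.
active_vfs_objects() {
    awk '
        /^[ \t]*[#;]/   { next }
        /^[ \t]*\[.*\]/ { gsub(/^[ \t]*\[|\].*$/, ""); section = $0; next }
        tolower($0) ~ /^[ \t]*vfs[ \t]+objects?[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            print section "\t" $0
        }
    ' "$1"
}

# Constructed sample input: log lines in the format quoted in the thread,
# and a minimal smb.conf (the placement of the vfs line is assumed).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/log.client" <<'EOF'
[2005/10/20 00:13:09, 2] lib/access.c:check_access(324)
  Allowed connection from (192.168.0.13)
[2005/10/20 00:13:09, 2] lib/module.c:do_smb_load_module(66)
  Module '/usr/lib/samba/vfs/vscan-clamav.so' loaded
[2005/10/20 00:16:04, 2] smbd/open.c:open_file(245)
  jessica opened file tja.txt read=Yes write=No (numopen=2)
EOF
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
   log level = 2
;  vfs object = audit
[Save]
   path = /mnt/Save
   vfs object = vscan-clamav
#  vfs object = recycle
EOF

echo "Loaded according to the log:"; loaded_vfs_modules "$SAMPLE_DIR/log.client"
echo "Enabled in smb.conf:";         active_vfs_objects "$SAMPLE_DIR/smb.conf"
```

A module that shows up in the first list without being expected in the second is the kind of mismatch that caused the denied opens here.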

slam_head Guru
Joined: 06 Jan 2003 Posts: 449 Location: New York City
Posted: Thu Oct 20, 2005 8:23 pm Post subject:
Glad that you're up and running. It's funny how often things end up being something simple that was overlooked.