Samba Shares: NT_STATUS_ACCESS_DENIED

English Network/Internet
#1

On my openSuSE 11.4 laptop, I use dual boot with Win 7. I also use VMplayer 3.1.4 to run a business critical WinXP set of apps while using my openSuSE host.

There is one partition ( /dev/sda6 - FAT32) which has much commonly accessed stuff.

I can access /dev/sda6 in host linux as /windows/D.

I can access /dev/sda6 as D: while booted in Win 7.

I can access the drive mostly in VMplayer as VMware shared folders - EXCEPT that MSOffice apps can’t save to it. I’ve gone through all the VMware KB to only find that “yes it is a problem - use Samba”. I have setup Samba 3.5.7 (using lotsa Swerdna references amongst others)

Here’s the challenge - when Samba share points to a ext4 partition - no problem. When it points to vfat or ntfs partition - can’t see a thing (see listing below). I’ve googled/tested/tried every little bit - I’ve even Read The Manual (actually RTFM) many times. Nowhere have I seen on the net in any forum a description/solution for this combo.

As an example (first share is vfat on /windows/D - second is ext4 on /home):



forest5:/var/log/samba # df
Filesystem           1K-blocks      Used Available Use% Mounted on
rootfs                61931384  10704132  48081320  19% /
devtmpfs               1964104       240   1963864   1% /dev
tmpfs                  1971472      2456   1969016   1% /dev/shm
/dev/sda2             61931384  10704132  48081320  19% /
/dev/sda7            259830036  55678100 190953344  23% /home
/dev/sda1             61443912  45714864  15729048  75% /windows/C
/dev/sda6             31438832   8654032  22784800  28% /windows/D

forest5:/var/log/samba # mount
/dev/sda2 on / type ext4 (rw,relatime,user_xattr,acl,barrier=1,data=ordered)
/dev/sda7 on /home type ext4 (rw,relatime,user_xattr,acl,barrier=1,data=ordered)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
/dev/sda1 on /windows/C type fuseblk (rw,nosuid,nodev,noexec,relatime,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096)
/dev/sda6 on /windows/D type vfat (rw,nosuid,nodev,noexec,relatime,uid=1000,gid=100,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro)
forest5:/var/log/samba # smbclient -U kisaacs \\\\forest5\\F
Enter kisaacs's password:
Domain=[UPTIME] OS=[Unix] Server=[Samba 3.5.7-3.5.1-2573-SUSE-SL11.4-x86_64]
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*

                61403 blocks of size 524288. 44501 blocks available
smb: \> quit
forest5:/var/log/samba # smbclient -U kisaacs \\\\forest5\\kisaacs
Enter kisaacs's password:
Domain=[UPTIME] OS=[Unix] Server=[Samba 3.5.7-3.5.1-2573-SUSE-SL11.4-x86_64]
smb: \> dir
  .                                   D        0  Wed Oct 12 11:14:29 2011
  ..                                  D        0  Tue Aug 30 23:43:36 2011
  .gstreamer-0.10                    DH        0  Fri Oct  7 18:29:05 2011

The SMB.CONF sections contain:


[global]
        workgroup = UPTIME
        netbios name = forestx
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        log level = 3
        interfaces = vmnet0 vmnet1 vmnet8
        usershare allow guests = Yes
        server string = Kens Laptop

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

[F]
        comment = Windows D drive
        guest ok = Yes
        inherit acls = Yes
        path = /windows/D
        read only = No
        valid users = kisaacs
        force user = kisaacs

Ideas/hints…?

#2

I would modify your fstab file for the /dev/sda6 entry so that it simply uses defaults. I would do the same for any ntfs partition as well. I don’t know the disk by id for sda6, but you don’t need to change that. Only use defaults option instead of the long string you have there now.

/dev/sda6 /windows/D vfat **defaults** 0 0

Make the change and then restart openSUSE and see what you get.

Thank You,

#3

Tried changing it and restarting. No difference.

#4

So I use VirtualBox, which is as close to your setup as I can get. I have no problems with MSOffice 2007 with reading My Windows Drive shared by Samba from the Linux host to the Windows 7 VM. Here is a copy of the share section should you want to duplicate it. I have setup the partition in my fstab for the ntfs partition as I have suggested to you.

[Windows]
    path = /Windows
    read only = No
    acl check permissions = No
    inherit acls = Yes
    guest ok = Yes
    profile acls = Yes
    use sendfile = yes

It shows up as Network > JAMES-PC > Windows when viewed in Windows 7.

Thank You,

#5

I suggest you turn off the internal VMware “shared folders” and map using SMB protocols in Samba and windows, maybe like this:

Maybe you need to use “bridged” networking setting in VM controls, can’t really remember.

Mount the fat partition with permissions drwxrwxrwx and ownership owner=kissacs group=users
[fstab: /dev/sda6 /windows/D vfat uid=kissacs,gid=users,umask=0000,utf8 0 0 ]

Then I would share it over the network using samba and guest access, like this
[winshare]
path = /windows/D
read only = no
force user = kissacs
guest ok = yes

Then in VMpalyer I would mount the share as a mapped drive, Z: (or whatever) and with no need to authenticate (depending on the OS) and to reconnect each time it boots. Then open/close/edit the docs directly in the mapped Z: drive.

Might help, or it might be something else that’s a problem.

#6

swerdna,

Actually, what you suggested, is my starting point of this post. However, to make absolutely sure, I repeated and checked all the settings listed. In the WinXP guest in VMplayer, I get X: is not accessible. In linux using smbclient, I get the same error noted on the first post.

jdmcdaniel3,

I also modified the share to match yours (specifically using profile acls = yes)

Still open for more ideas and suggestions.

#7

swerdna,

Actually, what you suggested, is my starting point of this post. However, to make absolutely sure, I repeated and checked all the settings listed. In the WinXP guest in VMplayer, I get X: is not accessible. In linux using smbclient, I get the same error noted on the first post.

jdmcdaniel3,

I also modified the share to match yours (specifically using profile acls = yes)

Still open for more ideas and suggestions.

So I went back and re-read what you had said and I guess I missed the fact that you are running WinXP in the VM. I guess I would ask if you have tried to map a drive letter to the Samba share over using the full network name. Such things could be an issue under WinXP. What version of MS Office are you trying to use? Have you considered using a different VM? If you went with VirtualBox, do you have a WinXP disk you can install from?

Thank You,

#8

A bit more info please.
Run this and return the result: ls -l /windows
And this: ls -l /windows/D (but just a couple of lines if there are many in the reply)

And now a hunch:
change this:

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes

temporarily to this:

#[homes]

comment = Home Directories

valid users = %S, %D%w%S

browseable = No

read only = No

inherit acls = Yes

And reboot, and see if it makes access available to the vfat share (just a hunch).

#9

Oh and another hunch: check that a current 11.4 bug is not a problem for you. You run this command:

su -c "rcnmb status;rcsmb status"

and hope to see two instances of “running” as the response.

#10

I will attempt to answer the questions in order:

  1. I have tried to map using the full network name - no success
  2. MSOffice 2003 is installed
  3. Tried VirtualBox several months ago - cannot use it in that I have a number of sites that I support having VMware products
  4. Listing of /windows

forest5:~ # ls -l /windows
total 28
drwxrwxrwx 1 kisaacs users 12288 Oct 14 11:42 C
drwxrwxrwx 5 kisaacs users 16384 Dec 31  1969 D
  1. Disabling [homes] = no change
  2. Both services smb/nmb are active

kisaacs@forest5:~> su -c "rcsmb status;rcnmb status"
Password: 
Checking for Samba SMB daemon                                                                                            running
Checking for Samba NMB daemon                                                                                            running

Over to you maestro

#11

Are you still using “valid users = kissacs” ?

(maybe show the current smb.conf please)

#12

Current listing of smb.conf


# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2011-03-01
[global]
        workgroup = UPTIME
        netbios name = forestx
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        log level = 3
        server string = Kens Laptop

## Share disabled by YaST
# [homes]
#       comment = Home Directories
#       valid users = %S, %D%w%S
#       browseable = No
#       read only = No
#       inherit acls = Yes

## Share disabled by YaST
# [profiles]
#       comment = Network Profiles Service
#       path = %H
#       read only = No
#       store dos attributes = Yes
#       create mask = 0600
#       directory mask = 0700

## Share disabled by YaST
# [users]
#       comment = All users
#       path = /home
#       guest only = Yes
#       read only = No
#       inherit acls = Yes
#       veto files = /aquota.user/groups/shares/

## Share disabled by YaST
# [groups]
#       comment = All groups
#       path = /home/groups
#       read only = No
#       inherit acls = Yes

## Share disabled by YaST
# [printers]
#       comment = All Printers
#       path = /var/tmp
#       printable = Yes
#       create mask = 0600
#       browseable = No

## Share disabled by YaST
# [print$]
#       comment = Printer Drivers
#       path = /var/lib/samba/drivers
#       write list = @ntadmin root
#       force group = ntadmin
#       create mask = 0664
#       directory mask = 0775

[C]
        comment = Windows C drive
        guest ok = Yes
        inherit acls = Yes
        path = /windows/C
        read only = No
        valid users = kisaacs
        force user = kisaacs

[F]
        comment = Windows D drive
        guest ok = Yes
        inherit acls = Yes
        path = /windows/D
        read only = No
        valid users = kisaacs
        force user = kisaacs

Current fstab


/dev/disk/by-id/ata-ST9500420AS_5VJDSMRV-part5 swap                 swap       defaults              0 0
/dev/disk/by-id/ata-ST9500420AS_5VJDSMRV-part2 /                    ext4       acl,user_xattr        1 1
/dev/disk/by-id/ata-ST9500420AS_5VJDSMRV-part7 /home                ext4       acl,user_xattr        1 2
/dev/disk/by-id/ata-ST9500420AS_5VJDSMRV-part1 /windows/C           ntfs-3g    uid=kisaacs,gid=users,locale=en_US.UTF-8 0 0
/dev/disk/by-id/ata-ST9500420AS_5VJDSMRV-part6 /windows/D           vfat       users,uid=kisaacs,gid=users,dmask=000,fmask=00,utf8=true 0 0
proc                 /proc                proc       defaults              0 0
sysfs                /sys                 sysfs      noauto                0 0
debugfs              /sys/kernel/debug    debugfs    noauto                0 0
usbfs                /proc/bus/usb        usbfs      noauto                0 0
devpts               /dev/pts             devpts     mode=0620,gid=5       0 0

Did a complete reboot of ALL and still getting same results. Also, made sure that Samba Server ports open in firewall, using VMware bridged network.

One interesting note - the “server string” in smb.conf - only appears when I map using the host IP. It is the default Samba version string if I map to the netbios name.

#13

Two things:

One: what do you get as a return to this command on the server: sudo pdbedit -L

Two: There’s a logical inconsistency with these two lines on the server

    guest ok = Yes
    valid users = kisaacs

Remove valid users and then reboot and try again. [doesn’t matter if you eventually want to have valid users = someone, let’s just see what happens if you remove it]

#14

pdbedit -L returns


kisaacs:1000:Ken Isaacs
admin-winxip$:1001:
root:0:root

Have removed "valid users = " - was just a legacy from another attempt to resolve the issue - don’t actually need it.

Rebooted - same issue - still inaccessible.

#15

Well it’s not the samba password file and it’s not the logical inconsistency. What a puzzle.

My next thought is the locale settings: I recall that if one sets the wrong locale in the mount point, one can end up with seeing nada in the mount directory.

  • Can you see the files when you are on the server looking in the directories /windows/C and /windows/D ? (I’m assuming that’s a yes, but thought I’d check).

Another thought is: is it the server or is it the client that’s at fault? So try this:

  • Can you see and access the files in the vfat share from the network browser using Samba in the openSUSE server?
  • Can you see and access the files in the vfat share from withing a real windows machine (if you have one on your LAN) ?
#16

Followed all the sanity checks.

From the actual linux server (forest5) in this case:


forest5:~ # l /windows/D/
$RECYCLE.BIN/         eula.1033.txt         eula.3082.txt         install.res.1033.dll  install.res.3082.dll
Filing/               eula.1036.txt         globdata.ini          install.res.1036.dll  vcredist.bmp
VC_RED.MSI            eula.1040.txt         install.exe           install.res.1040.dll  winxp/
VC_RED.cab            eula.1041.txt         install.ini           install.res.1041.dll  
eula.1028.txt         eula.1042.txt         install.res.1028.dll  install.res.1042.dll  
eula.1031.txt         eula.2052.txt         install.res.1031.dll  install.res.2052.dll

From another linux box using Samba - can list shares - but not see the actual content of the directory


kisaacs@kandu4:~> smbclient -L //192.168.32.129
Enter kisaacs's password: 
Domain=[UPTIME] OS=[Unix] Server=[Samba 3.5.7-3.5.1-2573-SUSE-SL11.4-x86_64]

        Sharename       Type      Comment
        ---------       ----      -------
        users           Disk      All users
        C               Disk      Windows C drive
        F               Disk      Windows D drive
        IPC$            IPC       IPC Service (Kens Laptop)
        kisaacs         Disk      Home Directories
Domain=[UPTIME] OS=[Unix] Server=[Samba 3.5.7-3.5.1-2573-SUSE-SL11.4-x86_64]

        Server               Comment
        ---------            -------
        ADMIN-WINXIP         
        FOREST5              Kens Laptop
        KANDU4               User Shares

        Workgroup            Master
        ---------            -------
        UPTIME               KANDU4
kisaacs@kandu4:~> smbclient //192.168.32.129/f
Enter kisaacs's password: 
Domain=[UPTIME] OS=[Unix] Server=[Samba 3.5.7-3.5.1-2573-SUSE-SL11.4-x86_64]
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*

                61403 blocks of size 524288. 44359 blocks available
smb: \> quit

From Windows 7 - can see the node and shares on forest5 - just cannot see the files on \c or \f - but the shares from the ext4 partition - no problem.

#17

These aren’t used, you should comment them out or remove them.

    include = /etc/samba/dhcp.conf
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:

Are you sure you applied the fix/workaround for AppArmor?

This should not show if you have [homes] disabled as per your latest smb.conf:

kisaacs Disk Home Directories
The presence of that share can give NT status access denied etc etc

#18

Commented out the bits about login path/home. The [homes] had been re-enabled - not shown - my oversight.

The question that you asked: “Are you sure you applied the fix/workaround for AppArmor?” - has triggered a big question in my mind. I know nothing about AppArmor. It is on my long list of deferred learning. I have not activated/deactivated/changed/set anything related to it.

So I went into YAST and disabled it to see if that be the problem. It were. With AppArmor disabled, I can see the folders no problem.

Since I do not like the idea of having AppArmor permanently disabled, what needs setting to allow Samba to play with the files on /windows/C and /windows/D?

Over to you, maestro.

#19

I omitted to mention the AppArmor bug, sheesh! Turn AppArmor back on again. After that go to Yast → apparmor and enter the Control Panel → configure profiles area. Highlight usr.sbin.smbd and use the ToggleMode button to flip it to “complain” Similarly flip usr.sbin.nmbd to “complain”. Click Done to exit. Then reboot to reinit Samba.

You will then have most of the AppArmor functionality intact and you will bypass the AppArmor/Samba bug.

#20

Done.

Solved.

Many thanks!