3

I'm new to SAMBA, but have set up a SAMBA server on an Ubuntu 20.04 desktop, but consistently get Access Denied, when trying to map any SAMBA share from my Windows 11 laptop. How do I troubleshoot the problem? Here's what I believe to be the relevant parts of smb.conf:

[global]
server role = standalone server
obey pam restrictions = yes
security = user
encrypt passwords = true
map to guest = bad user
guest account = nobody

[media]
path=/data/media
valid users = @media
  guest ok = no
  writable = yes
  browsable = yes
[public]
path=/data/public
valid users = @smbgroup
  guest ok = no
  writable = yes
  browsable = yes


[documents]
path=/data/documents
valid users = @simon
  guest ok = no
  writable = yes
  browsable = yes
[downloads]
path=/data/downloads
valid users = @media
  guest ok = no
  writable = yes
  browsable = yes

Here are the permissions on the relevant shared folders:

root@KTchia01:/data# ls -l
total 100375
drwxrwx---  8 simon simon           27 Jun  8  2021 documents
drwxrwx---  2 simon simon            6 Jun  8  2021 downloads
drwxrwxr-x 16 simon media           17 Jun 10  2021 media
-rw-r--r--  1 chia  chia     102672297 Jun  8  2021 oldhome.tgz
drwxrwxrwx  2 simon smbgroup         2 Feb  5 21:20 public

I connect as the user simon from the Windows 11 laptop KTLAPTOP02, and simon is both an ordinary user on the linux box and has set a SMB password. Group memberships for simon:

root@KTchia01:~# grep simon /etc/group
adm:x:4:syslog,simon,chia
cdrom:x:24:simon
sudo:x:27:simon,chia
dip:x:30:simon
plugdev:x:46:simon
lpadmin:x:120:simon
lxd:x:131:simon
simon:x:1000:
sambashare:x:132:simon
smbgroup:x:1001:simon
plex:x:998:simon,plex
media:x:1002:simon,plex
chia:x:1003:simon

Log output, when trying to connect:

root@KTchia01:/var/log/samba# tail -f log.ktlaptop02
[2022/02/05 21:41:36.200402,  2] ../../source3/param/loadparm.c:2864(lp_do_section)
  Processing section "[public]"
[2022/02/05 21:41:36.200454,  2] ../../source3/param/loadparm.c:2864(lp_do_section)
  Processing section "[documents]"
[2022/02/05 21:41:36.200509,  2] ../../source3/param/loadparm.c:2864(lp_do_section)
  Processing section "[downloads]"
[2022/02/05 21:41:36.212158,  1] ../../source3/smbd/service.c:362(create_connection_session_info)
  create_connection_session_info: user 'simon' (from session setup) not permitted to access this share (IPC$)
[2022/02/05 21:41:36.212187,  1] ../../source3/smbd/service.c:543(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED

Can anyone point me in the right direction of how to further troubleshoot, why I get Access Denied, regardless of which share I try to access?

Artur Meinild
  • 31,035
Simon Kepp Nielsen
  • 75

2 Answers2

4

Here are some good troubleshooting steps, shamelessly copied from ServerFault:

  1. Maybe your Windows host is prepending your username with the wrong domain name. From the Windows machine, try to login using localhost\simon as the username
  2. Issue sudo pdbedit -L (must run as root) and check if user simon is listed. If so, set a trivial password (you can change it later) using smbpasswd simon
  3. If user simon is not listed, try to recreate it issuing smbpasswd -a simon
  4. If it does not work, delete the passwd file (it is named passwd.tdb; for reference, it is found under /var/lib/samba/private/). Then, recreate your user issuing smbpasswd -a simon
  5. If it still not working, try to use the root account issuing smbpasswd -a root and check if you can login using the root user. Note: this is only a try. After having done with it, you must delete root's entry issuing smbpasswd -x root
  6. Your last resort is to increase the verbosity of logging and see if you can find clues there. For authentication attempts, edit or add the following line on your smb.conf: log level = 2 winbind:5, check the logs with something like tail -f /var/log/samba/log* and try to login.

Hope some of it helps.

uSlackr
  • 280
Artur Meinild
  • 31,035
3

I had the same issue and finale found a solution as mentioned here.

AppArmor and Samba may interfere each other after updates or not being properly configured. The suggested solution is to activate complaint-mode for AppArmor's smbd:

sudo aa-complain /etc/apparmor.d/usr.sbin.smbd

However you could also add Site-specific additions in /etc/apparmor.d/local/usr.sbin.smbd to get access.

Artur Meinild
  • 31,035
bitdruid
  • 91
  • 1
  • 4