[Samba] Trying to add a share to a windows drive letter for a second group on samba file server - access denied

Jürgen Echter j.echter at echter-kuechen-elektro.de
Fri Sep 29 15:36:40 UTC 2023


Hi,

I have a share that is mapped to a drive letter via GPO. I now added a second group with "is member of group 1 OR group2".

Windows seems to try to mount the share but I don't see it in Windows Explorer. If I try to mount it manually I get: it's already mapped. If I browse to the share I get access denied.

I am in a Samba AD environment and the ACLs seem to work. I set the ACLs with a Windows machine.

Anything obvious I'm not seeing here?

My smb.conf on the file server:

[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.MY.NET
winbind refresh tickets = Yes
winbind nss info = template
template shell = /bin/bash
template homedir = /home/%U
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
idmap config * : backend = tdb
idmap config * : range = 3000-7999
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

[share]
comment = a share
path = /srv/samba/share
read only = no
guest ok = no
vfs objects = acl_xattr recycle io_uring
recycle:repository = .recycle
recycle:keeptree = yes
recycle:versions = yes
recycle:directory_mode = 0770
acl_xattr:ignore system acls = yes

Samba Version 4.17.5

getfacl share
# file: share
# owner: root
# group: SAMDOM\\domain\040admins
user::rwx
user:SAMDOM\\administrator:rwx
user:SAMDOM\\domain\040admins:rwx
user:SAMDOM\\group1:rwx
user:SAMDOM\\group2:rwx
group::rwx
group:SAMDOM\\domain\040admins:rwx
group:SAMDOM\\domain\040users:---
group:SAMDOM\\group1:rwx
group:SAMDOM\\group2:rwx
other::---
default:user::rwx
default:user:SAMDOM\\administrator:rwx
default:user:SAMDOM\\domain\040admins:rwx
default:user:SAMDOM\\group1:rwx
default:user:SAMDOM\\group2:rwx
default:group::---
default:group:SAMDOM\\domain\040admins:rwx
default:group:SAMDOM\\domain\040users:---
default:group:SAMDOM\\group1:rwx
default:group:SAMDOM\\group2:rwx
default:mask::rwx
default:other::---


Samba AD Server Version 4.18.6

smb.conf:

[global]
netbios name = SMBADDC1
realm = SAMDOM.MY.NET
server role = active directory domain controller
workgroup = SAMDOM
dns forwarder = 192.168.0.1
tls keyfile = tls/SMBADDC1.key
tls certfile = tls/SMBADDC1.crt
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[netlogon]
path = /usr/local/samba/var/locks/sysvol/samdom.my.net/scripts
read only = No


Thanks for your input

Juergen
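As an added example (not part of the post or of Samba), the code below evaluates the pasted getfacl listing the way the kernel's POSIX.1e access check does, so membership in group2 can be tested against it offline. Note that the share sets acl_xattr:ignore system acls = yes, under which Samba decides access from the NT ACL kept in the security.NTACL xattr rather than from these POSIX entries, so this shows only what the POSIX layer alone would grant. The user and group names passed to the check are constructed.

```python
import re

# Constructed sample: the access ACL from the post. default: entries are dropped and the
# "user::rwx user:..." line is split in two. No mask line was pasted, so none is applied.
GETFACL_OUTPUT = r"""
# owner: root
# group: SAMDOM\\domain\040admins
user::rwx
user:SAMDOM\\administrator:rwx
user:SAMDOM\\domain\040admins:rwx
user:SAMDOM\\group1:rwx
user:SAMDOM\\group2:rwx
group::rwx
group:SAMDOM\\domain\040admins:rwx
group:SAMDOM\\domain\040users:---
group:SAMDOM\\group1:rwx
group:SAMDOM\\group2:rwx
other::---
"""

def unescape(name):  # getfacl writes a backslash as "\\" and a space as "\040"
    return re.sub(r"\\(\\|[0-7]{3})", lambda m: "\\" if m[1] == "\\" else chr(int(m[1], 8)), name)

def parse_getfacl(text):
    """Return (owner, owning_group, entries); an entry is (tag, qualifier, set of perm bits)."""
    owner = owning_group = None
    entries = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("# owner:"):
            owner = unescape(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            owning_group = unescape(line.split(":", 1)[1].strip())
        elif line[0] != "#" and not line.startswith("default:"):  # access ACL only
            tag, qualifier, perms = line.split(":")
            entries.append((tag, unescape(qualifier), set(perms) - {"-"}))
    return owner, owning_group, entries

def allowed(acl, user, groups, wanted):
    """POSIX.1e check: does `user`, a member of `groups`, get every bit in `wanted`?"""
    owner, owning_group, entries = acl
    mask = next((p for t, _, p in entries if t == "mask"), set("rwx"))
    pick = lambda tag, qual: [p for t, q, p in entries if t == tag and q == qual]
    if user == owner:
        return set(wanted) <= pick("user", "")[0]            # owner entry is never masked
    if pick("user", user):
        return set(wanted) <= pick("user", user)[0] & mask
    matched = [p for t, q, p in entries
               if t == "group" and (q in groups or (q == "" and owning_group in groups))]
    if matched:  # one matching group entry must carry every bit; no fallthrough to other
        return any(set(wanted) <= p & mask for p in matched)
    return set(wanted) <= pick("other", "")[0]
```

A user who is only in domain users is denied by the explicit `---` group entry and never falls through to `other`, while a group2 member gets rwx from this listing.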