[Samba] Can't get permission on a share to work problem with groups

Horace mailinglist at lhplan.tk
Sun Feb 9 02:01:33 MST 2014


On 2014-01-24 18:10, me at electronico.nc wrote:
> On 25/01/2014 08:05, Horace wrote:
>> Hello,
>> 
>> 1. I have created a directory /srv/samba4/Public Applications.
>> 2. I created a group 'Domain Admins' with gid 1003
>> 3. I setfacl -m group:1003:rwx on Public Applications
>> 4. I created a share
>> [Public Applications]
>>     read list = @ACCOUNTSAD\"Domain Users"
>>     write list = @"Domain Admins"
>>     comment = Public Applications
>>     path = /srv/samba4/Public Applications
>>     #admin users = @"Domain Admins"
>> 5. wbinfo --group-info 'Domain Admins'
>> ACCOUNTSAD\Domain Admins:*:1003:
>> 
>> Debug level
>> # Debug logging information
>> #log level = 10
>> log level = 3
>> #log file = /var/log/samba.log.%m
>> #max log size = 50
>> debug timestamp = yes
>> syslog only = yes
>> 
>> 
>> As anyone can see, I would like Domain Admins to have read/write access and Domain 
>> Users read access only. For whatever reason, when I access the share 
>> \\PDC-S2\Public Applications and try to create a folder, I get 
>> Permission denied.
>> 
>> I have tailed both syslog's and log.smbd and there is NO relevant 
>> information regarding why this is failing.
>> 
>> Am I doing something wrong here ?
> Not sure if it's relevant, but I never use shares with spaces in the
> filename, so you don't have to double-quote them.
> This avoids a lot of errors.
> Nicolas

I followed your suggestion and set path to path = 
/srv/samba4/Public_Applications, which resolved some annoying errors. 
However, I am still getting ACCESS DENIED, if you take a look at the logs 
below:

[2014/02/09 03:46:03.001182,  4, pid=13792, effective(0, 0), real(0, 0)] 
../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2014/02/09 03:46:03.001309,  5, pid=13792, effective(0, 0), real(0, 0)] 
../source3/smbd/share_access.c:127(token_contains_name)
   Domain Admins is a None, expected a group
[2014/02/09 03:46:03.001393, 10, pid=13792, effective(0, 0), real(0, 0)] 
../source3/smbd/share_access.c:215(user_ok_token)
   User ACCOUNTSAD\lutchy.horace not in 'valid users'
[2014/02/09 03:46:03.001474,  2, pid=13792, effective(0, 0), real(0, 0)] 
../source3/smbd/service.c:418(create_connection_session_info)
   user 'ACCOUNTSAD\lutchy.horace' (from session setup) not permitted to 
access this share (Public Applications)
[2014/02/09 03:46:03.001564,  1, pid=13792, effective(0, 0), real(0, 0)] 
../source3/smbd/service.c:550(make_connection_snum)
   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2014/02/09 03:46:03.001655,  5, pid=13792, effective(0, 0), real(0, 0)] 
../lib/dbwrap/dbwrap.c:187(dbwrap_check_lock_order)
   check lock order 1 for 
/usr/local/samba/var/lock/smbXsrv_tcon_global.tdb
[2014/02/09 03:46:03.001738, 10, pid=13792, effective(0, 0), real(0, 0)] 
../lib/dbwrap/dbwrap.c:133(debug_lock_order)
   lock order:  1:/usr/local/samba/var/lock/smbXsrv_tcon_global.tdb 
2:<none> 3:<none>
[2014/02/09 03:46:03.001827, 10, pid=13792, effective(0, 0), real(0, 0)] 
../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key)
   Locking key 96AE9D8A
[2014/02/09 03:46:03.001920, 10, pid=13792, effective(0, 0), real(0, 0)] 
../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal)
   Allocated locked data 0x0xb8ec2290
[2014/02/09 03:46:03.002025, 10, pid=13792, effective(0, 0), real(0, 0)] 
../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key)
   Unlocking key 96AE9D8A
[2014/02/09 03:46:03.002109,  5, pid=13792, effective(0, 0), real(0, 0)] 
../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
   release lock order 1 for 
/usr/local/samba/var/lock/smbXsrv_tcon_global.tdb
[2014/02/09 03:46:03.002189, 10, pid=13792, effective(0, 0), real(0, 0)] 
../lib/dbwrap/dbwrap.c:133(debug_lock_order)
   lock order:  1:<none> 2:<none> 3:<none>
[2014/02/09 03:46:03.002380, 10, pid=13792, effective(0, 0), real(0, 0)] 
../source3/smbd/smb2_server.c:2643(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || 
at ../source3/smbd/smb2_tcon.c:127
[2014/02/09 03:46:03.002470, 10, pid=13792, effective(0, 0), real(0, 0)] 
../source3/smbd/smb2_server.c:2544(smbd_smb2_request_done_ex)
   smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] 
body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:2682
[2014/02/09 03:46:03.002558, 10, pid=13792, effective(0, 0), real(0, 0)] 
../source3/smbd/smb2_server.c:873(smb2_set_operation_credit)
   smb2_set_operation_credit: requested 1, charge 1, granted 1, current 
possible/max 386/512, total granted/max/low/range 127/8192/17/127

Domain Admins is a None, expected a group is invalid?

Here is my current configuration for the time being:

[Public Applications]
	write list = @"Domain Admins"
	comment = Publicly Shared Applications for Intranet Users
	path = /srv/samba4/Public_Applications
	valid users = @"Domain Admins"


I have also tried valid users = ACCOUNTSAD\"Domain Admins" but I still 
get 'is none, expected a group'? What is the correct syntax for providing 
groups in the valid users field?
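
To cut a level-10 smbd log like the one above down to the share-authorization decision, the following added example (not part of the original post, and not Samba code) re-joins the mail-wrapped records and pairs each 'valid users' rejection with the names that failed to resolve as groups just before it. The two message patterns are taken from the log lines quoted in the post; the function names are hypothetical.

```python
import re

# Constructed sample: four records copied from the post, mail wrapping kept.
SAMPLE = r"""[2014/02/09 03:46:03.001309,  5, pid=13792, effective(0, 0), real(0, 0)]
../source3/smbd/share_access.c:127(token_contains_name)
   Domain Admins is a None, expected a group
[2014/02/09 03:46:03.001393, 10, pid=13792, effective(0, 0), real(0, 0)]
../source3/smbd/share_access.c:215(user_ok_token)
   User ACCOUNTSAD\lutchy.horace not in 'valid users'
[2014/02/09 03:46:03.001474,  2, pid=13792, effective(0, 0), real(0, 0)]
../source3/smbd/service.c:418(create_connection_session_info)
   user 'ACCOUNTSAD\lutchy.horace' (from session setup) not permitted to
access this share (Public Applications)
[2014/02/09 03:46:03.001655,  5, pid=13792, effective(0, 0), real(0, 0)]
../lib/dbwrap/dbwrap.c:187(dbwrap_check_lock_order)
   check lock order 1 for
/usr/local/samba/var/lock/smbXsrv_tcon_global.tdb
"""

START = re.compile(r"^\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+,")
RECORD = re.compile(
    r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+),\s*pid=(?P<pid>\d+)[^\]]*\]\s*"
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*(?P<msg>.*)$", re.S)
UNRESOLVED = re.compile(r"^(?P<name>.+) is a (?P<kind>\w+), expected a group$")
REJECTED = re.compile(r"^User (?P<user>.+) not in 'valid users'$")

def parse_records(text):
    """Group lines under each timestamp header, undo wrapping, parse fields."""
    chunks = []
    for line in text.splitlines():
        if START.match(line):
            chunks.append([])          # a header line opens a new record
        if chunks and line.strip():
            chunks[-1].append(line.strip())
    matches = (RECORD.match(" ".join(c)) for c in chunks)
    return [m.groupdict() for m in matches if m]

def explain_denials(text):
    """Attach unresolved group names to the rejection that follows them."""
    findings, pending = [], []
    for rec in parse_records(text):
        if not rec["file"].endswith("share_access.c"):
            continue                   # skip dbwrap/smb2 noise
        if m := UNRESOLVED.match(rec["msg"]):
            pending.append((m["name"], m["kind"]))
        elif m := REJECTED.match(rec["msg"]):
            findings.append({"user": m["user"], "unresolved": pending})
            pending = []
    return findings
```
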

