[Samba] Samba AD DC: share access denied

Rowland Penny rpenny at samba.org
Thu Nov 15 19:07:11 UTC 2018

On Thu, 15 Nov 2018 15:54:50 +0000
Jens Kuipers <hitmokyhitter at hotmail.com> wrote:

> cat /etc/samba/smb.conf
> # Global parameters
> [global]
>   workgroup = LDB-BEHEER
>   realm = LDB-BEHEER.NL
>   netbios name = AD
>   server role = active directory domain controller
>   idmap_ldb:use rfc2307 = yes
>   dns forwarder =
>   allow dns updates = nonsecure and secure
> [netlogon]
>   path = /var/lib/samba/sysvol/ldb-beheer.nl/scripts
>   read only = no
> [sysvol]
>   path = /var/lib/samba/sysvol
>   read only = no
> [users]
>   path = /mnt/users/roaming
>   read only = no

Ah, that's better, I can read it now ;-)

The only thing I would say about your smb.conf is that most people would
call the profiles share 'profiles' instead of 'users', the latter is
usually used for the Unix users' home directories.

You also posted this:

Getfacl /mnt/users/roaming
getfacl: Removing leading '/' from absolute path names
# file: mnt/users/roaming
# owner: root
# group: LDB-BEHEER\134domain\040users
# flags: -s-

This undoubtedly shows your problem: the 'roaming' directory is
owned by 'root' and the group is 'Domain Users', the group is wrong! It
should be 'Domain Admins'.
However, even if the group was correct, it still wouldn't work, because
the permissions are incorrect, only 'root' can write to the directory,
'Domain Users' can only read & enter the directory. You need to run:
chgrp 'Domain Admins' /mnt/users/roaming
chmod 0770 /mnt/users/roaming
to correct this.

Then go and read this:



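A way to verify the result of the chgrp/chmod fix described in the reply above, as an added example that is not part of the original thread. The function names check_share_root and norm_group are made up for illustration, and GNU coreutils stat is assumed.

```sh
#!/bin/sh
# Added example, not from the original thread. Assumes GNU coreutils `stat`.
# Usage: check_share_root /mnt/users/roaming 'Domain Admins'

# Normalise a group name: drop a "DOMAIN\" prefix (the winbind style seen in
# the getfacl output above, where \134 is the backslash) and lowercase it.
norm_group() {
    printf '%s' "$1" | sed 's/^.*\\//' | tr '[:upper:]' '[:lower:]'
}

# check_share_root DIR GROUP
# Prints one line per finding; returns 0 only if DIR's group is GROUP and
# its permission bits are rwxrwx--- (0770).
check_share_root() {
    dir=$1 want_group=$2 rc=0
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 2; }

    have_group=$(stat -c '%G' "$dir")
    mode=$(stat -c '%a' "$dir")
    # Mask off setuid/setgid/sticky: GNU chmod keeps a directory's setgid bit
    # (the "flags: -s-" line) on `chmod 0770`, so stat may report 2770.
    perm=$(( 0$mode & 0777 ))

    if [ "$(norm_group "$have_group")" != "$(norm_group "$want_group")" ]; then
        echo "FAIL $dir: group is '$have_group', expected '$want_group'"
        rc=1
    fi
    if [ "$perm" -ne "$(( 0770 ))" ]; then
        echo "FAIL $dir: mode is $mode, expected 0770 (rwxrwx---)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $dir: group '$have_group', mode $mode"
    return "$rc"
}
```

The check only covers the top-level directory's group and mode bits; it does not look at extended ACL entries.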