[Samba] Samba4 Permission Problem

André Luiz andreluizpr at gmail.com
Tue Nov 26 11:01:01 UTC 2019


Hello everyone,


I am having the following problem with my samba:


I compiled and installed Samba from source, and it is working correctly,
integrated with my AD. However, the following situation occurs: when I am
logged on to the workstation with a user from the Domain Admins group, I can
create files and folders on the share. When I am logged in with a user who
does not belong to the admin group, I cannot create anything within the
share: it gives a permission-denied error even though this (non-admin) user
is allowed to modify the folder.


Samba Version: 4.11.2

OS: CentOS 7.7 - 1908

Storage File System: ext4


Workstation: Windows 10 Pro 1903

OS build: 18362.175


Active Directory: Windows 2016 STD


smb.conf file:


[global]

        server role = MEMBER SERVER

        security = ADS

        realm = DOMAIN.LOCAL

        workgroup = DOMAIN

        dedicated keytab file = /etc/krb5.keytab

        kerberos method = secrets and keytab

        server string = Linux File Server

        log file = /var/log/samba/%m.log

        log level = 3 auth_audit: 3 auth_json_audit: 3

        idmap config *: backend = tdb

        idmap config *: range = 10000-20000

        idmap config DOMAIN: backend = rid

        idmap config DOMAIN: range = 30000-40000

        winbind refresh tickets = yes

        winbind offline logon = yes

        winbind enum users = yes

        winbind enum groups = yes

        winbind nested groups = yes

        winbind expand groups = 2

        winbind use default domain = yes

        os level = 20

        domain master = no

        local master = no

        preferred master = no

        map to guest = bad user

        host msdfs = no

        netbios name = linux-fs

        client min protocol = SMB2

        client max protocol = SMB3

        hosts allow = 192.168.

        unix extensions = no

        reset on zero vc = yes

        veto files =

        hide unreadable = yes

        acl group control = yes

        acl map full control = true

        ea support = yes

        dos filetimes = yes

        restrict anonymous = 2

        guest ok = no

        vfs objects = acl_xattr

        map acl inherit = Yes

        store dos attributes = Yes

        inherit acls = true

        dos filemode = true

        force unknown acl user = true

        unix extensions = no

        wide links = yes


[data]

        path = /fileserver/data

        read only = no

        admin users = "@DOMAIN\domain admins"

        valid users = "@DOMAIN\domain admins", "@DOMAIN\domain users"

        write list = "@DOMAIN\domain admins", "@DOMAIN\domain users"

        create mask = 0770

        browseable = yes

        writeable = yes


Log entries from the log file named after the workstation's IP address:



[2019/11/26 07:45:20.837967,  3] ../../source3/smbd/dir.c:662(dptr_create)

  creating new dirptr 0 for path ., expect_close = 0

[2019/11/26 07:45:20.838294,  3]
../../source3/smbd/dir.c:1227(smbd_dirptr_get_entry)

  smbd_dirptr_get_entry mask=[*] found . fname=. (.)

[2019/11/26 07:45:20.838449,  3]
../../source3/smbd/dir.c:1227(smbd_dirptr_get_entry)

  smbd_dirptr_get_entry mask=[*] found .. fname=.. (..)

[2019/11/26 07:45:20.838998,  3]
../../source3/smbd/dir.c:1227(smbd_dirptr_get_entry)

  smbd_dirptr_get_entry mask=[*] found my_windows_user
fname=my_windows_user (my_windows_user)

[2019/11/26 07:45:20.839621,  3]
../../source3/smbd/dir.c:1227(smbd_dirptr_get_entry)

  smbd_dirptr_get_entry mask=[*] found .recycle fname=.recycle (.recycle)

[2019/11/26 07:45:20.839819,  3]
../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)

  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5]
status[STATUS_NO_MORE_FILES] || at
../../source3/smbd/smb2_query_directory.c:159

[2019/11/26 07:45:20.840626,  3]
../../source3/smbd/trans2.c:3526(smbd_do_qfsinfo)

  smbd_do_qfsinfo: level = 1001

[2019/11/26 07:45:20.840774,  3]
../../source3/smbd/trans2.c:3526(smbd_do_qfsinfo)

  smbd_do_qfsinfo: level = 1005

[2019/11/26 07:45:20.844005,  3]
../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)

  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_OBJECT_NAME_NOT_FOUND] || at
../../source3/smbd/smb2_create.c:296

[2019/11/26 07:45:20.845695,  3]
../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)

  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296

[2019/11/26 07:45:20.847389,  3]
../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)

  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296

[2019/11/26 07:45:20.849103,  3]
../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)

  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296

[2019/11/26 07:45:20.850856,  3]
../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)

  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296

[2019/11/26 07:45:20.853251,  3]
../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)

  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_OBJECT_NAME_NOT_FOUND] || at
../../source3/smbd/smb2_create.c:296

[2019/11/26 07:45:20.856722,  3]
../../source3/smbd/nttrans.c:2047(smbd_do_query_security_desc)

  smbd_do_query_security_desc: sd_size = 48.

[2019/11/26 07:45:20.859302,  3] ../../lib/util/access.c:371(allow_access)

  Allowed connection from 192.168.2.218 (192.168.2.218)

[2019/11/26 07:45:20.859446,  3]
../../source3/smbd/service.c:605(make_connection_snum)

  make_connection_snum: Connect path is '/tmp' for service [IPC$]

[2019/11/26 07:45:20.859520,  3]
../../source3/smbd/vfs.c:114(vfs_init_default)

  Initialising default vfs hooks

[2019/11/26 07:45:20.859548,  3]
../../source3/smbd/vfs.c:140(vfs_init_custom)

  Initialising custom vfs hooks from [/[Default VFS]/]

[2019/11/26 07:45:20.859579,  3]
../../source3/smbd/vfs.c:140(vfs_init_custom)

  Initialising custom vfs hooks from [acl_xattr]

[2019/11/26 07:45:20.859639,  2]
../../source3/modules/vfs_acl_xattr.c:233(connect_acl_xattr)

  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
and 'force unknown acl user = true' for service IPC$

[2019/11/26 07:45:20.859928,  3]
../../source3/smbd/service.c:851(make_connection_snum)

  192.168.2.218 (ipv4:192.168.2.218:54324) connect to service IPC$
initially as user DOMAIN\my_windows_user (uid=35306, gid=30513) (pid 3108)

[2019/11/26 07:45:20.863989,  3]
../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)

  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_NOT_SUPPORTED] || at ../../source3/smbd/smb2_getinfo.c:159

[2019/11/26 07:45:20.865503,  3]
../../source3/rpc_server/srv_pipe.c:751(api_pipe_bind_req)

  api_pipe_bind_req: lsarpc -> lsarpc rpc service

[2019/11/26 07:45:20.865597,  3]
../../source3/rpc_server/srv_pipe.c:356(check_bind_req)

  check_bind_req for lsarpc context_id=0

[2019/11/26 07:45:20.865652,  3]
../../source3/rpc_server/srv_pipe.c:399(check_bind_req)

  check_bind_req: lsarpc -> lsarpc rpc service

[2019/11/26 07:45:20.866731,  3]
../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)

  api_rpcTNP: rpc command: LSA_OPENPOLICY2

[2019/11/26 07:45:20.867673,  3]
../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)

  api_rpcTNP: rpc command: LSA_LOOKUPSIDS2

[2019/11/26 07:45:20.869386,  3]
../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)

  api_rpcTNP: rpc command: LSA_CLOSE


Thanks


Andre

