[Samba] Access Error for Roaming Profiles Share
Mike Ruebner
samba at machichemicals.com
Thu Jan 2 05:30:00 UTC 2020
Hi,
I am trying to address some error messages that are hitting the log files
for two 4.9.5-Debian file servers in our all-Samba AD domain. Most
prominently:
"connect to service Profiles initially as user MYDOMAIN\tc-mj00y2ps$
(uid=11128, gid=10515) (pid 1634)"
"../source3/smbd/uid.c:453(change_to_user_internal)"
"change_to_user_internal: chdir_current_service() failed!"
and
"../source3/smbd/vfs.c:898(vfs_GetWd)"
"vfs_GetWd: couldn't stat "." error Permission denied (NFS problem ?)"
Looks like our Win boxes connect to the roaming profiles share with
computer-account credentials initially. Other shares, such as 'Users', are
being accessed with respective user credentials, and everything works as
expected; i.e., no "change_to_user_internal" error message.
I am a bit hazy on the internals here, so before I dump config settings for
all the usual suspects, my question is whether this is expected behavior for
domain-joined machines? Windows ACLs on the 'Profiles' directory have been
set according to the corresponding Samba Wiki article, including 'Full
Control' for the 'System' account, and the above snafus don't seem to have
any impact on performance. One quirk, though, is that we are relying on
non-integrated bind9 zones at two different sites, setting the same A record
alias for the respective file server's IP address (i.e., 'legacybox' ->
192.168.55.2 @ site1; 'legacybox' -> 192.168.66.2 @ site2). This means that
there are no SPN entries for 'legacybox', and all authentication against
those shares is pure NTLMv2.
Another observation is that, after a recent update, machine accounts do not
show any longer in 'wbinfo -u' and 'getent passwd' listings. 'wbinfo -i
[computer name]$' will provide mappings within the expected domain range
(10000-999999), though. Again, I know just enough to be dangerous, so I am
unsure as to whether the 'change_to_user_internal' error might be idmap
related?
Any pointers greatly appreciated!
Mike
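
One way to check the observation above, that only computer-account sessions on 'Profiles' hit these errors, is to attribute each failure line to the connect line that precedes it. This is an added example, not part of the original post or Samba's own code; it assumes a per-client smbd log so that failures follow the connect they belong to, and the sample log, its timestamps, the `NNN` line numbers and the `jdoe` entry are constructed.

```python
import re
from collections import Counter

# Constructed sample in smbd's "[timestamp, level] file:line(function)" layout.
# Message texts are the ones quoted in the post; timestamps, the NNN line
# numbers and the 'jdoe' session are invented for illustration.
SAMPLE_LOG = r"""
[2020/01/02 05:12:01.100000,  1] ../source3/smbd/service.c:NNN(make_connection_snum)
  connect to service Profiles initially as user MYDOMAIN\tc-mj00y2ps$ (uid=11128, gid=10515) (pid 1634)
[2020/01/02 05:12:01.200000,  0] ../source3/smbd/vfs.c:898(vfs_GetWd)
  vfs_GetWd: couldn't stat "." error Permission denied (NFS problem ?)
[2020/01/02 05:12:01.300000,  0] ../source3/smbd/uid.c:453(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/01/02 05:13:10.000000,  1] ../source3/smbd/service.c:NNN(make_connection_snum)
  connect to service Users initially as user MYDOMAIN\jdoe (uid=10001, gid=10513) (pid 1634)
"""

CONNECT = re.compile(r"connect to service (\S+) initially as user (\S+) "
                     r"\(uid=(\d+), gid=(\d+)\) \(pid (\d+)\)")
FAILURE_MARKERS = ("chdir_current_service() failed", "vfs_GetWd: couldn't stat")
IDMAP_RANGE = (10000, 999999)  # domain idmap range mentioned in the post

def triage(log_text):
    """Attribute each failure line to the most recent connect line above it."""
    sessions, current = {}, None
    for line in log_text.splitlines():
        m = CONNECT.search(line)
        if m:
            service, user, uid = m.group(1), m.group(2), int(m.group(3))
            current = (service, user)
            sessions.setdefault(current, {
                "machine_account": user.endswith("$"),
                "uid": uid,
                "in_idmap_range": IDMAP_RANGE[0] <= uid <= IDMAP_RANGE[1],
                "failures": Counter(),
            })
        elif current:
            for marker in FAILURE_MARKERS:
                if marker in line:
                    sessions[current]["failures"][marker] += 1
    return sessions

def failing_sessions(sessions):
    """Return the (service, user) pairs that logged at least one failure."""
    return sorted(k for k, v in sessions.items() if v["failures"])

if __name__ == "__main__":
    for key, info in triage(SAMPLE_LOG).items():
        print(key, info["machine_account"], info["uid"], dict(info["failures"]))
```

If every failing pair is a `$` account whose uid still falls inside the idmap range, the errors point at the share's filesystem permissions for machine accounts rather than at a broken ID mapping.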