[Samba] Permission denied for home, even when it's 777

Deft Developer dev at hymes.name
Mon Jul 6 16:31:46 UTC 2020

I cannot access home samba share from windows. Windows client displays a
permission denied error. The problem is not Linux permissions for the user
directory, permission is still denied when permissions are to 777. I don't
think the problem is selinux, because no denials appear in any logs. I don't
think it's an extended attributes issue from xfs, because I don't see any
attributes from lsattr, and only "selinux" in attr -l. The problem is
specific to home, other shares owned by the same user work as expected.


The share-logs logs show errors like this:

Error opening file . (NT_STATUS_ACCESS_DENIED) (local_flags=0) (flags=0)  smbd_smb2_request_error_ex:
smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at
../../source3/smbd/smb2_create.c:296  get_ea_dos_attribute: Cannot get attribute from EA on
file .: Error = Permission denied

And I see similar errors from strace:

getxattr(".", "user.DOSATTRIB", 0x7ffd35218110, 256) = -1 EACCES (Permission

getxattr(".", "user.DOSATTRIB", 0x7ffd35218110, 256) = -1 EACCES (Permission

open(".", O_RDONLY)                     = -1 EACCES (Permission denied)

(Permission denied)

I am very puzzled about which "." directory samba is failing to access.



Home shares worked for years with the configuration below, until I migrated
the samba server from one CentOS 7 server to another. I expect that home
shares have never worked on this new CentOS 7 server.

My samba is 

Version     : 4.10.4

Release     : 11.el7_8

CentOS Linux release 7.8.2003 (Core)

Linux 3.10.0-1127.13.1.el7.x86_64 #1 SMP Tue Jun 23 15:46:38 UTC 2020 x86_64
x86_64 x86_64 GNU/Linux

Here is an excerpt of my samba.conf:

        workgroup = MSAKYTOWN

        realm = MSAKYTOWN.ORG

        security = ADS

        server string = Galactica %v

        netbios name = GALACTICA

        log file = /var/log/samba/%m.log

        max log size = 50

        log level = 4 passdb:5 auth:5

        idmap config * : backend = tdb

        idmap config * : range = 3000-7999

        idmap config MSAKYTOWN:backend = ad

        idmap config MSAKYTOWN:range = 10000-999999

        idmap config MSAKYTOWN:unix_primary_group = no

        idmap config MSAKYTOWN:unix_nss_info = yes

        idmap config MSAKYTOWN:schema_mode = rfc2307

        template shell = /usr/bin/bash

        template homedir = /home/%U

        kerberos method = secrets and keytab

        local master = no

        preferred master = no

        unix extensions = no

        allow insecure wide links = yes

        username map = /etc/samba/user.map


        comment = Home Directories

        read only = No

        browseable = yes

        writable = yes

        follow symlinks = yes

        wide links = yes

More information about the samba mailing list