[Samba] Only domain admins can access shares

Lorenzo Milesi maxxer at yetopen.it
Fri May 8 22:13:20 UTC 2020

I've set up a single server with a DC and fileserver. I've read through all docs and the warnings on the wiki (VERY well done, many thanks to all the contributors) more than once so I hope I haven't missed anything.

# Global parameters
        netbios name = FILESERVER
        realm = WDC.DOMAIN.IT
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = WDC
        netbios aliases = server
        idmap_ldb:use rfc2307 = yes
        # https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
#       template shell = /bin/bash
        template homedir = /home/%U

#log level = 5

        path = /usr/local/samba/var/locks/sysvol
        read only = No

        path = /usr/local/samba/var/locks/sysvol/wdc.domain.it/scripts
        read only = No

        path = /home/CONDIVISI/SHARE1
        include = /usr/local/samba/etc/cestino.conf
        read only = No

As I wish to use recycle, cestino.conf contains:
        vfs objects = dfs_samba4 acl_xattr recycle
        recycle:repository = .cestino/%U
        recycle:keeptree = yes
        recycle:touch = yes
        recycle:versions= yes
        recycle:exclude = *.tmp *.bak ~$*
        recycle:exclude_dir = /tmp /temp /cache
        recycle:noversions = *.doc *.xls *.ppt
        recycle:directory_mode = 770
        recycle:touch_mtime = yes

Then I ran (the directory was not empty)
chown -R root:"Domain Admins" /home/CONDIVISI/SHARE1
chmod -R 0770 /home/CONDIVISI/SHARE1

and via Windows "Manage computer > Shares" I added users and groups on the "Security" tab, giving all the necessary groups "Full control". Unfortunately, despite this, only users in the "Domain Admins" group can access the shares.
getfacl SHARE1 returns

# file: SHARE1/
# owner: root
# group: WDC\134domain\040admins

where "tutti" is a general group for access by everyone.

I tested the filesystem for xattr support and it's working. ACLs as well. smbd -b returns HAVE_LIBACL.

# samba-tool ntacl get BACHECA --as-sddl

(there's one more group I omitted in the getfacl)

# samba-tool group show tutti
dn: CN=tutti,CN=Users,DC=wdc,DC=domain,DC=it
objectClass: top
objectClass: group
cn: tutti
instanceType: 4
whenCreated: 20200430161053.0Z
uSNCreated: 4095
name: tutti
objectGUID: 01c15efe-dcde-4b1d-91d4-3e31a3e542f9
objectSid: S-1-5-21-2667713901-96841565-2831603132-1108
sAMAccountName: tutti
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=wdc,DC=domain,DC=it
member: CN=maxxer,CN=Users,DC=wdc,DC=domain,DC=it

so the "tutti" group appears in the ntacl.

When trying to access with debug enabled I get:

[2020/05/09 00:02:39.284780,  5] ../../source3/auth/token_util.c:874(debug_unix_user_token)
  UNIX token of user 3000049
  Primary group is 100 and contains 9 supplementary groups
  Group[  0]: 3000049
  Group[  1]: 100
  Group[  2]: 3000026
  Group[  3]: 3000021
  Group[  4]: 3000014
  Group[  5]: 3000015
  Group[  6]: 3000003
  Group[  7]: 3000009
  Group[  8]: 3000017
[2020/05/09 00:02:39.284843,  4] ../../source3/smbd/vfs.c:825(vfs_ChDir)
  vfs_ChDir to /home/CONDIVISI/SHARE1
[2020/05/09 00:02:39.284866,  1] ../../source3/smbd/service.c:164(chdir_current_service)
  chdir_current_service: vfs_ChDir(/home/CONDIVISI/SHARE1) got permission denied, current token: uid=3000049, gid=100, 9 groups: 3000049 100 3000026 3000021 3000014 3000015 3000003 3000009 3000017
[2020/05/09 00:02:39.284881,  3] ../../source3/smbd/smb2_server.c:3274(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:2558

# wbinfo --gid-info=3000021

What am I missing?
Thanks again
Lorenzo Milesi - lorenzo.milesi at yetopen.it

YetOpen S.r.l. - https://www.yetopen.it/
Via Salerno 18 - 23900 Lecco - ITALY -
Tel +39 0341 220 205 - Fax +39 178 6070 222

Think green - Non stampare questa e-mail se non necessario / Don't print this email unless necessary
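Added example, not from the post or from Samba: a small Python checker that takes the "current token:" part of the smbd log line above and a `getfacl -n` listing (numeric ids, assumed) and walks the POSIX.1e evaluation order to report which ACL entry, if any, lets that token traverse the share directory. The ACL text is constructed; the uid/gid values are the ones in the post.

```python
import re

# Constructed from the thread's smbd log line (uid/gid values as posted); not Samba code.
TOKEN_LINE = ("chdir_current_service: vfs_ChDir(/home/CONDIVISI/SHARE1) got permission denied, "
              "current token: uid=3000049, gid=100, 9 groups: 3000049 100 3000026 3000021 3000014 3000015 3000003 3000009 3000017")

# Constructed `getfacl -n` output (numeric ids, assumed) for a share dir with one named-group entry.
ACL_SAMPLE = """# file: SHARE1/
# owner: 0
# group: 3000014
user::rwx
group::rwx
group:3000021:rwx
mask::rwx
other::---
"""

def parse_token(line):
    """uid, primary gid and full group set from the 'current token:' part of the log line."""
    m = re.search(r"uid=(\d+), gid=(\d+), \d+ groups: ([\d\s]+)", line)
    return int(m.group(1)), int(m.group(2)), {int(g) for g in m.group(3).split()}

def parse_getfacl(text):
    """Header ids plus a dict of (tag, numeric qualifier or None) -> permission string."""
    acl = {"entries": {}}
    for line in text.splitlines():
        if line.startswith(("# owner:", "# group:")):
            acl[line[2:7]] = int(line.split(":")[1])          # key is "owner" or "group"
        elif line and not line.startswith("#"):
            tag, qual, perms = line.split(":")
            acl["entries"][(tag, int(qual) if qual else None)] = perms
    return acl

def explain_access(acl, uid, gid, groups, want="x"):
    """POSIX.1e check order: owner, named user, owning/named groups (mask applied), other."""
    e = acl["entries"]
    mask = e.get(("mask", None), "rwx")
    granted = lambda p: want in p and want in mask    # mask caps every non-owner entry
    if uid == acl["owner"]:
        return want in e[("user", None)], "user:: (owner, mask not applied)"
    if ("user", uid) in e:
        return granted(e[("user", uid)]), f"user:{uid} (masked)"
    mine = groups | {gid}
    cands = [(None, e[("group", None)])] if acl["group"] in mine else []
    cands += [(q, p) for (t, q), p in e.items() if t == "group" and q in mine]
    for q, p in cands:                                 # any matching group entry may grant
        if granted(p):
            return True, f"group:{'' if q is None else q} grants {want}"
    if cands:
        return False, "matching group entries exist but permission/mask deny " + want
    return want in e.get(("other", None), "---"), "no matching entry, other:: applies"
```

Run it against the real output of `getfacl -n` on the share and the token printed at log level 1 to see whether the denial comes from a missing group entry, from the owning group not being in the token, or from the mask.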
