[Samba] chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied.

spindles seven spindles7 at gmail.com
Wed Dec 1 15:42:28 UTC 2021


On 29 November 2021 16:02 L.P.H. van Belle wrote:
> what i see here :
> 
> /srv is fine.
> -------------------
> /srv/samba not fully, it's possible to use it like this.
> # flags: -s-  your setting Creator Group, it's possible.
> other::--x  it allows traversal, but this is also before a share ping, you need read rights also.
> to be able to read the next folder. ( like users)
> 
> so i have
> 
> # file: srv/samba
> # owner: root
> # group: root
> # flags: s--
> user::rwx
> group::rwx
> other::r-x
> 

OK have changed /srv/samba to match your settings.

> ----------------
> The users share is very different.
> 
> what i really recommend..
> 
> setup exactly as shown here.
> https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-folder-redirection
> 
> When that's done, create 1 user in there and capture the settings with getfacl and samba-tools
> sudo samba-tool ntacl get /srv/samba/users/ --as-sddl
> 
> Then if something goes wrong you can easily script it to fix it.
> 
> So this is what i have.
> 
> # file: srv/samba/users
> # owner: root
> # group: root
> # flags: -s-
> user::rwx
> user:root:rwx
> group::---
> group:root:---
> group:BUILTIN\\administrators:rwx
> group:BUILTIN\\users:r-x
> group:2007:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:root:---
> default:group:BUILTIN\\administrators:rwx
> default:group:2007:rwx
> default:mask::rwx
> default:other::---
> 
> (Domain Users is member of BUILTIN\\users. )
> (Domain Admins is member of BUILTIN\\Administrators. )
> 
> wbinfo -G 2007  =  S-1-5-18
> wbinfo -s S-1-5-18  =  NT Authority\SYSTEM 5
> 
> (Domain Users is member of BUILTIN\\users. )
> 
> 
> looking at your set.. i suspect this is the one that's wrong.
> group:domain\040users:---

That shows no access for Domain Users? If so, I still don't understand why Domain Users were able to traverse /srv/samba but Domain Computers were not.

> 
> what i suggest, create a new share, dont change the share security.

OK did that and set permissions and the -s- flag with:
chmod 2770 /srv/samba/users-test

> run this on the new test folder
> samba-tool ntacl set "O:LAG:S-1-22-2-0D:PAI(A;;0x001200a9;;;BU)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;BA)" /srv/samba/users-test
> 
This produced:
root at lxd-m1:~# samba-tool ntacl set "O:LAG:S-1-22-2-0D:PAI(A;;0x001200a9;;;BU)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;BA)" /srv/samba/users-test
root at lxd-m1:~# getfacl /srv/samba/users-test
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/users-test
# owner: administrator
# group: root
# flags: -s-
user::rwx
user:administrator:rwx
group::---
group:root:---
group:BUILTIN\\administrators:rwx
group:BUILTIN\\users:r-x
group:NT\040Authority\\system:rwx
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:group::---
default:group:root:---
default:group:BUILTIN\\administrators:rwx
default:group:NT\040Authority\\system:rwx
default:mask::rwx
default:other::---

However, when I tried to look at this from Windows, I wasn't able to see the entries on the Security tab until I removed the line from smb.conf:
       acl_xattr:ignore system acls = yes
and restarted smbd.

Windows then showed (for the share \\lxd-m1\users-test):
Administrator:Full Control:This Folder, subfolders and files
CREATOR OWNER:Full Control:Subfolders and files only
CREATOR GROUP:none: Subfolders and files only
SYSTEM: Full Control:This Folder, subfolders and files
Administrators (LXD-M1\Administrators): Full Control:This Folder, subfolders and files
root (Unix Group\root):none:This Folder, subfolders and files
Users (LXD-M1\Users):Read & Execute:This folder only
Everyone:none:This Folder, subfolders and files

If I edit the above from Windows, removing the Administrator, CREATOR GROUP, root and Everyone entries and then restore the acl_xattr:ignore system acls = yes setting in smb.conf, restarting smbd, the entries become like you show below:

> This is the following setting.
> security On the folder,  (via Advanced)
> Creator Owner, only on subfolders and files.
> SYSTEM Full control
> Administrators (Domain admins)  full control.
> Users (Domain users), Read and Exec, only this folder.
> 
I created a security group called 'Redirected Folder Users' and I then created a test user called 'testuser' and set the Home folder to connect the H: drive to: \\lxd-m1.microlynx.org\users-test\%username%, and made the user a member of that group.

This automatically created the testuser's home folder in /srv/samba/users-test as expected:
root at lxd-m1:~# getfacl /srv/samba/users-test/testuser
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/users-test/testuser
# owner: roy
# group: domain\040users
# flags: -s-
user::rwx
user:administrator:rwx
group::---
group:root:---
group:BUILTIN\\administrators:rwx
group:NT\040Authority\\system:rwx
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:group::---
default:group:root:---
default:group:BUILTIN\\administrators:rwx
default:group:NT\040Authority\\system:rwx
default:mask::rwx
default:other::---

> Then run this
> TESTUSER=karen
> samba-tool ntacl set "O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;0x001301bf;;;$(wbinfo --name-to-sid "${TESTUSER}" |awk '{ print $1 }'))(A;ID;0x001200a9;;;S-1-22-2-0)(A;OICIIOID;0x001200a9;;;CG)(A;OICIID;0x001f01ff;;;LA)(A;OICIID;0x001f01ff;;;DA)" /srv/samba/users/"${TESTUSER}"
> 
> Now look at the rights from within windows on karen's folder.
> 
I then ran the above (replacing karen with testuser and /srv/samba/users with /srv/samba/users-test) and got:
testuser:Full Control:This Folder, subfolders and files
Administrators (LXD-M1\Administrators): Full Control:This Folder, subfolders and files
roy: Full Control:This Folder, subfolders and files
CREATOR OWNER:Full Control:Subfolders and files only
SYSTEM: Full Control:This Folder, subfolders and files
Administrators (LXD-M1\Administrators): Full Control:This Folder, subfolders and files

(The last 4 inherited from \\lxd-m1\users-test)

There's no mention of the Redirected Folder Users. I assume I need to add that manually to the users-test share?
> 
> it is this setup.
> https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-folder-redirection
> 
> the pitfall in that text is:
> Security group of users who need to put data on the share (Folder Redirection Users)
> Don't use domain users or everyone
> 
> i use "Redirected Folder Users"
> 
> I hope this helps a bit.
> 
> 
> Greetz,
> 
> Louis

Note that I was using a user with Domain Admin rights (roy) - I couldn't get the Domain Administrator user (MICROLYNX\Administrator) to access any of the samba domain computers using Computer Management console from Windows 10. Is that because Administrator is mapped to root and is that expected?

Thanks for your valuable help.

Roy
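An added example, not part of Roy's or Louis's mail and not Samba's own code: it decodes an SDDL string of the form handed to `samba-tool ntacl set` above into the rows the Windows Security tab (Advanced view) shows, so the intended ACL can be checked before it is applied or compared against `samba-tool ntacl get --as-sddl`. The two-letter SID aliases and the mapping of S-1-22-1-<uid> / S-1-22-2-<gid> to Unix accounts are the standard SDDL and Samba conventions; domain SIDs are left verbatim because resolving them needs wbinfo. The string in `__main__` is the share ACL from the thread; the assumed placeholder SID S-1-5-21-1-2-3-1105 stands in for the `$(wbinfo ...)` substitution in the per-user command.

```python
"""Decode an SDDL string of the kind passed to `samba-tool ntacl set` and render
each ACE the way the Windows Security tab (Advanced view) words it."""
import re

# Two-letter SDDL SID aliases that appear in the thread (subset of the well-known table).
SID_ALIASES = {
    "BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users", "CO": "CREATOR OWNER",
    "CG": "CREATOR GROUP", "SY": "NT AUTHORITY\\SYSTEM", "LA": "<domain>\\Administrator",
    "DA": "<domain>\\Domain Admins", "WD": "Everyone",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "IO": "INHERIT_ONLY",
             "NP": "NO_PROPAGATE_INHERIT", "ID": "INHERITED"}
DACL_FLAGS = {"P": "PROTECTED", "AI": "AUTO_INHERITED", "AR": "AUTO_INHERIT_REQ"}
# Standard NTFS masks and the names Windows gives them.
SIMPLE_RIGHTS = {0x001F01FF: "Full Control", 0x001301BF: "Modify",
                 0x001200A9: "Read & Execute", 0x00120089: "Read"}
ACCESS_BITS = {0x1: "READ_DATA/LIST", 0x2: "WRITE_DATA", 0x4: "APPEND/ADD_SUBDIR",
               0x8: "READ_EA", 0x10: "WRITE_EA", 0x20: "EXECUTE/TRAVERSE",
               0x40: "DELETE_CHILD", 0x80: "READ_ATTR", 0x100: "WRITE_ATTR",
               0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
               0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}


def describe_sid(sid):
    if sid in SID_ALIASES:
        return SID_ALIASES[sid]
    # Samba maps local Unix uids/gids to S-1-22-1-<uid> and S-1-22-2-<gid>.
    m = re.fullmatch(r"S-1-22-([12])-(\d+)", sid)
    if m:
        return ("Unix User\\" if m.group(1) == "1" else "Unix Group\\") + m.group(2)
    return sid  # domain SIDs would need a wbinfo lookup; left verbatim


def describe_mask(mask):
    if mask in SIMPLE_RIGHTS:
        return SIMPLE_RIGHTS[mask]
    return "Special (" + ", ".join(n for b, n in ACCESS_BITS.items() if mask & b) + ")"


def describe_applies_to(flags):
    """Translate inheritance flags into the 'Applies to' column."""
    oi, ci, io = "OI" in flags, "CI" in flags, "IO" in flags
    if oi and ci:
        return "Subfolders and files only" if io else "This folder, subfolders and files"
    if ci:
        return "Subfolders only" if io else "This folder and subfolders"
    if oi:
        return "Files only" if io else "This folder and files"
    return "This folder only"


def parse_ace(body):
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError(f"ACE must have 6 ';'-separated fields: {body!r}")
    ace_type, flag_str, rights, _obj_guid, _inherit_guid, sid = fields
    flags = [flag_str[i:i + 2] for i in range(0, len(flag_str), 2)]
    bad = [f for f in flags if f not in ACE_FLAGS]
    if bad:
        raise ValueError(f"unknown ACE flag(s) {bad} in {body!r}")
    if not rights.lower().startswith("0x"):
        raise ValueError(f"only hex access masks are handled, got {rights!r}")
    mask = int(rights, 16)
    return {"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags, "mask": mask,
            "trustee": describe_sid(sid), "rights": describe_mask(mask),
            "applies_to": describe_applies_to(flags)}


def parse_sddl(sddl):
    # Sections are introduced by O: G: D: S:; no colon occurs inside their values.
    marks = list(re.finditer(r"[OGDS]:", sddl))
    if not marks or marks[0].start() != 0:
        raise ValueError("SDDL must begin with a section marker such as O:")
    sections = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        sections[m.group()[0]] = sddl[m.end():end]
    dacl = re.fullmatch(r"([A-Z]*)((?:\([^()]*\))*)", sections.get("D", ""))
    if dacl is None:
        raise ValueError(f"malformed DACL section: {sections.get('D')!r}")
    flag_str, ace_str = dacl.groups()
    dacl_flags = []
    while flag_str:
        tok = flag_str[:2] if flag_str[:2] in DACL_FLAGS else flag_str[:1]
        if tok not in DACL_FLAGS:
            raise ValueError(f"unknown DACL flag in {dacl.group(1)!r}")
        dacl_flags.append(DACL_FLAGS[tok])
        flag_str = flag_str[len(tok):]
    return {"owner": describe_sid(sections.get("O", "")),
            "group": describe_sid(sections.get("G", "")),
            "dacl_flags": dacl_flags,
            "aces": [parse_ace(b) for b in re.findall(r"\(([^()]*)\)", ace_str)]}


def windows_view(sddl):
    """One 'trustee:rights:applies to' row per ACE, in DACL order."""
    return [f"{a['trustee']}:{a['rights']}:{a['applies_to']}" for a in parse_sddl(sddl)["aces"]]


if __name__ == "__main__":
    share = ("O:LAG:S-1-22-2-0D:PAI(A;;0x001200a9;;;BU)(A;OICIIO;0x001f01ff;;;CO)"
             "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;BA)")
    info = parse_sddl(share)
    print("owner:", info["owner"], " group:", info["group"], " flags:", info["dacl_flags"])
    print("\n".join(windows_view(share)))
```

Decoding the share string gives Users = Read & Execute on this folder only and CREATOR OWNER = Full Control on subfolders and files only, which is what Windows displayed above; the extra CREATOR GROUP, root and Everyone rows came from the POSIX side, not from the SDDL. The per-user string's first ACE (0x001301bf) decodes as Modify rather than Full Control, so a Full Control row for that user is worth a second look.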
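A second added example, again not from the thread and not Samba's code: it evaluates getfacl output with the POSIX ACL algorithm described in acl(5) to answer the question above of why one account can traverse /srv/samba/users while another cannot. The rules it implements: the owner entry is checked first and is not capped by the mask; a named user entry is next; if any group the account belongs to matches the owning group or a named group entry, access is decided by those entries alone (one granting entry suffices, a matching entry with --- does not fall through to other::), all under the mask; only an account with no matching entry at all reaches other::. The ACL text and the account names are constructed, modelled on the listings above but not copied from them.

```python
"""Evaluate getfacl(1) output the way the kernel does, to find the first directory on a
share path that denies search (x) to a given account."""
import re

ESCAPE = re.compile(r"\\(\\|\d{3})")


def unescape_name(name):
    # getfacl writes a backslash as \\ and a space (or other odd byte) as \NNN octal,
    # e.g. 'domain\040users' -> 'domain users', 'BUILTIN\\users' -> 'BUILTIN\users'.
    return ESCAPE.sub(lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)), name)


def perm_set(perm):
    return {c for c in perm if c in "rwx"}


def parse_getfacl(text):
    """Return owner, group and the access entries as (tag, qualifier, perms) tuples."""
    acl = {"file": None, "owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("getfacl:"):
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition(":")
            if key in acl:
                acl[key] = value.strip()
            continue
        line = line.split("#", 1)[0].strip()  # drop a trailing '#effective:' comment
        if line.startswith("default:"):
            continue  # default entries shape new children; they do not grant access here
        tag, qualifier, perms = line.rsplit(":", 2)
        acl["entries"].append((tag, unescape_name(qualifier), perms))
    return acl


def has_access(acl, user, groups, requested):
    """POSIX ACL check (acl(5)): owner, then named user, then matching group entries
    (any one of them granting is enough, all under the mask), else other."""
    requested = perm_set(requested)
    entries = acl["entries"]
    mask = next((perm_set(p) for t, _, p in entries if t == "mask"), set("rwx"))
    if user == acl["owner"]:
        owner = next(perm_set(p) for t, q, p in entries if t == "user" and q == "")
        return requested <= owner  # the owner entry is never limited by the mask
    for t, q, p in entries:
        if t == "user" and q == user:
            return requested <= (perm_set(p) & mask)
    matching = [perm_set(p) & mask for t, q, p in entries if t == "group"
                and ((q == "" and acl["group"] in groups) or (q != "" and q in groups))]
    if matching:
        # A matching group entry with no rights does NOT fall through to other::
        return any(requested <= g for g in matching)
    other = next(perm_set(p) for t, _, p in entries if t == "other")
    return requested <= other


def first_blocked_component(chain, user, groups):
    """chain: [(path, acl), ...] from the top directory down. Every directory on the
    way must grant search (x); returns the first one that does not, or None."""
    for path, acl in chain:
        if not has_access(acl, user, groups, "x"):
            return path
    return None


# Constructed samples modelled on the thread's getfacl listings (not copied verbatim).
ACL_SAMBA = r"""
# file: srv/samba
# owner: root
# group: root
# flags: s--
user::rwx
group::rwx
other::r-x
"""
ACL_USERS = r"""
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/users
# owner: root
# group: root
# flags: -s-
user::rwx
user:root:rwx
group::---
group:root:---
group:BUILTIN\\administrators:rwx
group:BUILTIN\\users:r-x
group:domain\040users:---
mask::rwx
other::---
"""

if __name__ == "__main__":
    chain = [("srv/samba", parse_getfacl(ACL_SAMBA)), ("srv/samba/users", parse_getfacl(ACL_USERS))]
    # Constructed accounts: a domain user (also in BUILTIN\users) and a machine account.
    for user, groups in (("alice", {"domain users", "BUILTIN\\users"}),
                         ("pc01$", {"domain computers"})):
        print(user, "blocked at:", first_blocked_component(chain, user, groups))
```

With these entries a domain user still gets r-x from the BUILTIN\users line even though the domain users line says ---, while a machine account that is in neither group matches no entry and lands on other::---, which is where a vfs_ChDir "Permission denied" comes from.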



