[Samba] vfs_ChDir failed: Permission denied

[Rowland penny]

On 01/02/2021 19:44, Marco Shmerykowsky via samba wrote:
>>>>> Having said that, if it is only the group you are worried about, just
>>>>> fix the smb.conf on the old computer (which at this stage could just
>>>>> be restarting Samba) and then fix the group ownership of the files 
>>>>> and
>>>>> directories.
>>>>
>>>> Out of ignorance, how do I fix the group ownership? of the files & 
>>>> directories?
>>>>
>>>
>>> This would depend on your computer, at the moment your files will show
>>> as belonging to the group 'owners', but if you restart Samba, it is
>>> probable they will then show as belonging  to '2011'. If this is the
>>> case, then you can use chown or chgrp to change the group ownership
>>> back to 'owners'. I am not saying this is going to be a 5 minute job 😁
>>
>> The directories and files on the server all have the ownership of
>> "whatever user created the filed ie jdoe" and "domain users"
>> and permissions rwxrwx---+
>>
>> Access is controlled by the group policies.
>
> I guess I'm still unclear on if this is fixable.  If I take
> a directory listing of anything in the shared directories,
> I get something like this:
>
> drwxrwx---+   5 root domain admins  4096 Jan  5 13:28 share-1
> drwxrwx---+   9 root domain admins  4096 Jan  5 13:28 share-2
> drwxrwx---+ 744 root domain admins 28672 Jan 26 09:51 share-3
> drwxrwx---+  10 root domain admins  4096 Mar 13  2020 share-4
> drwxrwx---+  14 root domain admins  4096 Jan 25 16:12 share-5


The problem may be that the numeric ID for 'domain admins' might be wrong.

>
> The user/group assignment has looked like this from day one.
> The only variation it that the "user" changes to match whatever
> windows user created the file.  It is not an important attribute
> and could be reset to one person.


 From what you are saying, it doesn't sound like you really have a big 
problem.

I would  create a new Unix domain member and create the required share 
structure. Copy the files to the required places on the new Unix domain 
member, then 'chown root:domain admins' the files (you can do this 
recursively by adding '-R' to the command). You can then use 'setfacl' 
to add further users and groups.

>
> I'm getting that "permission denied" warning on all these shares.
> The "group" assigned on Linux hasn't changed from the original
> configuration.  How do the Security Groups in Windows AD fit
> into this?


Provided 'getent group THE_GROUP_NAME' displays the groups info on Unix, 
then Unix knows who they are, if nothing is returned, then Unix cannot 
use them.

You can use Windows to set permissions on Samba shares, see here: 
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland


>
>