[Samba] vfs_ChDir failed: Permission denied

Marco Shmerykowsky marco at sce-engineers.com
Sun Jan 31 14:42:36 UTC 2021

On 2021-01-31 8:36 am, Rowland penny via samba wrote:
> On 31/01/2021 13:18, Marco Shmerykowsky via samba wrote:
>> After working on DNS issues, I thought I had everything working.
>> When I log into the domain on Windows, the drive maps are
>> applied by group policy, but the server that contains all
>> the shares denies access to everything with a number of
>> errors in the following format:
>>  vfs_ChDir(/path/to/server/share) failed: Permission denied
>> Thoughts?
> I think you haven't given us enough information to work with 😂

Short description.  Everything seemed to be working until
I embarked on an effort to correct apparent DNS issues. :)
Can't this be fixed automagically? :)

> Where is the error message coming from ?

I found the errors in the smbd log file on the domain member
server that contains the file shares.  I have group policies
for the desktop background and drives shares.  The policies
seem to be applied since the drive maps show up and I do
not see any errors when I run gpresult.

The background doesn't show up because the image file is
stored in one of the drive shares.  Trying to access the
drive shares results in an error under Windows that I do
not have permission to access the share.

> Is there anything surrounding it (paths etc)

The full line in the log is as follows:

   chdir_current_service: vfs_ChDir(/path/to/domain-member-server/share) failed: Permission denied. Current token: uid=11105, gid=10513, 13 groups: 11105 10513 11119 11118 11120 11121 11122 11135 11138 2004 2005 2007 2002

> If it is on a Unix domain member, what is in smb.conf.

Domain Member server.  It seemed to be working fine until the
DNS changes.

         workgroup = AD_DOMAIN
         security = ADS
         realm = AD-DOMAIN.COMPANY.COM
         server string = Samba 4 Client %h

         winbind use default domain = yes
         winbind expand groups = 2
         winbind refresh tickets = yes
         dedicated keytab file = /etc/krb5.keytab
         kerberos method = secrets and keytab

         ## map ids outside of domain to RDB files
         idmap config *:backend = tdb
         idmap config *:range = 2000-9999

         ## map ids from the domain
         idmap config AD-DOMAIN : backend = rid
         idmap config AD-DOMAIN : range = 10000-999999

         # uncomment next line to allow login
         # template shell = /bin/bash
         template homedir = /home/%U

         domain master = no
         local master = no
         preferred master = no

         # user Administrator workaround
         username map = /etc/samba/user.map

         # For ACL support on domain member
         vfs objects = acl_xattr
         map acl inherit = yes
         store dos attributes = yes

         # disable printing completely
         # remove these lines to print
         load printers = no
         printing = bsd
         printcap name =  /dev/null
         disable spoolss = yes

         # logging
         # change the number to raise level
         log level = 0
         # map untrusted to domain = yes

         path = /path/to/domain-member-server/share
         read only = no

> If it is a Unix domain member, what permissions are set on the share
> (including those shown by getfacl) ?

permissions via getfacl:

# file: path/to/domain-member-server/share
# owner: root
# group: domain\040admins

Permissions via ls -la:

drwxrwx---+  14 root domain admins  4096 Jan 25 16:12 share

> Rowland
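
Added example, not part of the original post: a small Python helper that parses the "Current token" line quoted above and places each uid/gid in the idmap ranges from the posted smb.conf, which shows which IDs come from the domain and which from the default tdb range. It assumes the rid backend's default base_rid of 0 (so RID = ID minus the low end of the range); the well-known RIDs 512 and 513 are general Windows values, not taken from the post.

```python
import re

# idmap ranges copied from the smb.conf in the post: (domain, backend, low, high)
IDMAP_RANGES = [
    ("*", "tdb", 2000, 9999),
    ("AD-DOMAIN", "rid", 10000, 999999),
]
# Well-known domain RIDs (general Windows values, not taken from the post)
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users"}

# The log line from the post, joined back onto a single line
LOG_LINE = ("chdir_current_service: vfs_ChDir(/path/to/domain-member-server/share) "
            "failed: Permission denied. Current token: uid=11105, gid=10513, 13 groups: "
            "11105 10513 11119 11118 11120 11121 11122 11135 11138 2004 2005 2007 2002")

TOKEN_RE = re.compile(r"Current token: uid=(\d+), gid=(\d+), (\d+) groups:((?: \d+)*)")

def parse_token(line):
    """Extract uid, primary gid and supplementary groups from an smbd token line."""
    m = TOKEN_RE.search(line)
    if m is None:
        raise ValueError("no 'Current token' found in line")
    groups = [int(g) for g in m.group(4).split()]
    if len(groups) != int(m.group(3)):
        raise ValueError("group list is truncated or the line is still wrapped")
    return {"uid": int(m.group(1)), "gid": int(m.group(2)), "groups": groups}

def classify(unix_id):
    """Place a Unix ID in one of the configured idmap ranges."""
    for domain, backend, low, high in IDMAP_RANGES:
        if low <= unix_id <= high:
            # idmap_rid with the default base_rid of 0: ID = RID + low end of range
            rid = unix_id - low if backend == "rid" else None
            return {"id": unix_id, "domain": domain, "backend": backend,
                    "rid": rid, "name": WELL_KNOWN_RIDS.get(rid)}
    return {"id": unix_id, "domain": None, "backend": None, "rid": None, "name": None}

def explain(line):
    """Classify the uid followed by every group in the token."""
    token = parse_token(line)
    return [classify(i) for i in [token["uid"]] + token["groups"]]

if __name__ == "__main__":
    for row in explain(LOG_LINE):
        print(row)
```

The output can be compared by hand with the owner and group shown by ls and getfacl on the share directory.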

