[Samba] chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied.
spindles seven
spindles7 at gmail.com
Sat Nov 27 10:02:31 UTC 2021
Since the upgrade to Samba version 4.15 on one of my member servers, which provides the 'home' directory for users, the above logs appear in syslog on a regular basis. The permissions are set from Windows and initially were as follows:
//lxd-m1/users (path on server is /srv/samba/users):
Share Tab: Everyone: Full Control
Security Tab (NTFS Permissions):
  Domain Users     Read & execute   This folder only
  CREATOR OWNER    Full control     Subfolders and files only
  Domain Admins    Full control     This folder, subfolders and files
The full log message is:
Nov 26 21:14:51 lxd-m1 smbd[200894]: chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied. Current token: uid=11104, gid=10515, 7 groups: 11104 10515 10513 2003 2004 2006 2001
uid 11104 belongs to a Windows 10 member workstation (lion-x99) and group 10515 is Domain Computers. Group 2006 is Authenticated Users.
So I added:
  Authenticated Users   Read & execute   This folder only
and
  SYSTEM                Full Control     This folder, subfolders and files
But the problem persists.
The platform is Debian Bullseye, samba is version 4.15.2 (Louis' repo).
The results of getfacl on /srv/samba/users:
root@lxd-m1:~# getfacl /srv/samba/users
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/users
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
user:domain\040admins:rwx
group::rwx
group:NT\040Authority\\authenticated\040users:rwx
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:domain\040admins:rwx
default:group::---
default:group:NT\040Authority\\system:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---
Identify user and groups:
root@lxd-m1:~# getent passwd 11104
lion-x99$:*:11104:10515::/srv/samba/users/lion-x99_:/bin/bash
root@lxd-m1:~# getent group 10515
domain computers:x:10515:
root@lxd-m1:~# getent group 2003
\everyone:x:2003:
root@lxd-m1:~# getent group 2004
NT Authority\network:x:2004:
root@lxd-m1:~# getent group 2006
NT Authority\authenticated users:x:2006:
root@lxd-m1:~# getent group 2001
BUILTIN\users:x:2001:
Result of testparm:
root@lxd-m1:~# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
    bind interfaces only = Yes
    dedicated keytab file = /etc/krb5.keytab
    interfaces = lo eth0
    kerberos method = secrets and keytab
    log file = /var/log/samba/%m.log
    panic action = /usr/local/bin/gdb_backtrace %d
    realm = MICROLYNX.ORG
    security = ADS
    template homedir = /srv/samba/users/%U
    template shell = /bin/bash
    username map = /etc/samba/user.map
    winbind refresh tickets = Yes
    winbind use default domain = Yes
    workgroup = MICROLYNX
    idmap config microlynx:range = 10000-99999
    idmap config microlynx:backend = rid
    idmap config *:range = 2000-9999
    idmap config * : backend = tdb
    map acl inherit = Yes

[profiles]
    path = /srv/samba/profiles
    read only = No
    vfs objects = btrfs acl_xattr
    acl_xattr:ignore system acl = yes

[users]
    path = /srv/samba/users
    read only = No
    vfs objects = btrfs recycle acl_xattr
    recycle:exclude_dir = %U/Recycle_Bin
    recycle:exclude = *.tmp,~$*
    recycle:touch = Yes
    recycle:keeptree = Yes
    recycle:versions = Yes
    recycle:repository = %U/Recycle_Bin
    acl_xattr:ignore system acl = yes

[test]
    path = /srv/samba/test
    read only = No
    vfs objects = btrfs acl_xattr
I am struggling to know what to do next to track down this issue. Any suggestions?
Roy Eastwood
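
Added example, not part of the original post: the access-check order from acl(5) applied to the access ACL and the smbd token quoted in the message above. Only ids the post shows are mapped to names (plus root = 0); `IDS`, `parse_token` and `check` are names chosen for this example.

```python
import re

# Constructed from the post: smbd token line and the access ACL from getfacl
# (default: entries omitted; they only apply to newly created children).
LOG = ("chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied. "
       "Current token: uid=11104, gid=10515, 7 groups: 11104 10515 10513 2003 2004 2006 2001")
ACL = r"""# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
user:domain\040admins:rwx
group::rwx
group:NT\040Authority\\authenticated\040users:rwx
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
mask::rwx
other::---"""
# Assumption: only ids visible in the post are mapped; unmapped names never match.
IDS = {"root": 0, "NT Authority\\authenticated users": 2006}

def unescape(name):
    # getfacl prints a space as \040 and a backslash as \\
    return re.sub(r"\\(\d{3}|\\)",
                  lambda m: "\\" if m[1] == "\\" else chr(int(m[1], 8)), name)

def parse_token(line):
    m = re.search(r"uid=(\d+), gid=(\d+), \d+ groups: ([\d ]+)", line)
    return int(m[1]), {int(m[2]), *map(int, m[3].split())}

def check(acl_text, ids, uid, gids, want="x"):
    """Access check order from acl(5); returns (allowed, deciding entry)."""
    head = dict(re.findall(r"^# (owner|group): (.*)$", acl_text, re.M))
    rows = [l.split(":") for l in acl_text.splitlines() if l and l[0] != "#"]
    rows = [(tag, unescape(name), set(perms) - {"-"}) for tag, name, perms in rows]
    obj = {tag: p for tag, name, p in rows if not name}  # user::, group::, mask::, other::
    mask, need = obj.get("mask", set("rwx")), set(want)
    if ids.get(unescape(head["owner"])) == uid:           # 1. file owner (mask not applied)
        return need <= obj["user"], "user::"
    for tag, name, p in rows:                             # 2. named user entries
        if tag == "user" and name and ids.get(name) == uid:
            return need <= p & mask, "user:" + name
    hits = [("group:" + name, p) for tag, name, p in rows  # 3. owning and named groups
            if tag == "group" and ids.get(name or unescape(head["group"])) in gids]
    for label, p in hits:
        if need <= p & mask:
            return True, label
    return (False, hits[0][0]) if hits else (need <= obj["other"], "other::")  # 4. other

if __name__ == "__main__":
    print(check(ACL, IDS, *parse_token(LOG)))
```

For this token the check allows search (x) through the Authenticated Users entry, so the access ACL posted for /srv/samba/users does not by itself account for the Permission denied. chdir also needs search permission on every parent directory (/srv, /srv/samba), whose ACLs the post does not show.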