[Samba] chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied.
L.P.H. van Belle
belle at bazuin.nl
Mon Nov 29 16:01:42 UTC 2021
What I see here:
/srv is fine.
-------------------
/srv/samba not fully; it's possible to use it like this.
# flags: -s- your setting Creator Group, it's possible.
other::--x it allows traversal, but this is also before a share ping, you need read rights also
to be able to read the next folder (like users).
So I have
# file: srv/samba
# owner: root
# group: root
# flags: s--
user::rwx
group::rwx
other::r-x
----------------
The users share is very different.
What I really recommend:
set up exactly as shown here.
https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-folder-redirection
When that's done, create 1 user in there and capture the settings with getfacl and samba-tool
sudo samba-tool ntacl get /srv/samba/users/ --as-sddl
Then if something goes wrong you can easily script it to fix it.
So this is what I have.
# file: srv/samba/users
# owner: root
# group: root
# flags: -s-
user::rwx
user:root:rwx
group::---
group:root:---
group:BUILTIN\\administrators:rwx
group:BUILTIN\\users:r-x
group:2007:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:BUILTIN\\administrators:rwx
default:group:2007:rwx
default:mask::rwx
default:other::---
(Domain Users is member of BUILTIN\\users. )
(Domain Admins is member of BUILTIN\\Administrators. )
wbinfo -G 2007 = S-1-5-18
wbinfo -s S-1-5-18 = NT Authority\SYSTEM 5
(Domain Users is member of BUILTIN\\users. )
Looking at your set, I suspect this is the one that's wrong.
group:domain\040users:---
What I suggest: create a new share, don't change the share security.
Run this on the new test folder:
samba-tool ntacl set "O:LAG:S-1-22-2-0D:PAI(A;;0x001200a9;;;BU)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;BA)" /srv/samba/users-test
This is the following setting.
Security on the folder (via Advanced):
Creator Owner, only on subfolders and files.
SYSTEM Full control
Administrators (Domain admins) full control.
Users (Domain users), Read and Exec, only this folder.
Then run this
TESTUSER=karen
samba-tool ntacl set "O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;0x001301bf;;;$(wbinfo --name-to-sid "${TESTUSER}" |awk '{ print $1 }'))(A;ID;0x001200a9;;;S-1-22-2-0)(A;OICIIOID;0x001200a9;;;CG)(A;OICIID;0x001f01ff;;;LA)(A;OICIID;0x001f01ff;;;DA)" /srv/samba/users/"${TESTUSER}"
Now look at the rights from within Windows on karen's folder.
It is this setup:
https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-folder-redirection
The pitfall in that text is:
Security group of users who need to put data on the share (Folder Redirection Users)
Don't use domain users or everyone.
I use "Redirected Folder Users"
I hope this helps a bit.
Greetz,
Louis
________________________________
From: Roy Eastwood [mailto:spindles7 at gmail.com]
Sent: Monday 29 November 2021 11:21
To: L.P.H. van Belle; samba at lists.samba.org
Subject: Re: [Samba] chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied.
Ok, here are the results:
roy@lxd-m1:~$ sudo getfacl /srv
[sudo] password for roy:
getfacl: Removing leading '/' from absolute path names
# file: srv
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
roy@lxd-m1:~$ sudo getfacl /srv/samba
getfacl: Removing leading '/' from absolute path names
# file: srv/samba
# owner: root
# group: domain\040admins
# flags: -s-
user::rwx
group::rwx
other::--x
roy@lxd-m1:~$ sudo getfacl /srv/samba/users
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/users
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
user:domain\040admins:rwx
user:domain\040computers:r-x
group::rwx
group:NT\040Authority\\authenticated\040users:rwx
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:domain\040admins:rwx
default:group::---
default:group:NT\040Authority\\system:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---
roy@lxd-m1:~$ sudo getfacl /srv/samba/users/karen
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/users/karen
# owner: karen
# group: domain\040users
user::rwx
user:root:rwx
user:domain\040admins:rwx
group::---
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:domain\040users:---
group:karen:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:domain\040admins:rwx
default:user:karen:rwx
default:group::---
default:group:NT\040Authority\\system:rwx
default:group:domain\040admins:rwx
default:group:domain\040users:---
default:group:karen:rwx
default:mask::rwx
default:other::---
Thanks for your help,
Roy
On Mon, 29 Nov 2021, 09:54 L.P.H. van Belle via samba, <samba at lists.samba.org> wrote:
A full output of the created structure would be nice
and helps to explain that.
For all the used folders a getfacl should tell sufficient.
getfacl /srv
getfacl /srv/samba
getfacl /srv/samba/users
getfacl /srv/samba/users/username
But I suspect "SYSTEM" is missing somewhere.
And/Or did you change the Share Rights in Windows?
Because, if you do that, AFTER users are created,
it can mess up already existing folders and their rights.
I work in this order.
1) install samba.
2) create the folders in /srv/samba and setup the shares.
3) set up the share and folder rights.
4) create users and set user home and profiles
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> spindles seven via samba
> Sent: Sunday 28 November 2021 0:41
> To: samba at lists.samba.org
> CC: 'Patrick Goetz'
> Subject: Re: [Samba] chdir_current_service:
> vfs_ChDir(/srv/samba/users) failed: Permission denied.
>
> On 27 November 2021 20:05 Ralph Boehme wrote:
> > On 11/27/21 18:27, Patrick Goetz via samba wrote:
> > > Sure, but Samba, which runs as root,
> >
> > smbd does not run as root when executing SMB requests, it impersonates
> > the user UNIX token while doing this.
> >
> OK, that explains why one of my Domain Computers got
> permission denied, but that raises the other question - why
> then is a normal user able to access his/her files which live
> in /srv/samba/users/<username> without any problem? The
> permissions on /srv/samba (before I added the "x") were
> rwxrwx--- : root and Domain Admins only have access. So
> Domain Users were able to traverse the hierarchy but not
> Domain Computers. Why?
>
> Thanks,
>
> Roy
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
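
Added example, not part of the original thread and not Samba's own code: a small Python decoder for the SDDL string in the first "samba-tool ntacl set" command in Louis's reply, so it can be checked against the folder security he describes (Creator Owner on subfolders and files only, SYSTEM and Administrators full control, Users read and execute on this folder only). The decode_sddl name, the flag labels and the lookup tables are this example's own, and the tables cover only the aliases and masks that appear in the thread.

```python
import re

# SDDL string from the first "samba-tool ntacl set" command in the thread.
THREAD_SDDL = ("O:LAG:S-1-22-2-0D:PAI(A;;0x001200a9;;;BU)"
               "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)"
               "(A;OICI;0x001f01ff;;;BA)")

# Only the SID aliases, masks and flags used in this thread (not the full SDDL set).
SID_ALIASES = {"BU": "BUILTIN\\Users", "BA": "BUILTIN\\Administrators",
               "SY": "NT AUTHORITY\\SYSTEM", "CO": "CREATOR OWNER",
               "CG": "CREATOR GROUP", "LA": "Local Administrator",
               "DA": "Domain Admins"}
MASKS = {0x001F01FF: "Full control", 0x001301BF: "Modify",
         0x001200A9: "Read & execute"}
# Labels are this example's wording: OI applies to files, CI to subfolders.
ACE_FLAGS = {"OI": "files", "CI": "subfolders", "IO": "inherit-only",
             "NP": "no-propagate", "ID": "inherited"}
SDDL_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)"
                     r"D:(?P<dflags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")

def decode_sddl(sddl):
    """Split an O:..G:..D:.. descriptor into owner, group and readable ACEs."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not an O:..G:..D:.. security descriptor")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m["aces"]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"ACE must have 6 fields: ({body})")
        ace_type, flags, rights, _obj, _inherit_obj, trustee = fields
        # Hex masks are named; symbolic rights strings are passed through as-is.
        mask = int(rights, 16) if rights.lower().startswith("0x") else None
        aces.append({
            "type": {"A": "allow", "D": "deny"}.get(ace_type, ace_type),
            "applies_to": [ACE_FLAGS.get(f, f) for f in re.findall("..", flags)],
            "rights": MASKS.get(mask, rights),
            "trustee": SID_ALIASES.get(trustee, trustee),
        })
    return {"owner": SID_ALIASES.get(m["owner"], m["owner"]),
            "group": SID_ALIASES.get(m["group"], m["group"]),
            "protected": m["dflags"].startswith("P"),  # P = no inheritance from parent
            "auto_inherited": "AI" in m["dflags"],
            "aces": aces}

if __name__ == "__main__":
    for ace in decode_sddl(THREAD_SDDL)["aces"]:
        scope = ", ".join(ace["applies_to"]) or "this folder only"
        print(f'{ace["type"]:5} {ace["trustee"]:24} {ace["rights"]:15} {scope}')
```

Running the same decoder over the output of "samba-tool ntacl get ... --as-sddl" for a live folder shows whether an expected trustee such as SYSTEM is absent from the ACL.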