[Samba] chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied.
Anders Östling
anders.ostling at gmail.com
Mon Nov 29 16:30:45 UTC 2021
This is gold and deserves its own section/chapter in the Wiki. I have been
bitten more than once by this.
Anders
On Mon, Nov 29, 2021 at 5:03 PM L.P.H. van Belle via samba <
samba at lists.samba.org> wrote:
> what i see here :
>
> /srv is fine.
> -------------------
> /srv/samba not fully, it's possible to use it like this.
> # flags: -s- your setting Creator Group, its possible.
> other::--x it allows traversal, but this is also before a share ping, you
> need read rights also.
> to be able to read the next folder. ( like users)
>
> so i have
>
> # file: srv/samba
> # owner: root
> # group: root
> # flags: s--
> user::rwx
> group::rwx
> other::r-x
>
> ----------------
> The users share is very different.
>
> what i really recommend..
>
> setup exactly as shown here.
>
> https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-folder-redirection
>
> When that's done, create 1 user in there and capture the settings with
> getfacl and samba-tool
> sudo samba-tool ntacl get /srv/samba/users/ --as-sddl
>
> Then if something goes wrong you can easily script it to fix it.
>
> So this is what i have.
>
> # file: srv/samba/users
> # owner: root
> # group: root
> # flags: -s-
> user::rwx
> user:root:rwx
> group::---
> group:root:---
> group:BUILTIN\\administrators:rwx
> group:BUILTIN\\users:r-x
> group:2007:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:root:---
> default:group:BUILTIN\\administrators:rwx
> default:group:2007:rwx
> default:mask::rwx
> default:other::---
>
> (Domain Users is member of BUILTIN\\users. )
> (Domain Admins is member of BUILTIN\\Administrators. )
>
> wbinfo -G 2007 = S-1-5-18
> wbinfo -s S-1-5-18 = NT Authority\SYSTEM 5
>
> (Domain Users is member of BUILTIN\\users. )
>
>
> looking at your set.. i suspect this is the one that's wrong.
> group:domain\040users:---
>
> what i suggest, create a new share, don't change the share security.
> run this on the new test folder
> samba-tool ntacl set "O:LAG:S-1-22-2-0D:PAI(A;;0x001200a9;;;BU)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;BA)" /srv/samba/users-test
>
> This is the following setting.
> security On the folder, (via Advanced)
> Creator Owner, only on subfolders and files.
> SYSTEM Full control
> Administrators (Domain admins) full control.
> Users (Domain users), Read and Exec, only this folder.
>
> Then run this
> TESTUSER=karen
> samba-tool ntacl set "O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;0x001301bf;;;$(wbinfo --name-to-sid "${TESTUSER}" | awk '{ print $1 }'))(A;ID;0x001200a9;;;S-1-22-2-0)(A;OICIIOID;0x001200a9;;;CG)(A;OICIID;0x001f01ff;;;LA)(A;OICIID;0x001f01ff;;;DA)" /srv/samba/users/"${TESTUSER}"
>
> Now look at the rights from within windows on karen's folder.
>
>
> it is this setup.
>
> https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-folder-redirection
>
> the pitfall in that text is :
> Security group of users who need to put data on the share (Folder
> Redirection Users)
> Don't use domain users or everyone
>
> i use "Redirected Folder Users"
>
> I hope this helps a bit.
>
>
> Greetz,
>
> Louis
>
>
>
> ________________________________
>
> From: Roy Eastwood [mailto:spindles7 at gmail.com]
> Sent: Monday 29 November 2021 11:21
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied.
>
>
> Ok, here are the results:
>
> roy at lxd-m1:~$ sudo getfacl /srv
> [sudo] password for roy:
> getfacl: Removing leading '/' from absolute path names
> # file: srv
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x
>
>
> roy at lxd-m1:~$ sudo getfacl /srv/samba
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba
> # owner: root
> # group: domain\040admins
> # flags: -s-
> user::rwx
> group::rwx
> other::--x
>
> roy at lxd-m1:~$ sudo getfacl /srv/samba/users
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/users
> # owner: root
> # group: domain\040admins
> user::rwx
> user:root:rwx
> user:domain\040admins:rwx
> user:domain\040computers:r-x
> group::rwx
> group:NT\040Authority\\authenticated\040users:rwx
> group:NT\040Authority\\system:rwx
> group:domain\040admins:rwx
> group:domain\040computers:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:domain\040admins:rwx
> default:group::---
> default:group:NT\040Authority\\system:rwx
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::---
>
>
> roy at lxd-m1:~$ sudo getfacl /srv/samba/users/karen
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/users/karen
> # owner: karen
> # group: domain\040users
> user::rwx
> user:root:rwx
> user:domain\040admins:rwx
> group::---
> group:NT\040Authority\\system:rwx
> group:domain\040admins:rwx
> group:domain\040users:---
> group:karen:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:domain\040admins:rwx
> default:user:karen:rwx
> default:group::---
> default:group:NT\040Authority\\system:rwx
> default:group:domain\040admins:rwx
> default:group:domain\040users:---
> default:group:karen:rwx
> default:mask::rwx
> default:other::---
>
> Thanks for your help,
> Roy
>
> On Mon, 29 Nov 2021, 09:54 L.P.H. van Belle via samba, <
> samba at lists.samba.org> wrote:
>
>
> A full output of the created structure would be nice
> and helps to explain that.
>
> For all the used folders a getfacl should tell sufficient.
> getfacl /srv
> getfacl /srv/samba
> getfacl /srv/samba/users
> getfacl /srv/samba/users/username
>
> But i suspect "SYSTEM" is missing somewhere.
> And/Or did you change the Share Rights in Windows.
> Because, if you do that, AFTER users are created,
> it can mess up already existing folders and their rights.
>
> I work in this order.
> 1) install samba.
> 2) create the folders in /srv/samba and setup the shares.
> 3) setup the share and folder rights.
> 4) create users and set user home and profiles
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of spindles seven via samba
> > Sent: Sunday 28 November 2021 0:41
> > To: samba at lists.samba.org
> > CC: 'Patrick Goetz'
> > Subject: Re: [Samba] chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied.
> >
> > On 27 November 2021 20:05 Ralph Boehme wrote:
> > > On 11/27/21 18:27, Patrick Goetz via samba wrote:
> > > > Sure, but Samba, which runs as root,
> > >
> > > smbd does not run as root when executing SMB requests, it
> > > impersonates the user UNIX token while doing this.
> > >
> > OK, that explains why one of my Domain Computers got
> > permission denied, but that raises the other question - why
> > then is a normal user able to access his/her files which live
> > in /srv/samba/users/<username> without any problem?  The
> > permissions on /srv/samba (before I added the "x") were
> > rwxrwx--- : root and Domain Admins only have access.  So
> > Domain Users were able to traverse the hierarchy but not
> > Domain Computers. Why?
> >
> > Thanks,
> >
> > Roy
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
> >
>
>
--
------ -------------------- 8 ------------------ ------
"A *wise* man once told me - Any idiot can do backups, but it takes a
genius to successfully restore"
Anders Östling
+46 768 716 165 (Mobile)
+46 431 45 56 01 (Home)
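
The traversal question in this thread can be checked mechanically from getfacl output. The following is an added example, not code from any poster or from the Samba project: it applies the acl(5) evaluation order to getfacl text and reports the first path component that denies "x" to the UNIX token smbd impersonates. The ACL text is abridged from the listings quoted above, and the `PC1$` account and the function names are hypothetical.

```python
# Added example: the acl(5) access-check order applied to getfacl output.
# ACLs are abridged from the listings in this thread; the PC1$ token is hypothetical.

def parse_getfacl(text):
    """Return (owner, owning_group, [(tag, name, perms), ...]) for the access ACL."""
    owner = group = None
    entries = []
    for line in text.replace("\\040", " ").splitlines():  # getfacl escapes spaces
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, name, perms = line.split(":", 2)
            entries.append((tag, name, perms[:3]))
    return owner, group, entries

def allowed(acl, user, groups, want="x"):
    """Owner entry, then named user, then all matching groups, then other."""
    owner, owning_group, entries = acl
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    plain = lambda p: want in p
    masked = lambda p: want in p and want in mask
    if user == owner:
        return plain(next(p for t, n, p in entries if t == "user" and not n))
    for t, n, p in entries:
        if t == "user" and n == user:
            return masked(p)
    hits = [p for t, n, p in entries if t == "group" and (n or owning_group) in groups]
    if hits:  # once any group entry matches, "other" is never consulted
        return any(masked(p) for p in hits)
    return plain(next(p for t, _, p in entries if t == "other"))

def first_denied(listings, user, groups):
    """listings: [(path, getfacl_text)] from the top down; None if every level grants x."""
    for path, text in listings:
        if not allowed(parse_getfacl(text), user, groups):
            return path
    return None

SRV = "# owner: root\n# group: root\nuser::rwx\ngroup::r-x\nother::r-x"
HEAD = "# owner: root\n# group: domain\\040admins\n"
SAMBA = HEAD + "user::rwx\ngroup::rwx\nother::--x"
USERS = HEAD + ("user::rwx\nuser:domain\\040computers:r-x\ngroup::rwx\n"
                "group:domain\\040computers:r-x\nmask::rwx\nother::---")
TREE = [("/srv", SRV), ("/srv/samba", SAMBA), ("/srv/samba/users", USERS)]
BEFORE = [("/srv", SRV), ("/srv/samba", SAMBA.replace("--x", "---")), TREE[2]]
```

`first_denied(BEFORE, "PC1$", {"domain computers"})` names `/srv/samba`, the rwxrwx--- state described in the thread, while the same call on `TREE` returns `None`. Group names must be passed in the unescaped form (a space instead of `\040`).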