[Samba] chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied.
L.P.H. van Belle
belle at bazuin.nl
Tue Nov 30 08:24:15 UTC 2021
Thanks :-)
When I'm done here with all the work currently, since our office is moving in 2 weeks...
Then I can rewrite some things for setups, when the time is there.. more going on currently
and hard to handle everything at once.. but beside that..
Main problem is, that most info we find with Google refers to old setups in Windows.
But things changed, more security is added.. soo..
This link is the one everyone should read and set up.
https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/folder-redirection-rup-overview
Yes, setting it all up is a pain, but .. when done correctly and do take your time for it..
it's set it and forget it, until Microsoft decides to change something in that area..
and if people look closely in these examples, you see things like..
\\fs1.corp.contoso.com\UserProfiles$\%username%
I refer here to the use of FQDN. ;-)
So far,
Greetz,
Louis
From: Anders Östling [mailto:anders.ostling at gmail.com]
Sent: Monday 29 November 2021 17:31
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied.
This is gold and deserves its own section/chapter in the Wiki. I have been bitten more than once by this.
Anders
On Mon, Nov 29, 2021 at 5:03 PM L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
What I see here:
/srv is fine.
-------------------
/srv/samba not fully, it's possible to use it like this.
# flags: -s- your setting, Creator Group, it's possible.
other::--x allows traversal, but this is also before a share ping; you need read rights also,
to be able to read the next folder (like users).
So I have
# file: srv/samba
# owner: root
# group: root
# flags: s--
user::rwx
group::rwx
other::r-x
----------------
The users share is very different.
What I really recommend..
Set up exactly as shown here.
https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-folder-redirection
When that's done, create 1 user in there and capture the settings with getfacl and samba-tool
sudo samba-tool ntacl get /srv/samba/users/ --as-sddl
Then if something goes wrong you can easily script it to fix it.
So this is what I have.
# file: srv/samba/users
# owner: root
# group: root
# flags: -s-
user::rwx
user:root:rwx
group::---
group:root:---
group:BUILTIN\\administrators:rwx
group:BUILTIN\\users:r-x
group:2007:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:BUILTIN\\administrators:rwx
default:group:2007:rwx
default:mask::rwx
default:other::---
(Domain Users is member of BUILTIN\\users. )
(Domain Admins is member of BUILTIN\\Administrators. )
wbinfo -G 2007 = S-1-5-18
wbinfo -s S-1-5-18 = NT Authority\SYSTEM 5
Looking at your set.. I suspect this is the one that's wrong.
group:domain\040users:---
What I suggest: create a new share, don't change the share security.
Run this on the new test folder
samba-tool ntacl set "O:LAG:S-1-22-2-0D:PAI(A;;0x001200a9;;;BU)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;BA)" /srv/samba/users-test
This is the following setting:
Security on the folder (via Advanced):
Creator Owner, only on subfolders and files.
SYSTEM, full control.
Administrators (Domain Admins), full control.
Users (Domain Users), Read and Exec, only this folder.
Then run this:
TESTUSER=karen
samba-tool ntacl set "O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;0x001301bf;;;$(wbinfo --name-to-sid "${TESTUSER}" |awk '{ print $1 }'))(A;ID;0x001200a9;;;S-1-22-2-0)(A;OICIIOID;0x001200a9;;;CG)(A;OICIID;0x001f01ff;;;LA)(A;OICIID;0x001f01ff;;;DA)" /srv/samba/users/"${TESTUSER}"
Now look at the rights from within Windows on karen's folder.
It is this setup.
https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-folder-redirection
The pitfall in that text is:
Security group of users who need to put data on the share (Folder Redirection Users)
Don't use Domain Users or Everyone.
I use "Redirected Folder Users".
I hope this helps a bit.
Greetz,
Louis
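The two samba-tool ntacl commands above carry the whole permission design in one SDDL string each. The decoder below is an example added to this thread (it is not Louis's code and not part of Samba) that turns such a string into the per-principal list Louis spells out in prose: who the owner is, whether inheritance from the parent is blocked, and for each ACE which principal gets which Windows-style right on which scope. The alias table (BU, BA, SY, CO, CG, LA, DA), the three access masks and the ACE flag names cover what appears in the thread; anything else is passed through unchanged.

```python
import re

# Added example, not code from the thread: decode a samba-tool ntacl SDDL string
# into the per-principal list Louis describes ("Creator Owner, only on subfolders
# and files", "SYSTEM Full control", ...). Aliases/masks beyond those used in the
# thread are passed through untouched.

WELL_KNOWN_SIDS = {
    "BU": "BUILTIN\\Users",
    "BA": "BUILTIN\\Administrators",
    "SY": "NT AUTHORITY\\SYSTEM",
    "CO": "CREATOR OWNER",
    "CG": "CREATOR GROUP",
    "LA": "Local Administrator",
    "DA": "Domain Admins",
}

# Access masks seen in the thread, named the way the Windows security tab shows them.
MASK_NAMES = {
    0x001F01FF: "Full control",
    0x001301BF: "Modify",
    0x001200A9: "Read & execute",
}

ACE_FLAG_NAMES = {
    "OI": "object inherit (files)",
    "CI": "container inherit (subfolders)",
    "IO": "inherit only (not this folder)",
    "NP": "no propagate",
    "ID": "inherited from parent",
}

ACE_TYPES = {"A": "Allow", "D": "Deny"}


def resolve_sid(token):
    """Expand a two-letter SDDL alias; literal S-1-... SIDs are returned as-is."""
    return WELL_KNOWN_SIDS.get(token, token)


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and a list of ACEs."""
    m = re.fullmatch(r"O:(.*?)G:(.*?)D:(.*)", sddl)
    if not m:
        raise ValueError("unsupported SDDL layout: %r" % sddl)
    owner, group, dacl = m.groups()
    paren = dacl.find("(")
    dacl_flags = dacl[:paren] if paren >= 0 else dacl
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = body.split(";")
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            # flags are packed two letters each: "OICIIO" -> OI, CI, IO
            "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)],
            "rights": int(rights, 16) if rights.startswith("0x") else rights,
            "sid": resolve_sid(sid),
        })
    return {
        "owner": resolve_sid(owner),
        "group": resolve_sid(group),
        # "P" (protected) is what Windows calls "Disable inheritance" on the folder
        "protected": "P" in dacl_flags,
        "auto_inherited": "AI" in dacl_flags,
        "aces": aces,
    }


def describe_ace(ace):
    """Render one ACE roughly as the Windows 'Advanced' security tab lists it."""
    rights = ace["rights"]
    rights_name = MASK_NAMES.get(rights, hex(rights) if isinstance(rights, int) else rights)
    scope = ", ".join(ACE_FLAG_NAMES.get(f, f) for f in ace["flags"]) or "this folder only"
    return "%s %s: %s [%s]" % (ace["type"], ace["sid"], rights_name, scope)


def describe_sddl(sddl):
    """Return a header line plus one human-readable line per ACE."""
    acl = parse_sddl(sddl)
    head = "Owner %s, group %s, inheritance %s" % (
        acl["owner"], acl["group"], "disabled" if acl["protected"] else "enabled")
    return [head] + [describe_ace(a) for a in acl["aces"]]


# The SDDL Louis applies to the share root, copied from the thread.
SHARE_ROOT_SDDL = ("O:LAG:S-1-22-2-0D:PAI(A;;0x001200a9;;;BU)(A;OICIIO;0x001f01ff;;;CO)"
                   "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;BA)")

if __name__ == "__main__":
    for line in describe_sddl(SHARE_ROOT_SDDL):
        print(line)
```

Running it on the share-root string prints the four rights Louis lists: Users read and execute on this folder only, Creator Owner full control on subfolders and files only, and SYSTEM and Administrators full control everywhere, with inheritance from the parent disabled (the `P` in `D:PAI`). The per-user string in the thread contains a shell substitution for the user's SID, so resolve that first before feeding it to the decoder.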
________________________________
From: Roy Eastwood [mailto:spindles7 at gmail.com]
Sent: Monday 29 November 2021 11:21
To: L.P.H. van Belle; samba at lists.samba.org
Subject: Re: [Samba] chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied.
Ok, here are the results:
roy at lxd-m1:~$ sudo getfacl /srv
[sudo] password for roy:
getfacl: Removing leading '/' from absolute path names
# file: srv
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
roy at lxd-m1:~$ sudo getfacl /srv/samba
getfacl: Removing leading '/' from absolute path names
# file: srv/samba
# owner: root
# group: domain\040admins
# flags: -s-
user::rwx
group::rwx
other::--x
roy at lxd-m1:~$ sudo getfacl /srv/samba/users
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/users
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
user:domain\040admins:rwx
user:domain\040computers:r-x
group::rwx
group:NT\040Authority\\authenticated\040users:rwx
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:domain\040admins:rwx
default:group::---
default:group:NT\040Authority\\system:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---
roy at lxd-m1:~$ sudo getfacl /srv/samba/users/karen
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/users/karen
# owner: karen
# group: domain\040users
user::rwx
user:root:rwx
user:domain\040admins:rwx
group::---
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:domain\040users:---
group:karen:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:domain\040admins:rwx
default:user:karen:rwx
default:group::---
default:group:NT\040Authority\\system:rwx
default:group:domain\040admins:rwx
default:group:domain\040users:---
default:group:karen:rwx
default:mask::rwx
default:other::---
Thanks for your help,
Roy
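To see how listings like the ones above actually decide access, here is an example added to this thread (it is not part of Roy's or Louis's messages) that parses getfacl output and applies the POSIX ACL algorithm from acl(5): the owner entry first, then a named user entry, then every matching group entry capped by the mask, and `other` only when no group entry matched at all. The listings are copied from Roy's message; the group memberships for karen, bob and alice are constructed assumptions, in particular that a logged-in domain user's winbind token carries Authenticated Users.

```python
import re

# Added example, not code from the thread: walk Roy's getfacl listings with the
# POSIX ACL access check from acl(5) and report where a principal is stopped.
# Group memberships further down are constructed assumptions.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perm_value(text):
    """'r-x' -> 5, '---' -> 0."""
    return sum(PERM_BITS[c] for c in text if c in PERM_BITS)

def unescape(name):
    """getfacl writes a space as \\040 and a literal backslash as \\\\."""
    name = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)
    return name.replace("\\\\", "\\")

def parse_getfacl(text):
    """One listing -> owner, owning group and the access (non-default) entries."""
    acl = {"owner": None, "group": None, "entries": []}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("# owner:"):
            acl["owner"] = unescape(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            acl["group"] = unescape(line.split(":", 1)[1].strip())
        elif not line or line.startswith(("#", "default:", "getfacl:")):
            continue  # other comments; default entries only shape newly created children
        else:
            tag, qualifier, perms = line.split(":")
            acl["entries"].append((tag, unescape(qualifier), perm_value(perms)))
    return acl

def has_access(acl, user, groups, want):
    """acl(5) order: owner entry, named user, any matching group entry, then other."""
    want = perm_value(want)
    entries = acl["entries"]
    mask = next((p for t, q, p in entries if t == "mask"), 7)  # no mask entry: nothing capped
    if user == acl["owner"]:  # the owner entry itself is never masked
        return (next(p for t, q, p in entries if t == "user" and q == "") & want) == want
    for t, q, p in entries:
        if t == "user" and q == user:
            return (p & mask & want) == want
    matched = False
    for t, q, p in entries:
        if t == "group" and (acl["group"] if q == "" else q) in groups:
            matched = True
            if (p & mask & want) == want:
                return True
    if matched:  # a matching group entry that grants nothing does NOT fall through to 'other'
        return False
    return (next(p for t, q, p in entries if t == "other") & want) == want

def first_denied(path_acls, user, groups, want="r"):
    """Every parent needs 'x', the final directory needs `want`.
    Returns the first path that refuses, or None if the whole chain is reachable."""
    for i, (path, acl) in enumerate(path_acls):
        need = want if i == len(path_acls) - 1 else "x"
        if not has_access(acl, user, groups, need):
            return path
    return None

# Copied from Roy's getfacl output. /srv (root-owned, r-x for everyone) and the
# default: entries are left out because the walk never consults them.
ACLS = {
    "/srv/samba": r"""# owner: root
# group: domain\040admins
user::rwx
group::rwx
other::--x""",
    "/srv/samba/users": r"""# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
user:domain\040admins:rwx
user:domain\040computers:r-x
group::rwx
group:NT\040Authority\\authenticated\040users:rwx
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:domain\040computers:r-x
mask::rwx
other::---""",
    "/srv/samba/users/karen": r"""# owner: karen
# group: domain\040users
user::rwx
user:root:rwx
user:domain\040admins:rwx
group::---
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:domain\040users:---
group:karen:rwx
mask::rwx
other::---""",
}
PATH_CHAIN = [(path, parse_getfacl(text)) for path, text in ACLS.items()]

# Constructed memberships (assumption): a domain user's token carries Domain Users
# plus the well-known Authenticated Users group; alice is additionally a Domain Admin.
AUTH = "NT Authority\\authenticated users"
KAREN = ("karen", {"domain users", AUTH})
BOB = ("bob", {"domain users", AUTH})
ADMIN = ("alice", {"domain admins", "domain users", AUTH})
```

Two things the walk makes visible. The `other::--x` on /srv/samba lets bob pass through it but not list it, which is the "traversal but no read" point Louis makes. And bob is stopped at karen's folder not by a deny but because the owning-group and named `domain users` entries match him and grant nothing, so the `other` entry is never consulted; karen reaches it as owner, alice through the `domain admins` group entry.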
On Mon, 29 Nov 2021, 09:54 L.P.H. van Belle via samba, <samba at lists.samba.org> wrote:
A full output of the created structure would be nice
and helps to explain that.
For all the used folders a getfacl should tell sufficient.
getfacl /srv
getfacl /srv/samba
getfacl /srv/samba/users
getfacl /srv/samba/users/username
But I suspect "SYSTEM" is missing somewhere.
And/or did you change the Share Rights in Windows?
Because, if you do that AFTER users are created,
it can mess up already existing folders and their rights.
I work in this order.
1) install samba.
2) create the folders in /srv/samba and set up the shares.
3) set up the share and folder rights.
4) create users and set user home and profiles
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> spindles seven via samba
> Sent: Sunday 28 November 2021 0:41
> To: samba at lists.samba.org
> CC: 'Patrick Goetz'
> Subject: Re: [Samba] chdir_current_service:
> vfs_ChDir(/srv/samba/users) failed: Permission denied.
>
> On 27 November 2021 20:05 Ralph Boehme wrote:
> > On 11/27/21 18:27, Patrick Goetz via samba wrote:
> > > Sure, but Samba, which runs as root,
> >
> > smbd does not run as root when executing SMB requests, it
> impersonates
> > the user UNIX token while doing this.
> >
> OK, that explains why one of my Domain Computers got
> permission denied, but that raises the other question - why
> then is a normal user able to access his/her files which live
> in /srv/samba/users/<username> without any problem? The
> permissions on /srv/samba (before I added the "x") was
> rwxrwx--- : root and Domain Admins only have access. So
> Domain Users were able to traverse the hierarchy but not
> Domain Computers. Why?
>
> Thanks,
>
> Roy
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
--
"A wise man once told me - Any idiot can do backups, but it takes a genius to successfully restore"
Anders Östling
+46 768 716 165 (Mobil)
+46 431 45 56 01 (Hem)