[Samba] Access denied to shares moved from AD DC to member server

[Antonio Trogu]

Hello everybody.

I have joined a new Ubuntu 20.04 server with Samba 4.13.17 (packaged) to 
an AD on CentOS 7.9 and Samba 4.14.4 (compiled), following Samba's Team 
Howto, and everything appears to have succeeded.

Moving our iSCSI target hosting the shares from the PDC to the member 
server and configuring them on Samba, only the domain's Administrator can 
access them, no other authenticated user can. No credentials are asked on 
the client, but a Windows "Network error" appears, while the member 
server's Samba log shows several NT_STATUS_ACCESS_DENIED errors.

Windows ACLs on the shares appear correct, but seem not being applied to 
the moved shares.

This is the AD DC's smb.conf (only global and example share):

[global]
 	workgroup = MYAD
 	realm = MYAD.MYDOMAIN.IT
 	netbios name = MYADDC
 	server role = active directory domain controller
 	idmap_ldb:use rfc2307 = yes
 	log file = /var/log/samba/%m.log
 	log level = 2

[Share1]
 	path = /path/to/share1
 	read only = no

This instead is the member server's smb.conf:

[global]
 	security = ADS
 	workgroup = MYAD
 	realm = MYAD.MYDOMAIN.IT
 	username map = /etc/samba/user.map
 	vfs objects = acl_xattr
 	map acl inherit = yes
 	winbind nss info = rfc2307
 	log file = /var/log/samba/%m.log
 	log level = 5 winbind:10
 	idmap config * : backend = tdb
 	idmap config * : range = 3000-7999
 	idmap config MYAD:backend = rid
 	idmap config MYAD:range = 10000-9999999
 	min domain uid = 0
 	acl_xattr:ignore system acls = yes

[Share1]
 	path = /path/to/Share1
 	read only = no

I've increased the logging, especially winbind's, but I'm not able to see 
anything helpful. Where should I look now?

Thanks,

Antonio


The information contained in this email message and/or attachments is strictly confidential. Its use is exclusive to the intended recipient of the message for the purpose reported in the message itself. The following constitutes a breach to the principles provided for by the General Data Protection Regulation 2016/679: keeping the message beyond the necessary time, disclosing its contents, either totally or partially, to third parties, copying or using it for any purpose other than those stated in the message itself. We further inform you that, at any time, you can ask for the suspension of the use of your data, except for any communication provided for by law. Should you receive this message in error, we kindly ask you to notify us immediately via e-mail and delete it from your system.