[Samba] Samba as Domain Member: user get permission denied accessing share...
Mirko
panciom at gmail.com
Wed Mar 9 13:02:24 UTC 2022
Hello to everybody.
I am new to the list and thank you in advance for the time reading.
If I join a PC to the domain and log in with a user (eg Isabella) member
of "Domain Users" group, I get a permission error.
In /var/log/daemon.log I have this:
/Mar 9 11:38:22 pd-ark smbd[743]: [2022/03/09 11:38:22.188470, 0]
../../source3/smbd/service.c:166(chdir_current_service)//
//Mar 9 11:38:22 pd-ark smbd[743]: chdir_current_service:
vfs_ChDir(/srv/samba/PD-Ambiente) failed: Permesso negato. Current
token: uid=11110, gid=10513, /9 groups: 11110 10513 11150 11149 11157
3003 3004 3006 3001
If I add the user "Isabella" to the "Domain Admins" group I can lenter,
read and write inside the PD-Ambiente share.
I have correctly set the "Domain Users" group for reading / writing on
the "PD-Ambiente" share from within win server (Fastmin user is an
administrator).
I double-checked and redone all configurations (of the guides) from
scratch several times with even reinstalls of debian from scratch.
But I can't get it to work.
I always have this login error.
Where am I wrong? What can I try?
A thousand thanks
Greetings
Mirko
Some verification commands:
/getent group isabella//
//isabella:x:11110:isabella//
//
//getent group "domain users"//
//domain users:x:10513://
//
//getent group "domain admins"//
//domain admins:x:10512://
//
//getfacl /srv/samba/PD-Ambiente///
//getfacl: Removing leading '/' from absolute path names//
//# file: srv/samba/PD-Ambiente///
//# owner: root//
//# group: domain\040admins//
//user::rwx//
//user:root:rwx//
//user:domain\040admins:rwx//
//user:domain\040users:rwx//
//group::rwx//
//group:domain\040admins:rwx//
//group:domain\040users:rwx//
//mask::rwx//
//other::rwx//
//default:user::rwx//
//default:user:root:rwx//
//default:user:domain\040users:rwx//
//default:group::r-x//
//default:group:domain\040admins:r-x//
//default:group:domain\040users:rwx//
//default:mask::rwx//
//default:other::r-x/
I followed the guides on the official samba site:
- https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
- https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
AD server is Windows Server 2019 Std.
Samba on debian 11.2 version 4.13.13-Debian.
File smb.conf:
/[global]//
// workgroup = DOMAIN//
// security = ADS//
// realm = DOMAIN.LAN//
//
// winbind refresh tickets = Yes//
// vfs objects = acl_xattr//
// map acl inherit = Yes//
// #store dos attributes = Yes//
//
// winbind enum users = yes//
// winbind enum groups = yes//
//
// # Disable printing...//
// load printers = no//
// printing = bsd//
// printcap name = /dev/null//
// disable spoolss = yes//
//
// log file = /var/log/samba/%m.log//
// #log level = 1//
/
/ log level = 3 passdb:5 auth:5/
/ idmap config * : backend = tdb/
/ idmap config * : range = 3000-7999/
/ idmap config DOMAIN : backend = rid/
/ idmap config DOMAIN : range = 10000-999999/
/ username map = /etc/samba/user.map/
/ # https://www.spinics.net/lists/samba/msg172624.html/
/ # Without this i cannot set SeDiskOperatorPrivilege (get an INVALID
TOKEN error).../
/ min domain uid = 0/
/[PD-Ambiente]//
// comment = Documenti Ambiente//
// path = /srv/samba/PD-Ambiente//
// read only = no//
///
File user.map:
/!root = DOMAIN\Fastmin DOMAIN\fastmin /
More information about the samba
mailing list