[Samba] Samba as Domain Member: user get permission denied accessing share...

Mirko panciom at gmail.com
Wed Mar 9 13:02:24 UTC 2022


Hello to everybody.


I am new to the list, and thank you in advance for taking the time to read this.

If I join a PC to the domain and log in with a user (e.g. Isabella) who is a 
member of the "Domain Users" group, I get a permission error.
In /var/log/daemon.log I have this:

Mar  9 11:38:22 pd-ark smbd[743]: [2022/03/09 11:38:22.188470,  0] ../../source3/smbd/service.c:166(chdir_current_service)
Mar  9 11:38:22 pd-ark smbd[743]:   chdir_current_service: vfs_ChDir(/srv/samba/PD-Ambiente) failed: Permesso negato. Current token: uid=11110, gid=10513, 9 groups: 11110 10513 11150 11149 11157 3003 3004 3006 3001

If I add the user "Isabella" to the "Domain Admins" group I can enter, 
read and write inside the PD-Ambiente share.


I have correctly set the "Domain Users" group for reading / writing on 
the "PD-Ambiente" share from within win server (Fastmin user is an 
administrator).

I double-checked and redid all the configurations (from the guides) from 
scratch several times, even reinstalling Debian from scratch.
But I can't get it to work.
I always have this login error.
Where am I wrong? What can I try?

A thousand thanks

Greetings
Mirko



Some verification commands:

getent group isabella
isabella:x:11110:isabella

getent group "domain users"
domain users:x:10513:

getent group "domain admins"
domain admins:x:10512:

getfacl /srv/samba/PD-Ambiente/
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/PD-Ambiente/
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
user:domain\040admins:rwx
user:domain\040users:rwx
group::rwx
group:domain\040admins:rwx
group:domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:user:domain\040users:rwx
default:group::r-x
default:group:domain\040admins:r-x
default:group:domain\040users:rwx
default:mask::rwx
default:other::r-x

I followed the guides on the official Samba site:
- https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
- https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

AD server is Windows Server 2019 Std.
Samba on Debian 11.2, version 4.13.13-Debian.

File smb.conf:

[global]
    workgroup = DOMAIN
    security = ADS
    realm = DOMAIN.LAN

    winbind refresh tickets = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    #store dos attributes = Yes

    winbind enum users = yes
    winbind enum groups = yes

    # Disable printing...
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    log file = /var/log/samba/%m.log
    #log level = 1

    log level = 3 passdb:5 auth:5

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 10000-999999

    username map = /etc/samba/user.map

    # https://www.spinics.net/lists/samba/msg172624.html
    # Without this I cannot set SeDiskOperatorPrivilege (get an INVALID TOKEN error)...
    min domain uid = 0

[PD-Ambiente]
    comment = Documenti Ambiente
    path = /srv/samba/PD-Ambiente
    read only = no


File user.map:

!root = DOMAIN\Fastmin DOMAIN\fastmin
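
Added example, not part of the original post: a POSIX.1e access check that evaluates the posted getfacl entries for the token in the log line. The name-to-id map `IDS` is an assumption built from the getent output in the post, and `parse_token`, `parse_acl` and `may` are hypothetical helper names.

```python
import re
# Inputs copied from the post; IDS is an assumed name -> id map from its getent output.
IDS = {"root": 0, "isabella": 11110, "domain users": 10513, "domain admins": 10512}
LOG = ("Current token: uid=11110, gid=10513, 9 groups: "
       "11110 10513 11150 11149 11157 3003 3004 3006 3001")
GETFACL = r"""# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
user:domain\040admins:rwx
user:domain\040users:rwx
group::rwx
group:domain\040admins:rwx
group:domain\040users:rwx
mask::rwx
other::rwx
"""  # access entries only; the default: entries do not affect this check

def parse_token(line):
    """Return (uid, set of gids) from smbd's 'Current token' message."""
    m = re.search(r"uid=(\d+), gid=(\d+), \d+ groups: ([\d ]+)", line)
    return int(m[1]), {int(m[2])} | {int(g) for g in m[3].split()}

def parse_acl(text):
    acl = {"user": {}, "group": {}}
    for raw in text.splitlines():
        line = raw.replace(r"\040", " ")  # getfacl escapes spaces as \040
        if line.startswith("# "):
            key, _, name = line[2:].partition(": ")
            acl["uid" if key == "owner" else "gid"] = IDS[name]
        elif line:
            tag, name, perms = line.split(":")
            if tag in ("mask", "other"):
                acl[tag] = perms
            else:  # an empty name (key None) is the owning user or group
                acl[tag][IDS[name] if name else None] = perms
    return acl

def may(acl, uid, gids, want):
    """POSIX.1e order: owner, named user, matching groups, other."""
    masked = lambda p: want in p and want in acl.get("mask", "rwx")
    if uid == acl["uid"]:
        return want in acl["user"][None], "owner"
    if uid in acl["user"]:
        return masked(acl["user"][uid]), "named user"
    hits = [p for g, p in acl["group"].items() if (acl["gid"] if g is None else g) in gids]
    if hits:
        return any(masked(p) for p in hits), "group"
    return want in acl["other"], "other"
```

For the logged token, `may(parse_acl(GETFACL), *parse_token(LOG), "x")` returns `(True, "group")` for the share directory itself; `chdir` also needs search permission on every parent directory of the path, which this check does not cover.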

