[Samba] Samba as Domain Member: user get permission denied accessing share...
Rowland Penny
rpenny at samba.org
Wed Mar 9 13:18:48 UTC 2022
On Wed, 2022-03-09 at 14:02 +0100, Mirko via samba wrote:
> Hello to everybody.
>
>
> I am new to the list and thank you in advance for the time reading.
>
> If I join a PC to the domain and log in with a user (e.g. Isabella) who is a
> member of the "Domain Users" group, I get a permission error.
> In /var/log/daemon.log I have this:
>
> Mar 9 11:38:22 pd-ark smbd[743]: [2022/03/09 11:38:22.188470, 0] ../../source3/smbd/service.c:166(chdir_current_service)
> Mar 9 11:38:22 pd-ark smbd[743]: chdir_current_service: vfs_ChDir(/srv/samba/PD-Ambiente) failed: Permesso negato. Current token: uid=11110, gid=10513, 9 groups: 11110 10513 11150 11149 11157 3003 3004 3006 3001
>
> If I add the user "Isabella" to the "Domain Admins" group I can
> enter, read and write inside the PD-Ambiente share.
>
>
> I have correctly set the "Domain Users" group for reading / writing
> on
> the "PD-Ambiente" share from within win server (Fastmin user is an
> administrator).
>
> I double-checked and redid all configurations (of the guides) from
> scratch several times, even with reinstalls of Debian from scratch.
> But I can't get it to work.
> I always have this login error.
> Where am I wrong? What can I try?
>
> A thousand thanks
>
> Greetings
> Mirko
>
>
>
> Some verification commands:
>
> getent group isabella
> isabella:x:11110:isabella
>
> getent group "domain users"
> domain users:x:10513:
>
> getent group "domain admins"
> domain admins:x:10512:
>
> getfacl /srv/samba/PD-Ambiente/
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/PD-Ambiente/
> # owner: root
> # group: domain\040admins
> user::rwx
> user:root:rwx
> user:domain\040admins:rwx
> user:domain\040users:rwx
> group::rwx
> group:domain\040admins:rwx
> group:domain\040users:rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:root:rwx
> default:user:domain\040users:rwx
> default:group::r-x
> default:group:domain\040admins:r-x
> default:group:domain\040users:rwx
> default:mask::rwx
> default:other::r-x
>
> I followed the guides on the official samba site:
> - https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> - https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> AD server is Windows Server 2019 Std.
> Samba on debian 11.2 version 4.13.13-Debian.
>
> File smb.conf:
>
> [global]
>     workgroup = DOMAIN
>     security = ADS
>     realm = DOMAIN.LAN
>
>     winbind refresh tickets = Yes
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     #store dos attributes = Yes
>
>     winbind enum users = yes
>     winbind enum groups = yes
>
>     # Disable printing...
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
>
>     log file = /var/log/samba/%m.log
>     #log level = 1
>     log level = 3 passdb:5 auth:5
>
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-7999
>     idmap config DOMAIN : backend = rid
>     idmap config DOMAIN : range = 10000-999999
>
>     username map = /etc/samba/user.map
>
>     # https://www.spinics.net/lists/samba/msg172624.html
>     # Without this i cannot set SeDiskOperatorPrivilege (get an INVALID TOKEN error)...
>     min domain uid = 0
>
> [PD-Ambiente]
>     comment = Documenti Ambiente
>     path = /srv/samba/PD-Ambiente
>     read only = no
>
>
> File user.map:
>
> !root = DOMAIN\Fastmin DOMAIN\fastmin
Just about the only thing wrong is your user.map, it should be:
!root = DOMAIN\Administrator
It maps Administrator to the Unix user 'root'
Rowland
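
Added example, not part of the original thread: the POSIX ACL access check from acl(5) applied to the access ACL posted for /srv/samba/PD-Ambiente and the token in the smbd log line. The `IDS` mapping is an assumption: the group IDs come from the `getent` output in the post, the `user:` entries that carry group names are assumed to use the same numbers, and root is taken as 0.

```python
# Constructed sample: access ACL and token as quoted in the post.
GETFACL = r"""# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
user:domain\040admins:rwx
user:domain\040users:rwx
group::rwx
group:domain\040admins:rwx
group:domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
"""
# Assumed name -> ID map (group IDs from the post's getent output, root = 0).
IDS = {"root": 0, "domain admins": 10512, "domain users": 10513}
LOG_TOKEN = "uid=11110, gid=10513, 9 groups: 11110 10513 11150 11149 11157 3003 3004 3006 3001"

def parse_token(text):
    """Return (uid, set of gids) from smbd's 'Current token' log text."""
    head, groups = text.split("groups:")
    fields = dict(f.strip().split("=") for f in head.split(",")[:2])
    return int(fields["uid"]), {int(fields["gid"])} | {int(g) for g in groups.split()}

def parse_acl(text):
    """Return (owner_id, group_id, access entries); default: entries are skipped."""
    meta, entries = {}, []
    for line in text.splitlines():
        line = line.replace(r"\040", " ")  # getfacl escapes spaces in names
        if line.startswith(("# owner: ", "# group: ")):
            meta[line[2:7]] = IDS[line[9:]]  # key is "owner" or "group"
        elif line and not line.startswith(("#", "default:")):
            tag, name, perms = line.split(":")
            entries.append((tag, IDS[name] if name else None, set(perms) - {"-"}))
    return meta["owner"], meta["group"], entries

def acl_allows(uid, gids, want, acl):
    """POSIX.1e access check (acl(5)): owner, named users, groups, then other."""
    owner, group, entries = acl
    first = lambda tag, d=None: next((p for t, i, p in entries if t == tag and i is None), d)
    mask = first("mask", set("rwx"))  # no mask entry means nothing is masked
    if uid == owner:
        return want <= first("user")
    named = [p for t, i, p in entries if t == "user" and i == uid]
    if named:
        return want <= named[0] & mask
    matched = [p for t, i, p in entries if t == "group" and (i in gids or (i is None and group in gids))]
    if matched:
        return any(want <= p & mask for p in matched)
    return want <= first("other")
```

For the posted token, `acl_allows(*parse_token(LOG_TOKEN), set("rx"), parse_acl(GETFACL))` returns `True`. The check covers only this directory's own access ACL; `chdir` also needs search permission on each parent directory of the path.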