[Samba] Samba as Domain Member: user get permission denied accessing share...

Mirko panciom at gmail.com
Wed Mar 9 14:07:50 UTC 2022


Hi Patrick.

root@pd-ark:~# ll /
drwxr-xr-x   3 root root  4096  9 mar 09.56 srv

root@pd-ark:~# ll /srv/
drwxrwx--- 16 root DOMAIN\domain admins 4096  9 mar 11.35 samba

Thanks

On 09/03/22 14:58, Patrick Goetz via samba wrote:
> What are the linux permissions on /srv and /srv/samba?
>
> On 3/9/22 07:02, Mirko via samba wrote:
>> Hello to everybody.
>>
>>
>> I am new to the list and thank you in advance for the time reading.
>>
>> If I join a PC to the domain and log in with a user (eg Isabella) 
>> member of "Domain Users" group, I get a permission error.
>> In /var/log/daemon.log I have this:
>>
>> Mar  9 11:38:22 pd-ark smbd[743]: [2022/03/09 11:38:22.188470, 0] ../../source3/smbd/service.c:166(chdir_current_service)
>> Mar  9 11:38:22 pd-ark smbd[743]:   chdir_current_service: vfs_ChDir(/srv/samba/PD-Ambiente) failed: Permesso negato. Current token: uid=11110, gid=10513, 9 groups: 11110 10513 11150 11149 11157 3003 3004 3006 3001
>>
>> If I add the user "Isabella" to the "Domain Admins" group I can 
>> enter, read and write inside the PD-Ambiente share.
>>
>>
>> I have correctly set the "Domain Users" group for reading / writing 
>> on the "PD-Ambiente" share from within win server (Fastmin user is an 
>> administrator).
>>
>> I double-checked and redone all configurations (of the guides) from 
>> scratch several times with even reinstalls of debian from scratch.
>> But I can't get it to work.
>> I always have this login error.
>> Where am I wrong? What can I try?
>>
>> A thousand thanks
>>
>> Greetings
>> Mirko
>>
>>
>>
>> Some verification commands:
>>
>> getent group isabella
>> isabella:x:11110:isabella
>>
>> getent group "domain users"
>> domain users:x:10513:
>>
>> getent group "domain admins"
>> domain admins:x:10512:
>>
>> getfacl /srv/samba/PD-Ambiente/
>> getfacl: Removing leading '/' from absolute path names
>> # file: srv/samba/PD-Ambiente/
>> # owner: root
>> # group: domain\040admins
>> user::rwx
>> user:root:rwx
>> user:domain\040admins:rwx
>> user:domain\040users:rwx
>> group::rwx
>> group:domain\040admins:rwx
>> group:domain\040users:rwx
>> mask::rwx
>> other::rwx
>> default:user::rwx
>> default:user:root:rwx
>> default:user:domain\040users:rwx
>> default:group::r-x
>> default:group:domain\040admins:r-x
>> default:group:domain\040users:rwx
>> default:mask::rwx
>> default:other::r-x
>>
>> I followed the guides on the official samba site:
>> - https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>> - https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>>
>> AD server is Windows Server 2019 Std.
>> Samba on debian 11.2 version 4.13.13-Debian.
>>
>> File smb.conf:
>>
>> [global]
>>     workgroup = DOMAIN
>>     security = ADS
>>     realm = DOMAIN.LAN
>>
>>     winbind refresh tickets = Yes
>>     vfs objects = acl_xattr
>>     map acl inherit = Yes
>>     #store dos attributes = Yes
>>
>>     winbind enum users = yes
>>     winbind enum groups = yes
>>
>>     # Disable printing...
>>     load printers = no
>>     printing = bsd
>>     printcap name = /dev/null
>>     disable spoolss = yes
>>
>>     log file = /var/log/samba/%m.log
>>     #log level = 1
>>
>>     log level = 3 passdb:5 auth:5
>>
>>     idmap config * : backend = tdb
>>     idmap config * : range = 3000-7999
>>     idmap config DOMAIN : backend = rid
>>     idmap config DOMAIN : range = 10000-999999
>>
>>     username map = /etc/samba/user.map
>>
>>     # https://www.spinics.net/lists/samba/msg172624.html/
>>     # Without this i cannot set SeDiskOperatorPrivilege (get an INVALID TOKEN error)...
>>     min domain uid = 0
>>
>> [PD-Ambiente]
>>     comment = Documenti Ambiente
>>     path = /srv/samba/PD-Ambiente
>>     read only = no
>>
>>
>>
>> File user.map:
>>
>> !root = DOMAIN\Fastmin DOMAIN\fastmin
>
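
Added example (not part of the original message): a mode-bit walk of the share path, built from the `ll` listings, the getent output and the smbd token quoted in this thread, that reports the first directory refusing search (x) permission to that token. It looks only at owner/group/other bits; the ACL on PD-Ambiente is reduced to its `other::rwx` entry, and all function and constant names are made up for this illustration.

```python
import stat

# Constructed from the thread: (path, mode, owner uid, owning gid).
# uid/gid 0 is root; gid 10512 is "domain admins" per the getent output.
COMPONENTS = [
    ("/srv", 0o755, 0, 0),                        # drwxr-xr-x root root
    ("/srv/samba", 0o770, 0, 10512),              # drwxrwx--- root "domain admins"
    ("/srv/samba/PD-Ambiente", 0o777, 0, 10512),  # mode-bit view of the ACL (other::rwx)
]

# Token smbd logged for the failing session (user Isabella).
TOKEN_UID = 11110
TOKEN_GIDS = {11110, 10513, 11150, 11149, 11157, 3003, 3004, 3006, 3001}


def can_search(mode, owner, group, uid, gids):
    """POSIX class selection: owner bits, else group bits, else other bits."""
    if uid == 0:
        return True  # root bypasses directory search checks
    if uid == owner:
        return bool(mode & stat.S_IXUSR)
    if group in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def first_blocking_component(components, uid, gids):
    """Return the first path the token cannot traverse, or None if all pass."""
    for path, mode, owner, group in components:
        if not can_search(mode, owner, group, uid, gids):
            return path
    return None


if __name__ == "__main__":
    blocked = first_blocking_component(COMPONENTS, TOKEN_UID, TOKEN_GIDS)
    print("token as logged      ->", blocked)
    # Same token with gid 10512 ("domain admins") added to the group list.
    as_admin = first_blocking_component(COMPONENTS, TOKEN_UID, TOKEN_GIDS | {10512})
    print("with gid 10512 added ->", as_admin)
```

On a live host, `namei -l /srv/samba/PD-Ambiente` prints the same per-component owner, group and mode for comparison.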


