[Samba] Member server permissions issue

Rich Webb rwebb at zylatech.com
Fri Feb 10 19:47:08 UTC 2023


I just set up a new domain with a separate domain controller and a Samba domain member for a file server.

I am able to set share permissions and ACL permissions through a Windows client in Computer Management OK. Looking at the Properties / Security tab shows the proper permissions.

Getfacl in Linux shows the proper ACLs, but when I try to access the share from a joined Windows client I am getting access denied even though the user is in the proper group in ADUC. If I put that same user into the Domain Admins group, that user can then access all the shares.

This is the first time I have seen this behavior. My smb.conf is as follows for the DC:

# Global parameters
[global]
        dns forwarder =
        netbios name = DC1
        realm = CORP.EXAMPLE.COM
        server role = active directory domain controller
        workgroup = CORP

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/corp.example.com/scripts
        read only = No

Here is the smb.conf for the member server: 

[global]
       security = ADS
       workgroup = CORP
       realm = CORP.EXAMPLE.COM

       username map = /etc/samba/user.map
       log file = /var/log/samba/%m.log
       log level = 1

       vfs objects = acl_xattr
       map acl inherit = Yes
       # store dos attributes = Yes

       # Default ID mapping configuration using the autorid
       # idmap backend. This will work out of the box for simple setups
       # as well as complex setups with trusted domains.
       idmap config * : backend = autorid
       idmap config * : range = 10000-9999999

        writeable = yes

        writeable = yes

... rest of share definitions ...

Samba version on the domain controller is:  4.15.13-Ubuntu
Samba version on the member server is: 4.15.13-Ubuntu

Any help is greatly appreciated!
