[Samba] Member server permissions issue

Rich Webb rwebb at zylatech.com
Fri Feb 10 19:47:08 UTC 2023


Hello, 

I just set up a new domain with a separate domain controller and a Samba domain member for a file server.

I am able to set share permissions and ACL permissions through a Windows client in Computer Management OK. Looking at the Properties / Security tab shows the proper permissions...

getfacl in Linux shows the proper ACLs... but when I try to access the share from a joined Windows client I am getting access denied even though the user is in the proper group in ADUC. If I put that same user into the Domain Admins group, that user can then access all the shares.

This is the first time I have seen this behavior. My smb.conf is as follows for the DC:

# Global parameters
[global]
        dns forwarder = 8.8.8.8
        netbios name = DC1
        realm = CORP.EXAMPLE.COM
        server role = active directory domain controller
        workgroup = CORP

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/corp.example.com/scripts
        read only = No

Here is the smb.conf for the member server: 

[global]
       security = ADS
       workgroup = CORP
       realm = CORP.EXAMPLE.COM

       username map = /etc/samba/user.map
       log file = /var/log/samba/%m.log
       log level = 1

       vfs objects = acl_xattr
       map acl inherit = Yes
       # store dos attributes = Yes

       # Default ID mapping configuration using the autorid
       # idmap backend. This will work out of the box for simple setups
       # as well as complex setups with trusted domains.
       idmap config * : backend = autorid
       idmap config * : range = 10000-9999999


[Shared]
        writeable = yes
        path=/server/shared

[Installs]
        writeable = yes
        path=/server/installs

... rest of share definitions ...

Samba version on the domain controller is:  4.15.13-Ubuntu
Samba version on the member server is: 4.15.13-Ubuntu

Any help is greatly appreciated!

Thanks,
Rich


