[Samba] Member server permissions issue

Rowland Penny rpenny at samba.org
Fri Feb 10 20:08:08 UTC 2023



On 10/02/2023 19:47, Rich Webb via samba wrote:
> Hello,
> 
> I just set up a new domain with a separate domain controller and a samba domain member for a file server.
> 
> I am able to set share permissions and ACL permissions through a windows client on computer management OK. Looking at properties / security tab shows the proper permissions...
> 
> Getfacl in Linux shows the proper ACLs ... but when I try to access the share from a joined Windows client I am getting access denied even though the user is in the proper group in ADUC. If I put that same user into the Domain Admins group, that user can then access all the shares.
> 
> This is the first time I have seen this behavior. My smb.conf is as follows for the DC:
> 
> # Global parameters
> [global]
>          dns forwarder = 8.8.8.8
>          netbios name = DC1
>          realm = CORP.EXAMPLE.COM
>          server role = active directory domain controller
>          workgroup = CORP
> 
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
> 
> [netlogon]
>          path = /var/lib/samba/sysvol/corp.example.com/scripts
>          read only = No
> 
> Here is the smb.conf for the member server:
> 
> [global]
>         security = ADS
>         workgroup = CORP
>         realm = CORP.EXAMPLE.COM
> 
>         username map = /etc/samba/user.map
>         log file = /var/log/samba/%m.log
>         log level = 1
> 
>         vfs objects = acl_xattr
>         map acl inherit = Yes
>         # store dos attributes = Yes
> 
>         # Default ID mapping configuration using the autorid
>         # idmap backend. This will work out of the box for simple setups
>         # as well as complex setups with trusted domains.
>         idmap config * : backend = autorid
>         idmap config * : range = 10000-9999999
> 
> 
> [Shared]
>          writeable = yes
>          path=/server/shared
> 
> [Installs]
>          writeable = yes
>          path=/server/installs
> 
> ... rest of share definitions ...
> 
> Samba version on the domain controller is:  4.15.13-Ubuntu
> Samba version on the member server is: 4.15.13-Ubuntu
> 
> Any help is greatly appreciated!
> 
> Thanks,
> Rich
> 

Can you post the output of the following commands:

ls -ld /server/shared

getfacl /server/shared

samba-tool ntacl get /server/shared --as-sddl

Also, is apparmor running and possibly blocking things ?

Rowland
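The three commands Rowland asks for, plus the AppArmor check, are the standard first look at a member-server permission problem: the Unix mode, the POSIX ACL, the NT ACL stored in the `security.NTACL` xattr by `acl_xattr`, and whether a mandatory access control profile is confining `smbd`. The script below is an added example, not code from the thread or from the Samba project; it wraps those checks in two hypothetical helper functions (`share_diag` and `apparmor_state`) so they can be run against any share path and pasted into a reply. It assumes a POSIX shell, that `getfacl` comes from the `acl` package, that `samba-tool` is only present where Samba is installed, and that `pgrep` (procps) is available for the optional `smbd` confinement check.

```shell
#!/bin/sh
# Added example: collect the diagnostics requested in the thread for one share
# path on a Samba domain member. Missing tools are reported, not fatal.

# share_diag PATH: print mode/owner, POSIX ACL and NT ACL (SDDL) of a share
# directory. Returns 1 if PATH is not a directory.
share_diag() {
    path="$1"
    if [ ! -d "$path" ]; then
        echo "share_diag: $path is not a directory" >&2
        return 1
    fi

    echo "== ls -ld $path =="
    ls -ld "$path"

    echo "== getfacl $path =="
    if command -v getfacl >/dev/null 2>&1; then
        getfacl -p "$path"          # -p keeps the absolute path in the header
    else
        echo "(getfacl not installed: install the 'acl' package)"
    fi

    echo "== samba-tool ntacl get $path --as-sddl =="
    if command -v samba-tool >/dev/null 2>&1; then
        # Reads the NT ACL that vfs_objects = acl_xattr stores in the
        # security.NTACL extended attribute; normally needs root.
        samba-tool ntacl get "$path" --as-sddl
    else
        echo "(samba-tool not installed on this host)"
    fi
}

# apparmor_state: "enabled", "loaded-but-disabled" or "absent", read from the
# kernel module parameter so it works without apparmor-utils installed.
apparmor_state() {
    if [ -r /sys/module/apparmor/parameters/enabled ]; then
        if [ "$(cat /sys/module/apparmor/parameters/enabled)" = "Y" ]; then
            echo "enabled"
        else
            echo "loaded-but-disabled"
        fi
    else
        echo "absent"
    fi
}

# smbd_confinement: show the AppArmor label of each running smbd process.
# /proc/PID/attr/current reads "unconfined" or "<profile> (enforce|complain)".
smbd_confinement() {
    command -v pgrep >/dev/null 2>&1 || { echo "(pgrep not available)"; return 0; }
    pids=$(pgrep -x smbd 2>/dev/null) || { echo "(no smbd process running)"; return 0; }
    for pid in $pids; do
        label=$(cat "/proc/$pid/attr/current" 2>/dev/null || echo "unreadable")
        echo "smbd pid $pid: $label"
    done
}

# Usage: sh diag.sh /server/shared
if [ -n "$1" ]; then
    share_diag "$1"
    echo "== AppArmor =="
    echo "module: $(apparmor_state)"
    smbd_confinement
fi
```

Run it as root on the member server with the share's `path` value from `smb.conf` (`/server/shared` in the posted config). If `apparmor_state` prints `enabled` and `smbd_confinement` shows a profile in `enforce` mode, check the kernel log for `apparmor="DENIED"` lines naming the share path before digging further into the ACLs.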
