[Samba] Access Denied to share
Luke Barone
lukebarone at gmail.com
Fri Dec 20 21:18:27 UTC 2024
Hi list,
I am running Samba in a 2-DC, 1-Member setup, all on Debian Bookworm,
version 4.17.12.
I have the member server sharing shares to many users, and it's all working
except one folder. Here is the member smb.conf (name sanitized):
[global]
bind interfaces only = Yes
client signing = required
disable netbios = Yes
interfaces = lo enp1s0
log file = /var/log/samba/%m.log
realm = SITE.AD.EXAMPLE.CA
security = ADS
server role = member server
server signing = required
template homedir = /home/SITE/%U
winbind enum groups = Yes
winbind enum users = Yes
winbind separator = /
winbind use default domain = Yes
workgroup = SITE
idmap config SITE : range = 100000-299999
idmap config SITE : backend = rid
idmap config * : range = 70000-99999
idmap config * : backend = tdb
map acl inherit = Yes
vfs objects = acl_xattr
# ... more shares, all of which currently work
[Yearbook]
path = /usr/local/share/Yearbook
read only = No
Here is the shared folder:
ls -la /usr/local/share/Yearbook/
total 60
drwxrwx---+ 4 yearbook domain admins 4096 Dec 10 10:54 .
drwxr-xr-x 14 root root 4096 Sep 9 13:00 ..
# getfacl /usr/local/share/Yearbook/
getfacl: Removing leading '/' from absolute path names
# file: usr/local/share/Yearbook/
# owner: yearbook
# group: domain\040admins
user::rwx
user:domain\040admins:rwx
user:yearbookstudents:rwx
group::rwx
group:domain\040admins:rwx
group:yearbook:rwx
group:yearbookstudents:rwx
mask::rwx
other::---
default:user::rwx
default:user:domain\040admins:rwx
default:user:yearbook:rwx
default:user:yearbookstudents:rwx
default:group::rwx
default:group:domain\040admins:rwx
default:group:yearbook:rwx
default:group:yearbookstudents:rwx
default:mask::rwx
default:other::---
I am trying to connect as a member of "yearbookstudents", but no matter
where I log in, Windows reports Access Denied. I have verified that
replication is happening between the two DCs, and that winbind on the file
server knows the groups my user is part of (based on the gid number). I
assigned the permissions first through Windows, tested with no change, then
tried with setfacl recursively. Again, no change - Access is Denied.
Just in case, here is DC1's smb.conf (again, name sanitized):
[global]
bind interfaces only = Yes
disable netbios = Yes
dns forwarder = 1.1.1.1
dns zone transfer clients allow = 127.0.0.0/8 ::1/128
interfaces = lo enp1s0
ntlm auth = mschapv2-and-ntlmv2-only
passdb backend = samba_dsdb
realm = SITE.AD.EXAMPLE.CA
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
winbind separator = /
workgroup = SITE
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
map archive = No
vfs objects = dfs_samba4 acl_xattr
[netlogon]
path = /var/lib/samba/sysvol/SITE.ad.example.ca/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Where can I look for more info?
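Added example, not from the post or from Samba: a small evaluator for the POSIX ACL quoted above that follows the acl(5) access-check order (owner, named user, owning/named groups under the mask, other) and decodes the \040 escapes getfacl prints for names with spaces; the user and group names used in the checks are constructed. With vfs objects = acl_xattr, Samba also consults the NT ACL it stores in the security.NTACL xattr, so passing this POSIX check is necessary but not sufficient for share access.

```python
import re
# Constructed copy of the getfacl output quoted in the post (typed in, not captured live).
GETFACL_OUTPUT = r"""
# file: usr/local/share/Yearbook/
# owner: yearbook
# group: domain\040admins
user::rwx
user:domain\040admins:rwx
user:yearbookstudents:rwx
group::rwx
group:domain\040admins:rwx
group:yearbook:rwx
group:yearbookstudents:rwx
mask::rwx
other::---
default:user::rwx
"""

def unescape(name):
    r"""getfacl prints special characters as octal escapes, e.g. 'domain\040admins'."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return (owner, group, entries); entries are (tag, qualifier, perms) access entries only."""
    owner, group, entries = "", "", []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("# owner:"):
            owner = unescape(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            group = unescape(line.split(":", 1)[1].strip())
        elif line and not line.startswith(("#", "default:")):  # default: entries only inherit
            tag, qualifier, perms = line.split(":")
            entries.append((tag, unescape(qualifier), set(perms) & set("rwx")))
    return owner, group, entries

def has_access(acl, user, groups, wanted):
    """POSIX.1e check per acl(5): first matching class decides; mask caps named and group entries."""
    owner, owning_group, entries = acl
    need, mask = set(wanted), next((p for t, _, p in entries if t == "mask"), set("rwx"))
    if user == owner:  # owner entry is never masked
        return need <= next(p for t, q, p in entries if t == "user" and q == ""), "user:: (owner)"
    for t, q, p in entries:
        if t == "user" and q == user:
            return need <= p & mask, "user:" + q
    hits = [(q or owning_group, p & mask) for t, q, p in entries
            if t == "group" and (q or owning_group) in groups]
    if hits:  # any one matching group entry that contains the request grants it
        return any(need <= p for _, p in hits), "group:" + ",".join(q for q, _ in hits)
    return need <= next(p for t, _, p in entries if t == "other"), "other::"
```

On the ACL as posted, a member of yearbookstudents passes with rwx, so the POSIX ACL alone does not explain the denial.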