[Samba] Access Denied to share

Luke Barone lukebarone at gmail.com
Fri Dec 20 21:18:27 UTC 2024


Hi list,

I am running Samba in a 2-DC, 1-Member setup, all on Debian Bookworm,
version 4.17.12.

I have the member server sharing shares to many users, and it's all working
except one folder. Here is the member smb.conf (name sanitized):

[global]
        bind interfaces only = Yes
        client signing = required
        disable netbios = Yes
        interfaces = lo enp1s0
        log file = /var/log/samba/%m.log
        realm = SITE.AD.EXAMPLE.CA
        security = ADS
        server role = member server
        server signing = required
        template homedir = /home/SITE/%U
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind separator = /
        winbind use default domain = Yes
        workgroup = SITE
        idmap config SITE : range = 100000-299999
        idmap config SITE : backend = rid
        idmap config * : range = 70000-99999
        idmap config * : backend = tdb
        map acl inherit = Yes
        vfs objects = acl_xattr
# ... more shares, all of which currently work
[Yearbook]
        path = /usr/local/share/Yearbook
        read only = No

Here is the shared folder:
ls -la /usr/local/share/Yearbook/
total 60
drwxrwx---+  4 yearbook domain admins  4096 Dec 10 10:54  .
drwxr-xr-x  14 root     root           4096 Sep  9 13:00  ..

# getfacl /usr/local/share/Yearbook/
getfacl: Removing leading '/' from absolute path names
# file: usr/local/share/Yearbook/
# owner: yearbook
# group: domain\040admins
user::rwx
user:domain\040admins:rwx
user:yearbookstudents:rwx
group::rwx
group:domain\040admins:rwx
group:yearbook:rwx
group:yearbookstudents:rwx
mask::rwx
other::---
default:user::rwx
default:user:domain\040admins:rwx
default:user:yearbook:rwx
default:user:yearbookstudents:rwx
default:group::rwx
default:group:domain\040admins:rwx
default:group:yearbook:rwx
default:group:yearbookstudents:rwx
default:mask::rwx
default:other::---

I am trying to connect as a member of "yearbookstudents", but no matter
where I log in, Windows reports Access Denied. I have verified that
replication is happening between the two DCs, and that winbind on the file
server knows the groups my user is part of (based on the gid number). I
assigned the permissions first through Windows, tested with no change, then
tried with setfacl recursively. Again, no change - Access is Denied.

Just in case, here is DC1's smb.conf (again, name sanitized):
[global]
        bind interfaces only = Yes
        disable netbios = Yes
        dns forwarder = 1.1.1.1
        dns zone transfer clients allow = 127.0.0.0/8 ::1/128
        interfaces = lo enp1s0
        ntlm auth = mschapv2-and-ntlmv2-only
        passdb backend = samba_dsdb
        realm = SITE.AD.EXAMPLE.CA
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        winbind separator = /
        workgroup = SITE
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        map archive = No
        vfs objects = dfs_samba4 acl_xattr

[netlogon]
        path = /var/lib/samba/sysvol/SITE.ad.example.ca/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Where can I look for more info?
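The following is an added worked example, not part of the post above and not Samba's own code. It parses the getfacl output quoted in the post and evaluates it with the POSIX.1e access-check order the Linux kernel uses (owner entry, then a matching named-user entry, then the owning group and named groups under the mask, then other). The user names and group memberships fed to it are constructed assumptions. It is useful for separating the two layers involved in a denial: if the filesystem ACL alone grants the access you expect, the next places to look are the mapping of the Windows group to the Unix group (the gid winbind resolves) and the NT ACL that vfs acl_xattr stores alongside the POSIX ACL. Note also how getfacl escapes the space in "domain admins" as `\040`, which is worth remembering when comparing its output with what winbind reports.

```python
"""Evaluate a POSIX.1e ACL (as printed by getfacl) the way the Linux kernel does."""
import re

# Copied from the getfacl output in the post (raw string so the \040 escapes survive).
YEARBOOK_ACL = r"""# file: usr/local/share/Yearbook/
# owner: yearbook
# group: domain\040admins
user::rwx
user:domain\040admins:rwx
user:yearbookstudents:rwx
group::rwx
group:domain\040admins:rwx
group:yearbook:rwx
group:yearbookstudents:rwx
mask::rwx
other::---
default:user::rwx
default:other::---
"""


def unescape(name: str) -> str:
    """getfacl prints spaces and non-printables as octal escapes ('domain\\040admins')."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text: str) -> dict:
    """Return {'owner', 'group', 'entries': [(tag, qualifier, perm-set), ...]}."""
    acl = {"owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# owner:"):
            acl["owner"] = unescape(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            acl["group"] = unescape(line.split(":", 1)[1].strip())
        elif line.startswith("#"):
            continue  # '# file:' header or getfacl comment
        elif line.startswith("default:"):
            continue  # default entries are inherited by new children; they do not govern this object
        else:
            # getfacl may append '\t#effective:r-x' when the mask reduces an entry; drop it
            tag, qualifier, perms = line.split("#", 1)[0].strip().split(":")
            acl["entries"].append((tag, unescape(qualifier), set(perms) - {"-"}))
    return acl


def check_access(acl: dict, user: str, groups: set, requested: str) -> bool:
    """True if `user` (a member of `groups`) is granted every bit in `requested` ('r', 'w', 'x')."""
    want = set(requested)
    entries = acl["entries"]
    mask = next((p for t, _, p in entries if t == "mask"), None)

    def masked(p):
        return p & mask if mask is not None else p

    # 1. Owner (ACL_USER_OBJ): the mask does not apply.
    if user == acl["owner"]:
        return want <= next(p for t, q, p in entries if t == "user" and q == "")
    # 2. Named user (ACL_USER): first match decides, under the mask.
    for t, q, p in entries:
        if t == "user" and q == user:
            return want <= masked(p)
    # 3. Group class: owning group (group::) plus named groups the user belongs to.
    #    Any single matching entry that contains all requested bits grants; if entries
    #    matched but none did, access is denied without falling through to 'other'.
    matched = False
    for t, q, p in entries:
        if t == "group" and (acl["group"] if q == "" else q) in groups:
            matched = True
            if want <= masked(p):
                return True
    if matched:
        return False
    # 4. Other (ACL_OTHER).
    return want <= next(p for t, _, p in entries if t == "other")


def effective_perms(acl: dict, user: str, groups: set) -> str:
    """Per-bit summary in rwx notation, e.g. 'r-x'."""
    return "".join(b if check_access(acl, user, groups, b) else "-" for b in "rwx")


if __name__ == "__main__":
    acl = parse_getfacl(YEARBOOK_ACL)
    # Constructed principals: a student account and an unrelated domain user.
    for user, groups in [("student1", {"domain users", "yearbookstudents"}),
                         ("someone", {"domain users"}),
                         ("yearbook", set())]:
        print(f"{user:10} -> {effective_perms(acl, user, groups)}")
```

Run it with the groups winbind actually reports for the account (`id DOMAIN/user` on the member server, using the configured separator); if the result is `rwx` here but Windows still denies, the POSIX ACL is not the layer that is refusing.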

