[Samba] Access Denied to share

Steven Monai stevemoca at gmail.com
Sat Dec 21 02:29:47 UTC 2024


On 2024-12-20 1:18 p.m., Luke Barone via samba wrote:
> Hi list,
> 
> I am running Samba in a 2-DC, 1-Member setup, all on Debian Bookworm,
> version 4.17.12.
> 
> I have the member server sharing shares to many users, and it's all working
> except one folder. Here is the member smb.conf (name sanitized):
> 
> [global]
>          bind interfaces only = Yes
>          client signing = required
>          disable netbios = Yes
>          interfaces = lo enp1s0
>          log file = /var/log/samba/%m.log
>          realm = SITE.AD.EXAMPLE.CA
>          security = ADS
>          server role = member server
>          server signing = required
>          template homedir = /home/SITE/%U
>          winbind enum groups = Yes
>          winbind enum users = Yes
>          winbind separator = /
>          winbind use default domain = Yes
>          workgroup = SITE
>          idmap config SITE : range = 100000-299999
>          idmap config SITE : backend = rid
>          idmap config * : range = 70000-99999
>          idmap config * : backend = tdb
>          map acl inherit = Yes
>          vfs objects = acl_xattr
> # ... more shares, all of which currently work
> [Yearbook]
>          path = /usr/local/share/Yearbook
>          read only = No
> 
> Here is the shared folder:
> ls -la /usr/local/share/Yearbook/
> total 60
> drwxrwx---+  4 yearbook domain admins  4096 Dec 10 10:54  .
> drwxr-xr-x  14 root     root           4096 Sep  9 13:00  ..
> 
> # getfacl /usr/local/share/Yearbook/
> getfacl: Removing leading '/' from absolute path names
> # file: usr/local/share/Yearbook/
> # owner: yearbook
> # group: domain\040admins
> user::rwx
> user:domain\040admins:rwx
> user:yearbookstudents:rwx
> group::rwx
> group:domain\040admins:rwx
> group:yearbook:rwx
> group:yearbookstudents:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:domain\040admins:rwx
> default:user:yearbook:rwx
> default:user:yearbookstudents:rwx
> default:group::rwx
> default:group:domain\040admins:rwx
> default:group:yearbook:rwx
> default:group:yearbookstudents:rwx
> default:mask::rwx
> default:other::---
> 
> I am trying to connect as a member of "yearbookstudents", but no matter
> where I login, Windows reports Access Denied. I have verified that
> replication is happening between the two DCs, and that winbind on the file
> server knows the groups my user is part of (based on the gid number). I
> assigned the permissions first through Windows, tested with no change, then
> tried with setfacl recursively. Again, no change - Access is Denied.
> 
> Just in case, here is DC1's smb.conf (again, name sanitized):
> [global]
>          bind interfaces only = Yes
>          disable netbios = Yes
>          dns forwarder = 1.1.1.1
>          dns zone transfer clients allow = 127.0.0.0/8 ::1/128
>          interfaces = lo enp1s0
>          ntlm auth = mschapv2-and-ntlmv2-only
>          passdb backend = samba_dsdb
>          realm = SITE.AD.EXAMPLE.CA
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
>          winbind separator = /
>          workgroup = SITE
>          rpc_server:tcpip = no
>          rpc_daemon:spoolssd = embedded
>          rpc_server:spoolss = embedded
>          rpc_server:winreg = embedded
>          rpc_server:ntsvcs = embedded
>          rpc_server:eventlog = embedded
>          rpc_server:srvsvc = embedded
>          rpc_server:svcctl = embedded
>          rpc_server:default = external
>          winbindd:use external pipes = true
>          idmap_ldb:use rfc2307 = yes
>          idmap config * : backend = tdb
>          map archive = No
>          vfs objects = dfs_samba4 acl_xattr
> 
> [netlogon]
>          path = /var/lib/samba/sysvol/SITE.ad.example.ca/scripts
>          read only = No
> 
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
> 
> Where can I look for more info?

Hi Luke.

Did you check the Yearbook share's Share Permissions? That is: What is 
the output of this command on the fileserver:

sharesec Yearbook -v

In the normal case, where you intend to control access to the share via 
NT ACLs, the Share Permissions should be set to simply Allow Full 
Control to Everyone. In that case, I would expect the above sharesec 
command to generate output like this:

REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/FULL

If you see something else, then the Share Permissions are possibly the 
cause of your access-denial problem.

I hope this helps!

Cheers,
-S.M.
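A small check built around the `sharesec` output described in the reply above. This is an added example, not code from either poster or from the Samba project: it classifies captured `sharesec <share> -v` output as the default "Everyone: Full Control" share ACL or as something more restrictive, so the share-permission layer can be ruled in or out before digging into the NT and POSIX ACLs. Both sample outputs are constructed; the SID on the restricted sample is a placeholder, not one taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the Share Permissions
# printed by `sharesec <share> -v`. On a real member server run e.g.
#   sharesec Yearbook -v | classify_share_acl

# Reads sharesec output on stdin and prints one word:
#   default - the ACL is exactly "S-1-1-0 ALLOWED FULL" (Everyone: Full Control)
#   custom  - at least one ACL entry differs from that, so the share-level
#             permissions themselves may be denying access
#   none    - no ACL lines were found in the input
classify_share_acl() {
    acl_lines=$(grep '^ACL:' | tr -d '\r')
    if [ -z "$acl_lines" ]; then
        echo "none"
        return 0
    fi
    # Any ACL line that is not the Everyone/Full Control entry means the
    # share permissions have been changed from the default.
    if printf '%s\n' "$acl_lines" | grep -qv '^ACL:S-1-1-0:ALLOWED/0x0/FULL$'; then
        echo "custom"
    else
        echo "default"
    fi
}

# Constructed sample 1: the output the reply says to expect for a share that
# leaves all access control to the filesystem ACLs.
DEFAULT_OUTPUT='REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/FULL'

# Constructed sample 2: a share ACL granting Full Control to a single group
# SID (placeholder value) instead of Everyone.
RESTRICTED_OUTPUT='REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-5-21-1111111111-2222222222-3333333333-512:ALLOWED/0x0/FULL'

# Prints a one-line verdict for a share name given as $1, sharesec output on stdin.
report() {
    case "$(classify_share_acl)" in
        default) echo "$1: share permissions are Everyone/Full Control; check the NT/POSIX ACLs next" ;;
        custom)  echo "$1: share permissions restrict access; review them with 'sharesec $1 -v'" ;;
        none)    echo "$1: no ACL entries found in sharesec output" ;;
    esac
}

printf '%s\n' "$DEFAULT_OUTPUT" | report Yearbook
printf '%s\n' "$RESTRICTED_OUTPUT" | report Yearbook-restricted
```

The check only covers the share-level permissions; the NT ACLs stored by `acl_xattr` and the POSIX ACLs shown by `getfacl` are separate layers, and a "default" verdict here just means the problem is not in this one.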