[Samba] Write access to shares denied for domain user(s)

Peter Milesson miles at atmos.eu
Tue Jan 9 20:31:37 UTC 2024


Hi folks,

I have got a strange error, where create/modify/write is denied on file 
server shares for domain users, even if the users in question are 
assigned full permission to the shares via RSAT. Create/modify/write is 
denied to the share root folder, or subfolders in all Windows versions 
from 7 and up to 11. Reading is OK, except for a hidden share, which is 
not accessible at all, but create/modify/write is denied. All share 
administration is done through RSAT. The domain consists of one Samba AD 
DC, and one member server, where the shared folders reside. I have 
checked documentation in the Samba Wiki, and also the instructions on 
Luis Peromarta's blog, and I cannot find anything out of the way.

OS in both the AD DC and member server is Debian Bookworm, with Samba 
from backports 4.19.3.

Any help would be much appreciated. The smb.conf from the member server is 
at the end of this message. All shares have got the same configuration as 
the one displayed below.

Best regards,

Peter


[global]
         workgroup = PRIVATE
         realm = PRIVATE.SPLAT
         security = ADS
         server role = member server

         kerberos method = secrets and keytab
         dedicated keytab file = /etc/krb5.keytab

         disable netbios = yes
         smb ports = 445

         debug pid = yes
         debug uid = yes
         disable spoolss = yes
         printcap name = /dev/null

         log level = 1

         restrict anonymous = 2
         template homedir = /home/%U
         template shell = /bin/bash
#       username map = /etc/samba/user.map
#       min domain uid = 0
         winbind refresh tickets = yes
         idmap config * : backend = tdb
         idmap config * : range = 3000-9999
         idmap config PRIVATE : backend = rid
         idmap config PRIVATE : range = 10000-99999
         idmap config PRIVATE : unix_primary_group = yes
         inherit acls = yes
         map acl inherit = yes
         vfs objects = acl_xattr
         apply group policies = yes
         winbind use default domain = yes


[public]
         comment = Public folders
         path = /data/public-access/
         read only = no
         acl_xattr:ignore system acls = yes
         hide dot files = no




