[Samba] Share access permission errors after upgrade from 4.12.14
unraidster
unraidster at protonmail.com
Thu Jan 11 08:53:38 UTC 2024
Hello,
Issue Description
After the upgrade of the Unraid server OS (unraid.net) from v6.9.2 to v6.12.6 (which upgrades the version of Samba from 4.12.14 to 4.17.12) access to shares stops working.
Error Summary:
[2024/01/07 21:52:43.357676, 0, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0)] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
chdir_current_service: vfs_ChDir(/mnt/user/PrivateShare) failed: Permission denied. Current token: uid=1278739538, gid=1278738945, 7 groups: 1278739538 1278738945 1278739551 1278739543 1278739547 1278739545 1278739556
Samba is joined to an Active Directory domain as a member server. The following error is found in the log when I attempt to browse to the share using a Windows 10 client signed in as the domain's "rwuser" user account. (Note: this worked with the older version of the OS.)
I have included output from logs/commands that I thought might help answer any subsequent questions that readers may have. Please let me know if there is any additional information I can provide. Thank You.
Error Detail:
==================
[2024/01/07 21:52:43.356009, 4, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0), class=vfs] ../../source3/smbd/vfs.c:938(vfs_ChDir)
vfs_ChDir to /mnt/user/PrivateShare
[2024/01/07 21:52:43.357676, 0, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0)] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
chdir_current_service: vfs_ChDir(/mnt/user/PrivateShare) failed: Permission denied. Current token: uid=1278739538, gid=1278738945, 7 groups: 1278739538 1278738945 1278739551 1278739543 1278739547 1278739545 1278739556
[2024/01/07 21:52:43.357802, 3, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0), class=smb2] ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:3253
[2024/01/07 21:52:43.357809, 10, pid=91942, effective(0, 0), real(0, 0)] ../../source3/smbd/notify_inotify.c:446(inotify_watch)
inotify_add_watch for /mnt/user/PublicShare mask 210003c6 returned wd 1
[2024/01/07 21:52:43.357834, 10, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0), class=smb2] ../../source3/smbd/smb2_server.c:3847(smbd_smb2_request_done_ex)
smbd_smb2_request_done_ex: mid [15] idx[1] status[NT_STATUS_ACCESS_DENIED] body[8] dyn[yes:1] at ../../source3/smbd/smb2_server.c:4011
[2024/01/07 21:52:43.357843, 10, pid=91942, effective(0, 0), real(0, 0)] ../../source3/smbd/notifyd/notifyd.c:449(notifyd_apply_rec_change)
notifyd_apply_rec_change: /mnt/user/PublicShare has 2 instances
[2024/01/07 21:52:43.357855, 10, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0), class=smb2_credits] ../../source3/smbd/smb2_server.c:975(smb2_set_operation_credit)
smb2_set_operation_credit: smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 8161/8192, total granted/max/low/range 32/8192/16/32
Directory Permissions
=========================
/
drwxr-xr-x 20 root root
/mnt/
drwxr-xr-x 9 root root
/mnt/user/
drwxrwxrwx 1 ur_admin ur-lab_access
/mnt/user/PrivateShare/
drwxrwx---+ 1 ur_admin ur-lab_access
ACL
root at UR-Lab:~# getfacl /mnt/user/PrivateShare
getfacl: Removing leading '/' from absolute path names
# file: mnt/user/PrivateShare
# owner: ur_admin
# group: ur-lab_access
user::rwx
user:ur_admin:rwx
group::rwx
group:ur-lab_access:rwx
group:ur-lab-privateshare-ro:r-x
group:ur-lab-privateshare-rw:rwx
mask::rwx
other::---
default:user::rwx
default:user:ur_admin:rwx
default:group::---
default:group:ur-lab_access:rwx
default:group:ur-lab-privateshare-ro:r-x
default:group:ur-lab-privateshare-rw:rwx
default:mask::rwx
default:other::---
WB Info for Users and groups
=========================
ur_admin
root at UR-Lab:~# wbinfo -n ur_admin
S-1-5-21-3759969785-1361971536-1710822149-1107 SID_USER (1)
rwuser
root at UR-Lab:~# wbinfo -n rwuser
S-1-5-21-3759969785-1361971536-1710822149-1106 SID_USER (1)
root at UR-Lab:~# id 1278739538
uid=1278739538(rwuser) gid=1278738945(domain users) groups=1278738945(domain users),1278739538(rwuser),1278739551(ur_users),1278739543(ur-lab-privateshare-rw),1278739547(b-rw),1278739545(ur-lab-privateshare-a-rw),1278739556(ubuntu_share_rw)
ur-lab-privateshare-rw
root at UR-Lab:~# wbinfo -n ur-lab-privateshare-rw
S-1-5-21-3759969785-1361971536-1710822149-1111 SID_DOM_GROUP (2)
ur-lab-privateshare-ro
root at UR-Lab:~# wbinfo -n ur-lab-privateshare-ro
S-1-5-21-3759969785-1361971536-1710822149-1110 SID_DOM_GROUP (2)
Testparm Output
===============
Load smb config files from /etc/samba/smb.conf
lpcfg_do_global_parameter: WARNING: The "null passwords" option is deprecated
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
bind interfaces only = Yes
disable spoolss = Yes
host msdfs = No
interfaces = 192.168.66.4 127.0.0.1
ldap ssl = no
load printers = No
log file = /var/log/samba/samba.log
logging = syslog at 0
max open files = 40960
multicast dns register = No
ntlm auth = ntlmv1-permitted
null passwords = Yes
os level = 100
printcap name = /dev/null
realm = TESTLAB.COM
security = ADS
server min protocol = NT1
server multi channel support = No
server string = Media server
show add printer wizard = No
smb1 unix extensions = No
winbind use default domain = Yes
workgroup = TESTLAB
fruit:nfs_aces = No
idmap config * : range = 10000-4000000000
idmap config * : backend = hash
acl allow execute always = Yes
acl group control = Yes
aio read size = 0
aio write size = 0
dos filemode = Yes
hide dot files = No
include = /etc/samba/smb-shares.conf
inherit acls = Yes
inherit permissions = Yes
invalid users = root
map acl inherit = Yes
use sendfile = Yes
wide links = Yes
[PrivateShare]
path = /mnt/user/PrivateShare
read only = No
[PrivateShare-A]
path = /mnt/user/PrivateShare-A
read only = No
[PrivateShare-B]
path = /mnt/user/PrivateShare-B
read only = No
[PublicShare]
path = /mnt/user/PublicShare
read only = No
========================================
Not sure if it is of any use, but I noticed a log entry which includes the phrase security_token_debug. This includes the IDs of the groups that the user account is a member of.
[2024/01/07 21:52:43.271094, 5, pid=93992, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:51(security_token_debug)
Security token SIDs (19):
SID[ 0]: S-1-5-21-3759969785-1361971536-1710822149-1106
SID[ 1]: S-1-5-21-3759969785-1361971536-1710822149-513
SID[ 2]: S-1-5-21-3759969785-1361971536-1710822149-1119
SID[ 3]: S-1-5-21-3759969785-1361971536-1710822149-1111
SID[ 4]: S-1-5-21-3759969785-1361971536-1710822149-1115
SID[ 5]: S-1-5-21-3759969785-1361971536-1710822149-1113
SID[ 6]: S-1-5-21-3759969785-1361971536-1710822149-1124
SID[ 7]: S-1-18-1
SID[ 8]: S-1-1-0
SID[ 9]: S-1-5-2
SID[ 10]: S-1-5-11
SID[ 11]: S-1-22-1-1278739538
SID[ 12]: S-1-22-2-1278738945
SID[ 13]: S-1-22-2-1278739538
SID[ 14]: S-1-22-2-1278739551
SID[ 15]: S-1-22-2-1278739543
SID[ 16]: S-1-22-2-1278739547
SID[ 17]: S-1-22-2-1278739545
SID[ 18]: S-1-22-2-1278739556
Privileges (0x 0):
Rights (0x 0):
[2024/01/07 21:52:43.271202, 5, pid=93992, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
UNIX token of user 1278739538
Primary group is 1278738945 and contains 7 supplementary groups
Group[ 0]: 1278739538
Group[ 1]: 1278738945
Group[ 2]: 1278739551
Group[ 3]: 1278739543
Group[ 4]: 1278739547
Group[ 5]: 1278739545
Group[ 6]: 1278739556
===============================================
I am planning to move to the RID IDMAP backend and have tested a RID based IDMAP config within the lab. This did not seem to make a difference in relation to the issue above and therefore I have not used it in the scenario above to keep troubleshooting as simple as possible for now.
This is my first time posting to the list, so please let me know if there is anything I can do differently to make the process better.
Thank You,
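As an added check (not code from the poster or from the Samba project), the getfacl dump and the `id` output quoted above can be run through the POSIX ACL access algorithm from acl(5); it shows that the share directory's own ACL grants the rwuser token search access through group:ur-lab-privateshare-rw, so that ACL by itself does not explain the denied chdir.

```python
import re

# Constructed inputs, copied from the getfacl dump and the `id` output in the post.
GETFACL_OUTPUT = """\
# file: mnt/user/PrivateShare
# owner: ur_admin
# group: ur-lab_access
user::rwx
user:ur_admin:rwx
group::rwx
group:ur-lab_access:rwx
group:ur-lab-privateshare-ro:r-x
group:ur-lab-privateshare-rw:rwx
mask::rwx
other::---
"""
ID_OUTPUT = ("uid=1278739538(rwuser) gid=1278738945(domain users) groups=1278738945(domain users),"
             "1278739538(rwuser),1278739551(ur_users),1278739543(ur-lab-privateshare-rw),"
             "1278739547(b-rw),1278739545(ur-lab-privateshare-a-rw),1278739556(ubuntu_share_rw)")

def parse_id(output):
    """Return (user name, set of group names) from `id` output."""
    uname = re.search(r"uid=\d+\(([^)]*)\)", output).group(1)
    return uname, set(re.findall(r"\d+\(([^)]*)\)", output.split("groups=")[1]))

def parse_getfacl(output):
    """Return (owner, owning group, [(tag, qualifier, perms)]); default: entries are skipped."""
    hdr = dict(re.findall(r"^# (owner|group): (.*)$", output, re.M))
    entries = [tuple(l.split(":")) for l in output.splitlines()
               if l and not l.startswith(("#", "default:"))]
    return hdr["owner"], hdr["group"], entries

def acl_check(acl_output, id_output, want="--x"):
    """POSIX ACL access algorithm from acl(5); returns (allowed, entry that decided it)."""
    owner, grp, entries = parse_getfacl(acl_output)
    uname, my_groups = parse_id(id_output)
    perm = {(t, q): set(p) - {"-"} for t, q, p in entries}
    mask = perm.get(("mask", ""), {"r", "w", "x"})
    need = set(want) - {"-"}
    if uname == owner:                                   # ACL_USER_OBJ is never masked
        return need <= perm[("user", "")], "user::"
    if ("user", uname) in perm:                          # ACL_USER, masked
        return need <= (perm[("user", uname)] & mask), f"user:{uname}:"
    hits = [q for t, q in perm if t == "group" and (q or grp) in my_groups]
    for q in hits:                                       # ACL_GROUP_OBJ / ACL_GROUP, masked
        if need <= (perm[("group", q)] & mask):
            return True, f"group:{q}:"
    if hits:                                             # a matching group entry blocks other::
        return False, "group entries matched but none grants the request"
    return need <= perm[("other", "")], "other::"
```

Search ("--x") is what vfs_ChDir needs; removing the ur-lab-privateshare-rw group from the token drops the check through to other::--- and it is denied.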