[Samba] permission denied with windows acls

Peter Carlson peter at howudodat.com
Mon Jan 29 17:27:58 UTC 2024


On 1/29/24 08:17, Rowland Penny via samba wrote:
> On Mon, 29 Jan 2024 07:55:05 -0800
> Peter Carlson via samba<samba at lists.samba.org>  wrote:
>
>> Just to make sure this morning, I created another VM and it behaves
>> the same, so obviously we have something slightly different in our
>> configs. I think we have gone through the client side pretty
>> thoroughly and they are the same.  That leaves:
>>
>>    * our security settings on the share -  but you said that your
>> machine isn't in domain users and domain computers doesn't have
>> access to the share.  What else is there to test here?
>>    * file server samba settings
>>    * possibly version differences
>>        o Client: Version 4.15.13-Ubuntu
>>        o File Server: Version 4.19.0pre1-GIT-1e793357906
>>        o Domain Controller: Version 4.18.0pre1-GIT-d385058ce7c
>>        o I was doing some work on generic user level linux GPOs which
>> is why the DC and FS are running from source
>>    * or even at the DC?
>>
>> What's the easiest way to proceed?  I can post pretty much any config
>> needed.
>>
> The share I am mounting is a simple share on a Unix domain member using
> the 'rid' backend (as is the client), these are the permissions on the
> share:
>
> ls -lad /srv/share
> drwxrwx--- 3 rowland domain users 4096 Jan 28 21:48 /srv/share
>
> The share in smb.conf is this:
>
> [data]
>      path=/srv/share
>      read only = no
>
> With that, I can start my VM and find the share in /mnt/test
>
> I think my next step will have to be to set up a new share on the
> server, but this time set the permissions from Windows and see if that
> mounts on the Unix client. But it will have to be tomorrow now.
>
> Rowland
>
No worries on the timeline, I appreciate the help!

Here are my Windows share permissions: https://pasteboard.co/m6j9vYkRkt3q.png

Here is my share config:

root@fs1:~# ls -lad /data/test
drwxrwx--T+ 4 root CARLSON\domain admins 4096 Jan 26 16:13 /data/test


[global]
server string = %h server (Samba, Ubuntu)
    log file = /var/log/samba/log.%m
    max log size = 1000
    logging = file
    panic action = /usr/share/samba/panic-action %d
log level = 3

kerberos method = secrets and keytab
realm = CARLSON.LAB
workgroup = CARLSON
template homedir = /home/%U@%D
template shell = /bin/bash
security = ads
idmap config CARLSON : range = 2000000-2999999
idmap config CARLSON : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb

vfs objects = acl_xattr
map acl inherit = yes

winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no

apply group policies = yes

#======================= Share Definitions =======================
[Test]
     path = /data/test
     comment = test
     writable = yes
