[Samba] Random permission denied and path not found errors

Tamás Papp t.papp at spectral.hu
Sat Jun 22 09:34:21 UTC 2024


I have upgraded one of the servers to 4.20 from MJT's repository, however 
it's not the main one and has way lower traffic load.

I have also removed the entries that you suggested.

Besides these changes, I started wondering about two other workarounds.

1. Is it possible to add and authenticate a local user when the samba 
server is an AD member?
I would add a local user and render machines would map the share with that 
user.

2. Is there any option to cache AD users better?
My assumption is that the user id or gid does not resolve properly and 
that's the root cause.

Could you advise, please?


On June 17, 2024 20:20:49 Rowland Penny via samba <samba at lists.samba.org> 
wrote:

> On Mon, 17 Jun 2024 19:47:04 +0200
> Tamas Papp via samba <samba at lists.samba.org> wrote:
>
>>
>> On 6/17/24 16:15, Rowland Penny via samba wrote:
>>> Are your incus containers privileged ?
>>
>> Yes.
>>
>>> I should also point out that, from the Samba point of view, 4.15.13
>>> is EOL.
>>
>>
>> I can upgrade samba (ubuntu), but would only do so if there is any
>> relevant change/fix/improvement. The release notes are quite long and
>> in many cases I am unsure about the meaning of the content.
>>
>> Ubuntu 24.04 includes 4.19.5+dfsg-4ubuntu9.
>
> There have been numerous fixes since 4.15.x , using the most recent
> version of Samba possible is always a good idea.
>
>>
>>> No idea because I haven't a clue how you are running Samba, for all
>>> I know, you could be running sssd on a Samba fileserver.
>>>
>>> Might be an idea if you post the output of 'testparm -s'
>>
>>
>> Good point, I missed adding the configuration.
>>
>> The Windows server is an AD DC and samba is an AD member:
>>
>>
>> # Global parameters
>> [global]
>>    kerberos method = secrets and keytab
>>    log file = /var/log/samba/log.%m
>>    logging = file
>>    map to guest = Bad User
>>    max log size = 1000
>>    obey pam restrictions = Yes
>>    pam password change = Yes
>>    panic action = /usr/share/samba/panic-action %d
>>    passwd chat = *Enter\snew\s*\spassword:* %n\n
>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>    passwd program = /usr/bin/passwd %u
>>    realm = SPECTRALSTUDIOS.LOCAL
>>    security = ADS
>>    server role = standalone server
>>    server string = %h server (Samba, Ubuntu)
>>    template homedir = /home/%U@%D
>>    template shell = /bin/bash
>>    unix password sync = Yes
>>    usershare allow guests = Yes
>>    winbind offline logon = Yes
>>    winbind refresh tickets = Yes
>>    workgroup = SPECTRALSTUDIOS
>>    idmap config * : range = 10000-999999
>>    idmap config spectralstudios : backend = rid
>>    idmap config spectralstudios : range = 2000000-2999999
>>    idmap config * : backend = tdb
>>
>> [HUNY_asset]
>>    comment = HUNY/asset
>>    create mask = 0664
>>    directory mask = 02775
>>    force create mode = 0664
>>    force directory mode = 02775
>>    path = /data/Projects/HUNY/asset
>>    read only = No
>>    valid users = "@spectralstudios\domain users"
>>
>>
>> There are more shares but the configuration is the same.
>
> Hmm, did you take the standard Ubuntu smb.conf and then add to it ?
> I ask this because you have numerous lines that do not really have a
> place in a Unix domain member smb.conf
>
> I would definitely remove these lines:
>
>     obey pam restrictions = Yes
>     pam password change = Yes
>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* 
>     %n\n *password\supdated\ssuccessfully* .
>     passwd program = /usr/bin/passwd %u
>     server role = standalone server
>     unix password sync = Yes
>
> Unless you have 'guest ok = yes' or 'public = yes' set in a share (if
> so why ?) then I would remove this line:
>
>     map to guest = Bad User
>
> Also if you are not going to be using usershares, I would remove this
> line:
>
>     usershare allow guests = Yes
>
> Turning to your share, add these lines to 'global':
>
>  vfs objects = acl_xattr
>  map acl inherit = Yes
>
> then make your share look like this:
>
> [HUNY_asset]
>     comment = HUNY/asset
>     read only = No
>
> Then read this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Rowland
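
The changes suggested in the quoted reply, expressed as a check over 'testparm -s' output. This is an added example, not part of the original thread and not Samba tooling: the parameter lists encode only that reply's advice, and SAMPLE, parse and review are constructed names.

```python
# Constructed sample: shortened from the 'testparm -s' output quoted in the thread.
SAMPLE = """\
[global]
   map to guest = Bad User
   obey pam restrictions = Yes
   security = ADS
   server role = standalone server
   unix password sync = Yes
   usershare allow guests = Yes
[HUNY_asset]
   create mask = 0664
   read only = No
"""
# The lists below encode only the advice in the quoted reply, not Samba's own rules.
REMOVE = {"obey pam restrictions", "pam password change", "passwd chat",
          "passwd program", "server role", "unix password sync"}
SHARE_DROP = {"create mask", "directory mask", "force create mode",
              "force directory mode", "valid users"}
WANTED = {"vfs objects": "acl_xattr", "map acl inherit": "Yes"}

def parse(text):
    """Parse smb.conf / testparm text into {section: {param: value}}."""
    sections, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)
            cur[" ".join(key.lower().split())] = value.strip()  # names are case-insensitive
    return sections

def review(text):
    """Return the list of changes the reply's advice implies for this config."""
    cfg = parse(text)
    glob = cfg.pop("global", {})
    guest = any(s.get(k, "").lower() in ("yes", "true", "1")
                for s in cfg.values() for k in ("guest ok", "public"))
    out = [f"[global] remove: {k}" for k in sorted(REMOVE & glob.keys())]
    if "map to guest" in glob and not guest:
        out.append("[global] remove: map to guest (no share sets guest ok/public)")
    if "usershare allow guests" in glob:
        out.append("[global] remove if usershares are unused: usershare allow guests")
    for key, value in WANTED.items():
        if value.lower() not in glob.get(key, "").lower().split():
            out.append(f"[global] add: {key} = {value}")
    for name, share in cfg.items():
        out += [f"[{name}] not in the suggested share: {k}" for k in sorted(SHARE_DROP & share.keys())]
    return out

if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```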


