[Samba] world-inaccessible home dirs and samba log noise
Norbert Hanke
norbert.hanke at gmx.ch
Fri Jun 20 06:59:29 UTC 2025
Hi,
It's Microsoft's decision that everyone and everyTHING is a user and a
member of BUILTIN\users.
If a service on a workstation running as Local Service tries to access
something on a network drive it uses the machine account of that
workstation, leading to the error messages emitted by samba.
It's the [human] user's decision if his workstation shall have access to
their files on a network drive. If they deny such access then services
like virus scanners cannot access files stored on such network drives.
That can be good or bad.
And it can be good or bad that Samba writes an error message. IMHO it's
not an error and much less a Samba error. To the contrary, Samba does
the needful: rejects access where access shall be rejected. It deserves
a success message.
regards,
Norbert
On 09.06.2025 16:04, Michael Tokarev via samba wrote:
> Hi!
>
> Some of our users changed permissions for their home dirs to
> revoke access for everyone, making it 0750 instead of 0755.
> This is the default on some Linux distributions for quite some
> time already, too.
>
> Now, samba logs a lot of noise like this:
>
> [2025/06/08 11:11:02.896807, 0]
> source3/smbd/smb2_service.c:117(chdir_current_service)
> chdir_current_service: vfs_ChDir(/home/jatok) failed: \
> Permission denied. Current token: uid=2100, gid=2000, \
> 4 groups: 2000 5000 5001 5002
>
> (the groups come from the domain controller, these are
>
> 2000 - domain computers
> 5000 - BUILTIN\administrators
> 5001 - BUILTIN\users
> 5002 - BUILTIN\guests
>
> Why each computer is a member of BUILTIN\users group anyway,
> when it is not a user but a computer?
>
> So, which permissions should a user home directory have to
> avoid this log spam by samba?
>
> Thanks,
>
> /mjt
>
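
To triage the denials discussed in this thread, the following added example (not part of either message and not Samba code) counts `chdir_current_service` denials per path and token and separates machine-account tokens from all others. It assumes, following the group mapping quoted above, that primary gid 2000 means "domain computers"; the first sample entry is the one from the post, the other two are constructed.

```python
import re
from collections import Counter

# Assumption from the poster's mapping: gid 2000 = "domain computers".
# Adjust to the idmap ranges of your own domain.
MACHINE_GIDS = {2000}

DENIED = re.compile(
    r"chdir_current_service: vfs_ChDir\((?P<path>[^)]*)\) failed:\s*"
    r"Permission denied\. Current token: uid=(?P<uid>\d+), gid=(?P<gid>\d+)"
)

def unwrap(text):
    """Join lines that end in a backslash, as in the wrapped excerpt in the post."""
    return re.sub(r"\\\s*\n\s*", "", text)

def triage(log_text, machine_gids=MACHINE_GIDS):
    """Count denials keyed by (kind, path, uid); kind is 'machine' or 'user'."""
    counts = Counter()
    for m in DENIED.finditer(unwrap(log_text)):
        kind = "machine" if int(m["gid"]) in machine_gids else "user"
        counts[(kind, m["path"], int(m["uid"]))] += 1
    return counts

# Sample input: entry 1 is quoted from the post, entries 2 and 3 are constructed.
SAMPLE = r"""[2025/06/08 11:11:02.896807, 0] source3/smbd/smb2_service.c:117(chdir_current_service)
  chdir_current_service: vfs_ChDir(/home/jatok) failed: \
  Permission denied. Current token: uid=2100, gid=2000, \
  4 groups: 2000 5000 5001 5002
[2025/06/08 11:12:40.000000, 0] source3/smbd/smb2_service.c:117(chdir_current_service)
  chdir_current_service: vfs_ChDir(/home/jatok) failed: Permission denied. Current token: uid=2100, gid=2000, 4 groups: 2000 5000 5001 5002
[2025/06/08 11:13:05.000000, 0] source3/smbd/smb2_service.c:117(chdir_current_service)
  chdir_current_service: vfs_ChDir(/home/alice) failed: Permission denied. Current token: uid=3001, gid=100, 1 groups: 100
"""

if __name__ == "__main__":
    for (kind, path, uid), n in sorted(triage(SAMPLE).items()):
        print(f"{kind:8} uid={uid:<6} {path:20} {n} denial(s)")
```

Entries counted as `machine` are the workstation-account accesses described in the reply; anything counted as `user` is a denial for a non-machine token and is worth a separate look.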