[Samba] samba ad integrated file server Permission denied
Markus Huether
huether at markus-huether.de
Mon Nov 17 14:08:44 UTC 2025
Hello,
I am experiencing an issue with an Ubuntu 24.04.3 LTS file server that
has samba-ad-dc integrated (4.19.5) as a member server. Every night at
5:10 a.m., I receive the following syslog entries on the file server:
2025-11-16T05:15:01.532768+01:00 fs1 CRON[194336]: (root) CMD (command
-v debian-sa1 > /dev/null && debian-sa1 1 1)
2025-11-16T05:15:10.601499+01:00 fs1 smbd[194338]: [2025/11/16
05:15:10.599170, 0]
source3/smbd/smb2_service.c:117(chdir_current_service)
2025-11-16T05:15:10.602166+01:00 fs1 smbd[194338]:
chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner)
failed: Permission denied. Current token: uid=2001103, gid=2000515, 5
groups: 2001103 2000515 10003 10004 10006
2025-11-16T05:15:10.602389+01:00 fs1 smbd[194338]: [2025/11/16
05:15:10.601006, 0]
source3/smbd/smb2_service.c:117(chdir_current_service)
2025-11-16T05:15:10.602615+01:00 fs1 smbd[194338]:
chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner)
failed: Permission denied. Current token: uid=2001103, gid=2000515, 5
groups: 2001103 2000515 10003 10004 10006
2025-11-16T05:15:10.602893+01:00 fs1 smbd[194338]: [2025/11/16
05:15:10.602047, 0]
source3/smbd/smb2_service.c:117(chdir_current_service)
2025-11-16T05:15:10.603069+01:00 fs1 smbd[194338]:
chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner)
failed: Permission denied. Current token: uid=2001103, gid=2000515, 5
groups: 2001103 2000515 10003 10004 10006
However, I don't have a cron job running at that time. The backup runs
at 2 a.m. with borg.
I'm not sure if this has anything to do with smb.conf.
root@fs1:/# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_DOMAIN_MEMBER
# Global parameters
[global]
kerberos method = secrets and keytab
realm = IWW.LAN
security = ADS
template homedir = /home/%U@%D
template shell = /bin/bash
winbind enum groups = Yes
winbind enum users = Yes
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = IWW
idmap config * : range = 10000-999999
idmap config iww : backend = rid
idmap config iww : range = 2000000-2999999
idmap config * : backend = tdb
map acl inherit = Yes
vfs objects = acl_xattr
[basis]
comment = AD Basisordner
path = /mnt/volume1_daten/basisordner
read only = No
'acl_xattr:ignore system acls = yes'
Is this smb.conf correct?
Specifically regarding the entries:
map acl inherit = Yes
vfs objects = acl_xattr
'acl_xattr:ignore system acls = yes'
The file server is working as it should. I can access it with Windows
clients and the ACLs are also error-free when accessing the file server.
The path to the share has the following permissions:
drwxr-xr-x 3 root root 4096 Mai 12 2025 mnt
drwxr-xr-x 3 root root 4096 Mai 15 2025 volume1_daten
drwxrwx--T+ 5 root domain users 4096 Sep 30 18:31 basisordner
Can anyone help me with this?
Markus
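
Added example, not part of the original post: a small Python triage helper that parses the `chdir_current_service` failure line quoted above, maps the token's Unix IDs back through the idmap ranges shown in the testparm output, and checks the plain mode bits of the share directory. It assumes `base_rid` is at its default of 0 and that the "domain users" group in the listing is the AD group with RID 513; the function names are hypothetical, and the ACL entries behind the `+` in the listing are not evaluated.

```python
import re

# Constructed sample: one smbd entry from the post with the mail line-wrapping undone.
SAMPLE_LOG = (
    "2025-11-16T05:15:10.602166+01:00 fs1 smbd[194338]: chdir_current_service: "
    "vfs_ChDir(/mnt/volume1_daten/basisordner) failed: Permission denied. "
    "Current token: uid=2001103, gid=2000515, 5 groups: 2001103 2000515 10003 10004 10006"
)
# Ranges from the posted testparm output; base_rid is assumed to be its default (0).
RID_RANGE = (2000000, 2999999)  # idmap config iww : backend = rid
TDB_RANGE = (10000, 999999)     # idmap config * : backend = tdb
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers"}

TOKEN_RE = re.compile(
    r"vfs_ChDir\((?P<path>[^)]+)\) failed: (?P<error>[^.]+)\. Current token: "
    r"uid=(?P<uid>\d+), gid=(?P<gid>\d+), \d+ groups:(?P<groups>(?: \d+)+)"
)

def parse_token(line):
    """Extract path, error and Unix token from a chdir_current_service failure."""
    m = TOKEN_RE.search(line)
    if m is None:
        return None
    return {"path": m["path"], "error": m["error"], "uid": int(m["uid"]),
            "gid": int(m["gid"]), "groups": {int(g) for g in m["groups"].split()}}

def describe_id(xid):
    """Map a Unix ID back to its origin using the idmap ranges above."""
    if RID_RANGE[0] <= xid <= RID_RANGE[1]:
        rid = xid - RID_RANGE[0]  # rid backend: ID = RID - base_rid + low range
        name = WELL_KNOWN_RIDS.get(rid)
        return f"RID {rid} ({name})" if name else f"RID {rid}"
    if TDB_RANGE[0] <= xid <= TDB_RANGE[1]:
        return "allocated by the tdb backend (SID not derivable from the number)"
    return "outside the configured idmap ranges"

def mode_bits_allow_chdir(token, owner_uid, group_gid, mode):
    """Owner/group/other search-bit check only; POSIX ACL entries ('+') are ignored."""
    if token["uid"] == owner_uid:
        return bool(mode & 0o100)
    if group_gid == token["gid"] or group_gid in token["groups"]:
        return bool(mode & 0o010)
    return bool(mode & 0o001)

if __name__ == "__main__":
    tok = parse_token(SAMPLE_LOG)
    print("uid", tok["uid"], "->", describe_id(tok["uid"]))
    for gid in sorted(tok["groups"]):
        print("group", gid, "->", describe_id(gid))
    # drwxrwx--T root:"domain users" from the post = mode 0o1770, gid 2000000 + 513
    print("mode bits allow chdir:", mode_bits_allow_chdir(tok, 0, 2000513, 0o1770))
```

Under these assumptions the logged token resolves to RID 1103 with primary group RID 515 (Domain Computers), and the mode bits alone give it no search permission on the directory; `getfacl` on the path shows whether an ACL entry changes that.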