[Samba] samba ad integrated file server Permission denied
Rowland Penny
rpenny at samba.org
Mon Nov 17 15:15:16 UTC 2025
On Mon, 17 Nov 2025 15:08:44 +0100
Markus Huether via samba <samba at lists.samba.org> wrote:
> Hello,
> I am experiencing an issue with an Ubuntu 24.04.3 LTS file server
> that has samba-ad-dc integrated (4.19.5) as a member server. Every
> night at 5:10 a.m., I receive the following syslog entries on the
> file server:
>
> │2025-11-16T05:15:01.532768+01:00 fs1 CRON[194336]: (root) CMD
> (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
> │
> │2025-11-16T05:15:10.601499+01:00 fs1 smbd[194338]: [2025/11/16
> 05:15:10.599170, 0]
> source3/smbd/smb2_service.c:117(chdir_current_service)
> │
> │2025-11-16T05:15:10.602166+01:00 fs1 smbd[194338]:
> chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner)
> failed: Permission denied. Current token: uid=2001103, gid=2000515, 5
> groups: 2001103 2000515 10003 10004 10006 │
> │2025-11-16T05:15:10.602389+01:00 fs1 smbd[194338]: [2025/11/16
> 05:15:10.601006, 0]
> source3/smbd/smb2_service.c:117(chdir_current_service)
> │
> │2025-11-16T05:15:10.602615+01:00 fs1 smbd[194338]:
> chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner)
> failed: Permission denied. Current token: uid=2001103, gid=2000515, 5
> groups: 2001103 2000515 10003 10004 10006 │
> │2025-11-16T05:15:10.602893+01:00 fs1 smbd[194338]: [2025/11/16
> 05:15:10.602047, 0]
> source3/smbd/smb2_service.c:117(chdir_current_service)
> │
> │2025-11-16T05:15:10.603069+01:00 fs1 smbd[194338]:
> chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner)
> failed: Permission denied. Current token: uid=2001103, gid=2000515, 5
> groups: 2001103 2000515 10003 10004 10006
>
> However, I don't have a cron job running at that time. The backup
> runs at 2 a.m. with borg.
You probably do have a cron job; try looking at /etc/cron.d/sysstat
> I'm not sure if this has anything to do with smb.conf.
>
>
> root at fs1:/# testparm -s
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility
> fallback)
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
> kerberos method = secrets and keytab
> realm = IWW.LAN
> security = ADS
> template homedir = /home/%U@%D
> template shell = /bin/bash
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = IWW
> idmap config * : range = 10000-999999
> idmap config iww : backend = rid
> idmap config iww : range = 2000000-2999999
> idmap config * : backend = tdb
> map acl inherit = Yes
> vfs objects = acl_xattr
>
>
> [basis]
> comment = AD Basisordner
> path = /mnt/volume1_daten/basisordner
> read only = No
> 'acl_xattr:ignore system acls = yes'
>
>
> Is this smb.conf correct?
It depends on your definition of correct: yes, it will work, and yes, it
could be better.
You do not require the 'winbind enum' lines. They do two things: they
make 'getent passwd' & 'getent group' work to list all users & groups,
and they potentially slow everything down in large domains.
Your default domain '*' range is a bit large. The default domain is
meant for anything outside the 'IWW' domain (so really '0') and the
Well Known SIDs (there are fewer than 200 of those), so 989,999 is a bit
of an overkill ;-)
> Specifically regarding the entries:
>
> map acl inherit = Yes
> vfs objects = acl_xattr
You need those for extended attributes, i.e. Windows permissions.
>
> 'acl_xattr:ignore system acls = yes'
That could be your problem. It does what it says: it makes Samba ignore
the Linux permissions set on the share's directory, and I am fairly sure
that 'smbd' needs them to traverse into the directory.
Rowland
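
An added example, not part of the thread: a short Python script that parses the token from the quoted smbd log entry and maps each ID onto the idmap ranges in the posted smb.conf, decoding 'rid' backend IDs back to their RIDs. It assumes the idmap_rid default base_rid of 0 (the posted config does not set one); the function names are hypothetical.

```python
import re

# idmap ranges copied from the testparm output quoted in the thread.
IDMAP_RANGES = {"* (tdb)": (10000, 999999), "iww (rid)": (2000000, 2999999)}
# Standard well-known domain RIDs, used only to label decoded values.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers"}

TOKEN_RE = re.compile(
    r"vfs_ChDir\((?P<path>[^)]+)\) failed: (?P<err>.+?)\. "
    r"Current token: uid=(?P<uid>\d+), gid=(?P<gid>\d+), "
    r"\d+ groups: (?P<groups>\d+(?: \d+)*)"
)

# Log entry from the thread, rejoined onto one line (constructed sample).
SAMPLE = (
    "2025-11-16T05:15:10.602166+01:00 fs1 smbd[194338]: chdir_current_service: "
    "vfs_ChDir(/mnt/volume1_daten/basisordner) failed: Permission denied. "
    "Current token: uid=2001103, gid=2000515, 5 groups: "
    "2001103 2000515 10003 10004 10006"
)

def classify(xid, base_rid=0):
    """Return (idmap domain, decoded RID or None, well-known name or None)."""
    for name, (low, high) in IDMAP_RANGES.items():
        if low <= xid <= high:
            if name.endswith("(rid)"):
                rid = xid - low + base_rid  # inverse of ID = RID - BASE_RID + LOW
                return name, rid, WELL_KNOWN_RIDS.get(rid)
            return name, None, None  # tdb allocates IDs; nothing to decode
    return None, None, None  # outside every configured range

def parse_token(line):
    """Extract path, error and the classified uid/gid/groups from a log entry."""
    m = TOKEN_RE.search(" ".join(line.split()))  # collapse syslog line wrapping
    if m is None:
        return None
    ids = [int(m["uid"]), int(m["gid"])] + [int(g) for g in m["groups"].split()]
    return {"path": m["path"], "error": m["err"], "uid": int(m["uid"]),
            "gid": int(m["gid"]), "ids": {i: classify(i) for i in dict.fromkeys(ids)}}

if __name__ == "__main__":
    token = parse_token(SAMPLE)
    print(token["path"], "->", token["error"])
    for xid, (domain, rid, name) in token["ids"].items():
        print(f"  {xid}: {domain}, RID={rid} {name or ''}")
```
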