[Samba] samba ad integrated file server Permission denied

Markus Huether huether at markus-huether.de
Tue Nov 18 12:03:38 UTC 2025


I changed the smb.conf

aramis at fs1:~$ testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
     kerberos method = secrets and keytab
     realm = IWW.LAN
     security = ADS
     template homedir = /home/%U@%D
     template shell = /bin/bash
     winbind offline logon = Yes
     winbind refresh tickets = Yes
     winbind use default domain = Yes
     workgroup = IWW
     idmap config * : range = 3000-7999
     idmap config iww : backend = rid
     idmap config iww : range = 2000000-2999999
     idmap config * : backend = tdb
     map acl inherit = Yes
     vfs objects = acl_xattr


[basis]
     comment = AD Basisordner
     path = /mnt/volume1_daten/basisordner
     read only = No

So I deleted the entries:

winbind enum groups = Yes
winbind enum users = Yes
'acl_xattr:ignore system acls = yes'


but I still have the log entries at 5:15 a.m.
But the question remains: who triggers these entries at 5:15 a.m.? I've 
looked through all the cron jobs. There is definitely none entered for 
that time.
The strange thing is that the file server works without any problems.
I then checked who has the uid 2001103 but couldn't find anything. It 
must be an AD user, but I couldn't find the ID in the AD or on the server.
How can I resolve the ID to a user?
fs1$ is the server name. There is no user with fs1 on the server or in 
the domain. However, I can't find anything about the uid or gid in the 
domain or on the server. Is there any way I can query the uid/gid?

Markus


On 18.11.25 at 10:44, Rowland Penny via samba wrote:
> On Mon, 17 Nov 2025 15:15:16 +0000
> Rowland Penny via samba<samba at lists.samba.org> wrote:
>
>> On Mon, 17 Nov 2025 15:08:44 +0100
>> Markus Huether via samba<samba at lists.samba.org> wrote:
>>
>>> Hello,
>>> I am experiencing an issue with an Ubuntu 24.04.3 LTS file server
>>> that has samba-ad-dc integrated (4.19.5) as a member server. Every
>>> night at 5:10 a.m., I receive the following syslog entries on the
>>> file server:
>>>
>>> │2025-11-16T05:15:10.602166+01:00 fs1 smbd[194338]:
>>>    chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner)
>>> failed: Permission denied. Current token: uid=2001103, gid=2000515,
>>> 5 groups: 2001103 2000515 10003 10004 10006 │
> Then I looked closer at the output you provided and I realised why you
> are getting the error messages.
>
> It is because the user cannot traverse to the directory, but that is
> because the user isn't a member of Domain Users. If you look at the
> UID, I feel it is linked to the username fs1$ and that user's primary
> group is Domain Computers (the '515' at the end of the gid '2000515'
> gives this away), yes, it is your computer (aka 'SYSTEM').
>
> Rowland
>
>
>
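Added example (not part of the original messages, and not Samba code): with the rid backend and the ranges shown in the testparm output, the uid and gid in the log line map back to AD RIDs by subtracting the low end of the domain's range. It assumes base_rid is left at its default of 0; the function names and the small well-known-RID table are the example's own.

```python
import re

# idmap ranges copied from the testparm output in the message above.
IDMAP_RANGES = {"IWW (rid backend)": (2000000, 2999999),
                "* (tdb backend)": (3000, 7999)}
RID_DOMAIN = "IWW (rid backend)"

# Well-known domain-relative RIDs (fixed by Active Directory).
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests",
                   515: "Domain Computers", 516: "Domain Controllers"}

TOKEN_RE = re.compile(r"uid=(\d+),\s*gid=(\d+),\s*\d+ groups:((?:\s+\d+)+)")

def classify(unix_id):
    """Return (range name, RID or None, well-known name or None)."""
    for name, (low, high) in IDMAP_RANGES.items():
        if low <= unix_id <= high:
            if name != RID_DOMAIN:
                return name, None, None  # tdb allocates IDs, no arithmetic mapping
            rid = unix_id - low          # idmap_rid, assuming base_rid = 0 (default)
            return name, rid, WELL_KNOWN_RIDS.get(rid)
    return None, None, None              # not covered by any configured range

def decode_token(log_line):
    """Extract uid, gid and groups from an smbd 'Current token' message."""
    m = TOKEN_RE.search(log_line)
    if m is None:
        raise ValueError("no smbd token found in line")
    uid, gid = int(m.group(1)), int(m.group(2))
    groups = [int(g) for g in m.group(3).split()]
    return {"uid": (uid, *classify(uid)),
            "gid": (gid, *classify(gid)),
            "groups": [(g, *classify(g)) for g in groups]}

# The log entry quoted in the thread, joined onto one line.
SAMPLE = ("chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner) "
          "failed: Permission denied. Current token: uid=2001103, gid=2000515, "
          "5 groups: 2001103 2000515 10003 10004 10006")

if __name__ == "__main__":
    token = decode_token(SAMPLE)
    print("uid  ", token["uid"])   # RID 1103 in the IWW domain
    print("gid  ", token["gid"])   # RID 515, Domain Computers
    for entry in token["groups"]:
        print("group", entry)      # 10003/10004/10006 match no configured range
```

On the member server itself, `wbinfo --uid-to-sid=2001103` followed by `wbinfo --sid-to-name=<SID>` asks winbind for the same mapping and returns the account name.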

