[Samba] samba ad integrated file server Permission denied
Rowland Penny
rpenny at samba.org
Tue Nov 18 15:23:34 UTC 2025
On Tue, 18 Nov 2025 14:45:52 +0100
Markus Huether via samba <samba at lists.samba.org> wrote:
> rowland at devstation:~$ getent passwd devstation$
> devstation$:*:12657:10515::/home/devstation_:/bin/bash
>
> But if I only have one uid, getent doesn't help me. I have already
> checked all users and computers stored in AD with getent.
>
>
> If I run 'cat /etc/cron.d/sysstat', I get this:
>
> # The first element of the path is a directory where the debian-sa1
> # script is located
> PATH=/usr/lib/sysstat:/usr/sbin:/usr/sbin:/usr/bin:/sbin:/bin
>
> # Activity reports every 10 minutes everyday
> 5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
>
> # Additional run at 23:59 to rotate the statistics file
> 59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2
>
> I get the same result here. The cron runs every 10 minutes and
> additionally at 11:59 p.m. However, I always receive the syslog
> entries at 5:15 a.m. and only then. So this has nothing to do with
> these cron entries.
>
I now think that the cron entry is a blind alley. As I said, it appears
to be a 'housekeeping' command run on a regular basis; it just seems
to happen before your real problem, and I do not think the two are
connected. Let's examine the permissions set on your shares directory:
drwxrwx--T+ 5 root domain users 4096 Sep 30 18:31 basisordner
Working left to right:
The 'd' shows it is a directory
The first 'rwx' shows that the owner has full permissions on the directory
The second 'rwx' shows that the group has full permissions on the directory
The final '--T' is a bit special: it shows that 'others' have no
permissions on the directory and that the 'sticky bit' is set on the
directory.
There is also a '+' at the very end, more about this later.
The standard permissions show that the owner (root) and members of the
group (Domain Users) have full permissions on the directory (read, write
and enter); others cannot even enter the directory. Because the 'sticky
bit' is set, any files in the directory can only be renamed or
deleted by the file's owner, the directory's owner, or root (in this
case the same user).
Now something is attempting, via smbd, to change directory into the
'basisordner' directory; that 'something' in your case is the computer
fs1. Because 'fs1' is not 'root' or a member of Domain Users, it is
being denied access. However, there is that '+', which shows that there
are extended ACLs set on the directory. What they are, I have no idea,
because I haven't seen the output of 'getfacl
/mnt/volume1_daten/basisordner', but, from the error you are getting, I
doubt they show 'fs1' having permission to enter the directory.
Your main problem is tracing the 'something' that is triggering smbd to
attempt to chdir, it could be something on the server or something
connecting from another computer.
Rowland
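
Added example (not part of the original message): a small Python reading of the mode string discussed above, generalised to any `ls -l` mode string, that applies the owner/group/other rule for entering a directory and the sticky-bit rule for deleting entries. The function names are hypothetical; the '+' is only detected, not resolved, because the ACL entries themselves come from getfacl.

```python
from dataclasses import dataclass

@dataclass
class Mode:
    ftype: str      # 'd' directory, '-' regular file, 'l' symlink, ...
    owner: str      # e.g. 'rwx'
    group: str
    other: str
    sticky: bool
    has_acl: bool   # trailing '+': extended ACL entries exist

def _split_special(triplet, flag):
    """Lower-case flag (s/t) means execute is also set, upper-case means it is not."""
    last = triplet[2]
    if last.lower() != flag:
        return triplet, False
    return triplet[:2] + ("x" if last.islower() else "-"), True

def parse_mode(s):
    """Parse an ls-style mode string such as 'drwxrwx--T+'."""
    if len(s) not in (10, 11):
        raise ValueError(f"unexpected mode string: {s!r}")
    owner, _ = _split_special(s[1:4], "s")
    group, _ = _split_special(s[4:7], "s")
    other, sticky = _split_special(s[7:10], "t")
    return Mode(s[0], owner, group, other, sticky, s[10:] == "+")

def can_enter(mode, is_root=False, is_owner=False, in_group=False):
    """Return (allowed, definitive) for chdir into the directory, from mode bits only.

    Exactly one class applies: owner, else group, else other. With a '+' the
    verdict for a non-owner is not definitive: a named ACL entry may apply and
    the displayed group bits are the ACL mask, so getfacl output is needed.
    """
    if is_root:
        return True, True
    bits = mode.owner if is_owner else mode.group if in_group else mode.other
    return "x" in bits, is_owner or not mode.has_acl

def may_delete_entry(mode, is_root=False, owns_file=False, owns_dir=False):
    """Sticky-bit rule for a caller who already has write+search on the directory."""
    return (not mode.sticky) or is_root or owns_file or owns_dir

if __name__ == "__main__":
    m = parse_mode("drwxrwx--T+")             # mode string from the listing above
    print("Domain Users member:", can_enter(m, in_group=True))
    print("fs1 (neither owner nor member):", can_enter(m))
    print("member deleting someone else's file:", may_delete_entry(m))
```
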