[Samba] samba ad integrated file server Permission denied
Markus Huether
huether at markus-huether.de
Sun Nov 23 11:58:20 UTC 2025
> I have no idea, because I haven't seen the output of 'getfacl /mnt/volume1_daten/basisordner'
Here is the output of getfacl from the directory /mnt/volume1_daten/basisordner.
root at fs1:/mnt/volume1_daten# getfacl -R /mnt/volume1_daten/basisordner/ | more
getfacl: Removing leading '/' from absolute path names
# file: mnt/volume1_daten/basisordner/
# owner: root
# group: domain\040users
# flags: --t
user::rwx
user:root:rwx
user:administrator:rwx
user:domain\040users:r-x
group::r-x
group:administrator:rwx
group:domain\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:administrator:rwx
default:group::---
default:group:administrator:rwx
default:group:domain\040users:---
default:mask::rwx
default:other::---
I set the rights for the "basisordner" when installing the file server
using the following commands:
sudo chmod 1770 /mnt/volume1_daten/basisordner
sudo chgrp "domain users" /mnt/volume1_daten/basisordner
Is that correct? It should be, as the file server then works with the
rights assignment via the RSAT tools.
I will continue to investigate who accessed the system at 5:15 a.m.
Markus
On 18.11.25 at 16:23, Rowland Penny via samba wrote:
> On Tue, 18 Nov 2025 14:45:52 +0100
> Markus Huether via samba<samba at lists.samba.org> wrote:
>
>> rowland at devstation:~$ getent passwd devstation$
>> devstation$:*:12657:10515::/home/devstation_:/bin/bash
>>
>> But if I only have one uid, getent doesn't help me. I have already
>> checked all users and computers stored in AD with getent.
>>
>>
>> If I run 'cat /etc/cron.d/sysstat', I get this:
>>
>> # The first element of the path is a directory where the debian-sa1
>> # script is located
>> PATH=/usr/lib/sysstat:/usr/sbin:/usr/sbin:/usr/bin:/sbin:/bin
>>
>> # Activity reports every 10 minutes everyday
>> 5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1
>> 1 1
>>
>> # Additional run at 23:59 to rotate the statistics file
>> 59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2
>>
>> I get the same result here. The cron runs every 10 minutes and
>> additionally at 11:59 p.m. However, I always receive the syslog
>> entries at 5:15 a.m. and only then. So this has nothing to do with
>> these cron entries.
>>
> I now think that the cron entry is a blind alley, as I said, it appears
> to be an 'housekeeping' command run on a regular basis, it just seems
> to happen before your real problem, I do not think the two are
> connected. Lets examine the permissions set on your shares directory:
> drwxrwx--T+ 5 root domain users 4096 Sep 30 18:31 basisordner
>
> Working left to right:
> The 'd' shows it is a directory
> The first 'rwx' shows that the owner has full permissions on the directory
> The second 'rwx' shows that the group has full permissions on the directory
> the final '--T' is a bit special, it shows that 'others' have no
> permissions on the directory and that the 'sticky bit' is set on the
> directory.
>
> There is also a '+' at the very end, more about this later.
>
> The standard permissions shows that the owner (root) and members of the
> group (Domain Users) have full permissions on the directory (read, write
> and enter), others cannot even enter the directory. Because the 'sticky
> bit' is set, then any files in the directory can only be renamed or
> deleted by the files owner, the directory's owner, or root (in this
> case the same user)
>
> Now something is attempting, via smbd, to change directory into the
> 'basisordner' directory, that 'something' in your case is the computer
> fs1. Because 'fs1' is not 'root' or a member of Domain Users it is
> being denied access. However there is that '+', that shows that there
> are extended acls set on the directory, what they are, I have no idea,
> because I haven't seen the output of 'getfacl
> /mnt/volume1_daten/basisordner', but, from the error you are getting, I
> doubt they show 'fs1' having permission to enter the directory.
>
> Your main problem is tracing the 'something' that is triggering smbd to
> attempt to chdir, it could be something on the server or something
> connecting from another computer.
>
> Rowland
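Rowland's left-to-right reading of `drwxrwx--T+` and the POSIX ACL entries Markus posted can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from Samba: it parses the getfacl output above (embedded here as constructed sample input), decodes an `ls -l` mode string, and applies the access-check order described in acl(5) (owner, then named user, then every matching group entry, then other, with `mask::` capping the named-user and group entries) for a given account name and group list. The account `fs1$` being in `domain computers` and the user `alice` are assumptions made for the demonstration; the kernel compares uids and gids rather than names, so the name matching here stands in for the mapping winbind provides.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the getfacl block posted in the thread. getfacl writes
# the space in "domain users" as the octal escape \040 (raw string, so the
# backslash survives). Only a few 'default:' lines are kept; they are skipped.
GETFACL_OUTPUT = r"""# file: mnt/volume1_daten/basisordner/
# owner: root
# group: domain\040users
# flags: --t
user::rwx
user:root:rwx
user:administrator:rwx
user:domain\040users:r-x
group::r-x
group:administrator:rwx
group:domain\040users:r-x
mask::rwx
other::---
default:user::rwx
default:group:domain\040users:---
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_value(perms: str) -> int:
    """'r-x' -> 5, 'rwx' -> 7, '---' -> 0."""
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)


def unescape(qualifier: str) -> str:
    """Undo getfacl's \\ooo octal escaping of spaces in names."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), qualifier)


@dataclass
class AccessAcl:
    owner: str
    group: str
    user_obj: int = 0                   # user::   (owner)
    group_obj: int = 0                  # group::  (owning group)
    other: int = 0                      # other::
    mask: Optional[int] = None          # mask::   caps named users and all groups
    users: dict = field(default_factory=dict)   # user:NAME:perms
    groups: dict = field(default_factory=dict)  # group:NAME:perms


def parse_getfacl(text: str) -> AccessAcl:
    """Parse one getfacl block. 'default:' entries only seed new children
    and do not govern access to the directory itself, so they are skipped."""
    acl = AccessAcl(owner="", group="")
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl.owner = unescape(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            acl.group = unescape(line.split(":", 1)[1].strip())
        elif not line or line.startswith("#") or line.startswith("default:"):
            continue
        else:
            tag, qualifier, perms = line.split(":", 2)
            qualifier, value = unescape(qualifier), perm_value(perms)
            if tag == "user" and qualifier:
                acl.users[qualifier] = value
            elif tag == "user":
                acl.user_obj = value
            elif tag == "group" and qualifier:
                acl.groups[qualifier] = value
            elif tag == "group":
                acl.group_obj = value
            elif tag == "mask":
                acl.mask = value
            elif tag == "other":
                acl.other = value
    return acl


def check_access(acl: AccessAcl, user: str, groups: list, wanted: str):
    """acl(5) order: owner, named user, all matching group entries (owning
    group included, any one granting is enough), then other. The mask caps
    everything except the owner and other. Returns (granted, deciding entry)."""
    want = perm_value(wanted)

    def masked(p: int) -> int:
        return p if acl.mask is None else p & acl.mask

    if user == acl.owner:
        return (acl.user_obj & want) == want, "user:: (owner)"
    if user in acl.users:
        return (masked(acl.users[user]) & want) == want, f"user:{user}:"
    candidates = []
    if acl.group in groups:
        candidates.append(("group:: (owning group)", acl.group_obj))
    candidates += [(f"group:{g}:", acl.groups[g]) for g in groups if g in acl.groups]
    for name, perm in candidates:
        if (masked(perm) & want) == want:
            return True, name
    if candidates:
        return False, "group entries match but none grants " + wanted
    return (acl.other & want) == want, "other::"


def parse_mode(mode: str) -> dict:
    """Decode an ls -l mode string such as 'drwxrwx--T+'. In the last column
    't'/'T' mean sticky bit with/without other-execute; a trailing '+' means
    an extended ACL exists (see getfacl)."""
    def triplet(s: str) -> int:
        return perm_value(s[:2] + ("x" if s[2] in "xst" else "-"))
    return {"dir": mode[0] == "d", "owner": triplet(mode[1:4]),
            "group": triplet(mode[4:7]), "other": triplet(mode[7:10]),
            "sticky": mode[9] in "tT", "has_acl": mode[10:11] == "+"}


if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_OUTPUT)
    # fs1$ being only in "domain computers" is an assumption for the demo.
    for who, grps in [("fs1$", ["domain computers"]),
                      ("administrator", ["domain users"]),
                      ("alice", ["domain users"])]:
        ok, why = check_access(acl, who, grps, "x")   # 'x' = may chdir into it
        print(f"{who:14} enter basisordner: {'allowed' if ok else 'DENIED':8} via {why}")
    print(parse_mode("drwxrwx--T+"))
```

With the posted ACL, `fs1$` falls through to `other::---` and is denied exactly as Rowland predicted, while `administrator` enters via its named-user entry and a plain `domain users` member via the owning group. The mask matters for anyone but the owner: change `mask::rwx` to `mask::r-x` and `administrator` loses write even though its own entry still says `rwx`, which is the usual surprise when ACLs set from RSAT look right in getfacl but writes fail.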