[Samba] After upgrade from Debian Bookworm to Trixie we get access denied for group users
Wim De Geeter
wim.de-geeter at uni-graz.at
Sun Nov 23 14:37:26 UTC 2025
In the logs we see that the user1 (belongs to group1 and group2) are found
[2025/11/23 15:20:55.651217, 2] source3/passdb/pdb_ldap.c:2415(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 20000
[2025/11/23 15:20:55.653778, 2] source3/passdb/pdb_ldap.c:2415(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 20001
[2025/11/23 15:20:55.653836, 1] source3/smbd/smb2_service.c:337(create_connection_session_info)
create_connection_session_info: user 'user1' (from session setup) not permitted to access this share (share)
[2025/11/23 15:20:55.653856, 1] source3/smbd/smb2_service.c:519(make_connection_snum)
make_connection_snum: create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
Does anyone have an idea why we get NT_STATUS_ACCESS_DENIED?
Before the upgrade it worked for at least 10 years.
Many thanks for advice on where we have to look or what has changed in the
new version regarding LDAP authentication/authorization.
On 11/20/25 13:48, Wim De Geeter wrote:
> Rowland, thanks for the quick reply
>
> On 11/20/25 12:34, Rowland Penny wrote:
>> On Thu, 20 Nov 2025 11:50:50 +0100
>> Wim De Geeter via samba<samba at lists.samba.org> wrote:
>>
>>> Hello,
>>>
>>> We have a running working Samba configuration on a Debian Bookworm
>>> (Samba 4.17.12). All authentication and authorization management is
>>> done via openLDAP.
>>>
>>> Samba is only used for file services for Windows clients.
>> Are the Windows clients in an AD domain, if so, why are you using ldap,
>> why not just join the fileserver to the domain and use 'security = ADS'
>> ?
>
> The clients are in an AD Domain. Technically we can (and will) not do
> this.
>
> Our department is working under Linux (no AD). Only the Windows users
> (not many) should also have access to these shares.
>
>>> There is
>>> one personal share [homes] and 2 shares (share1 and share2) that are
>>> accessed via groups configured in openLDAP.
>>>
>>> Now we have upgraded our server to Debian Trixie (Samba version
>>> 4.22.6). The personal share can still be accessed by all the users,
>>> but access to the shares [share1] and [share2] is denied. All users
>>> and groups (group1, group2, group3) are defined in openLDAP
>>>
>>> When I use (as a test) a group locally on the server, it works.
>>>
>>>
>> At a guess and it has been quite some time since I had to do this (it
>> works out of the box with AD), I think you need to map the groups to
>> local groups.
>>
>> It may be that the ldap searches are failing for some reason, have you
>> tried a manual search ?
>
> With the version in Bookworm (4.17.12) it worked flawlessly. The user
> could access his personal share and the group shares.
>
> After upgrade to version 4.22.6 (Trixie) the user can still access his
> personal share but for groups something changed and we can't figure out what.
>
> Any other ideas where to look?
>
> Many Thanks!!
>
>>
>> Rowland
>>
>>
>>
>