samba - Feb 2021 - vfs_ChDir failed: Permission denied

>>>> Having said that, if it is only the group you are worried
about, just
>>>> fix the smb.conf on the old computer (which at this stage could
just
>>>> be restarting Samba) and then fix the group ownership of the
files and
>>>> directories.
>>>
>>> Out of ignorance, how do I fix the group ownership? of the files
&
>>> directories?
>>>
>>
>> This would depend on your computer, at the moment your files will show
>> as belonging to the group 'owners', but if you restart Samba,
it is
>> probable they will then show as belonging? to '2011'. If this
is the
>> case, then you can use chown or chgrp to change the group ownership
>> back to 'owners'. I am not saying this is going to be a 5
minute job ?
> 
> The directories and files on the server all have the ownership of
> "whatever user created the filed ie jdoe" and "domain
users"
> and permissions rwxrwx---+
> 
> Access is controlled by the group policies.
I guess I'm still unclear on if this is fixable.  If I take
a directory listing of anything in the shared directories,
I get something like this:

drwxrwx---+   5 root domain admins  4096 Jan  5 13:28 share-1
drwxrwx---+   9 root domain admins  4096 Jan  5 13:28 share-2
drwxrwx---+ 744 root domain admins 28672 Jan 26 09:51 share-3
drwxrwx---+  10 root domain admins  4096 Mar 13  2020 share-4
drwxrwx---+  14 root domain admins  4096 Jan 25 16:12 share-5

The user/group assignment has looked like this from day one.
The only variation it that the "user" changes to match whatever
windows user created the file.  It is not an important attribute
and could be reset to one person.

I'm getting that "permission denied" warning on all these shares.
The "group" assigned on Linux hasn't changed from the original
configuration.  How do the Security Groups in Windows AD fit
into this?

On 01/02/2021 19:44, Marco Shmerykowsky via samba wrote:
>>>>> Having said that, if it is only the group you are worried
about, just
>>>>> fix the smb.conf on the old computer (which at this stage
could just
>>>>> be restarting Samba) and then fix the group ownership of
the files
>>>>> and
>>>>> directories.
>>>>
>>>> Out of ignorance, how do I fix the group ownership? of the
files &
>>>> directories?
>>>>
>>>
>>> This would depend on your computer, at the moment your files will
show
>>> as belonging to the group 'owners', but if you restart
Samba, it is
>>> probable they will then show as belonging? to '2011'. If
this is the
>>> case, then you can use chown or chgrp to change the group ownership
>>> back to 'owners'. I am not saying this is going to be a 5
minute job ?
>>
>> The directories and files on the server all have the ownership of
>> "whatever user created the filed ie jdoe" and "domain
users"
>> and permissions rwxrwx---+
>>
>> Access is controlled by the group policies.
>
> I guess I'm still unclear on if this is fixable.? If I take
> a directory listing of anything in the shared directories,
> I get something like this:
>
> drwxrwx---+?? 5 root domain admins? 4096 Jan? 5 13:28 share-1
> drwxrwx---+?? 9 root domain admins? 4096 Jan? 5 13:28 share-2
> drwxrwx---+ 744 root domain admins 28672 Jan 26 09:51 share-3
> drwxrwx---+? 10 root domain admins? 4096 Mar 13? 2020 share-4
> drwxrwx---+? 14 root domain admins? 4096 Jan 25 16:12 share-5

The problem may be that the numeric ID for 'domain admins' might be
wrong.
>
> The user/group assignment has looked like this from day one.
> The only variation it that the "user" changes to match whatever
> windows user created the file.? It is not an important attribute
> and could be reset to one person.

 From what you are saying, it doesn't sound like you really have a big 
problem.

I would? create a new Unix domain member and create the required share 
structure. Copy the files to the required places on the new Unix domain 
member, then 'chown root:domain admins' the files (you can do this 
recursively by adding '-R' to the command). You can then use
'setfacl'
to add further users and groups.
>
> I'm getting that "permission denied" warning on all these
shares.
> The "group" assigned on Linux hasn't changed from the
original
> configuration.? How do the Security Groups in Windows AD fit
> into this?

Provided 'getent group THE_GROUP_NAME' displays the groups info on Unix,
then Unix knows who they are, if nothing is returned, then Unix cannot 
use them.

You can use Windows to set permissions on Samba shares, see here: 
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland

>
>