samba - Nov 2021 - chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied.

On 11/27/21 18:27, Patrick Goetz via samba wrote:
> Sure, but Samba, which runs are root, 
smbd does not run as root when executing SMB requests, it impersonates 
the user UNIX token while doing this.


-slow

-- 
Ralph Boehme, Samba Team                 https://samba.org/
SerNet Samba Team Lead      https://sernet.de/en/team-samba
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20211127/acb347d7/OpenPGP_signature.sig>

Ah, good to know. Thanks!

(And yes, this is of course much better even if it introduces other 
complications.)

On 11/27/21 14:04, Ralph Boehme wrote:
> On 11/27/21 18:27, Patrick Goetz via samba wrote:
>> Sure, but Samba, which runs are root, 
> 
> smbd does not run as root when executing SMB requests, it impersonates 
> the user UNIX token while doing this.
> 
> 
> -slow
> 
> 
> 
> This message is from an external sender. Learn more about why this 
> matters.
<https://ut.service-now.com/sp?id=kb_article&number=KB0011401>
> 
>

On 27 November 2021 20:05 Ralph Boehme wrote:
> On 11/27/21 18:27, Patrick Goetz via samba wrote:
> > Sure, but Samba, which runs are root,
> 
> smbd does not run as root when executing SMB requests, it impersonates
> the user UNIX token while doing this.
> 
OK, that explains why one of my Domain Computers got permission denied, but that
raises the other question - why then is a normal user able to access his/her
files which live in /srv/samba/users/<username> without any problem?     
The permissions on /srv/samba (before I added the "x") was rwxrwx--- :
root and Domain Admins only have access.     So Domain Users were able to
traverse the hierarchy but not Domain Computers.    Why?

Thanks,

Roy

A full output of the created structure would be nice
and helps to explain that.  

For all the used folders a getfacl should tell sufficent. 
getfacl /srv
getfacl /srv/samba
getfacl /srv/samba/users
getfacl /srv/samba/users/username 

But i suspect "SYSTEM" is missing somewhere. 
And/Or did you change the Share Rights in Windows. 
Because, if you do that, AFTER users are created, 
it can mess up already existing folders and there rights.

I work in this order. 
1) install samba.
2) create the folders in /srv/samba and setup the shares. 
3) setup the share and folder fights. 
4) create users and set user home and profiles

Greetz,

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> spindles seven via samba
> Verzonden: zondag 28 november 2021 0:41
> Aan: samba at lists.samba.org
> CC: 'Patrick Goetz'
> Onderwerp: Re: [Samba] chdir_current_service: 
> vfs_ChDir(/srv/samba/users) failed: Permission denied.
> 
> On 27 November 2021 20:05 Ralph Boehme wrote:
> > On 11/27/21 18:27, Patrick Goetz via samba wrote:
> > > Sure, but Samba, which runs are root,
> > 
> > smbd does not run as root when executing SMB requests, it 
> impersonates
> > the user UNIX token while doing this.
> > 
> OK, that explains why one of my Domain Computers got 
> permission denied, but that raises the other question - why 
> then is a normal user able to access his/her files which live 
> in /srv/samba/users/<username> without any problem?      The 
> permissions on /srv/samba (before I added the "x") was 
> rwxrwx--- : root and Domain Admins only have access.     So 
> Domain Users were able to traverse the hierarchy but not 
> Domain Computers.    Why?
> 
> Thanks,
> 
> Roy
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>