On 2021-01-31 8:36 am, Rowland Penny via samba wrote:
> On 31/01/2021 13:18, Marco Shmerykowsky via samba wrote:
>> After working on DNS issues, I thought I had everything working.
>>
>> When I log into the domain on windows, the drive maps are
>> applied by group policy, but the server that contains all
>> the shares denies access to everything with a number of
>> errors in the following format:
>>
>> vfs_ChDir(/path/to/server/share) failed: Permission denied
>>
>> Thoughts?
>>
>
> I think you haven't given us enough information to work with ?
Short description. Everything seemed to be working until
I embarked on an effort to correct apparent DNS issues. :)
Can't this be fixed automagically? :)
>
> Where is the error message coming from ?
I found the errors in the smbd log file on the domain member
server that contains the file shares. I have group policies
for the desktop background and drives shares. The policies
seem to be applied since the drive maps show up and I do
not see any errors when I run gpresult.
The background doesn't show up because the image file is
stored in one of the drive shares. Trying to access the
drive shares results in an error under windows that I do
not have permission to access the share.
>
> Is there anything surrounding it (paths etc)
The full line in the log is as follows:
chdir_current_service: vfs_ChDir(/path/to/domain-member-server/share)
failed: Permission denied. Current token: uid=11105, gid=10513, 13
groups: 11105 10513 11119 11118 11120 11121 11122 11135 11138 2004 2005
2007 2002
>
> If it is on a Unix domain member, what is in smb.conf.
Domain Member server. It seemed to be working fine until the
DNS changes.
[global]
workgroup = AD_DOMAIN
security = ADS
realm = AD-DOMAIN.COMPANY.COM
server string = Samba 4 Client %h
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
## map ids outside of domain to RDB files
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain
idmap config AD-DOMAIN : backend = rid
idmap config AD-DOMAIN : range = 10000-999999
# uncomment next line to allow login
# template shell = /bin/bash
template homedir = /home/%U
domain master = no
local master = no
preferred master = no
# user Administrator workaround
username map = /etc/samba/user.map
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# disable printing completely
# remove these lines to print
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# logging
# change the number to raise level
log level = 0
# map untrusted to domain = yes
[share]
path = /path/to/domain-member-server/share
read only = no
>
> If it is a Unix domain member, what permissions are set on the share
> (including those shown by getfacl) ?
permissions via getfacl:
# file: path/to/domain-member-server/share
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040admins:rwx
group:owners:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:domain\040admins:r-x
default:group:owners:rwx
default:mask::rwx
default:other::---
Permissions via ls -la:
drwxrwx---+ 14 root domain admins 4096 Jan 25 16:12 share
>
> Rowland
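
An added example, not part of the original thread: one way to compare the "Current token" from the smbd log line with the share's access ACL, using the POSIX ACL check order (owner, named users, groups, other). It assumes numeric `getfacl -n` style entries; 10512 for Domain Admins follows from RID 512 plus the rid range start of 10000 in the posted smb.conf, while `OWNERS_GID` is a hypothetical placeholder because the thread does not give the gid of "owners".

```python
import re

# Log line from the post, joined onto one line.
LOG = ("chdir_current_service: vfs_ChDir(/path/to/domain-member-server/share) "
       "failed: Permission denied. Current token: uid=11105, gid=10513, 13 "
       "groups: 11105 10513 11119 11118 11120 11121 11122 11135 11138 2004 "
       "2005 2007 2002")

# Constructed numeric form of the access ACL shown by getfacl in the post.
# 0 = root, 10512 = Domain Admins (RID 512 + rid range start 10000).
# OWNERS_GID is a hypothetical value; the real gid of "owners" is not given.
OWNERS_GID = 11200
ACL = f"""user::rwx
user:0:rwx
group::rwx
group:10512:rwx
group:{OWNERS_GID}:rwx
mask::rwx
other::---"""

def parse_token(line):
    """Return (uid, set of all gids) from an smbd 'Current token' line."""
    m = re.search(r"uid=(\d+), gid=(\d+), \d+ groups: ([\d ]+)", line)
    gids = {int(m.group(2))} | {int(g) for g in m.group(3).split()}
    return int(m.group(1)), gids

def check_access(acl_text, owner_uid, owner_gid, uid, gids, want="x"):
    """POSIX ACL check; returns (granted, entry that decided the result)."""
    perms = {(t, q): p for t, q, p in
             (l.split(":") for l in acl_text.splitlines() if l.strip())}
    mask = perms.get(("mask", ""), "rwx")
    if uid == owner_uid:                      # owner entry ignores the mask
        return want in perms[("user", "")], "user::"
    for (t, q), p in perms.items():           # named user entries
        if t == "user" and q and int(q) == uid:
            return want in p and want in mask, f"user:{q}"
    hit = None
    for (t, q), p in perms.items():           # owning group and named groups
        if t != "group":
            continue
        g = owner_gid if q == "" else int(q)
        if g in gids:
            hit = f"group:{q}"
            if want in p and want in mask:
                return True, hit
    if hit:                                   # a group matched, none granted
        return False, hit
    return want in perms[("other", "")], "other::"
```

chdir needs search (`x`) permission on the share directory and on every parent directory, so the same check applies to each path component.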