Mirko
2022-Mar-09 14:07 UTC
[Samba] Samba as Domain Member: user get permission denied accessing share...
Hi Patrick.

root@pd-ark:~# ll /
drwxr-xr-x  3 root root  4096  9 mar 09.56 srv

root@pd-ark:~# ll /srv/
drwxrwx--- 16 root DOMAIN\domain admins 4096  9 mar 11.35 samba

Thanks

On 09/03/22 14:58, Patrick Goetz via samba wrote:
> What are the linux permissions on /srv? and /srv/samba ?
>
> On 3/9/22 07:02, Mirko via samba wrote:
>> Hello to everybody.
>>
>> I am new to the list and thank you in advance for the time reading.
>>
>> If I join a PC to the domain and log in with a user (eg Isabella)
>> member of "Domain Users" group, I get a permission error.
>> In /var/log/daemon.log I have this:
>>
>> Mar  9 11:38:22 pd-ark smbd[743]: [2022/03/09 11:38:22.188470, 0] ../../source3/smbd/service.c:166(chdir_current_service)
>> Mar  9 11:38:22 pd-ark smbd[743]:   chdir_current_service: vfs_ChDir(/srv/samba/PD-Ambiente) failed: Permesso negato. Current token: uid=11110, gid=10513, 9 groups: 11110 10513 11150 11149 11157 3003 3004 3006 3001
>>
>> If I add the user "Isabella" to the "Domain Admins" group I can
>> enter, read and write inside the PD-Ambiente share.
>>
>> I have correctly set the "Domain Users" group for reading / writing
>> on the "PD-Ambiente" share from within win server (Fastmin user is an
>> administrator).
>>
>> I double-checked and redone all configurations (of the guides) from
>> scratch several times with even reinstalls of debian from scratch.
>> But I can't get it to work.
>> I always have this login error.
>> Where am I wrong? What can I try?
>>
>> A thousand thanks
>>
>> Greetings
>> Mirko
>>
>> Some verification commands:
>>
>> getent group isabella
>> isabella:x:11110:isabella
>>
>> getent group "domain users"
>> domain users:x:10513:
>>
>> getent group "domain admins"
>> domain admins:x:10512:
>>
>> getfacl /srv/samba/PD-Ambiente/
>> getfacl: Removing leading '/' from absolute path names
>> # file: srv/samba/PD-Ambiente/
>> # owner: root
>> # group: domain\040admins
>> user::rwx
>> user:root:rwx
>> user:domain\040admins:rwx
>> user:domain\040users:rwx
>> group::rwx
>> group:domain\040admins:rwx
>> group:domain\040users:rwx
>> mask::rwx
>> other::rwx
>> default:user::rwx
>> default:user:root:rwx
>> default:user:domain\040users:rwx
>> default:group::r-x
>> default:group:domain\040admins:r-x
>> default:group:domain\040users:rwx
>> default:mask::rwx
>> default:other::r-x
>>
>> I followed the guides on the official samba site:
>> - https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>> - https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> AD server is Windows Server 2019 Std.
>> Samba on debian 11.2 version 4.13.13-Debian.
>>
>> File smb.conf:
>>
>> [global]
>>     workgroup = DOMAIN
>>     security = ADS
>>     realm = DOMAIN.LAN
>>
>>     winbind refresh tickets = Yes
>>     vfs objects = acl_xattr
>>     map acl inherit = Yes
>>     #store dos attributes = Yes
>>
>>     winbind enum users = yes
>>     winbind enum groups = yes
>>
>>     # Disable printing...
>>     load printers = no
>>     printing = bsd
>>     printcap name = /dev/null
>>     disable spoolss = yes
>>
>>     log file = /var/log/samba/%m.log
>>     #log level = 1
>>
>>     log level = 3 passdb:5 auth:5
>>
>>     idmap config * : backend = tdb
>>     idmap config * : range = 3000-7999
>>     idmap config DOMAIN : backend = rid
>>     idmap config DOMAIN : range = 10000-999999
>>
>>     username map = /etc/samba/user.map
>>
>>     # https://www.spinics.net/lists/samba/msg172624.html/
>>     # Without this i cannot set SeDiskOperatorPrivilege (get an
>>     # INVALID TOKEN error)...
>>     min domain uid = 0
>>
>> [PD-Ambiente]
>>     comment = Documenti Ambiente
>>     path = /srv/samba/PD-Ambiente
>>     read only = no
>>
>> File user.map:
>>
>> !root = DOMAIN\Fastmin DOMAIN\fastmin
Patrick Goetz
2022-Mar-09 14:17 UTC
[Samba] Samba as Domain Member: user get permission denied accessing share...
The UNIX permissions on the /srv/samba folder indicate that no one
outside the domain admins group will have access to anything inside
/srv/samba (no matter what POSIX ACLs are set or what the Windows
permissions show).
# chmod 775 /srv/samba
and try again.
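The check behind Patrick's answer, as an added example (not code from the thread or from Samba): smbd changes into the share path under the user's token, so every directory on the way needs search (x) permission for that token, whatever ACL the share directory itself carries. The function names and the temporary directory layout are hypothetical; the uid and group list are the token from the log line above, and only mode bits are evaluated, not POSIX ACL entries.

```python
import os
import stat
import tempfile

def search_allowed(st, uid, gids):
    """Kernel rule for directory search (x): exactly one class applies."""
    if uid == 0:
        return True                      # root bypasses the check
    if uid == st.st_uid:
        bit = stat.S_IXUSR               # owner class
    elif st.st_gid in gids:
        bit = stat.S_IXGRP               # group class
    else:
        bit = stat.S_IXOTH               # everyone else
    return bool(st.st_mode & bit)

def first_blocking_dir(path, uid, gids, base="/"):
    """Walk from `base` down to the directory `path`; return the first
    directory whose mode bits deny search to uid/gids, or None.
    Mode bits only: POSIX ACL entries are not evaluated."""
    base = os.path.abspath(base)
    rel = os.path.relpath(os.path.abspath(path), base)
    current = base
    for part in [""] + [p for p in rel.split(os.sep) if p != "."]:
        current = os.path.join(current, part) if part else current
        if not search_allowed(os.stat(current), uid, gids):
            return current
    return None

def demo():
    """Rebuild the thread's layout in a temp dir (constructed sample)."""
    # Token from the smbd log line: uid and supplementary groups
    uid, gids = 11110, {11110, 10513, 11150, 11149, 11157, 3003, 3004, 3006, 3001}
    root = tempfile.mkdtemp()
    share = os.path.join(root, "srv", "samba", "PD-Ambiente")
    os.makedirs(share)
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "srv"), 0o755)
    os.chmod(share, 0o777)                         # leaf is wide open
    samba = os.path.join(root, "srv", "samba")
    os.chmod(samba, 0o770)                         # drwxrwx--- as in the thread
    before = first_blocking_dir(share, uid, gids, base=root)
    os.chmod(samba, 0o775)                         # the suggested chmod
    after = first_blocking_dir(share, uid, gids, base=root)
    return os.path.relpath(before, root), after

if __name__ == "__main__":
    print(demo())
```

On a live member server, `namei -l /srv/samba/PD-Ambiente` lists the owner, group and mode of each component of the same path.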