samba - Nov 2021 - chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied.

On Sat, 2021-11-27 at 11:09 +0000, spindles seven via samba
wrote:
> On 27 November 2021 10:10 Ralph Boehme wrote:
> > what about the permission on /, /srv and /srv/samba? The account
> > needs
> > at least "x" there.
> > 
> > -slow
> > 
> Thanks Ralph.
> 
> So  "x" was missing on /srv/samba: 
> root at lxd-m1:~# ls -l /srv
> total 16
> drwxrwx--- 1 root domain admins 34 Feb 26  2021 samba
> 
> So add it:
> root at lxd-m1:~# chmod 771 /srv/samba
> root at lxd-m1:~# ls -l /srv
> total 16
> drwxrwx--x 1 root domain admins 34 Feb 26  2021 samba
> 
> The samba WiKi doesn't mention adding the "x" at all in the
directory
> hierarchy as far as I can see;   if so maybe a note needs adding to
> the relevant page(s)?
That is because it is standard Unix, 'x' on a directory means
'enter'
or 'traverse' and if you cannot traverse directories, then you cannot
reach the share.
> 
> Have added the "x" to the /srv/samba directory and the logs
haven't
> recurred (so far!).
> 
> Not sure I understand why this will work, considering that the line:
> "acl_xattr:ignore system acl = yes" is in smb.conf?
> 
> Checking man smb.conf I can't find the description of this parameter.
> A search finds mention of "acl)xattr:ignore system acls = yes"
(note
> the plural of acl) but no actual description of the parameter.
man vfs_acl_xattr
> 
> The Wiki suggests adding "acl_xattr:ignore system acl = yes", but
> should it be: "acl_xattr:ignore system acls = yes"?
Yes, I have fixed it.

Rowland

On 27 November 2021 11:36 Rowland Penny wrote:
> > The samba WiKi doesn't mention adding the "x" at all in
the directory
> > hierarchy as far as I can see;   if so maybe a note needs adding to
> > the relevant page(s)?
> 
> That is because it is standard Unix, 'x' on a directory means
'enter'
> or 'traverse' and if you cannot traverse directories, then you
cannot
> reach the share.
> 
OK, makes sense.   May be worth putting this in the troubleshooting section - to
check this setting if these log messages are seen?
> >
> > Have added the "x" to the /srv/samba directory and the logs
haven't
> > recurred (so far!).
> >
> > Not sure I understand why this will work, considering that the line:
> > "acl_xattr:ignore system acl = yes" is in smb.conf?
> >
> > Checking man smb.conf I can't find the description of this
parameter.
> > A search finds mention of "acl)xattr:ignore system acls =
yes" (note
> > the plural of acl) but no actual description of the parameter.
> 
> man vfs_acl_xattr
Thanks.
> 
> >
> > The Wiki suggests adding "acl_xattr:ignore system acl =
yes", but
> > should it be: "acl_xattr:ignore system acls = yes"?
> 
> Yes, I have fixed it.
OK, good.
> 
> Rowland
> 
Thanks Rowland and Ralph.    Those log entries have indeed stopped now, so that
indeed was the issue.

Best regards,

Roy

On 11/27/21 05:35, Rowland Penny via samba wrote:
> On Sat, 2021-11-27 at 11:09 +0000, spindles seven via samba wrote:
>> On 27 November 2021 10:10 Ralph Boehme wrote:
>>> what about the permission on /, /srv and /srv/samba? The account
>>> needs
>>> at least "x" there.
>>>
>>> -slow
>>>
>> Thanks Ralph.
>>
>> So  "x" was missing on /srv/samba:
>> root at lxd-m1:~# ls -l /srv
>> total 16
>> drwxrwx--- 1 root domain admins 34 Feb 26  2021 samba
>>
>> So add it:
>> root at lxd-m1:~# chmod 771 /srv/samba
>> root at lxd-m1:~# ls -l /srv
>> total 16
>> drwxrwx--x 1 root domain admins 34 Feb 26  2021 samba
>>
>> The samba WiKi doesn't mention adding the "x" at all in
the directory
>> hierarchy as far as I can see;   if so maybe a note needs adding to
>> the relevant page(s)?
> 
> That is because it is standard Unix, 'x' on a directory means
'enter'
> or 'traverse' and if you cannot traverse directories, then you
cannot
> reach the share.
> 

Sure, but Samba, which runs are root, is acting as a middle man in the 
file service, so it's not transparently clear that user execute 
permission in a parent directory is a prerequisite for access; e.g. 
Samba could be treating this like a bind mount or NFS root. In fact, 
based on the way shares are accessed this would be a logical assumption. 
I mount \\server\share, not server:/data/share which is where the files 
actually live in the filesystem hierarchy so why should I care what the 
permissions on /data are?

This is something worth mentioning in a warning note.

>>
>> Have added the "x" to the /srv/samba directory and the logs
haven't
>> recurred (so far!).
>>
>> Not sure I understand why this will work, considering that the line:
>> "acl_xattr:ignore system acl = yes" is in smb.conf?
>>
>> Checking man smb.conf I can't find the description of this
parameter.
>> A search finds mention of "acl)xattr:ignore system acls =
yes" (note
>> the plural of acl) but no actual description of the parameter.
> 
> man vfs_acl_xattr
> 
>>
>> The Wiki suggests adding "acl_xattr:ignore system acl = yes",
but
>> should it be: "acl_xattr:ignore system acls = yes"?
> 
> Yes, I have fixed it.
> 
> Rowland
> 
> 
>