On 2024-12-20 1:18 p.m., Luke Barone via samba wrote:
> Hi list,
>
> I am running Samba in a 2-DC, 1-Member setup, all on Debian Bookworm,
> version 4.17.12.
>
> I have the member server sharing shares to many users, and it's all working
> except one folder. Here is the member smb.conf (name sanitized):
>
> [global]
> bind interfaces only = Yes
> client signing = required
> disable netbios = Yes
> interfaces = lo enp1s0
> log file = /var/log/samba/%m.log
> realm = SITE.AD.EXAMPLE.CA
> security = ADS
> server role = member server
> server signing = required
> template homedir = /home/SITE/%U
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind separator = /
> winbind use default domain = Yes
> workgroup = SITE
> idmap config SITE : range = 100000-299999
> idmap config SITE : backend = rid
> idmap config * : range = 70000-99999
> idmap config * : backend = tdb
> map acl inherit = Yes
> vfs objects = acl_xattr
> # ... more shares, all of which currently work
> [Yearbook]
> path = /usr/local/share/Yearbook
> read only = No
>
> Here is the shared folder:
> ls -la /usr/local/share/Yearbook/
> total 60
> drwxrwx---+ 4 yearbook domain admins 4096 Dec 10 10:54 .
> drwxr-xr-x 14 root root 4096 Sep 9 13:00 ..
>
> # getfacl /usr/local/share/Yearbook/
> getfacl: Removing leading '/' from absolute path names
> # file: usr/local/share/Yearbook/
> # owner: yearbook
> # group: domain\040admins
> user::rwx
> user:domain\040admins:rwx
> user:yearbookstudents:rwx
> group::rwx
> group:domain\040admins:rwx
> group:yearbook:rwx
> group:yearbookstudents:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:domain\040admins:rwx
> default:user:yearbook:rwx
> default:user:yearbookstudents:rwx
> default:group::rwx
> default:group:domain\040admins:rwx
> default:group:yearbook:rwx
> default:group:yearbookstudents:rwx
> default:mask::rwx
> default:other::---
>
> I am trying to connect as a member of "yearbookstudents", but no matter
> where I login, Windows reports Access Denied. I have verified that
> replication is happening between the two DCs, and that winbind on the file
> server knows the groups my user is part of (based on the gid number). I
> assigned the permissions first through Windows, tested with no change, then
> tried with setfacl recursively. Again, no change - Access is Denied.
>
> Just in case, here is DC1's smb.conf (again, name sanitized):
> [global]
> bind interfaces only = Yes
> disable netbios = Yes
> dns forwarder = 1.1.1.1
> dns zone transfer clients allow = 127.0.0.0/8 ::1/128
> interfaces = lo enp1s0
> ntlm auth = mschapv2-and-ntlmv2-only
> passdb backend = samba_dsdb
> realm = SITE.AD.EXAMPLE.CA
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> winbind separator = /
> workgroup = SITE
> rpc_server:tcpip = no
> rpc_daemon:spoolssd = embedded
> rpc_server:spoolss = embedded
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:svcctl = embedded
> rpc_server:default = external
> winbindd:use external pipes = true
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> map archive = No
> vfs objects = dfs_samba4 acl_xattr
>
> [netlogon]
> path = /var/lib/samba/sysvol/SITE.ad.example.ca/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> Where can I look for more info?
Hi Luke.
Did you check the Yearbook share's Share Permissions? That is: What is
the output of this command on the fileserver:
sharesec Yearbook -v
In the normal case, where you intend to control access to the share via
NT ACLs, the Share Permissions should be set to simply Allow Full
Control to Everyone. In that case, I would expect the above sharesec
command to generate output like this:
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/FULL
If you see something else, then the Share Permissions are possibly the
cause of your access-denial problem.
I hope this helps!
Cheers,
-S.M.
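The check suggested in the reply above, as a small POSIX shell script. This is an added example, not code from the original thread or from the Samba project: it parses the dump that "sharesec <share> -v" prints and reports whether the Share Permissions are the open default (Everyone: Full Control) or something narrower that can override what the NT/POSIX ACLs on the directory grant. The two sample dumps, the S-1-5-21-... domain SID and the RIDs in them are constructed for the example; the "--replace" invocation used to reset a share to the default follows sharesec(1) but should be confirmed against "sharesec --help" on the Samba version in use.

```shell
#!/bin/sh
# Added example (not from the original thread): interpret the Share
# Permissions dump that "sharesec <share> -v" prints on a Samba member server.
# Samba checks the share ACL (stored in share_info.tdb) at tree connect,
# before the NT/POSIX ACL of the path, so a narrow share ACL yields
# "Access is denied" no matter what setfacl or the Windows Security tab
# granted on the directory.

# Sample dumps, constructed for this example. The S-1-5-21-... domain SID and
# the RIDs are placeholders (512 = Domain Admins, 1107 = some domain group).
SAMPLE_OPEN='REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/FULL'

SAMPLE_RESTRICTED='REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-5-21-1111111111-2222222222-3333333333-512:ALLOWED/0x0/FULL
ACL:S-1-5-21-1111111111-2222222222-3333333333-1107:ALLOWED/0x0/READ'

# Emit each ACE of a sharesec dump (stdin) without the "ACL:" prefix and
# without trailing whitespace, one per line.
share_aces() {
    sed -n 's/^ACL:\(.*\)$/\1/p' | sed 's/[[:space:]]*$//'
}

# Classify a sharesec dump read from stdin:
#   open       - exactly one ACE, Everyone (S-1-1-0) allowed Full Control,
#                so only the filesystem ACLs decide who gets in
#   restricted - any other set of ACEs; these can deny users the NT ACLs allow
#   empty      - no ACL lines found (probably not a sharesec dump)
classify_share_acl() {
    aces=$(share_aces)
    if [ -z "$aces" ]; then
        echo empty
    elif [ "$aces" = "S-1-1-0:ALLOWED/0x0/FULL" ]; then
        echo open
    else
        echo restricted
    fi
}

# Print the ACEs that are not the Everyone/Full Control default. Compare their
# SIDs with the SIDs of the user and groups concerned ("wbinfo -n SITE/name"
# on the member server resolves a name to its SID).
suspect_aces() {
    share_aces | grep -v '^S-1-1-0:ALLOWED/0x0/FULL$' || true
}

# Live checks on the file server; both need root because sharesec reads and
# writes share_info.tdb. Flag spelling per sharesec(1); verify with
# "sharesec --help" on your version.
check_share() {
    sharesec "$1" -v | classify_share_acl
}

# Reset a share's Share Permissions to Everyone: Full Control so that access
# is governed solely by the NT ACLs on the path.
reset_share_acl() {
    sharesec "$1" --replace 'S-1-1-0:ALLOWED/0x0/FULL'
}

# Demonstration on the constructed samples.
printf 'open sample: %s\n' "$(printf '%s\n' "$SAMPLE_OPEN" | classify_share_acl)"
printf 'restricted sample: %s\n' "$(printf '%s\n' "$SAMPLE_RESTRICTED" | classify_share_acl)"
printf 'entries to inspect:\n'
printf '%s\n' "$SAMPLE_RESTRICTED" | suspect_aces
```

Run it as root on the member server with "check_share Yearbook" after sourcing the file; the script keys only on the ACL: lines, so the REVISION/CONTROL/OWNER/GROUP header lines in the dump are ignored. If the result is "restricted", the printed entries are the ones to compare against the SIDs of the user and of the yearbookstudents group before touching the filesystem ACLs again.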