samba - Jan 2021 - vfs_ChDir failed: Permission denied

On 2021-01-31 10:15 am, Rowland penny via samba wrote:
> On 31/01/2021 14:42, Marco Shmerykowsky via samba wrote:
>> 
>> I found the errors in the smbd log file on the domain member
>> server that contains the file shares.? I have group policies
>> for the desktop background and drives shares.? The policies
>> seem to be applied since the drive maps show up and I do
>> not see any errors when I run gpresult.
>> 
>> The background doesn't show up because the image file is
>> stored in one of the drive shares.? Trying to access the
>> drive shares results in an error under windows that I do
>> not have permission to access the share.
>> 
>>> 
>>> Is there anything surrounding it (paths etc)
>> 
>> The full line in the log is as follows:
>> 
>> ? chdir_current_service: 
>> vfs_ChDir(/path/to/domain-member-server/share) failed: Permission 
>> denied. Current token: uid=11105, gid=10513, 13 groups: 11105 10513 
>> 11119 11118 11120 11121 11122 11135 11138 2004 2005 2007 2002
>> 
>> 
>> Domain Member server.? It seemed to be working fine until the
>> DNS changes.
>> 
>> permissions via getfacl:
>> 
>> # file: path/to/domain-member-server/share
>> # owner: root
>> # group: domain\040admins
>> user::rwx
>> user:root:rwx
>> group::rwx
>> group:domain\040admins:rwx
>> group:owners:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:group::r-x
>> default:group:domain\040admins:r-x
>> default:group:owners:rwx
>> default:mask::rwx
>> default:other::---
>> 
>> Permissions via ls -la:
>> 
>> drwxrwx---+? 14 root domain admins? 4096 Jan 25 16:12 share
> 
> 
> From the data supplied, only root and members of the groups 'Domain
> Admins & owners' can enter the share. You are connecting as a user
> with the ID 11105 and primary group Domain Users, but does the group
> 'owners' have one of these GID's '11119 11118 11120 11121
11122 11135
> 11138'
I believe the answer is 'yes.'  Under windows, the user attempting to
log in is a member of the group 'owners'

running 'wbinfo --name-to-sid user' returns:

S-1-5-21-816939725-271653577-1537739732-1105 SID_USER (1)
                                         ^^^^

running 'wbinfo --name-to-sid group' returns:

S-1-5-21-816939725-271653577-1537739732-1118 SID_DOM_GROUP (2)
                                         ^^^^

On 2021-01-31 10:41 am, Marco Shmerykowsky via samba
wrote:
> On 2021-01-31 10:15 am, Rowland penny via samba wrote:
>> On 31/01/2021 14:42, Marco Shmerykowsky via samba wrote:
>>> 
>>> I found the errors in the smbd log file on the domain member
>>> server that contains the file shares.? I have group policies
>>> for the desktop background and drives shares.? The policies
>>> seem to be applied since the drive maps show up and I do
>>> not see any errors when I run gpresult.
>>> 
>>> The background doesn't show up because the image file is
>>> stored in one of the drive shares.? Trying to access the
>>> drive shares results in an error under windows that I do
>>> not have permission to access the share.
>>> 
>>>> 
>>>> Is there anything surrounding it (paths etc)
>>> 
>>> The full line in the log is as follows:
>>> 
>>> ? chdir_current_service: 
>>> vfs_ChDir(/path/to/domain-member-server/share) failed: Permission 
>>> denied. Current token: uid=11105, gid=10513, 13 groups: 11105 10513
>>> 11119 11118 11120 11121 11122 11135 11138 2004 2005 2007 2002
>>> 
>>> 
>>> Domain Member server.? It seemed to be working fine until the
>>> DNS changes.
>>> 
>>> permissions via getfacl:
>>> 
>>> # file: path/to/domain-member-server/share
>>> # owner: root
>>> # group: domain\040admins
>>> user::rwx
>>> user:root:rwx
>>> group::rwx
>>> group:domain\040admins:rwx
>>> group:owners:rwx
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:group::r-x
>>> default:group:domain\040admins:r-x
>>> default:group:owners:rwx
>>> default:mask::rwx
>>> default:other::---
>>> 
>>> Permissions via ls -la:
>>> 
>>> drwxrwx---+? 14 root domain admins? 4096 Jan 25 16:12 share
>> 
>> 
>> From the data supplied, only root and members of the groups 'Domain
>> Admins & owners' can enter the share. You are connecting as a
user
>> with the ID 11105 and primary group Domain Users, but does the group
>> 'owners' have one of these GID's '11119 11118 11120
11121 11122 11135
>> 11138'
> 
> I believe the answer is 'yes.'  Under windows, the user attempting
to
> log in is a member of the group 'owners'
> 
> running 'wbinfo --name-to-sid user' returns:
> 
> S-1-5-21-816939725-271653577-1537739732-1105 SID_USER (1)
>                                         ^^^^
> 
> running 'wbinfo --name-to-sid group' returns:
> 
> S-1-5-21-816939725-271653577-1537739732-1118 SID_DOM_GROUP (2)
>                                         ^^^^
Correction, the gid seems to be off by 10000.