samba - Nov 2021 - chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied.

Since upgrade to samba version 4.15 one of my member servers which provides the
'home' directory for users, the above logs appear in syslog on a regular
basis.  The permissions are set from Windows and initially were as follows:

//lxd-m1/users (path on server is /srv/samba/users):
Share Tab:   Everyone: Full Control
Security Tab (NTFS Permissions):
Domain Users 	Read & execute 	This folder only 
CREATOR OWNER 	Full control 	Subfolders and files only 
Domain Admins 	Full control 	This folder, subfolders and files

The full log message is:

Nov 26 21:14:51 lxd-m1 smbd[200894]:   chdir_current_service:
vfs_ChDir(/srv/samba/users) failed: Permission denied. Current token: uid=11104,
gid=10515, 7 groups: 11104 10515 10513 2003 2004 2006 2001

uid 11104 belongs to a Windows 10 member workstation (lion-x99) and group 10515
is Domain Computers.   Group 2006 is Authenticated Users

So I added:
Authenticated Users   Read & execute     This folder only
and
SYSTEM                          Full Control           This folder, subfolders
and files

But the problem persists.

The platform is Debian Bullseye, samba is version 4.15.2 (Louis' repo).

The results of getfacl on /srv/samba/users:
root at lxd-m1:~# getfacl /srv/samba/users
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/users
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
user:domain\040admins:rwx
group::rwx
group:NT\040Authority\\authenticated\040users:rwx
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:domain\040admins:rwx
default:group::---
default:group:NT\040Authority\\system:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---

Identify user and groups:
root at lxd-m1:~# getent passwd 11104
lion-x99$:*:11104:10515::/srv/samba/users/lion-x99_:/bin/bashroot at lxd-m1:~#
getent group 10515
domain computers:x:10515:
root at lxd-m1:~# getent group 2003
\everyone:x:2003:
root at lxd-m1:~# getent group 2004
NT Authority\network:x:2004:
root at lxd-m1:~# getent group 2006
NT Authority\authenticated users:x:2006:
root at lxd-m1:~# getent group 2001
BUILTIN\users:x:2001:

Result of testparm:
root at lxd-m1:~# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        bind interfaces only = Yes
        dedicated keytab file = /etc/krb5.keytab
        interfaces = lo eth0
        kerberos method = secrets and keytab
        log file = /var/log/samba/%m.log
        panic action = /usr/local/bin/gdb_backtrace %d
        realm = MICROLYNX.ORG
        security = ADS
        template homedir = /srv/samba/users/%U
        template shell = /bin/bash
        username map = /etc/samba/user.map
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        workgroup = MICROLYNX
        idmap config microlynx:range = 10000-99999
        idmap config microlynx:backend = rid
        idmap config *:range = 2000-9999
        idmap config * : backend = tdb
        map acl inherit = Yes


[profiles]
        path = /srv/samba/profiles
        read only = No
        vfs objects = btrfs acl_xattr
        acl_xattr:ignore system acl = yes


[users]
        path = /srv/samba/users
        read only = No
        vfs objects = btrfs recycle acl_xattr
        recycle:exclude_dir = %U/Recycle_Bin
        recycle:exclude = *.tmp,~$*
        recycle:touch = Yes
        recycle:keeptree = Yes
        recycle:versions = Yes
        recycle:repository = %U/Recycle_Bin
        acl_xattr:ignore system acl = yes


[test]
        path = /srv/samba/test
        read only = No
        vfs objects = btrfs acl_xattr


I am struggling to know what to do next to track down this issue.  Any
suggestions?

Roy Eastwood

Hello spindles,

On 11/27/21 11:02, spindles seven via samba wrote:
> I am struggling to know what to do next to track down this issue.  Any
suggestions?
what about the permission on /, /srv and /srv/samba? The account needs 
at least "x" there.

-slow

-- 
Ralph Boehme, Samba Team                 https://samba.org/
SerNet Samba Team Lead      https://sernet.de/en/team-samba
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20211127/3cb34d17/OpenPGP_signature.sig>