L.P.H. van Belle
2021-Nov-29 09:52 UTC
[Samba] chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied.
A full output of the created structure would be nice
and helps to explain that.

For all the used folders a getfacl should tell sufficient.
getfacl /srv
getfacl /srv/samba
getfacl /srv/samba/users
getfacl /srv/samba/users/username

But I suspect "SYSTEM" is missing somewhere.
And/Or did you change the Share Rights in Windows.
Because, if you do that, AFTER users are created,
it can mess up already existing folders and their rights.

I work in this order.
1) install samba.
2) create the folders in /srv/samba and setup the shares.
3) setup the share and folder rights.
4) create users and set user home and profiles

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of spindles seven via samba
> Sent: Sunday 28 November 2021 0:41
> To: samba at lists.samba.org
> CC: 'Patrick Goetz'
> Subject: Re: [Samba] chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied.
>
> On 27 November 2021 20:05 Ralph Boehme wrote:
> > On 11/27/21 18:27, Patrick Goetz via samba wrote:
> > > Sure, but Samba, which runs as root,
> >
> > smbd does not run as root when executing SMB requests, it impersonates
> > the user UNIX token while doing this.
> >
> OK, that explains why one of my Domain Computers got
> permission denied, but that raises the other question - why
> then is a normal user able to access his/her files which live
> in /srv/samba/users/<username> without any problem? The
> permissions on /srv/samba (before I added the "x") was
> rwxrwx--- : root and Domain Admins only have access. So
> Domain Users were able to traverse the hierarchy but not
> Domain Computers. Why?
>
> Thanks,
>
> Roy
Roy Eastwood
2021-Nov-29 10:21 UTC
[Samba] chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied.
Ok, here are the results:

roy@lxd-m1:~$ sudo getfacl /srv
[sudo] password for roy:
getfacl: Removing leading '/' from absolute path names
# file: srv
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

roy@lxd-m1:~$ sudo getfacl /srv/samba
getfacl: Removing leading '/' from absolute path names
# file: srv/samba
# owner: root
# group: domain\040admins
# flags: -s-
user::rwx
group::rwx
other::--x

roy@lxd-m1:~$ sudo getfacl /srv/samba/users
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/users
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
user:domain\040admins:rwx
user:domain\040computers:r-x
group::rwx
group:NT\040Authority\\authenticated\040users:rwx
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:domain\040admins:rwx
default:group::---
default:group:NT\040Authority\\system:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---

roy@lxd-m1:~$ sudo getfacl /srv/samba/users/karen
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/users/karen
# owner: karen
# group: domain\040users
user::rwx
user:root:rwx
user:domain\040admins:rwx
group::---
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:domain\040users:---
group:karen:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:domain\040admins:rwx
default:user:karen:rwx
default:group::---
default:group:NT\040Authority\\system:rwx
default:group:domain\040admins:rwx
default:group:domain\040users:---
default:group:karen:rwx
default:mask::rwx
default:other::---

Thanks for your help,

Roy
L.P.H. van Belle
2021-Nov-29 16:01 UTC
[Samba] chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied.
What I see here:

/srv is fine.
-------------------
/srv/samba not fully, it's possible to use it like this.
# flags: -s-  your setting Creator Group, it's possible.
other::--x  it allows traversal, but this is also before a share ping, you need read rights also.
to be able to read the next folder. ( like users)

So I have

# file: srv/samba
# owner: root
# group: root
# flags: s--
user::rwx
group::rwx
other::r-x

----------------
The users share is very different.

What I really recommend..

Setup exactly as shown here.
https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-folder-redirection

When that's done, create 1 user in there and capture the settings with getfacl and samba-tools
sudo samba-tool ntacl get /srv/samba/users/ --as-sddl

Then if something goes wrong you can easily script it to fix it.

So this is what I have.

# file: srv/samba/users
# owner: root
# group: root
# flags: -s-
user::rwx
user:root:rwx
group::---
group:root:---
group:BUILTIN\\administrators:rwx
group:BUILTIN\\users:r-x
group:2007:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:BUILTIN\\administrators:rwx
default:group:2007:rwx
default:mask::rwx
default:other::---

(Domain Users is member of BUILTIN\\users. )
(Domain Admins is member of BUILTIN\\Administrators. )

wbinfo -G 2007 = S-1-5-18
wbinfo -s S-1-5-18 = NT Authority\SYSTEM 5

(Domain Users is member of BUILTIN\\users. )

Looking at your set.. I suspect this is the one that's wrong.
group:domain\040users:---

What I suggest, create a new share, don't change the share security.
Run this on the new test folder

samba-tool ntacl set "O:LAG:S-1-22-2-0D:PAI(A;;0x001200a9;;;BU)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;BA)" /srv/samba/users-test

This is the following setting.
Security on the folder, (via Advanced)
Creator Owner, only on subfolders and files.
SYSTEM Full control
Administrators (Domain admins) full control.
Users (Domain users), Read and Exec, only this folder.

Then run this

TESTUSER=karen
samba-tool ntacl set "O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;0x001301bf;;;$(wbinfo --name-to-sid "${TESTUSER}" |awk '{ print $1 }'))(A;ID;0x001200a9;;;S-1-22-2-0)(A;OICIIOID;0x001200a9;;;CG)(A;OICIID;0x001f01ff;;;LA)(A;OICIID;0x001f01ff;;;DA)" /srv/samba/users/"${TESTUSER}"

Now look at the rights from within Windows on karen's folder.

It is this setup.
https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-folder-redirection

The pitfall in that text is:
Security group of users who need to put data on the share (Folder Redirection Users)
Don't use domain users or everyone

I use "Redirected Folder Users"

I hope this helps a bit.

Greetz,

Louis
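Added example (not part of the posts above): a small decoder for the DACL part of the two SDDL strings passed to samba-tool ntacl set in the message above, so the result can be compared with the Windows Security tab. The lookup tables cover only the aliases, masks and flags used in this thread, and USER_SID is a constructed placeholder for the SID the thread obtains with wbinfo.

```python
import re

# Trustee aliases, access masks and inheritance flags limited to the ones
# that occur in the thread's two SDDL strings (not a complete SDDL table).
ALIASES = {"BU": "BUILTIN\\Users", "BA": "BUILTIN\\Administrators",
           "SY": "NT AUTHORITY\\SYSTEM", "CO": "CREATOR OWNER",
           "CG": "CREATOR GROUP", "LA": "Local Administrator",
           "DA": "Domain Admins"}
MASKS = {0x001F01FF: "Full control", 0x001301BF: "Modify",
         0x001200A9: "Read & execute"}
APPLIES = {frozenset(): "This folder only",
           frozenset({"OI", "CI"}): "This folder, subfolders and files",
           frozenset({"OI", "CI", "IO"}): "Subfolders and files only"}
# Share-root string from the thread, verbatim.
FOLDER_SDDL = ("O:LAG:S-1-22-2-0D:PAI(A;;0x001200a9;;;BU)"
               "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)"
               "(A;OICI;0x001f01ff;;;BA)")
# Per-user string from the thread; the SID that the thread looks up with
# wbinfo is replaced by a constructed placeholder SID.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
USER_SDDL = ("O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;0x001301bf;;;" + USER_SID +
             ")(A;ID;0x001200a9;;;S-1-22-2-0)(A;OICIIOID;0x001200a9;;;CG)"
             "(A;OICIID;0x001f01ff;;;LA)(A;OICIID;0x001f01ff;;;DA)")

def parse_dacl(sddl):
    """Return (dacl_flags, aces) for the D: component of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL (D:) component with ACEs found")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, _guid, _inherit_guid, trustee = fields
        flag_set = set(re.findall(r"[A-Z]{2}", flags))
        scope = frozenset(flag_set - {"ID"})  # ID only marks an inherited ACE
        mask = int(rights, 16) if rights.lower().startswith("0x") else None
        aces.append({
            "type": {"A": "Allow", "D": "Deny"}.get(ace_type, ace_type),
            "trustee": ALIASES.get(trustee, trustee),
            "access": MASKS.get(mask, rights),
            "applies_to": APPLIES.get(scope, "+".join(sorted(scope))),
            "inherited": "ID" in flag_set,
        })
    return m.group(1), aces

def describe(sddl):
    """One line per ACE, in the style of the Windows Advanced Security view."""
    flags, aces = parse_dacl(sddl)
    note = " (protected from inheritance)" if "P" in flags else ""
    head = "DACL flags: %s%s" % (flags or "-", note)
    return [head] + ["%(type)s %(trustee)s: %(access)s: %(applies_to)s" % a
                     + (" (inherited)" if a["inherited"] else "") for a in aces]

if __name__ == "__main__":
    for s in (FOLDER_SDDL, USER_SDDL):
        print("\n".join(describe(s)), end="\n\n")
```
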
spindles seven
2021-Dec-01 15:42 UTC
[Samba] chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied.
On 29 November 2021 16:02 L.P.H. van Belle wrote:
> What I see here:
>
> /srv is fine.
> -------------------
> /srv/samba not fully, it's possible to use it like this.
> # flags: -s-  your setting Creator Group, it's possible.
> other::--x  it allows traversal, but this is also before a share ping, you need read rights also.
> to be able to read the next folder. ( like users)
>
> So I have
>
> # file: srv/samba
> # owner: root
> # group: root
> # flags: s--
> user::rwx
> group::rwx
> other::r-x
>
OK have changed /srv/samba to match your settings.

> ----------------
> The users share is very different.
>
> What I really recommend..
>
> Setup exactly as shown here.
> https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-folder-redirection
>
> When that's done, create 1 user in there and capture the settings with getfacl and samba-tools
> sudo samba-tool ntacl get /srv/samba/users/ --as-sddl
>
> Then if something goes wrong you can easily script it to fix it.
>
> So this is what I have.
>
> # file: srv/samba/users
> # owner: root
> # group: root
> # flags: -s-
> user::rwx
> user:root:rwx
> group::---
> group:root:---
> group:BUILTIN\\administrators:rwx
> group:BUILTIN\\users:r-x
> group:2007:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:root:---
> default:group:BUILTIN\\administrators:rwx
> default:group:2007:rwx
> default:mask::rwx
> default:other::---
>
> (Domain Users is member of BUILTIN\\users. )
> (Domain Admins is member of BUILTIN\\Administrators. )
>
> wbinfo -G 2007 = S-1-5-18
> wbinfo -s S-1-5-18 = NT Authority\SYSTEM 5
>
> (Domain Users is member of BUILTIN\\users. )
>
>
> Looking at your set.. I suspect this is the one that's wrong.
> group:domain\040users:---
That shows no access for Domain Users? If so still don't understand why Domain Users were able to traverse /srv/samba but Domain Computers were not.

>
> What I suggest, create a new share, don't change the share security.
OK did that and set permissions and the -s- flag with:
chmod 2770 /srv/samba/users-test

> Run this on the new test folder
> samba-tool ntacl set "O:LAG:S-1-22-2-0D:PAI(A;;0x001200a9;;;BU)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;BA)" /srv/samba/users-test
>
This produced:

root@lxd-m1:~# samba-tool ntacl set "O:LAG:S-1-22-2-0D:PAI(A;;0x001200a9;;;BU)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;BA)" /srv/samba/users-test
root@lxd-m1:~# getfacl /srv/samba/users-test
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/users-test
# owner: administrator
# group: root
# flags: -s-
user::rwx
user:administrator:rwx
group::---
group:root:---
group:BUILTIN\\administrators:rwx
group:BUILTIN\\users:r-x
group:NT\040Authority\\system:rwx
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:group::---
default:group:root:---
default:group:BUILTIN\\administrators:rwx
default:group:NT\040Authority\\system:rwx
default:mask::rwx
default:other::---

However, when I tried to look at this from Windows, I wasn't able to see the entries on the Security tab until I removed the line from smb.conf:
acl_xattr:ignore system acls = yes
and restarted smbd. Windows then showed (for the share \\lxd-m1\users-test):

Administrator:Full Control:This Folder, subfolders and files
CREATOR OWNER:Full Control:Subfolders and files only
CREATOR GROUP:none: Subfolders and files only
SYSTEM: Full Control:This Folder, subfolders and files
Administrators (LXD-M1\Administrators): Full Control:This Folder, subfolders and files
root (Unix Group\root):none:This Folder, subfolders and files
Users (LXD-M1\Users):Read & Execute:This folder only
Everyone:none:This Folder, subfolders and files

If I edit the above from Windows, removing the Administrator, CREATOR GROUP, root and Everyone entries and then restore the acl_xattr:ignore system acls = yes setting in smb.conf, restarting smbd, the entries become like you show below:

> This is the following setting.
> Security on the folder, (via Advanced)
> Creator Owner, only on subfolders and files.
> SYSTEM Full control
> Administrators (Domain admins) full control.
> Users (Domain users), Read and Exec, only this folder.
>
I created a security group called 'Redirected Folder Users' and I then created a test user called 'testuser' and set the Home folder to connect the H: drive to: \\lxd-m1.microlynx.org\users-test\%username%, and made the user a member of that group. This automatically created the testuser's home folder in /srv/samba/users-test as expected:

root@lxd-m1:~# getfacl /srv/samba/users-test/testuser
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/users-test/testuser
# owner: roy
# group: domain\040users
# flags: -s-
user::rwx
user:administrator:rwx
group::---
group:root:---
group:BUILTIN\\administrators:rwx
group:NT\040Authority\\system:rwx
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:group::---
default:group:root:---
default:group:BUILTIN\\administrators:rwx
default:group:NT\040Authority\\system:rwx
default:mask::rwx
default:other::---

> Then run this
> TESTUSER=karen
> samba-tool ntacl set "O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;0x001301bf;;;$(wbinfo --name-to-sid "${TESTUSER}" |awk '{ print $1 }'))(A;ID;0x001200a9;;;S-1-22-2-0)(A;OICIIOID;0x001200a9;;;CG)(A;OICIID;0x001f01ff;;;LA)(A;OICIID;0x001f01ff;;;DA)" /srv/samba/users/"${TESTUSER}"
>
> Now look at the rights from within Windows on karen's folder.
>
I then ran the above (replacing karen with testuser and /srv/samba/users with /srv/samba/users-test) and got:

testuser:Full Control:This Folder, subfolders and files
Administrators (LXD-M1\Administrators): Full Control:This Folder, subfolders and files
roy: Full Control:This Folder, subfolders and files
CREATOR OWNER:Full Control:Subfolders and files only
SYSTEM: Full Control:This Folder, subfolders and files
Administrators (LXD-M1\Administrators): Full Control:This Folder, subfolders and files
(The last 4 inherited from \\lxd-m1\users-test)

There's no mention of the Redirected Folder Users. I assume I need to add that manually to the users-test share?

>
> It is this setup.
> https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-folder-redirection
>
> The pitfall in that text is:
> Security group of users who need to put data on the share (Folder Redirection Users)
> Don't use domain users or everyone
>
> I use "Redirected Folder Users"
>
> I hope this helps a bit.
>
>
> Greetz,
>
> Louis

Note that I was using a user with Domain Admin rights (roy) - I couldn't get the Domain Administrator user (MICROLYNX\Administrator) to access any of the samba domain computers using Computer Management console from Windows 10. Is that because Administrator is mapped to root and is that expected?

Thanks for your valuable help.

Roy