Mirko
2022-Mar-09 13:02 UTC
[Samba] Samba as Domain Member: user get permission denied accessing share...
Hello to everybody.

I am new to the list and thank you in advance for the time reading.

If I join a PC to the domain and log in with a user (e.g. Isabella) who is a member of the "Domain Users" group, I get a permission error.
In /var/log/daemon.log I have this:

Mar  9 11:38:22 pd-ark smbd[743]: [2022/03/09 11:38:22.188470,  0] ../../source3/smbd/service.c:166(chdir_current_service)
Mar  9 11:38:22 pd-ark smbd[743]:   chdir_current_service: vfs_ChDir(/srv/samba/PD-Ambiente) failed: Permesso negato. Current token: uid=11110, gid=10513, 9 groups: 11110 10513 11150 11149 11157 3003 3004 3006 3001

If I add the user "Isabella" to the "Domain Admins" group I can enter, read and write inside the PD-Ambiente share.

I have correctly set the "Domain Users" group for reading / writing on the "PD-Ambiente" share from within win server (Fastmin user is an administrator).

I double-checked and redid all the configurations (from the guides) from scratch several times, even reinstalling Debian from scratch.
But I can't get it to work.
I always have this login error.
Where am I wrong? What can I try?

A thousand thanks

Greetings
Mirko

Some verification commands:

getent group isabella
isabella:x:11110:isabella

getent group "domain users"
domain users:x:10513:

getent group "domain admins"
domain admins:x:10512:

getfacl /srv/samba/PD-Ambiente/
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/PD-Ambiente/
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
user:domain\040admins:rwx
user:domain\040users:rwx
group::rwx
group:domain\040admins:rwx
group:domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:user:domain\040users:rwx
default:group::r-x
default:group:domain\040admins:r-x
default:group:domain\040users:rwx
default:mask::rwx
default:other::r-x

I followed the guides on the official samba site:
- https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
- https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

AD server is Windows Server 2019 Std.
Samba on debian 11.2 version 4.13.13-Debian.

File smb.conf:

[global]
    workgroup = DOMAIN
    security = ADS
    realm = DOMAIN.LAN

    winbind refresh tickets = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    #store dos attributes = Yes

    winbind enum users = yes
    winbind enum groups = yes

    # Disable printing...
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    log file = /var/log/samba/%m.log
    #log level = 1

    log level = 3 passdb:5 auth:5

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 10000-999999

    username map = /etc/samba/user.map

    # https://www.spinics.net/lists/samba/msg172624.html
    # Without this i cannot set SeDiskOperatorPrivilege (get an INVALID TOKEN error)...
    min domain uid = 0

[PD-Ambiente]
    comment = Documenti Ambiente
    path = /srv/samba/PD-Ambiente
    read only = no

File user.map:

!root = DOMAIN\Fastmin DOMAIN\fastmin
Rowland Penny
2022-Mar-09 13:18 UTC
[Samba] Samba as Domain Member: user get permission denied accessing share...
On Wed, 2022-03-09 at 14:02 +0100, Mirko via samba wrote:
> Hello to everybody.
>
> I am new to the list and thank you in advance for the time reading.
>
> If I join a PC to the domain and log in with a user (e.g. Isabella) who is a member of the "Domain Users" group, I get a permission error.
> In /var/log/daemon.log I have this:
>
> Mar 9 11:38:22 pd-ark smbd[743]: [2022/03/09 11:38:22.188470, 0] ../../source3/smbd/service.c:166(chdir_current_service)
> Mar 9 11:38:22 pd-ark smbd[743]: chdir_current_service: vfs_ChDir(/srv/samba/PD-Ambiente) failed: Permesso negato. Current token: uid=11110, gid=10513, 9 groups: 11110 10513 11150 11149 11157 3003 3004 3006 3001
>
> If I add the user "Isabella" to the "Domain Admins" group I can enter, read and write inside the PD-Ambiente share.
>
> I have correctly set the "Domain Users" group for reading / writing on the "PD-Ambiente" share from within win server (Fastmin user is an administrator).
>
> I double-checked and redid all the configurations (from the guides) from scratch several times, even reinstalling Debian from scratch.
> But I can't get it to work.
> I always have this login error.
> Where am I wrong? What can I try?
>
> A thousand thanks
>
> Greetings
> Mirko
>
> Some verification commands:
>
> getent group isabella
> isabella:x:11110:isabella
>
> getent group "domain users"
> domain users:x:10513:
>
> getent group "domain admins"
> domain admins:x:10512:
>
> getfacl /srv/samba/PD-Ambiente/
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/PD-Ambiente/
> # owner: root
> # group: domain\040admins
> user::rwx
> user:root:rwx
> user:domain\040admins:rwx
> user:domain\040users:rwx
> group::rwx
> group:domain\040admins:rwx
> group:domain\040users:rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:root:rwx
> default:user:domain\040users:rwx
> default:group::r-x
> default:group:domain\040admins:r-x
> default:group:domain\040users:rwx
> default:mask::rwx
> default:other::r-x
>
> I followed the guides on the official samba site:
> - https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> - https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> AD server is Windows Server 2019 Std.
> Samba on debian 11.2 version 4.13.13-Debian.
>
> File smb.conf:
>
> [global]
>     workgroup = DOMAIN
>     security = ADS
>     realm = DOMAIN.LAN
>
>     winbind refresh tickets = Yes
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     #store dos attributes = Yes
>
>     winbind enum users = yes
>     winbind enum groups = yes
>
>     # Disable printing...
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
>
>     log file = /var/log/samba/%m.log
>     #log level = 1
>
>     log level = 3 passdb:5 auth:5
>
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-7999
>     idmap config DOMAIN : backend = rid
>     idmap config DOMAIN : range = 10000-999999
>
>     username map = /etc/samba/user.map
>
>     # https://www.spinics.net/lists/samba/msg172624.html
>     # Without this i cannot set SeDiskOperatorPrivilege (get an INVALID TOKEN error)...
>     min domain uid = 0
>
> [PD-Ambiente]
>     comment = Documenti Ambiente
>     path = /srv/samba/PD-Ambiente
>     read only = no
>
> File user.map:
>
> !root = DOMAIN\Fastmin DOMAIN\fastmin

Just about the only thing wrong is your user.map, it should be:

!root = DOMAIN\Administrator

It maps Administrator to the Unix user 'root'

Rowland
Patrick Goetz
2022-Mar-09 13:58 UTC
[Samba] Samba as Domain Member: user get permission denied accessing share...
What are the linux permissions on /srv and /srv/samba?

On 3/9/22 07:02, Mirko via samba wrote:
> Hello to everybody.
>
> I am new to the list and thank you in advance for the time reading.
>
> If I join a PC to the domain and log in with a user (e.g. Isabella) who is a member of the "Domain Users" group, I get a permission error.
> In /var/log/daemon.log I have this:
>
> Mar  9 11:38:22 pd-ark smbd[743]: [2022/03/09 11:38:22.188470,  0] ../../source3/smbd/service.c:166(chdir_current_service)
> Mar  9 11:38:22 pd-ark smbd[743]:   chdir_current_service: vfs_ChDir(/srv/samba/PD-Ambiente) failed: Permesso negato. Current token: uid=11110, gid=10513, 9 groups: 11110 10513 11150 11149 11157 3003 3004 3006 3001
>
> If I add the user "Isabella" to the "Domain Admins" group I can enter, read and write inside the PD-Ambiente share.
>
> I have correctly set the "Domain Users" group for reading / writing on the "PD-Ambiente" share from within win server (Fastmin user is an administrator).
>
> I double-checked and redid all the configurations (from the guides) from scratch several times, even reinstalling Debian from scratch.
> But I can't get it to work.
> I always have this login error.
> Where am I wrong? What can I try?
>
> A thousand thanks
>
> Greetings
> Mirko
>
> Some verification commands:
>
> getent group isabella
> isabella:x:11110:isabella
>
> getent group "domain users"
> domain users:x:10513:
>
> getent group "domain admins"
> domain admins:x:10512:
>
> getfacl /srv/samba/PD-Ambiente/
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/PD-Ambiente/
> # owner: root
> # group: domain\040admins
> user::rwx
> user:root:rwx
> user:domain\040admins:rwx
> user:domain\040users:rwx
> group::rwx
> group:domain\040admins:rwx
> group:domain\040users:rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:root:rwx
> default:user:domain\040users:rwx
> default:group::r-x
> default:group:domain\040admins:r-x
> default:group:domain\040users:rwx
> default:mask::rwx
> default:other::r-x
>
> I followed the guides on the official samba site:
> - https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> - https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> AD server is Windows Server 2019 Std.
> Samba on debian 11.2 version 4.13.13-Debian.
>
> File smb.conf:
>
> [global]
>     workgroup = DOMAIN
>     security = ADS
>     realm = DOMAIN.LAN
>
>     winbind refresh tickets = Yes
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     #store dos attributes = Yes
>
>     winbind enum users = yes
>     winbind enum groups = yes
>
>     # Disable printing...
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
>
>     log file = /var/log/samba/%m.log
>     #log level = 1
>
>     log level = 3 passdb:5 auth:5
>
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-7999
>     idmap config DOMAIN : backend = rid
>     idmap config DOMAIN : range = 10000-999999
>
>     username map = /etc/samba/user.map
>
>     # https://www.spinics.net/lists/samba/msg172624.html
>     # Without this i cannot set SeDiskOperatorPrivilege (get an INVALID TOKEN error)...
>     min domain uid = 0
>
> [PD-Ambiente]
>     comment = Documenti Ambiente
>     path = /srv/samba/PD-Ambiente
>     read only = no
>
> File user.map:
>
> !root = DOMAIN\Fastmin DOMAIN\fastmin
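
Added example, not part of the thread and not Samba code: one way to answer the question about /srv and /srv/samba is to take the token from the smbd log line and check the search (x) bit on every ancestor of the share path. The function names are hypothetical, the log line is constructed from the one quoted above, and only classic owner/group/other mode bits are evaluated (POSIX ACL entries are ignored).

```python
import os
import re
import stat
from pathlib import PurePosixPath

# Constructed from the smbd log line quoted in the thread.
LOG_LINE = ("chdir_current_service: vfs_ChDir(/srv/samba/PD-Ambiente) failed: "
            "Permesso negato. Current token: uid=11110, gid=10513, 9 groups: "
            "11110 10513 11150 11149 11157 3003 3004 3006 3001")

TOKEN_RE = re.compile(
    r"vfs_ChDir\((?P<path>[^)]+)\) failed.*?uid=(?P<uid>\d+), gid=(?P<gid>\d+), "
    r"\d+ groups: (?P<groups>[\d ]+)")


def parse_token(line):
    """Return (path, uid, set of gids) from a chdir_current_service failure line."""
    m = TOKEN_RE.search(line)
    if m is None:
        raise ValueError("not a vfs_ChDir failure line")
    gids = {int(m["gid"])} | {int(g) for g in m["groups"].split()}
    return m["path"], int(m["uid"]), gids


def can_search(st, uid, gids):
    """Owner/group/other check for the x (search) bit; ACL entries are not read."""
    if uid == 0:
        return True  # root bypasses the search-permission check
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def first_blocked(path, uid, gids, stat_fn=os.stat):
    """Return the first directory from / down to path the token cannot traverse."""
    p = PurePosixPath(path)
    for d in list(reversed(p.parents)) + [p]:
        if not can_search(stat_fn(str(d)), uid, gids):
            return str(d)
    return None


if __name__ == "__main__":
    share, uid, gids = parse_token(LOG_LINE)
    try:
        print(first_blocked(share, uid, gids) or "mode bits allow traversal")
    except FileNotFoundError as exc:
        print("path not present on this host:", exc)
```

On the server itself, `namei -l /srv/samba/PD-Ambiente` lists the same per-component modes and owners.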