Patrick Goetz
2022-Mar-09 14:17 UTC
[Samba] Samba as Domain Member: user get permission denied accessing share...
The UNIX permissions on the /srv/samba folder indicate that no one outside the domain admins group will have access to anything inside /srv/samba (no matter what POSIX ACLs are set or what the Windows permissions show).

# chmod 775 /srv/samba

and try again.

On 3/9/22 08:07, Mirko via samba wrote:
> Hi Patrick.
>
> root at pd-ark:~# ll /
> drwxr-xr-x   3 root root  4096  9 mar 09.56 srv
>
> root at pd-ark:~# ll /srv/
> drwxrwx--- 16 root DOMAIN\domain admins 4096  9 mar 11.35 samba
>
> Thanks
>
> On 09/03/22 14:58, Patrick Goetz via samba wrote:
>> What are the linux permissions on /srv? and /srv/samba ?
>>
>> On 3/9/22 07:02, Mirko via samba wrote:
>>> Hello to everybody.
>>>
>>> I am new to the list and thank you in advance for the time spent reading.
>>>
>>> If I join a PC to the domain and log in with a user (eg Isabella)
>>> member of the "Domain Users" group, I get a permission error.
>>> In /var/log/daemon.log I have this:
>>>
>>> Mar  9 11:38:22 pd-ark smbd[743]: [2022/03/09 11:38:22.188470, 0] ../../source3/smbd/service.c:166(chdir_current_service)
>>> Mar  9 11:38:22 pd-ark smbd[743]:   chdir_current_service: vfs_ChDir(/srv/samba/PD-Ambiente) failed: Permesso negato. Current token: uid=11110, gid=10513, 9 groups: 11110 10513 11150 11149 11157 3003 3004 3006 3001
>>>
>>> If I add the user "Isabella" to the "Domain Admins" group I can
>>> enter, read and write inside the PD-Ambiente share.
>>>
>>> I have correctly set the "Domain Users" group for reading / writing
>>> on the "PD-Ambiente" share from within win server (Fastmin user is an
>>> administrator).
>>>
>>> I double-checked and redid all configurations (of the guides) from
>>> scratch several times, even with reinstalls of debian from scratch.
>>> But I can't get it to work.
>>> I always have this login error.
>>> Where am I wrong? What can I try?
>>>
>>> A thousand thanks
>>>
>>> Greetings
>>> Mirko
>>>
>>>
>>> Some verification commands:
>>>
>>> getent group isabella
>>> isabella:x:11110:isabella
>>>
>>> getent group "domain users"
>>> domain users:x:10513:
>>>
>>> getent group "domain admins"
>>> domain admins:x:10512:
>>>
>>> getfacl /srv/samba/PD-Ambiente/
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: srv/samba/PD-Ambiente/
>>> # owner: root
>>> # group: domain\040admins
>>> user::rwx
>>> user:root:rwx
>>> user:domain\040admins:rwx
>>> user:domain\040users:rwx
>>> group::rwx
>>> group:domain\040admins:rwx
>>> group:domain\040users:rwx
>>> mask::rwx
>>> other::rwx
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:user:domain\040users:rwx
>>> default:group::r-x
>>> default:group:domain\040admins:r-x
>>> default:group:domain\040users:rwx
>>> default:mask::rwx
>>> default:other::r-x
>>>
>>> I followed the guides on the official samba site:
>>> - https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>>> - https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>>
>>> AD server is Windows Server 2019 Std.
>>> Samba on debian 11.2 version 4.13.13-Debian.
>>>
>>> File smb.conf:
>>>
>>> [global]
>>>     workgroup = DOMAIN
>>>     security = ADS
>>>     realm = DOMAIN.LAN
>>>
>>>     winbind refresh tickets = Yes
>>>     vfs objects = acl_xattr
>>>     map acl inherit = Yes
>>>     #store dos attributes = Yes
>>>
>>>     winbind enum users = yes
>>>     winbind enum groups = yes
>>>
>>>     # Disable printing...
>>>     load printers = no
>>>     printing = bsd
>>>     printcap name = /dev/null
>>>     disable spoolss = yes
>>>
>>>     log file = /var/log/samba/%m.log
>>>     #log level = 1
>>>
>>>     log level = 3 passdb:5 auth:5
>>>
>>>     idmap config * : backend = tdb
>>>     idmap config * : range = 3000-7999
>>>     idmap config DOMAIN : backend = rid
>>>     idmap config DOMAIN : range = 10000-999999
>>>
>>>     username map = /etc/samba/user.map
>>>
>>>     # https://www.spinics.net/lists/samba/msg172624.html/
>>>     # Without this i cannot set SeDiskOperatorPrivilege (get an INVALID TOKEN error)...
>>>     min domain uid = 0
>>>
>>> [PD-Ambiente]
>>>     comment = Documenti Ambiente
>>>     path = /srv/samba/PD-Ambiente
>>>     read only = no
>>>
>>>
>>> File user.map:
>>>
>>> !root = DOMAIN\Fastmin DOMAIN\fastmin
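An added example, not part of the thread and not Samba's own code: it replays the vfs_ChDir step from the log above against an in-memory model of the "ll" output and the getfacl listing Mirko posted, so you can see which path component refuses Isabella's token and why the ACL on PD-Ambiente never gets a say. Modes, owners, ids and the token are taken from the mails; the mapping of the two named user entries in the ACL ("domain admins", "domain users") to uids 10512 and 10513, and the assumption that joining Domain Admins adds gid 10512 to the token, are mine.

```python
# Added example: POSIX traversal check over a constructed model of the
# directories quoted in the thread (not Samba's code).
from collections import namedtuple

R, W, X = 4, 2, 1

# Id tables built from the getent output in the mail.  The uids for the
# named "domain ..." user entries are an assumption: the rid backend hands
# the same number to a RID whether it is resolved as a user or a group.
USERS = {"root": 0, "isabella": 11110, "domain admins": 10512, "domain users": 10513}
GROUPS = {"root": 0, "domain admins": 10512, "domain users": 10513}

Token = namedtuple("Token", "uid gid groups")
Dir = namedtuple("Dir", "mode uid gid acl", defaults=[()])   # acl: extended entries, () if none

def perms(s):
    """'rwx' / 'r-x' -> bitmask."""
    return (R if "r" in s else 0) | (W if "w" in s else 0) | (X if "x" in s else 0)

def parse_getfacl(text):
    """Parse the access entries of a getfacl listing into (tag, name, perms).
    default: entries only shape newly created children and are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("default:"):
            continue
        tag, name, p = line.split(":")
        entries.append((tag, name.replace("\\040", " "), perms(p)))  # getfacl writes spaces as \040
    return entries

def allowed(d, tok, want):
    """Access check as described in acl(5): owner, then named users, then the
    group class (owning group and named groups, cut by the mask), then other.
    Without an extended ACL the plain mode bits decide."""
    if d.acl:
        mask = next((p for t, n, p in d.acl if t == "mask"), R | W | X)
        owner = next(p for t, n, p in d.acl if t == "user" and n == "")
        group_obj = next(p for t, n, p in d.acl if t == "group" and n == "")
        other = next(p for t, n, p in d.acl if t == "other")
        named_users = {USERS[n]: p for t, n, p in d.acl if t == "user" and n}
        named_groups = {GROUPS[n]: p for t, n, p in d.acl if t == "group" and n}
    else:
        mask, named_users, named_groups = R | W | X, {}, {}
        owner, group_obj, other = (d.mode >> 6) & 7, (d.mode >> 3) & 7, d.mode & 7
    if tok.uid == d.uid:
        return want & owner == want
    if tok.uid in named_users:
        return want & named_users[tok.uid] & mask == want
    gids = {tok.gid, *tok.groups}
    candidates = ([group_obj] if d.gid in gids else []) + [p for g, p in named_groups.items() if g in gids]
    if candidates:                      # any matching group entry may grant the request
        return any(want & p & mask == want for p in candidates)
    return want & other == want

def first_denied_component(tree, path, tok):
    """Walk the path the way chdir() does: every component needs search (x)
    permission.  Return the first component that refuses it, else None."""
    cur = ""
    for part in [p for p in path.split("/") if p]:
        cur += "/" + part
        if not allowed(tree[cur], tok, X):
            return cur
    return None

# Constructed copy of the getfacl listing from the mail (access entries matter here).
PD_AMBIENTE_ACL = parse_getfacl(r"""
# file: srv/samba/PD-Ambiente/
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
user:domain\040admins:rwx
user:domain\040users:rwx
group::rwx
group:domain\040admins:rwx
group:domain\040users:rwx
mask::rwx
other::rwx
default:group::r-x
""")

def build_tree(samba_mode=0o770):
    """/srv and /srv/samba as shown by 'll'; PD-Ambiente carries the ACL above."""
    return {
        "/srv": Dir(0o755, 0, 0),
        "/srv/samba": Dir(samba_mode, 0, GROUPS["domain admins"]),
        "/srv/samba/PD-Ambiente": Dir(0o777, 0, GROUPS["domain admins"], PD_AMBIENTE_ACL),
    }

# Token straight from the smbd log line: uid=11110, gid=10513, 9 groups.
ISABELLA = Token(11110, 10513, (11110, 10513, 11150, 11149, 11157, 3003, 3004, 3006, 3001))
# Same user after being added to Domain Admins (assumed: gid 10512 joins the token).
ISABELLA_ADMIN = Token(11110, 10513, ISABELLA.groups + (10512,))

if __name__ == "__main__":
    for label, tree, tok in (("as posted, Domain Users member", build_tree(), ISABELLA),
                             ("as posted, after joining Domain Admins", build_tree(), ISABELLA_ADMIN),
                             ("after chmod 775 /srv/samba", build_tree(0o775), ISABELLA)):
        print(f"{label}: denied at {first_denied_component(tree, '/srv/samba/PD-Ambiente', tok)}")
```

Run as a script it prints the three cases. The point it makes is the one in Patrick's reply: chdir() needs search permission on every component, so a 0770 /srv/samba owned by root:"domain admins" is decided by the "other" bits for everyone outside that group, and the generous ACL one level down is never consulted. Adding Isabella to Domain Admins or opening /srv/samba to 775 both make the walk succeed.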
Rowland Penny
2022-Mar-09 14:26 UTC
[Samba] Samba as Domain Member: user get permission denied accessing share...
On Wed, 2022-03-09 at 08:17 -0600, Patrick Goetz via samba wrote:
> The UNIX permissions on the /srv/samba folder indicate that no one
> outside the domain admins group will have access to anything inside
> /srv/samba (no matter what POSIX ACLs are set or what the Windows
> permissions show).
>
> # chmod 775 /srv/samba
>
> and try again.

The idea is that you set the permissions to '0770' and then a member of Domain Admins sets the required permissions from Windows.

Rowland