samba - Feb 2023 - Member server permissions issue

Hello, 

I just set up a new domain with a separate domain controller and a samba domain
member for a file server.

I am able to set share permissions and ACL permissions through a windows client
on computer management OK. Looking at properties / security tab shows the proper
permissions...

Getfacl in linux shows the proper ACLs ... but when I try to access the share
from a joined windows client I am getting access denied regardless that the user
is in the proper group in ADUC. If I put that same user into Domain Admins group
that user can then access all the shares.

This is the first time I have seen this behavior .. My smb.conf is as follows
for the DC:

# Global parameters
[global]
        dns forwarder = 8.8.8.8
        netbios name = DC1
        realm = CORP.EXAMPLE.COM
        server role = active directory domain controller
        workgroup = CORP

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/corp.example.com/scripts
        read only = No

Here is the smb.conf for the member server: 

[global]
       security = ADS
       workgroup = CORP
       realm = CORP.EXAMPLE.COM

       username map = /etc/samba/user.map
       log file = /var/log/samba/%m.log
       log level = 1

       vfs objects = acl_xattr
       map acl inherit = Yes
       # store dos attributes = Yes

       # Default ID mapping configuration using the autorid
       # idmap backend. This will work out of the box for simple setups
       # as well as complex setups with trusted domains.
       idmap config * : backend = autorid
       idmap config * : range = 10000-9999999


[Shared]
        writeable = yes
        path=/server/shared

[Installs]
        writeable = yes
        path=/server/installs

... rest of share definitions ...

Samba version on the domain controller is:  4.15.13-Ubuntu
Samba version on the member server is: 4.15.13-Ubuntu

Any help is greatly appreciated!

Thanks,
Rich

On 10/02/2023 19:47, Rich Webb via samba wrote:
> Hello,
> 
> I just set up a new domain with a separate domain controller and a samba
domain member for a file server.
> 
> I am able to set share permissions and ACL permissions through a windows
client on computer management OK. Looking at properties / security tab shows the
proper permissions...
> 
> Getfacl in linux shows the proper ACLs ... but when I try to access the
share from a joined windows client I am getting access denied regardless that
the user is in the proper group in ADUC. If I put that same user into Domain
Admins group that user can then access all the shares.
> 
> This is the first time I have seen this behavior .. My smb.conf is as
follows for the DC:
> 
> # Global parameters
> [global]
>          dns forwarder = 8.8.8.8
>          netbios name = DC1
>          realm = CORP.EXAMPLE.COM
>          server role = active directory domain controller
>          workgroup = CORP
> 
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
> 
> [netlogon]
>          path = /var/lib/samba/sysvol/corp.example.com/scripts
>          read only = No
> 
> Here is the smb.conf for the member server:
> 
> [global]
>         security = ADS
>         workgroup = CORP
>         realm = CORP.EXAMPLE.COM
> 
>         username map = /etc/samba/user.map
>         log file = /var/log/samba/%m.log
>         log level = 1
> 
>         vfs objects = acl_xattr
>         map acl inherit = Yes
>         # store dos attributes = Yes
> 
>         # Default ID mapping configuration using the autorid
>         # idmap backend. This will work out of the box for simple setups
>         # as well as complex setups with trusted domains.
>         idmap config * : backend = autorid
>         idmap config * : range = 10000-9999999
> 
> 
> [Shared]
>          writeable = yes
>          path=/server/shared
> 
> [Installs]
>          writeable = yes
>          path=/server/installs
> 
> ... rest of share definitions ...
> 
> Samba version on the domain controller is:  4.15.13-Ubuntu
> Samba version on the member server is: 4.15.13-Ubuntu
> 
> Any help is greatly appreciated!
> 
> Thanks,
> Rich
> 
Can you post the output of the following commands:

ls -ld /server/shared

getfacl /server/shared

samba-tool ntacl get /server/shared --as-sddl

Also, is apparmor running and possibly blocking things ?

Rowland