Jürgen Echter
2023-Sep-29 15:36 UTC
[Samba] Trying to add a share to a windows drive letter for a second group on samba file server - access denied
Hi,

I have a share that is mapped to a drive letter via GPO. I now added a second group with "is member of group 1 OR group2". Windows seems to try to mount the share, but I don't see it in Windows Explorer. If I try to mount it manually I get: it's already mapped. If I browse to the share I get access denied.

I am in a Samba AD environment and the ACLs seem to work. I set the ACLs with a Windows machine.

Anything obvious I'm not seeing here?

My smb.conf on the file server:

    [global]
        security = ADS
        workgroup = SAMDOM
        realm = SAMDOM.MY.NET
        winbind refresh tickets = Yes
        winbind nss info = template
        template shell = /bin/bash
        template homedir = /home/%U
        idmap config SAMDOM : backend = rid
        idmap config SAMDOM : range = 10000-999999
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

    [share]
        comment = a share
        path = /srv/samba/share
        read only = no
        guest ok = no
        vfs objects = acl_xattr recycle io_uring
        recycle:repository = .recycle
        recycle:keeptree = yes
        recycle:versions = yes
        recycle:directory_mode = 0770
        acl_xattr:ignore system acls = yes

Samba Version 4.17.5

getfacl share

    # file: share
    # owner: root
    # group: SAMDOM\\domain\040admins
    user::rwx
    user:SAMDOM\\administrator:rwx
    user:SAMDOM\\domain\040admins:rwx
    user:SAMDOM\\group1:rwx
    user:SAMDOM\\group2:rwx
    group::rwx
    group:SAMDOM\\domain\040admins:rwx
    group:SAMDOM\\domain\040users:---
    group:SAMDOM\\group1:rwx
    group:SAMDOM\\group2:rwx
    other::---
    default:user::rwx
    default:user:SAMDOM\\administrator:rwx
    default:user:SAMDOM\\domain\040admins:rwx
    default:user:SAMDOM\\group1:rwx
    default:user:SAMDOM\\group2:rwx
    default:group::---
    default:group:SAMDOM\\domain\040admins:rwx
    default:group:SAMDOM\\domain\040users:---
    default:group:SAMDOM\\group1:rwx
    default:group:SAMDOM\\group2:rwx
    default:mask::rwx
    default:other::---

Samba AD Server Version 4.18.6

smb.conf:

    [global]
        netbios name = SMBADDC1
        realm = SAMDOM.MY.NET
        server role = active directory domain controller
        workgroup = SAMDOM
        dns forwarder = 192.168.0.1
        tls keyfile = tls/SMBADDC1.key
        tls certfile = tls/SMBADDC1.crt

    [sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

    [netlogon]
        path = /usr/local/samba/var/locks/sysvol/samdom.my.net/scripts
        read only = No

Thanks for your input
Juergen