Peter Milesson
2024-Jan-09 20:31 UTC
[Samba] Write access to shares denied for domain user(s)
Hi folks,

I have got a strange error, where create/modify/write is denied on file server shares for domain users, even if the users in question are assigned full permission to the shares via RSAT. Create/modify/write is denied to the share root folder, or sub folders, in all Windows versions from 7 and up to 11. Reading is OK, except for a hidden share, which is not accessible at all, but create/modify/write is denied.

All share administration is made through RSAT. The domain consists of one Samba AD DC, and one member server, where the shared folders reside. I have checked documentation in the Samba Wiki, and also the instructions on Luis Peromarta's blog, and I cannot find anything out of the way.

OS in both the AD DC and member server is Debian Bookworm, with Samba from backports 4.19.3.

Any help would be much appreciated.

smb.conf from the member server at the end of this message. All shares have got the same configuration as the one displayed below.

Best regards,

Peter

[global]
        workgroup = PRIVATE
        realm = PRIVATE.SPLAT
        security = ADS
        server role = member server
        kerberos method = secrets and keytab
        dedicated keytab file = /etc/krb5.keytab
        disable netbios = yes
        smb ports = 445
        debug pid = yes
        debug uid = yes
        disable spoolss = yes
        printcap name = /dev/null
        log level = 1
        restrict anonymous = 2
        template homedir = /home/%U
        template shell = /bin/bash
#       username map = /etc/samba/user.map
#       min domain uid = 0
        winbind refresh tickets = yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-9999
        idmap config PRIVATE : backend = rid
        idmap config PRIVATE : range = 10000-99999
        idmap config PRIVATE : unix_primary_group = yes
        inherit acls = yes
        map acl inherit = yes
        vfs objects = acl_xattr
        apply group policies = yes
        winbind use default domain = yes

[public]
        comment = Public folders
        path = /data/public-access/
        read only = no
        acl_xattr:ignore system acls = yes
        hide dot files = no