samba - Jun 2025 - world-inaccessible home dirs and samba log noise

Hi!

Some of our users changed permissions for their home dirs to
revoke access for everyone, making it 0750 instead of 0755.
This is the default on same linux distributions for quite some
time already, too.

Now, samba logs a lot of noise like this:

[2025/06/08 11:11:02.896807,  0] 
source3/smbd/smb2_service.c:117(chdir_current_service)
   chdir_current_service: vfs_ChDir(/home/jatok) failed: \
       Permission denied. Current token: uid=2100, gid=2000, \
         4 groups: 2000 5000 5001 5002

(the groups comes from the domain controller, these are

   2000 - domain computers
   5000 - BUILTIN\administrators
   5001 - BUILTIN\users
   5002 - BUILTIN\guests

Why each computer is a member of BUILTIN\users group anyway,
when it is not a user but a computer?

So, which permissions should a user home directory have to
avoid this log spam by samba?

Thanks,

/mjt

Hi,

It's Microsoft's decision that everyone and everyTHING is a user and a 
member of BUILTIN\users.

If a service on a workstation running as Local Service tries to access 
something on a network drive it uses the machine account of that 
workstation, leading to the error messages emitted by samba.

It's the [human] user's decision if his workstation shall have access to
their files on a network drive. If they deny such access then services 
like virus scanners cannot access files stored on such network drives. 
That can be good or bad.

And it can be good or bad that Samba writes an error message. IMHO it's 
not an error and much less a Samba error. To the contrary, Samba does 
the needful: rejects access where access shall be rejected. It deservers 
a success message.

regards,
Norbert

On 09.06.2025 16:04, Michael Tokarev via samba wrote:
> Hi!
>
> Some of our users changed permissions for their home dirs to
> revoke access for everyone, making it 0750 instead of 0755.
> This is the default on same linux distributions for quite some
> time already, too.
>
> Now, samba logs a lot of noise like this:
>
> [2025/06/08 11:11:02.896807,? 0] 
> source3/smbd/smb2_service.c:117(chdir_current_service)
> ? chdir_current_service: vfs_ChDir(/home/jatok) failed: \
> ????? Permission denied. Current token: uid=2100, gid=2000, \
> ??????? 4 groups: 2000 5000 5001 5002
>
> (the groups comes from the domain controller, these are
>
> ? 2000 - domain computers
> ? 5000 - BUILTIN\administrators
> ? 5001 - BUILTIN\users
> ? 5002 - BUILTIN\guests
>
> Why each computer is a member of BUILTIN\users group anyway,
> when it is not a user but a computer?
>
> So, which permissions should a user home directory have to
> avoid this log spam by samba?
>
> Thanks,
>
> /mjt
>

Mandi! Michael Tokarev via samba
  In chel di` si favelave...
> So, which permissions should a user home directory have to
> avoid this log spam by samba?
Michael, the share use POSIX acl compatibility layer? If yes, try '770';
this because normally the compatibility layer use the 'g' (as in
'ugo')
permission as a mask for ACLs.

So, with 750 you have removed 'x' permission from everyone and have
masked
'w' permission for every group.

--