Markus Huether
2025-Nov-17 14:08 UTC
[Samba] samba ad integrated file server Permission denied
Hello,

I am experiencing an issue with an Ubuntu 24.04.3 LTS file server that has samba-ad-dc integrated (4.19.5) as a member server. Every night at 5:10 a.m., I receive the following syslog entries on the file server:

2025-11-16T05:15:01.532768+01:00 fs1 CRON[194336]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
2025-11-16T05:15:10.601499+01:00 fs1 smbd[194338]: [2025/11/16 05:15:10.599170,  0] source3/smbd/smb2_service.c:117(chdir_current_service)
2025-11-16T05:15:10.602166+01:00 fs1 smbd[194338]:   chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner) failed: Permission denied. Current token: uid=2001103, gid=2000515, 5 groups: 2001103 2000515 10003 10004 10006
2025-11-16T05:15:10.602389+01:00 fs1 smbd[194338]: [2025/11/16 05:15:10.601006,  0] source3/smbd/smb2_service.c:117(chdir_current_service)
2025-11-16T05:15:10.602615+01:00 fs1 smbd[194338]:   chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner) failed: Permission denied. Current token: uid=2001103, gid=2000515, 5 groups: 2001103 2000515 10003 10004 10006
2025-11-16T05:15:10.602893+01:00 fs1 smbd[194338]: [2025/11/16 05:15:10.602047,  0] source3/smbd/smb2_service.c:117(chdir_current_service)
2025-11-16T05:15:10.603069+01:00 fs1 smbd[194338]:   chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner) failed: Permission denied. Current token: uid=2001103, gid=2000515, 5 groups: 2001103 2000515 10003 10004 10006

However, I don't have a cron job running at that time. The backup runs at 2 a.m. with borg.

I'm not sure if this has anything to do with smb.conf.

root at fs1:/# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
    kerberos method = secrets and keytab
    realm = IWW.LAN
    security = ADS
    template homedir = /home/%U@%D
    template shell = /bin/bash
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind offline logon = Yes
    winbind refresh tickets = Yes
    winbind use default domain = Yes
    workgroup = IWW
    idmap config * : range = 10000-999999
    idmap config iww : backend = rid
    idmap config iww : range = 2000000-2999999
    idmap config * : backend = tdb
    map acl inherit = Yes
    vfs objects = acl_xattr

[basis]
    comment = AD Basisordner
    path = /mnt/volume1_daten/basisordner
    read only = No
    'acl_xattr:ignore system acls = yes'

Is this smb.conf correct?

Specifically regarding the entries:

map acl inherit = Yes
    vfs objects = acl_xattr

'acl_xattr:ignore system acls = yes'

The file server is working as it should. I can access it with Windows clients and the ACLs are also error-free when accessing the file server.

The path to the share has the following permissions:

drwxr-xr-x   3 root root          4096 Mai 12  2025 mnt
drwxr-xr-x   3 root root          4096 Mai 15  2025 volume1_daten
drwxrwx--T+  5 root domain users  4096 Sep 30 18:31 basisordner

Can anyone help me with this?

Markus
Rowland Penny
2025-Nov-17 15:15 UTC
[Samba] samba ad integrated file server Permission denied
On Mon, 17 Nov 2025 15:08:44 +0100
Markus Huether via samba <samba at lists.samba.org> wrote:

> Hello,
> I am experiencing an issue with an Ubuntu 24.04.3 LTS file server
> that has samba-ad-dc integrated (4.19.5) as a member server. Every
> night at 5:10 a.m., I receive the following syslog entries on the
> file server:
>
> 2025-11-16T05:15:01.532768+01:00 fs1 CRON[194336]: (root) CMD
> (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
>
> 2025-11-16T05:15:10.601499+01:00 fs1 smbd[194338]: [2025/11/16
> 05:15:10.599170,  0]
> source3/smbd/smb2_service.c:117(chdir_current_service)
>
> 2025-11-16T05:15:10.602166+01:00 fs1 smbd[194338]:
>   chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner)
> failed: Permission denied. Current token: uid=2001103, gid=2000515, 5
> groups: 2001103 2000515 10003 10004 10006
> 2025-11-16T05:15:10.602389+01:00 fs1 smbd[194338]: [2025/11/16
> 05:15:10.601006,  0]
> source3/smbd/smb2_service.c:117(chdir_current_service)
>
> 2025-11-16T05:15:10.602615+01:00 fs1 smbd[194338]:
>   chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner)
> failed: Permission denied. Current token: uid=2001103, gid=2000515, 5
> groups: 2001103 2000515 10003 10004 10006
> 2025-11-16T05:15:10.602893+01:00 fs1 smbd[194338]: [2025/11/16
> 05:15:10.602047,  0]
> source3/smbd/smb2_service.c:117(chdir_current_service)
>
> 2025-11-16T05:15:10.603069+01:00 fs1 smbd[194338]:
>   chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner)
> failed: Permission denied. Current token: uid=2001103, gid=2000515, 5
> groups: 2001103 2000515 10003 10004 10006
>
> However, I don't have a cron job running at that time. The backup
> runs at 2 a.m. with borg.

You probably do have a cron job, try looking at /etc/cron.d/sysstat

> I'm not sure if this has anything to do with smb.conf.
>
>
> root at fs1:/# testparm -s
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility
> fallback)
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
>     kerberos method = secrets and keytab
>     realm = IWW.LAN
>     security = ADS
>     template homedir = /home/%U@%D
>     template shell = /bin/bash
>     winbind enum groups = Yes
>     winbind enum users = Yes
>     winbind offline logon = Yes
>     winbind refresh tickets = Yes
>     winbind use default domain = Yes
>     workgroup = IWW
>     idmap config * : range = 10000-999999
>     idmap config iww : backend = rid
>     idmap config iww : range = 2000000-2999999
>     idmap config * : backend = tdb
>     map acl inherit = Yes
>     vfs objects = acl_xattr
>
>
> [basis]
>     comment = AD Basisordner
>     path = /mnt/volume1_daten/basisordner
>     read only = No
>     'acl_xattr:ignore system acls = yes'
>
>
> Is this smb.conf correct?

It depends on your definition of correct, yes it will work and yes it could be better.

You do not require the 'winbind enum' lines, they do two things, they make 'getent passwd' & 'getent group' work to list all users & groups and potentially slow everything down in large domains.

Your default domain '*' range is a bit large. The default domain is meant for anything outside the 'IWW' domain (so really '0') and the Well Known SIDs (there are less than 200 of those), so 989,999 is a bit of an overkill ;-)

> Specifically regarding the entries:
>
> map acl inherit = Yes
>     vfs objects = acl_xattr

You need those for extended attributes i.e. Windows permissions

>
> 'acl_xattr:ignore system acls = yes'

That could be your problem, it does what it says, it makes Samba ignore the Linux permissions set on the share's directory and I am fairly sure that 'smbd' needs them to traverse into the directory.

Rowland
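
An added example, not part of either post: it decodes the token in the logged chdir_current_service failure using the idmap ranges from the posted smb.conf, then checks that token against the mode bits shown for basisordner. Assumptions: idmap_rid's base_rid is left at its default of 0, only mode bits are evaluated (the ACL entries behind the "+" in the listing are not on the page), and the function names are illustrative.

```python
import re

# idmap ranges as posted in the thread's smb.conf
RID_LOW, RID_HIGH = 2000000, 2999999   # idmap config iww : backend = rid
TDB_LOW, TDB_HIGH = 10000, 999999      # idmap config * : backend = tdb
BASE_RID = 0                           # assumption: idmap_rid default
# Well-known domain-relative RIDs, identical in every AD domain
WELL_KNOWN = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
              515: "Domain Computers", 516: "Domain Controllers"}
TOKEN_RE = re.compile(r"uid=(\d+), gid=(\d+), \d+ groups: ([\d ]+)")
# Log message copied from the thread
LOG = ("chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner) "
       "failed: Permission denied. Current token: uid=2001103, gid=2000515, "
       "5 groups: 2001103 2000515 10003 10004 10006")

def parse_token(line):
    """Return (uid, gid, [group ids]) from an smbd 'Current token' dump."""
    m = TOKEN_RE.search(line)
    if not m:
        raise ValueError("no token found in line")
    return int(m.group(1)), int(m.group(2)), [int(g) for g in m.group(3).split()]

def describe(xid):
    """Explain where a Unix ID comes from under the posted idmap config."""
    if RID_LOW <= xid <= RID_HIGH:
        rid = xid - RID_LOW + BASE_RID  # inverse of ID = RID - BASE_RID + LOW
        return f"IWW RID {rid} ({WELL_KNOWN.get(rid, 'account-specific')})"
    if TDB_LOW <= xid <= TDB_HIGH:
        return "default domain, tdb-allocated (look up with wbinfo)"
    return "outside configured idmap ranges"

def can_traverse(mode, owner_uid, owner_gid, uid, gids):
    """Mode-bit search (x) check for one directory; ACL entries not evaluated."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & 0o100)
    if owner_gid in gids:
        return bool(mode & 0o010)
    return bool(mode & 0o001)

def analyse(line=LOG):
    uid, gid, groups = parse_token(line)
    domain_users_gid = RID_LOW + 513 - BASE_RID  # gid of "domain users"
    # drwxrwx--T root:"domain users" from the posted listing is mode 1770
    ok = can_traverse(0o1770, 0, domain_users_gid, uid, set(groups) | {gid})
    return {"uid": describe(uid), "gid": describe(gid), "traverse": ok}

if __name__ == "__main__":
    print(analyse())
```

With the posted values the primary gid decodes to RID 515 (Domain Computers), none of the token's groups is the directory's owning group, and the mode bits alone give that token no search permission on basisordner.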