Rowland Penny
2025-Nov-17 15:15 UTC
[Samba] samba ad integrated file server Permission denied
On Mon, 17 Nov 2025 15:08:44 +0100 Markus Huether via samba <samba at lists.samba.org> wrote:

> Hello,
> I am experiencing an issue with an Ubuntu 24.04.3 LTS file server
> that has samba-ad-dc integrated (4.19.5) as a member server. Every
> night at 5:10 a.m., I receive the following syslog entries on the
> file server:
>
> 2025-11-16T05:15:01.532768+01:00 fs1 CRON[194336]: (root) CMD
> (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
>
> 2025-11-16T05:15:10.601499+01:00 fs1 smbd[194338]: [2025/11/16
> 05:15:10.599170,  0]
> source3/smbd/smb2_service.c:117(chdir_current_service)
>
> 2025-11-16T05:15:10.602166+01:00 fs1 smbd[194338]:
> chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner)
> failed: Permission denied. Current token: uid=2001103, gid=2000515, 5
> groups: 2001103 2000515 10003 10004 10006
> 2025-11-16T05:15:10.602389+01:00 fs1 smbd[194338]: [2025/11/16
> 05:15:10.601006,  0]
> source3/smbd/smb2_service.c:117(chdir_current_service)
>
> 2025-11-16T05:15:10.602615+01:00 fs1 smbd[194338]:
> chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner)
> failed: Permission denied. Current token: uid=2001103, gid=2000515, 5
> groups: 2001103 2000515 10003 10004 10006
> 2025-11-16T05:15:10.602893+01:00 fs1 smbd[194338]: [2025/11/16
> 05:15:10.602047,  0]
> source3/smbd/smb2_service.c:117(chdir_current_service)
>
> 2025-11-16T05:15:10.603069+01:00 fs1 smbd[194338]:
> chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner)
> failed: Permission denied. Current token: uid=2001103, gid=2000515, 5
> groups: 2001103 2000515 10003 10004 10006
>
> However, I don't have a cron job running at that time. The backup
> runs at 2 a.m. with borg.

You probably do have a cron job, try looking at /etc/cron.d/sysstat

> I'm not sure if this has anything to do with smb.conf.
>
>
> root@fs1:/# testparm -s
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility
> fallback)
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
>     kerberos method = secrets and keytab
>     realm = IWW.LAN
>     security = ADS
>     template homedir = /home/%U@%D
>     template shell = /bin/bash
>     winbind enum groups = Yes
>     winbind enum users = Yes
>     winbind offline logon = Yes
>     winbind refresh tickets = Yes
>     winbind use default domain = Yes
>     workgroup = IWW
>     idmap config * : range = 10000-999999
>     idmap config iww : backend = rid
>     idmap config iww : range = 2000000-2999999
>     idmap config * : backend = tdb
>     map acl inherit = Yes
>     vfs objects = acl_xattr
>
>
> [basis]
>     comment = AD Basisordner
>     path = /mnt/volume1_daten/basisordner
>     read only = No
>     'acl_xattr:ignore system acls = yes'
>
>
> Is this smb.conf correct?

It depends on your definition of correct, yes it will work and yes it could be better. You do not require the 'winbind enum' lines, they do two things, they make 'getent passwd' & 'getent group' work to list all users & groups and potentially slow everything down in large domains. Your default domain '*' range is a bit large. The default domain is meant for anything outside the 'IWW' domain (so really '0') and the Well Known SIDs (there are less than 200 of those), so 989,999 is a bit of an overkill ;-)

> Specifically regarding the entries:
>
> map acl inherit = Yes
>     vfs objects = acl_xattr

You need those for extended attributes i.e. Windows permissions

>
> 'acl_xattr:ignore system acls = yes'

That could be your problem, it does what it says, it makes Samba ignore the Linux permissions set on the share's directory and I am fairly sure that 'smbd' needs them to traverse into the directory.

Rowland
Rowland Penny
2025-Nov-18 09:44 UTC
[Samba] samba ad integrated file server Permission denied
On Mon, 17 Nov 2025 15:15:16 +0000 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 17 Nov 2025 15:08:44 +0100
> Markus Huether via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> > I am experiencing an issue with an Ubuntu 24.04.3 LTS file server
> > that has samba-ad-dc integrated (4.19.5) as a member server. Every
> > night at 5:10 a.m., I receive the following syslog entries on the
> > file server:
> >
> > 2025-11-16T05:15:10.602166+01:00 fs1 smbd[194338]:
> > chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner)
> > failed: Permission denied. Current token: uid=2001103, gid=2000515,
> > 5 groups: 2001103 2000515 10003 10004 10006

Then I looked closer at the output you provided and I realised why you are getting the error messages. It is because the user cannot traverse to the directory, but that is because the user isn't a member of Domain Users. If you look at the UID, I feel it is linked to the username fs1$ and that user's primary group is Domain Computers (the '515' at the end of the gid '2000515' gives this away), yes, it is your computer (aka 'SYSTEM').

Rowland
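
The uid/gid reading in the reply above can be reproduced mechanically. This is an added example, not part of the original posts and not Samba code: it parses the "Current token" line from the thread and reverses the 'rid' idmap range from the quoted smb.conf. The function names are hypothetical and it assumes idmap_rid's base_rid is left at its default of 0.

```python
import re

# Ranges copied from the smb.conf quoted in the thread.
RID_LOW, RID_HIGH = 2000000, 2999999       # idmap config iww : range (backend = rid)
DEFAULT_LOW, DEFAULT_HIGH = 10000, 999999  # idmap config * : range (backend = tdb)
BASE_RID = 0                               # assumption: idmap_rid default, not overridden

# Well-known domain-relative RIDs of the built-in AD groups.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
                   515: "Domain Computers", 516: "Domain Controllers"}

TOKEN_RE = re.compile(
    r"Current token: uid=(\d+), gid=(\d+), \d+\s+groups:((?:\s+\d+)+)")

# The smbd message from the thread, with the mail line wrapping joined.
SAMPLE = ("chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner) "
          "failed: Permission denied. Current token: uid=2001103, gid=2000515, "
          "5 groups: 2001103 2000515 10003 10004 10006")

def classify(xid):
    """Return (backend, rid, well_known_name) for a Unix uid or gid."""
    if RID_LOW <= xid <= RID_HIGH:
        # idmap_rid is algorithmic: RID = ID + BASE_RID - LOW_RANGE_ID
        rid = xid + BASE_RID - RID_LOW
        return ("rid", rid, WELL_KNOWN_RIDS.get(rid))
    if DEFAULT_LOW <= xid <= DEFAULT_HIGH:
        # tdb IDs are allocated on demand, so the SID cannot be derived here.
        return ("tdb", None, None)
    return ("unmapped", None, None)

def parse_token(line):
    """Extract and classify uid, gid and group list; None if no token found."""
    m = TOKEN_RE.search(line)
    if m is None:
        return None
    groups = [int(g) for g in m.group(3).split()]
    return {"uid": classify(int(m.group(1))), "gid": classify(int(m.group(2))),
            "groups": {g: classify(g) for g in groups}}

def primary_group_is_domain_computers(token):
    """Heuristic from the reply: primary group RID 515 points at a machine account."""
    return token["gid"][2] == "Domain Computers"

def in_domain_users(token):
    """True if any group in the token maps to RID 513 (Domain Users)."""
    return any(v[1] == 513 for v in token["groups"].values())

if __name__ == "__main__":
    tok = parse_token(SAMPLE)
    print(tok["uid"], tok["gid"])
    print("machine account likely:", primary_group_is_domain_computers(tok))
    print("member of Domain Users:", in_domain_users(tok))
```

The three groups in the 10000 range come from the '*' tdb backend, so they need 'wbinfo --gid-to-sid' on the file server to resolve.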