Rowland Penny
2025-Nov-18 09:44 UTC
[Samba] samba ad integrated file server Permission denied
On Mon, 17 Nov 2025 15:15:16 +0000 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 17 Nov 2025 15:08:44 +0100
> Markus Huether via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> > I am experiencing an issue with an Ubuntu 24.04.3 LTS file server
> > that has samba-ad-dc integrated (4.19.5) as a member server. Every
> > night at 5:10 a.m., I receive the following syslog entries on the
> > file server:
> >
> > 2025-11-16T05:15:10.602166+01:00 fs1 smbd[194338]:
> > chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner)
> > failed: Permission denied. Current token: uid=2001103, gid=2000515,
> > 5 groups: 2001103 2000515 10003 10004 10006

Then I looked closer at the output you provided and I realised why you are getting the error messages.

It is because the user cannot traverse to the directory, but that is because the user isn't a member of Domain Users. If you look at the UID, I feel it is linked to the username fs1$ and that user's primary group is Domain Computers (the '515' at the end of the gid '2000515' gives this away), yes, it is your computer (aka 'SYSTEM').

Rowland
Markus Huether
2025-Nov-18 12:03 UTC
[Samba] samba ad integrated file server Permission denied
I changed the smb.conf

aramis at fs1:~$ testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
    kerberos method = secrets and keytab
    realm = IWW.LAN
    security = ADS
    template homedir = /home/%U@%D
    template shell = /bin/bash
    winbind offline logon = Yes
    winbind refresh tickets = Yes
    winbind use default domain = Yes
    workgroup = IWW
    idmap config * : range = 3000-7999
    idmap config iww : backend = rid
    idmap config iww : range = 2000000-2999999
    idmap config * : backend = tdb
    map acl inherit = Yes
    vfs objects = acl_xattr

[basis]
    comment = AD Basisordner
    path = /mnt/volume1_daten/basisordner
    read only = No

So I deleted the entries:

winbind enum groups = Yes
winbind enum users = Yes
'acl_xattr:ignore system acls = yes'

but still have the log entries at 5:15 a.m.

But the question remains: who triggers these entries at 5:15 a.m.? I've looked through all the cron jobs. There is definitely none entered for that time. The strange thing is that the file server works without any problems.

I then checked who has the uid 2001103 but couldn't find anything. It must be an AD user, but I couldn't find the ID in the AD or on the server. How can I resolve the ID to a user?

fs1$ is the server name. There is no user with fs1 on the server or in the domain. However, I can't find anything about the uid or gid in the domain or on the server. Is there any way I can query the uid/gid?

Markus

On 18.11.25 at 10:44, Rowland Penny via samba wrote:
> On Mon, 17 Nov 2025 15:15:16 +0000
> Rowland Penny via samba<samba at lists.samba.org> wrote:
>
>> On Mon, 17 Nov 2025 15:08:44 +0100
>> Markus Huether via samba<samba at lists.samba.org> wrote:
>>
>>> Hello,
>>> I am experiencing an issue with an Ubuntu 24.04.3 LTS file server
>>> that has samba-ad-dc integrated (4.19.5) as a member server. Every
>>> night at 5:10 a.m., I receive the following syslog entries on the
>>> file server:
>>>
>>> 2025-11-16T05:15:10.602166+01:00 fs1 smbd[194338]:
>>> chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner)
>>> failed: Permission denied. Current token: uid=2001103, gid=2000515,
>>> 5 groups: 2001103 2000515 10003 10004 10006
> Then I looked closer at the output you provided and I realised why you
> are getting the error messages.
>
> It is because the user cannot traverse to the directory, but that is
> because the user isn't a member of Domain Users. If you look at the
> UID, I feel it is linked to the username fs1$ and that user's primary
> group is Domain Computers (the '515' at the end of the gid '2000515'
> gives this away), yes, it is your computer (aka 'SYSTEM').
>
> Rowland
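
Added example, not part of either post and not Samba code: with the idmap_rid backend a Unix id is the account's RID plus the low end of the domain's range, so the ids in the smbd token can be turned back into RIDs offline, which is how the '515' in gid 2000515 points at Domain Computers. The ranges come from the testparm output above; base_rid = 0 (the idmap_rid default) is an assumption, and the names IDMAP, parse_token and explain_id are chosen here for illustration.

```python
import re

# idmap ranges copied from the testparm output in the thread.
IDMAP = [
    {"domain": "*", "backend": "tdb", "low": 3000, "high": 7999},
    {"domain": "IWW", "backend": "rid", "low": 2000000, "high": 2999999},
]
BASE_RID = 0  # assumption: idmap_rid default, the posted config does not set it

# Well-known domain-relative RIDs of the default domain groups.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
                   515: "Domain Computers", 516: "Domain Controllers"}

TOKEN_RE = re.compile(r"uid=(\d+), gid=(\d+), \d+ groups: ([\d ]+)")

def parse_token(line):
    """Extract uid, gid and group ids from an smbd 'Current token' log line."""
    m = TOKEN_RE.search(line)
    if not m:
        raise ValueError("no 'Current token' data in line")
    return int(m.group(1)), int(m.group(2)), [int(g) for g in m.group(3).split()]

def explain_id(unix_id):
    """Return the idmap domain that owns unix_id and, for the rid backend, its RID."""
    for cfg in IDMAP:
        if cfg["low"] <= unix_id <= cfg["high"]:
            if cfg["backend"] != "rid":
                return {"domain": cfg["domain"], "backend": cfg["backend"]}
            # idmap_rid maps ID = RID - BASE_RID + LOW_RANGE_ID; invert that here.
            rid = unix_id - cfg["low"] + BASE_RID
            return {"domain": cfg["domain"], "backend": "rid", "rid": rid,
                    "well_known": WELL_KNOWN_RIDS.get(rid)}
    return None  # id is not covered by any range in the posted idmap config

# Log entry from the thread, joined onto one line.
LOG = ("smbd[194338]: chdir_current_service: vfs_ChDir(/mnt/volume1_daten/basisordner) "
       "failed: Permission denied. Current token: uid=2001103, gid=2000515, "
       "5 groups: 2001103 2000515 10003 10004 10006")

if __name__ == "__main__":
    uid, gid, groups = parse_token(LOG)
    for label, value in [("uid", uid), ("gid", gid)] + [("group", g) for g in groups]:
        print(label, value, explain_id(value))
```

The RID is the last component of the account's objectSid in AD. On the member server itself, `wbinfo --uid-to-sid=2001103` followed by `wbinfo --sid-to-name=<SID>` asks winbind for the same mapping.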