Markus Huether
2025-Nov-18 13:45 UTC
[Samba] samba ad integrated file server Permission denied
rowland at devstation:~$ getent passwd devstation$
devstation$:*:12657:10515::/home/devstation_:/bin/bash

But if I only have one uid, getent doesn't help me. I have already checked all users and computers stored in AD with getent.

If I run 'cat /etc/cron.d/sysstat', I get this:

# The first element of the path is a directory where the debian-sa1
# script is located
PATH=/usr/lib/sysstat:/usr/sbin:/usr/sbin:/usr/bin:/sbin:/bin

# Activity reports every 10 minutes everyday
5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1

# Additional run at 23:59 to rotate the statistics file
59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2

I get the same result here. The cron runs every 10 minutes and additionally at 11:59 p.m. However, I always receive the syslog entries at 5:15 a.m. and only then. So this has nothing to do with these cron entries.

Markus

On 18.11.25 at 13:13, Rowland Penny via samba wrote:
> On Tue, 18 Nov 2025 13:03:38 +0100
> Markus Huether via samba <samba at lists.samba.org> wrote:
>
>>
>> but still have the log entries at 5:15 a.m.
>> But the question remains: who triggers these entries at 5:15 a.m.?
>> I've looked through all the cron jobs. There is definitely none
>> entered for that time.
>> The strange thing is that the file server works without any problems.
>> I then checked who has the uid 2001103 but couldn't find anything. It
>> must be an AD user, but I couldn't find the ID in the AD or on the
>> server. How can I resolve the ID to a user?
>> fs1$ is the server name. There is no user with fs1 on the server or
>> in the domain. However, I can't find anything about the uid or gid in
>> the domain or on the server. Is there any way I can query the uid/gid?
>>
> You are missing the point, an AD computer is a user with an extra
> objectclass, the 'computer' objectclass
>
> rowland at devstation:~$ getent passwd devstation$
> devstation$:*:12657:10515::/home/devstation_:/bin/bash
>
> If I run 'cat /etc/cron.d/sysstat', I get this:
>
> # The first element of the path is a directory where the debian-sa1
> # script is located
> PATH=/usr/lib/sysstat:/usr/sbin:/usr/sbin:/usr/bin:/sbin:/bin
>
> # Activity reports every 10 minutes everyday
> 5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
>
> # Additional run at 23:59 to rotate the statistics file
> 59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2
>
> Rowland
>
Rowland Penny
2025-Nov-18 15:23 UTC
[Samba] samba ad integrated file server Permission denied
On Tue, 18 Nov 2025 14:45:52 +0100
Markus Huether via samba <samba at lists.samba.org> wrote:

> rowland at devstation:~$ getent passwd devstation$
> devstation$:*:12657:10515::/home/devstation_:/bin/bash
>
> But if I only have one uid, getent doesn't help me. I have already
> checked all users and computers stored in AD with getent.
>
>
> If I run 'cat /etc/cron.d/sysstat', I get this:
>
> # The first element of the path is a directory where the debian-sa1
> # script is located
> PATH=/usr/lib/sysstat:/usr/sbin:/usr/sbin:/usr/bin:/sbin:/bin
>
> # Activity reports every 10 minutes everyday
> 5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1
> 1 1
>
> # Additional run at 23:59 to rotate the statistics file
> 59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2
>
> I get the same result here. The cron runs every 10 minutes and
> additionally at 11:59 p.m. However, I always receive the syslog
> entries at 5:15 a.m. and only then. So this has nothing to do with
> these cron entries.
>

I now think that the cron entry is a blind alley, as I said, it appears to be a 'housekeeping' command run on a regular basis, it just seems to happen before your real problem, I do not think the two are connected.

Let's examine the permissions set on your shares directory:

drwxrwx--T+ 5 root domain users 4096 Sep 30 18:31 basisordner

Working left to right:

The 'd' shows it is a directory
The first 'rwx' shows that the owner has full permissions on the directory
The second 'rwx' shows that the group has full permissions on the directory
The final '--T' is a bit special, it shows that 'others' have no permissions on the directory and that the 'sticky bit' is set on the directory.
There is also a '+' at the very end, more about this later.

The standard permissions show that the owner (root) and members of the group (Domain Users) have full permissions on the directory (read, write and enter), others cannot even enter the directory.

Because the 'sticky bit' is set, then any files in the directory can only be renamed or deleted by the file's owner, the directory's owner, or root (in this case the same user)

Now something is attempting, via smbd, to change directory into the 'basisordner' directory, that 'something' in your case is the computer fs1. Because 'fs1' is not 'root' or a member of Domain Users it is being denied access. However there is that '+', that shows that there are extended acls set on the directory, what they are, I have no idea, because I haven't seen the output of 'getfacl /mnt/volume1_daten/basisordner', but, from the error you are getting, I doubt they show 'fs1' having permission to enter the directory.

Your main problem is tracing the 'something' that is triggering smbd to attempt to chdir, it could be something on the server or something connecting from another computer.

Rowland
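
The mode-string reading in the message above, as an added example that is not part of the original post or of Samba: a POSIX sh sketch that takes an 'ls -l' mode string and reports whether a given account may chdir into the directory on the mode bits alone. The function names and the group list given for fs1$ are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): read an 'ls -l' mode string and say
# whether a user may chdir into the directory on mode bits alone.

# Character N (1-based) of a string; empty if the string is shorter.
char_at() { printf '%s' "$1" | cut -c"$2"; }

# Verdict for one execute-position character:
#   x = search allowed; s/t = search allowed plus setuid/setgid/sticky;
#   S/T = special bit set but NO search permission; - = nothing.
verdict() { case "$1" in x|s|t) echo allow ;; *) echo deny ;; esac; }

# Is the sticky bit set? It shows as t or T in the 'others' execute slot.
sticky_set() { case "$(char_at "$1" 10)" in t|T) echo yes ;; *) echo no ;; esac; }

# can_enter MODE OWNER GROUP USER USER_GROUPS(comma-separated)
# Prints allow, deny, or check-acl.
can_enter() {
    if [ "$(char_at "$1" 1)" != d ]; then
        echo not-a-directory
    elif [ "$4" = root ]; then
        echo allow                      # root bypasses the mode bits
    elif [ "$4" = "$2" ]; then
        verdict "$(char_at "$1" 4)"     # owner class
    elif [ "$(char_at "$1" 11)" = + ]; then
        # Extended ACL present: named user/group entries and the mask decide,
        # and the group column of 'ls -l' shows the mask. Read getfacl output.
        echo check-acl
    else
        case ",$5," in
            *",$3,"*) verdict "$(char_at "$1" 7)" ;;    # group class
            *)        verdict "$(char_at "$1" 10)" ;;   # others class
        esac
    fi
}

# Constructed inputs: the directory from the thread, and the machine account
# fs1$ with an assumed group list that does not include 'domain users'.
can_enter 'drwxrwx--T+' root 'domain users' 'fs1$' 'domain computers'
can_enter 'drwxrwx--T'  root 'domain users' 'fs1$' 'domain computers'
```

A check-acl result means the mode bits are not the whole answer and the getfacl output for the directory has to be read before concluding anything.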