Wim De Geeter
2025-Nov-20 10:50 UTC
[Samba] After upgrade from Debian Bookworm to Trixie we get access denied for group users
Hello,
We have a running working Samba configuration on a Debian Bookworm (Samba
4.17.12).
All authentication and authorization management is done via openLDAP.
Samba is only used for file services for Windows clients. There is one personal
share [homes]
and 2 shares (share1 and share2) that are accessed via groups configured in
openLDAP.
Now we have upgraded our server to Debian Trixie (Samba version 4.22.6).
The personal share can still be accessed by all the users, but access to the
shares [share1] and [share2] is denied.
All users and groups (group1, group2, group3) are defined in openLDAP.
When I use (as a test) a group locally on the server, it works.
Below you see the config in smb.conf:
preferred master = no
domain master = no
passdb backend = ldapsam:ldaps://openldap.domain.com
ldap admin dn = cn=admin,dc=domain,dc=com
ldap delete dn = no
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap passwd sync = Yes
ldap suffix = dc=domain,dc=com
ldap ssl = no
idmap config * : backend = ldap
idmap config * : range = 30000-40000
[homes]
comment = Home Directories
path = /home/%S
valid users = %S
read only = no
browseable = no
writable = yes
create mask = 0660
directory mask = 0770
[share1]
comment = Shared Directory for groups
path = /data/share1
valid users = @group1, @group2
read only = No
browseable = no
writeable = yes
public = no
guest ok = no
create mask = 755
directory mask = 2775
[share2]
comment = Shared Directory for groups
path = /data/share2
valid users = @group2, @group3
read only = No
browseable = no
writeable = yes
public = no
guest ok = no
create mask = 755
directory mask = 2775
What changed in Samba that users defined in a group get denied?
The error we get: tree connect failed: NT_STATUS_ACCESS_DENIED
Does anyone have an idea in which direction we should look?
Many thanks in advance
Rowland Penny
2025-Nov-20 11:34 UTC
[Samba] After upgrade from Debian Bookworm to Trixie we get access denied for group users
On Thu, 20 Nov 2025 11:50:50 +0100 Wim De Geeter via samba <samba at lists.samba.org> wrote:

> Hello,
>
> We have a running working Samba configuration on a Debian Bookworm
> (Samba 4.17.12). All authentication and authorization management is
> done via openLDAP.
>
> Samba is only used for file services for Windows clients.

Are the Windows clients in an AD domain, if so, why are you using ldap, why not just join the fileserver to the domain and use 'security = ADS'?

> There is
> one personal share [homes] and 2 shares (share1 and share2) that are
> accessed via groups configured in openLDAP.
>
> Now we have upgraded our server to Debian Trixie (Samba version
> 4.22.6). The personal share can still be accessed by all the users,
> but access to the shares [share1] and [share2] is denied. All users
> and groups (group1, group2, group3) are defined in openLDAP
>
> When I use (as a test) a group locally on the server, it works.
>
>

At a guess and it has been quite some time since I had to do this (it works out of the box with AD), I think you need to map the groups to local groups. It may be that the ldap searches are failing for some reason, have you tried a manual search?

Rowland
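A first check in the direction suggested above, added here as an example and not taken from either poster: list the groups each share's `valid users` line references and report those the fileserver's own group database (NSS) cannot resolve, since smb.conf treats an `@name` entry as a UNIX group. The sample configuration is constructed from the shares in the post; the function names are hypothetical, and group names are assumed to contain no spaces.

```python
import grp
import re

# Constructed sample modelled on the share definitions quoted in the post.
SAMPLE_CONF = """\
[homes]
valid users = %S
[share1]
path = /data/share1
valid users = @group1, @group2
[share2]
path = /data/share2
valid users = @group2, @group3
"""

def groups_per_share(conf_text):
    """Map each share name to the @group names in its 'valid users' line."""
    shares, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # skip blanks and comments
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            continue
        key, sep, value = line.partition("=")
        # smb.conf parameter names are case- and whitespace-insensitive
        if current and sep and " ".join(key.split()).lower() == "valid users":
            names = re.split(r"[,\s]+", value.strip())
            shares[current] = [n[1:] for n in names if n.startswith("@")]
    return shares

def unresolved_groups(conf_text, lookup=grp.getgrnam):
    """Return {share: [groups the lookup cannot resolve]}.

    lookup defaults to the system group database; it is injectable for tests.
    """
    report = {}
    for share, groups in groups_per_share(conf_text).items():
        missing = []
        for name in groups:
            try:
                lookup(name)
            except KeyError:
                missing.append(name)
        if missing:
            report[share] = missing
    return report

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for share, missing in unresolved_groups(text).items():
        print(f"[{share}] not resolvable on this host: {', '.join(missing)}")
```

Run it on the fileserver with the path to smb.conf as the argument. A group reported here is one the server cannot see as a UNIX group, which is where the manual LDAP search would start.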