Rowland Penny
2025-Nov-20 11:34 UTC
[Samba] After upgrade from Debian Bookworm to Trixie we get access denied for group users
On Thu, 20 Nov 2025 11:50:50 +0100 Wim De Geeter via samba <samba at lists.samba.org> wrote:

> Hello,
>
> We have a running working Samba configuration on a Debian Bookworm
> (Samba 4.17.12). All authentication and authorization management is
> done via openLDAP.
>
> Samba is only used for file services for Windows clients.

Are the Windows clients in an AD domain, if so, why are you using ldap, why not just join the fileserver to the domain and use 'security = ADS'?

> There is
> one personal share [homes] and 2 shares (share1 and share2) that are
> accessed via groups configured in openLDAP.
>
> Now we have upgraded our server to Debian Trixie (Samba version
> 4.22.6). The personal share can still be accessed by all the users,
> but access to the shares [share1] and [share2] is denied. All users
> and groups (group1, group2, group3) are defined in openLDAP
>
> When I use (as a test) a group locally on the server, it works.

At a guess and it has been quite some time since I had to do this (it works out of the box with AD), I think you need to map the groups to local groups.

It may be that the ldap searches are failing for some reason, have you tried a manual search?

Rowland
Wim De Geeter
2025-Nov-20 12:48 UTC
[Samba] After upgrade from Debian Bookworm to Trixie we get access denied for group users
Rowland, thanks for the quick reply

On 11/20/25 12:34, Rowland Penny wrote:

> On Thu, 20 Nov 2025 11:50:50 +0100
> Wim De Geeter via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> We have a running working Samba configuration on a Debian Bookworm
>> (Samba 4.17.12). All authentication and authorization management is
>> done via openLDAP.
>>
>> Samba is only used for file services for Windows clients.
> Are the Windows clients in an AD domain, if so, why are you using ldap,
> why not just join the fileserver to the domain and use 'security = ADS'?

The clients are in an AD Domain. Technically we can (and will) not do this. Our department is working under Linux (no AD). Only the Windows users (not many) should also have access to these shares.

>> There is
>> one personal share [homes] and 2 shares (share1 and share2) that are
>> accessed via groups configured in openLDAP.
>>
>> Now we have upgraded our server to Debian Trixie (Samba version
>> 4.22.6). The personal share can still be accessed by all the users,
>> but access to the shares [share1] and [share2] is denied. All users
>> and groups (group1, group2, group3) are defined in openLDAP
>>
>> When I use (as a test) a group locally on the server, it works.
>>
> At a guess and it has been quite some time since I had to do this (it
> works out of the box with AD), I think you need to map the groups to
> local groups.
>
> It may be that the ldap searches are failing for some reason, have you
> tried a manual search?

With the version in Bookworm (4.17.12) it worked flawlessly. The user could access his personal share and the group shares. After upgrade to version 4.22.6 (Trixie) the user can still access his personal share but for groups something changed and we can't figure out what.

Any other ideas where to look?

Many Thanks!!

> Rowland