Wim De Geeter
2025-Nov-23 14:37 UTC
[Samba] After upgrade from Debian Bookworm to Trixie we get access denied for group users
In the logs we see that user1 (who belongs to group1 and group2) is found:

[2025/11/23 15:20:55.651217,  2] source3/passdb/pdb_ldap.c:2415(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 20000
[2025/11/23 15:20:55.653778,  2] source3/passdb/pdb_ldap.c:2415(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 20001
[2025/11/23 15:20:55.653836,  1] source3/smbd/smb2_service.c:337(create_connection_session_info)
  create_connection_session_info: user 'user1' (from session setup) not permitted to access this share (share)
[2025/11/23 15:20:55.653856,  1] source3/smbd/smb2_service.c:519(make_connection_snum)
  make_connection_snum: create_connection_session_info failed: NT_STATUS_ACCESS_DENIED

Does anyone have an idea why we get NT_STATUS_ACCESS_DENIED? Before the upgrade it worked for at least 10 years.

Many thanks for advice on where we have to look or what has changed in the new version regarding LDAP authentication/authorization.

On 11/20/25 13:48, Wim De Geeter wrote:
> Rowland, thanks for the quick reply
>
> On 11/20/25 12:34, Rowland Penny wrote:
>> On Thu, 20 Nov 2025 11:50:50 +0100
>> Wim De Geeter via samba <samba at lists.samba.org> wrote:
>>
>>> Hello,
>>>
>>> We have a running working Samba configuration on a Debian Bookworm
>>> (Samba 4.17.12). All authentication and authorization management is
>>> done via openLDAP.
>>>
>>> Samba is only used for file services for Windows clients.
>> Are the Windows clients in an AD domain, if so, why are you using ldap,
>> why not just join the fileserver to the domain and use 'security = ADS'
>> ?
>
> The clients are in an AD Domain. Technically we can (and will) not do
> this.
>
> Our department is working under Linux (no AD). Only the windows users
> (not many) should also have access to these shares.
>
>>> There is
>>> one personal share [homes] and 2 shares (share1 and share2) that are
>>> accessed via groups configured in openLDAP.
>>>
>>> Now we have upgraded our server to Debian Trixie (Samba version
>>> 4.22.6). The personal share can still be accessed by all the users,
>>> but access to the shares [share1] and [share2] is denied. All users
>>> and groups (group1, group2, group3) are defined in openLDAP.
>>>
>>> When I use (as a test) a group locally on the server, it works.
>>>
>> At a guess, and it has been quite some time since I had to do this (it
>> works out of the box with AD), I think you need to map the groups to
>> local groups.
>>
>> It may be that the ldap searches are failing for some reason, have you
>> tried a manual search ?
>
> With the version in Bookworm (4.17.12) it worked flawlessly. The user
> could access his personal share and the group shares.
>
> After upgrade to version 4.22.6 (Trixie) the user can still access his
> personal share but for groups something changed and we can't figure out what.
>
> Any other ideas where to look?
>
> Many Thanks!!
>
>> Rowland
Rowland Penny
2025-Nov-24 10:45 UTC
[Samba] After upgrade from Debian Bookworm to Trixie we get access denied for group users
On Sun, 23 Nov 2025 15:37:26 +0100
Wim De Geeter <wim.de-geeter at uni-graz.at> wrote:
> In the logs we see that the user1 (belongs to group1 and group2) are
> found
>
> [2025/11/23 15:20:55.651217,  2]
> source3/passdb/pdb_ldap.c:2415(init_group_from_ldap)
>   init_group_from_ldap: Entry found for group: 20000
> [2025/11/23 15:20:55.653778,  2]

I had another look at this and if you read the code around line 2415 in
source3/passdb/pdb_ldap.c you find this:

    temp = smbldap_talloc_single_attribute(
            smbldap_get_ldap(ldap_state->smbldap_state),
            entry,
            get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
            ctx);
    if (!temp) {
            DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
                      get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER)));
            TALLOC_FREE(ctx);
            return false;
    }
    DEBUG(2, ("init_group_from_ldap: Entry found for group: %s\n", temp));

Which from my understanding means, find a gidNumber, which it is doing, it
is returning '20000'.

You also have this line in your smb.conf:

    idmap config * : range = 30000-40000

'20000' is less than '30000'. I think Samba is ignoring your groups.

Rowland
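Rowland's reasoning above can be turned into a quick offline check. The following Python script is an added example, not code from this thread or from the Samba project: it pulls every gidNumber that `init_group_from_ldap` reported as found out of log lines shaped like the ones Wim posted, parses each `idmap config <domain> : range` line from an smb.conf fragment, and lists the gidNumbers that no configured range covers. The log lines and the smb.conf fragment embedded in the script are constructed samples modelled on the thread; apart from the `range = 30000-40000` line, the other smb.conf settings (workgroup, passdb backend, idmap backend) are assumptions. Whether an out-of-range gidNumber is really the cause of the NT_STATUS_ACCESS_DENIED is Rowland's hypothesis; the script only makes the mismatch visible.

```python
import re

# Constructed sample log, modelled on the level-2 init_group_from_ldap
# lines and the level-1 denial quoted in the thread.
SAMPLE_LOG = """\
[2025/11/23 15:20:55.651217,  2] source3/passdb/pdb_ldap.c:2415(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 20000
[2025/11/23 15:20:55.653778,  2] source3/passdb/pdb_ldap.c:2415(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 20001
[2025/11/23 15:20:55.653836,  1] source3/smbd/smb2_service.c:337(create_connection_session_info)
  create_connection_session_info: user 'user1' (from session setup) not permitted to access this share (share)
"""

# Constructed smb.conf fragment. Only the idmap range line comes from the
# thread; workgroup, passdb backend and idmap backend are assumptions.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   passdb backend = ldapsam:ldap://ldap.example.invalid
   idmap config * : backend = tdb
   idmap config * : range = 30000-40000
"""

# The gidNumber that pdb_ldap.c prints after "Entry found for group:".
GID_RE = re.compile(r"init_group_from_ldap: Entry found for group: (\d+)")

# One "idmap config <domain> : range = low-high" line; '*' is the default domain.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_idmap_ranges(conf: str) -> dict[str, tuple[int, int]]:
    """Map each idmap domain to the (low, high) range configured for it."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf)}


def gids_from_log(log: str) -> list[int]:
    """Extract every gidNumber that init_group_from_ldap reported as found."""
    return [int(m.group(1)) for m in GID_RE.finditer(log)]


def gids_outside_ranges(gids, ranges) -> list[int]:
    """Return the gids that fall inside none of the configured idmap ranges."""
    return [g for g in gids
            if not any(lo <= g <= hi for lo, hi in ranges.values())]


def report(log: str, conf: str) -> list[str]:
    """One readable line per gidNumber from the log that no idmap range covers."""
    ranges = parse_idmap_ranges(conf)
    covered = ", ".join(f"{d}: {lo}-{hi}" for d, (lo, hi) in ranges.items())
    return [f"gidNumber {gid} is outside every idmap range ({covered})"
            for gid in gids_outside_ranges(gids_from_log(log), ranges)]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, SAMPLE_SMB_CONF):
        print(line)
```

On a real server the log text would come from smbd running at log level 2 or higher and the configuration from the effective smb.conf (for example the output of `testparm -s`), so the two inputs can be swapped for file contents without changing the parsing functions.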