Active Directory groups with Samba suddenly stopped working

Over the past week, our users have been reaching out complaining that they can't upload/modify files on the company file server. Specifically, they'll try dragging files onto the share through Windows Explorer and will be faced with 'Access Denied'.

The file server is an Ubuntu VM that's joined to the Windows domain using the following documentation: Setting_up_Samba_as_a_Domain_Member. Admittedly I used our old smb.conf (see below) from the old file server, as my understanding of Linux/Samba is very limited and I needed to get the share up and running as soon as possible.

Here's what I've done so far:

1. SSHd into the file server and checked the permissions of a folder that was known to be having issues.

ls -ll directory_in_question

drwxrwsr-x 12 root name_of_active_directory_group 4096 Dec 17 15:21 ./

Noticed that 'name_of_active_directory_group' seems to be correct, however the members of this group still can't upload files to this location through Explorer.

2. Checked to see if I can even access the group using getent group 'name_of_active_directory_group', and I'm given name_of_active_directory_group:*:10083:username_one,username_two... I even tried running id username_one and it seems to be reaching our AD DC fine.

3. Set the logging level of Samba to 5 and monitored for anything useful in /var/log/samba/. The only line that really jumps out to me is smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED]. However, I can always provide the full log if it helps.

Temporary Fix

If I run setfacl -Rm u:username:rwX directory_in_question then the user will be able to make changes. Or if I change the permissions of the folder with chmod o+rwx directory_in_question then it works without a hitch. However, chmod g+rwx directory_in_question, where I'm specifying the group directly with chmod, doesn't work.

The smb.conf looks like this:

#======================= Global Settings =======================

[global]

## Browsing/Identification ###
   server string = %h server (Samba, Ubuntu)
   security = ads

   workgroup = COMPANY_A
   realm = COMPANY_A.net

#   dedicated keytab file = /etc/krb5.keytab
   kerberos method = system keytab

   disable netbios = Yes
   load printers = No
   printing = bsd
   printcap name = /dev/null
   disable spoolss = Yes

## User mapping!! (to map old users on server)
   username map = /etc/samba/smbusers

#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m
  # log level = 5

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
#   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d

# Log level
#   log level = 5

   lm announce = no
   server max protocol = SMB3
   server min protocol = NT1
   client max protocol = SMB3
   client min protocol = NT1

[share]
   comment = Share folder
   path = /mnt/share_name
   read only = no
   guest ok = no
   directory mask = 0744
   force directory mode = 02775
   create mask = 0664
   force create mode = 0664
   follow symlinks = yes
   wide links = no
   veto files = /._*/.DS_Store/
   vfs objects = streams_xattr

Realm List Info

realm list info

company_A.net
  type: kerberos
  realm-name: company_A.NET
  domain-name: company_A.net
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: winbind
  required-package: libpam-winbind
  required-package: samba-common-bin
  login-formats: COMPAND_A\%U
  login-policy: allow-any-login
company_A.net
  type: kerberos
  realm-name: company_A.NET
  domain-name: company_A.net
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: 

Go and read the Samba wiki page again and then set up your smb.conf correctly, this time without sssd.

I also noticed this: '## User mapping!! (to map old users on server)'. That isn't what the username map is for (well, not in an AD domain).
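The answer points at running sssd and winbind side by side; a common consequence of that setup is exactly the asker's symptom, where 'o+rwx' works but 'g+rwx' does not. NSS (sssd) hands out one POSIX gid for the AD group, while smbd builds the connecting user's token from winbind's idmap, which may have assigned a different gid to the same group SID, so the group bits on the directory never match the token. The script below is an added diagnostic example, not code from the question or the answer. It takes the `getent group` line, the `ls -l` mode string and the gid winbind resolves (on a real server you would obtain that with `wbinfo -n GROUP` followed by `wbinfo --sid-to-gid SID`), and reports which precondition for group write access fails. All sample values are constructed to mirror the question; the winbind gids are assumptions.

```shell
#!/bin/sh
# Added example: check the three preconditions for an AD group granting write
# access through Samba on a domain-member file server.
#   1. the user is actually a member of the directory's owning group (NSS view)
#   2. the group class of the directory mode carries the write bit
#   3. the gid NSS reports equals the gid winbind maps the group SID to
# Constructed sample data (mirrors the question; the winbind gids are assumptions):
NSS_LINE='name_of_active_directory_group:*:10083:username_one,username_two'
WINBIND_GID_OK=10083          # what "wbinfo --sid-to-gid <SID>" prints when idmap agrees with NSS
WINBIND_GID_MISMATCH=3000012  # typical when sssd and winbind allocate ids independently

# parse_gid LINE: numeric gid, the third colon-separated field of a getent group line.
parse_gid() {
  printf '%s\n' "$1" | cut -d: -f3
}

# user_in_group USER LINE: yes/no depending on whether USER is in the member list.
user_in_group() {
  members=$(printf '%s\n' "$2" | cut -d: -f4)
  case ",$members," in
    *",$1,"*) echo yes ;;
    *)        echo no ;;
  esac
}

# group_write_effective MODE: yes/no for the group write bit in an ls -l mode
# string such as drwxrwsr-x (type, owner rwx, group rwx, other rwx).
group_write_effective() {
  case "$1" in
    ?????w*) echo yes ;;
    *)       echo no ;;
  esac
}

# diagnose MODE NSS_LINE USER WINBIND_GID: first failing precondition, or "ok".
diagnose() {
  nss_gid=$(parse_gid "$2")
  if [ "$(user_in_group "$3" "$2")" = no ]; then
    echo "user-not-member"
    return 0
  fi
  if [ "$(group_write_effective "$1")" = no ]; then
    echo "no-group-write-bit"
    return 0
  fi
  if [ "$nss_gid" != "$4" ]; then
    # smbd's token carries the winbind gid; the directory carries the NSS gid.
    echo "idmap-mismatch:nss=$nss_gid winbind=$4"
    return 0
  fi
  echo "ok"
}

# Demonstration with the constructed data: the healthy case and the
# sssd/winbind disagreement the answer warns about.
printf 'consistent idmap : %s\n' "$(diagnose drwxrwsr-x "$NSS_LINE" username_one "$WINBIND_GID_OK")"
printf 'split identity   : %s\n' "$(diagnose drwxrwsr-x "$NSS_LINE" username_one "$WINBIND_GID_MISMATCH")"
```

When the third check fails, fixing the directory mode cannot help; the identity sources have to agree, which is why the answer says to remove sssd and let winbind be the only source of ids on the Samba host. A `setfacl` entry for the individual user or `o+rwx` works around the mismatch only because neither depends on the group gid.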
