Over the past week, our users have been reaching out complaining that they can't upload/modify files on the company file server. Specifically, they'll try dragging files onto the share through Windows Explorer and will be faced with 'Access Denied'.
The file server is an Ubuntu VM that's joined to the Windows domain using the following documentation: Setting_up_Samba_as_a_Domain_Member. Admittedly, I used our old smb.conf (see below) from the old file server, as my understanding of Linux/Samba is very limited and I needed to get the share up and running as soon as possible.
Here's what I've done so far:
1. SSHd into the file server and checked the permissions of a folder that was known to be having issues.
ls -ll directory_in_question
drwxrwsr-x 12 root name_of_active_directory_group 4096 Dec 17 15:21 ./
Noticed that 'name_of_active_directory_group' seems to be correct, however the members of this group still can't upload files to this location through Explorer.
2. Checked to see if I can even access the group using
getent group 'name_of_active_directory_group'
and I'm given
name_of_active_directory_group:*:10083:username_one,username_two...
I even tried running
id username_one
and it seems to be reaching our AD DC fine.
3. Set the logging level of Samba to 5 and monitored for anything useful in /var/log/samba/. The only line that really jumps out to me is
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED]
However, I can always provide the full log if it helps.
Temporary Fix
If I run
setfacl -Rm u:username:rwX directory_in_question
then the user will be able to make changes. Or if I change the permissions of the folder with
chmod o+rwx directory_in_question
then it works without a hitch. However,
chmod g+rwx directory_in_question
where I'm specifying the group directly with chmod, doesn't work.
The smb.conf looks like this:
#======================= Global Settings =======================
[global]
## Browsing/Identification ###
server string = %h server (Samba, Ubuntu)
security = ads
workgroup = COMPANY_A
realm = COMPANY_A.net
# dedicated keytab file = /etc/krb5.keytab
kerberos method = system keytab
disable netbios = Yes
load printers = No
printing = bsd
printcap name = /dev/null
disable spoolss = Yes
## User mapping!! (to map old users on server)
username map = /etc/samba/smbusers
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# log level = 5
# Cap the size of the individual log files (in KiB).
max log size = 1000
# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
# syslog only = no
# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
syslog = 0
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
# Log level
# log level = 5
lm announce = no
server max protocol = SMB3
server min protocol = NT1
client max protocol = SMB3
client min protocol = NT1
[share]
comment = Share folder
path = /mnt/share_name
read only = no
guest ok = no
directory mask = 0744
force directory mode = 02775
create mask = 0664
force create mode = 0664
follow symlinks = yes
wide links = no
veto files = /._*/.DS_Store/
vfs objects = streams_xattr
Realm List Info
realm list info
company_A.net
type: kerberos
realm-name: company_A.NET
domain-name: company_A.net
configured: kerberos-member
server-software: active-directory
client-software: winbind
required-package: winbind
required-package: libpam-winbind
required-package: samba-common-bin
login-formats: COMPAND_A\%U
login-policy: allow-any-login
company_A.net
type: kerberos
realm-name: company_A.NET
domain-name: company_A.net
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U
login-policy: allow-permitted-logins
permitted-logins:
permitted-groups:
Go and read the Samba wiki page again and then set up your smb.conf correctly, this time without sssd.
I also noticed this '## User mapping,, (to map old users on server)'. That isn't what the usermap is for (well, not in an AD domain).
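The `realm list` output in the question shows the same domain joined twice, once with client-software winbind and once with sssd, which is the setup the answer objects to. As an added example (not part of the original question or answer), this shell function reads `realm list` output and reports any domain configured with more than one client; the function names and the trimmed sample stanzas are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): report domains that `realm list`
# shows as joined through more than one client, e.g. both winbind and sssd.

# Reads `realm list` output on stdin; prints "domain: client1 client2" for
# every domain that has more than one distinct client-software value.
conflicting_realms() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # ignore indentation
        $0 == "" { next }
        # A stanza starts with a bare realm name (the only line with no colon).
        index($0, ":") == 0 { realm = tolower($0); next }
        $1 == "client-software:" && realm != "" {
            if (index(" " clients[realm] " ", " " $2 " ") == 0) {
                clients[realm] = clients[realm] (clients[realm] == "" ? "" : " ") $2
                count[realm]++
            }
        }
        END { for (r in count) if (count[r] > 1) print r ": " clients[r] }
    ' | sort
}

# Constructed sample: the two stanzas from the question, trimmed to the
# fields the check needs (names are the post's own placeholders).
sample_realm_list() {
    cat <<'EOF'
company_A.net
  type: kerberos
  configured: kerberos-member
  client-software: winbind
company_A.net
  type: kerberos
  configured: kerberos-member
  client-software: sssd
EOF
}

# On the file server itself: realm list | conflicting_realms
sample_realm_list | conflicting_realms   # prints: company_a.net: winbind sssd
```

An empty result means each domain is joined through a single client, so NSS lookups and smbd resolve users and groups through the same ID mapping.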