Since migrating from CentOS to AlmaLinux, we’ve been unable to get our Samba shares working properly. For a restricted share “Share1” we have permissions set to 771 for user1 : mydomain\group1. In this scenario, user1 can access Share1, but user2 (who is a member of mydomain\group1) cannot. Changing ownership from user1 to user2 reverses the issue, such that user2 can access the share and user1 cannot.
The samba logs show an NT_STATUS_ACCESS_DENIED error:
[2024/12/02 11:58:51.960127, 2] ../../source3/smbd/dosmode.c:138(unix_mode)
unix_mode(.) inherit mode 40771
[2024/12/02 11:58:51.960276, 3] ../../source3/smbd/smb2_server.c:4036(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:361
[2024/12/02 11:58:52.106944, 2] ../../source3/smbd/dosmode.c:138(unix_mode)
unix_mode(.) inherit mode 40771
...
[2024/12/02 11:58:55.378146, 3] ../../source3/smbd/smb2_server.c:4036(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:361
Windows reports that “You do not have permission to access \file.mydomain\share1.”
This appears to be affecting all shares and groups. As a workaround for the limited number of restricted shares, I’ve been able to grant access with ACLs:
# file: share1/
# owner: user1
# group: group1
user::rwx
user:user2:rwx
...
user:userN:rwx
group::rwx
mask::rwx
other::--x
but obviously this workaround won’t scale.
Details
We have a Windows 2016 server for AD and an AlmaLinux 9.5 file server running Samba 4.20.2. Users are connecting from domain-joined Windows 10/11 workstations.
To set this up, I followed the procedure found here to configure Samba to use Windows AD.
I’ve verified that `groups group1` and `getent group group1` produce the correct list of users and that the GID matches the permissions on the share1 directory.
`kinit` and `klist` show that we can grant and store Kerberos tickets successfully for users, and users can authenticate to the file.mydomain server with their AD credentials.
`id user2@mydomain.com` shows the correct group membership.
/etc/samba/smb.conf
[global]
server smb encrypt = required
client smb encrypt = required
log file = /var/log/samba/%m.log
log level = 3
realm = MYDOMAIN.COM
workgroup = MYDOMAIN
security = ads
printing = bsd
printcap name = /dev/null
disable spoolss = yes
kerberos method = secrets and keytab
winbind refresh tickets = Yes
template homedir = /home/users/%U
template shell = /bin/bash
idmap config MYDOMAIN : range = 2000000-2999999
idmap config MYDOMAIN : backend = sss
idmap config * : range = 10000-1999999
idmap config * : backend = tdb
unix extensions = no
wide links = yes
follow symlinks = yes
netbios name = file
[share1]
browsable = yes
path = /path/to/share1
inherit permissions = yes
read only = No
strict locking = no
/etc/nsswitch.conf
passwd: files sss systemd #I tried adding winbind here as well
group: files sss systemd #I tried adding winbind here as well
netgroup: sss files
automount: sss files
services: sss files
alternatives --display cifs-idmap-plugin
cifs-idmap-plugin - status is auto.
link currently points to /usr/lib64/cifs-utils/cifs_idmap_sss.so
/usr/lib64/cifs-utils/cifs_idmap_sss.so - priority 20
/usr/lib64/cifs-utils/idmapwb.so - priority 10
Current `best' version is /usr/lib64/cifs-utils/cifs_idmap_sss.so.
At this point, I’m not sure where else I should be looking to get this resolved. Any help would be greatly appreciated!
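The per-user ACL workaround above works because a named user entry is checked before the group entries. As an added example (not from the original post, and not Samba's own code), the following evaluates what a POSIX ACL, as getfacl prints it, grants a given user for a given supplementary-group list, following the access-check order in acl(5); the sample ACL is constructed from the one in the post with the userN entries omitted, and the function and dict keys are this example's own names. A mismatch between what this reports for a user's group list and what smbd returns points at the identity smbd resolves for the session rather than at the directory ACL itself.

```python
# Constructed from the ACL in the post above (the "..." userN entries omitted).
SHARE1_ACL = """\
# file: share1/
# owner: user1
# group: group1
user::rwx
user:user2:rwx
group::rwx
mask::rwx
other::--x
"""

def parse_getfacl(text: str) -> dict:
    """Parse getfacl(1) output into its entries; an absent mask means no restriction."""
    acl = {"owner": "", "group": "", "user_obj": "---", "group_obj": "---",
           "other": "---", "mask": "rwx", "users": {}, "groups": {}}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("# owner:") or line.startswith("# group:"):
            acl[line[2:7]] = line.split(":", 1)[1].strip()  # "owner" / "group"
        elif line.startswith("#"):
            continue                                   # "# file:" header line
        else:                                          # drop "#effective:" notes
            tag, qual, perms = line.split("#")[0].strip().split(":")
            if tag in ("user", "group") and qual:
                acl[tag + "s"][qual] = perms           # named user/group entry
            elif tag in ("user", "group"):
                acl[tag + "_obj"] = perms              # owner / owning-group entry
            else:
                acl[tag] = perms                       # mask or other
    return acl

def _and(a: str, b: str) -> str:   # intersection of two rwx strings
    return "".join(x if x == y else "-" for x, y in zip(a, b))
def _or(a: str, b: str) -> str:    # union of two rwx strings
    return "".join(y if x == "-" else x for x, y in zip(a, b))

def effective(acl: dict, user: str, groups: list[str]) -> str:
    """Permissions the acl(5) access check grants `user` whose group list is `groups`."""
    if user == acl["owner"]:
        return acl["user_obj"]                        # owner entry is never masked
    if user in acl["users"]:
        return _and(acl["users"][user], acl["mask"])
    matches = [acl["group_obj"]] if acl["group"] in groups else []
    matches += [p for g, p in acl["groups"].items() if g in groups]
    if matches:                   # any matching group entry may grant, so union them
        granted = "---"
        for p in matches:
            granted = _or(granted, _and(p, acl["mask"]))
        return granted
    return acl["other"]
```

Feed it the real `getfacl` output and the group list from `id <user>`; the plain 771 case (no named entries, no mask) parses the same way.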