Bug 15304 - Multiple permission denied vfs_ChDir for machine accounts
Summary: Multiple permission denied vfs_ChDir for machine accounts
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.17.5
Hardware: x64 Linux
: P5 minor (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2023-02-09 10:08 UTC by Deadpete
Modified: 2023-02-09 10:08 UTC (History)
0 users

See Also:

smb.conf and log excerpts (8.03 KB, text/plain)
2023-02-09 10:08 UTC, Deadpete
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Deadpete 2023-02-09 10:08:33 UTC
Created attachment 17756 [details]
smb.conf and log excerpts


I recently set up a domain member server with Debian Bookworm and Samba 4.17.5, and I have noted frequent and lots of permission denied errors in the journal (the same errors as in log.smbd). Example of the errors are found in the attachment under heading Journal dump. Essentially the error pairs is as shown below with variations, depending on machine account and share:

Feb 09 09:51:37 konsrvfast smbd[805904]:   chdir_current_service: vfs_ChDir(/data/samba/Publishing) failed: Permission denied. Current token: uid=11155, gid=10515, 5 groups: 11155 10515 3003 3004 3006
Feb 09 09:51:37 konsrvfast smbd[805904]: [2023/02/09 09:51:37.557723,  0, effective(11155, 10515), real(11155, 0)] ../../source3/smbd/smb2_service.c:168(chdir_current_service)

The uid 11155 is an existing AD machine account, and gid 10515 is the standard AD group Computers

I have also noted other errors in some of the samba log files.

In log.samba-dcerpcd smbd tries to connect to a pipe in /run/samba/ncalrpc/EPMAPPER. The pipe exists, but in the directory /run/samba/ncalrpc/np/epmapper

Further, in the log file log.wb-SAMDOM is recorded, that smbd tries to access the file /var/lib/samba/private/secrets.ldb, which does not exist. However, the file /var/lib/samba/private/secrets.tdb exists.

Finally, in the log file log.winbindd there are numerous errors where winbind cannot convert sid S-0-0, which raises the error NT_STATUS_NONE_MAPPED and furtner on the error Failed with NT_STATUS_INVALID_SID

The shares of the member server were basically set up according to the Samba Wiki for use with Windows ACLs, and then all management is made through the RSAT tool suite.

As otherwise everything seems to be working, I have put a minor severity on the bug report. The users do not complain, and the roaming profiles seem to work.

Best regards,