samba - Feb 2023 - Logon Script is not executed: STATUS_ACCESS_DENIED

Last week we finally upgraded our servers from Samba 3 to Samba 4 and so far
everything runs smoothly. For now we run 4.15.13 with an old NT-style domain
while we are preparing to migrate to Samba AD-style domain.

Since the upgrade we have the issue that the logon scripts are not executed for
domain users. It works a 100% for domain admins and 0% for non admin users and
we have no idea why.

We tried the various settings without success:

1. setting various registry entries on Windows like: DomainCompatibilityMode,
DNSNameResolutionRequired, RunLogonScriptSync, HardenedPaths

2. setting server max protocol = NT1

Our smb.conf of the netlogon looks like this:

[netlogon]
comment = Netlogon Scripts
path = /server/data/samba/netlogon
read only = No
inherit acls = Yes
browseable = yes
guest ok = yes
printable = no
map archive = no
map read only = no
store dos attributes = yes

ACL and Unix permissions for all are at least read. But even after successful
logon in Windows I perfectly access and execute \\dc\netlogon\myuser.bat
(smb://dc/netlogon/myuser.bat).

I was unable to get anything from the logs.

A wireshark reveals that the file was found and opened before the access denied.

Frame 147: 374 bytes on wire (2992 bits), 374 bytes captured (2992 bits) on
interface eth2, id 0
Ethernet II, Src: VMware_93:fb:2d (00:50:56:93:fb:2d), Dst: Cisco_9f:f0:14
(00:00:0c:9f:f0:14)
Internet Protocol Version 4, Src: 193.197.33.36, Dst: 172.31.23.5
Transmission Control Protocol, Src Port: 445, Dst Port: 50495, Seq: 50753, Ack:
10438, Len: 320
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
SMB2 Header
Create Response (0x05)
StructureSize: 0x0059
0000 0000 0101 100. = Fixed Part Length: 44
.... .... .... ...1 = Dynamic Part: True
Oplock: Lease (0xff)
Response Flags: 0x00
Create Action: The file existed and was opened (1)
Create: Jun 8, 2021 11:00:00.000000000 CEST
Last Access: Feb 21, 2023 09:51:50.209504600 CET
Last Write: Jun 8, 2021 11:00:01.000000000 CEST
Last Change: Jun 8, 2021 11:00:01.000000000 CEST
Allocation Size: 8192
End Of File: 2207
File Attributes: 0x00000020
.... .... .... .... .... .... .... ...0 = Read Only: No
.... .... .... .... .... .... .... ..0. = Hidden: No
.... .... .... .... .... .... .... .0.. = System: No
.... .... .... .... .... .... ...0 .... = Directory: No
.... .... .... .... .... .... ..1. .... = Requires archived: Yes
.... .... .... .... .... .... 0... .... = Normal: No
.... .... .... .... .... ...0 .... .... = Temporary: No
.... .... .... .... .... ..0. .... .... = Sparse: No
.... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an
associated reparse point
.... .... .... .... .... 0... .... .... = Compressed: Uncompressed
.... .... .... .... ...0 .... .... .... = Offline: Online
.... .... .... .... ..0. .... .... .... = Not Content Indexed: Is indexed by the
content indexing service
.... .... .... .... .0.. .... .... .... = Encrypted: No
.... .... .... .... 0... .... .... .... = Integrity Stream: Does NOT have
Integrity Support
.... .... .... ..0. .... .... .... .... = No Scrub Data: Is not excluded from
the data integrity scan
Reserved: 00000000
GUID handle File: meyert.bat
File Id: 89d7e97c-0000-0000-85be-57fa00000000
[Frame handle opened: 147]
Blob Offset: 0x00000098
Blob Length: 164
ExtraInfo SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST SMB2_CREATE_QUERY_ON_DISK_ID
SMB2_CREATE_REQUEST_LEASE
Chain Element: SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST "MxAc"
Chain Element: SMB2_CREATE_QUERY_ON_DISK_ID "QFid"
Chain Element: SMB2_CREATE_REQUEST_LEASE "RqLs"

All seems fine:

Frame 151: 358 bytes on wire (2864 bits), 358 bytes captured (2864 bits) on
interface eth2, id 0
Ethernet II, Src: Cisco_d5:d5:fc (00:2a:6a:d5:d5:fc), Dst: VMware_93:fb:2d
(00:50:56:93:fb:2d)
Internet Protocol Version 4, Src: 172.31.23.5, Dst: 193.197.33.36
Transmission Control Protocol, Src Port: 50495, Dst Port: 445, Seq: 10555, Ack:
53364, Len: 304
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
SMB2 Header
Create Request (0x05)
StructureSize: 0x0039
0000 0000 0011 100. = Fixed Part Length: 28
.... .... .... ...1 = Dynamic Part: True
Oplock: Lease (0xff)
Impersonation level: Impersonation (2)
Create Flags: 0x0000000000000000
Reserved: 0000000000000000
Access Mask: 0x001000a1
.... .... .... .... .... .... .... ...1 = Read: READ access
.... .... .... .... .... .... .... ..0. = Write: NO write access
.... .... .... .... .... .... .... .0.. = Append: NO append access
.... .... .... .... .... .... .... 0... = Read EA: NO read extended attributes
access
.... .... .... .... .... .... ...0 .... = Write EA: NO write extended attributes
access
.... .... .... .... .... .... ..1. .... = Execute: EXECUTE access
.... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access
.... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES
access
.... .... .... .... .... ...0 .... .... = Write Attributes: NO write attributes
access
.... .... .... ...0 .... .... .... .... = Delete: NO delete access
.... .... .... ..0. .... .... .... .... = Read Control: Read access is NOT
granted to owner, group and ACL of the SID
.... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the
DAC
.... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take
ownership)
.... .... ...1 .... .... .... .... .... = Synchronize: Can wait on handle to
SYNCHRONIZE on completion of I/O
.... ...0 .... .... .... .... .... .... = System Security: System security is
NOT set
.... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is
NOT set
...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set
..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is
NOT set
.0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT
set
0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set
File Attributes: 0x00000080
.... .... .... .... .... .... .... ...0 = Read Only: No
.... .... .... .... .... .... .... ..0. = Hidden: No
.... .... .... .... .... .... .... .0.. = System: No
.... .... .... .... .... .... ...0 .... = Directory: No
.... .... .... .... .... .... ..0. .... = Requires archived: No
.... .... .... .... .... .... 1... .... = Normal: Yes
.... .... .... .... .... ...0 .... .... = Temporary: No
.... .... .... .... .... ..0. .... .... = Sparse: No
.... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an
associated reparse point
.... .... .... .... .... 0... .... .... = Compressed: Uncompressed
.... .... .... .... ...0 .... .... .... = Offline: Online
.... .... .... .... ..0. .... .... .... = Not Content Indexed: Is indexed by the
content indexing service
.... .... .... .... .0.. .... .... .... = Encrypted: No
.... .... .... .... 0... .... .... .... = Integrity Stream: Does NOT have
Integrity Support
.... .... .... ..0. .... .... .... .... = No Scrub Data: Is not excluded from
the data integrity scan
Share Access: 0x00000005, Read, Delete
Disposition: Open (if file exists open it, else fail) (1)
Create Options: 0x00000060
Filename: meyert.bat
Blob Offset: 0x00000078
Blob Length: 20
Blob Offset: 0x00000090
Blob Length: 156
ExtraInfo SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2
SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST SMB2_CREATE_REQUEST_LEASE
Chain Element: SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 "DH2Q"
Chain Element: SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST "MxAc"
Chain Element: SMB2_CREATE_REQUEST_LEASE "RqLs"

Then comes the denied:

Frame 164: 131 bytes on wire (1048 bits), 131 bytes captured (1048 bits) on
interface eth2, id 0
Ethernet II, Src: VMware_93:fb:2d (00:50:56:93:fb:2d), Dst: Cisco_9f:f0:14
(00:00:0c:9f:f0:14)
Internet Protocol Version 4, Src: 193.197.33.36, Dst: 172.31.23.5
Transmission Control Protocol, Src Port: 445, Dst Port: 50495, Seq: 54262, Ack:
12275, Len: 77
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
SMB2 Header
ProtocolId: 0xfe534d42
Header Length: 64
Credit Charge: 1
NT Status: STATUS_ACCESS_DENIED (0xc0000022)
Command: Create (5)
Credits granted: 1
Flags: 0x00000031, Response, Priority
Chain Offset: 0x00000000
Message ID: 67
Process Id: 0x0000feff
Tree Id: 0x7d40ce3a \\BRAZILIA\NETLOGON
Session Id: 0x00000000fea05c28 Acct:meyert Domain:DLAN Host:R0678
Signature: 00000000000000000000000000000000
[Response to: 163]
[Time from request: 0.000160938 seconds]
Create Response (0x05)
StructureSize: 0x0009
0000 0000 0000 100. = Fixed Part Length: 4
.... .... .... ...1 = Dynamic Part: True
Error Context Count: 0
Reserved: 0x00
Byte Count: 0
Error Data: 00

Would be great if anyone has any idea or input.

Thanks a lot, Alexander

On 22/02/2023 11:29, Alexander Harm || ApfelQ via samba
wrote:
> Last week we finally upgraded our servers from Samba 3 to Samba 4 and so
far everything runs smoothly. For now we run 4.15.13 with an old NT-style domain
while we are preparing to migrate to Samba AD-style domain.
> 
> Since the upgrade we have the issue that the logon scripts are not executed
for domain users. It works a 100% for domain admins and 0% for non admin users
and we have no idea why.
Sounds like a permission problem.
> 
> We tried the various settings without success:
> 
> 1. setting various registry entries on Windows like:
DomainCompatibilityMode, DNSNameResolutionRequired, RunLogonScriptSync,
HardenedPaths
> 
> 2. setting server max protocol = NT1
> 
> Our smb.conf of the netlogon looks like this:
But what does the rest of the smb.conf look like ?
> 
> [netlogon]
> comment = Netlogon Scripts
> path = /server/data/samba/netlogon
Can your users traverse the path ?
Can they actually get to your netlogon scripts to read and exacute them ?
> read only = No
> inherit acls = Yes
> browseable = yes
> guest ok = yes
> printable = no
> map archive = no
> map read only = no
> store dos attributes = yes
You might want to read 'man smb.conf', a couple of those parameters are 
ignored if the last one is set (and it is set by default).
> 
> ACL and Unix permissions for all are at least read. But even after
successful logon in Windows I perfectly access and execute
\\dc\netlogon\myuser.bat (smb://dc/netlogon/myuser.bat).
> 
> I was unable to get anything from the logs.
> 
> A wireshark reveals that the file was found and opened before the access
denied.
> 
> Frame 147: 374 bytes on wire (2992 bits), 374 bytes captured (2992 bits) on
interface eth2, id 0
> Ethernet II, Src: VMware_93:fb:2d (00:50:56:93:fb:2d), Dst: Cisco_9f:f0:14
(00:00:0c:9f:f0:14)
> Internet Protocol Version 4, Src: 193.197.33.36, Dst: 172.31.23.5
> Transmission Control Protocol, Src Port: 445, Dst Port: 50495, Seq: 50753,
Ack: 10438, Len: 320
> NetBIOS Session Service
> SMB2 (Server Message Block Protocol version 2)
> SMB2 Header
> Create Response (0x05)
> StructureSize: 0x0059
> 0000 0000 0101 100. = Fixed Part Length: 44
> .... .... .... ...1 = Dynamic Part: True
> Oplock: Lease (0xff)
> Response Flags: 0x00
> Create Action: The file existed and was opened (1)
> Create: Jun 8, 2021 11:00:00.000000000 CEST
> Last Access: Feb 21, 2023 09:51:50.209504600 CET
> Last Write: Jun 8, 2021 11:00:01.000000000 CEST
> Last Change: Jun 8, 2021 11:00:01.000000000 CEST
> Allocation Size: 8192
> End Of File: 2207
> File Attributes: 0x00000020
> .... .... .... .... .... .... .... ...0 = Read Only: No
> .... .... .... .... .... .... .... ..0. = Hidden: No
> .... .... .... .... .... .... .... .0.. = System: No
> .... .... .... .... .... .... ...0 .... = Directory: No
> .... .... .... .... .... .... ..1. .... = Requires archived: Yes
> .... .... .... .... .... .... 0... .... = Normal: No
> .... .... .... .... .... ...0 .... .... = Temporary: No
> .... .... .... .... .... ..0. .... .... = Sparse: No
> .... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an
associated reparse point
> .... .... .... .... .... 0... .... .... = Compressed: Uncompressed
> .... .... .... .... ...0 .... .... .... = Offline: Online
> .... .... .... .... ..0. .... .... .... = Not Content Indexed: Is indexed
by the content indexing service
> .... .... .... .... .0.. .... .... .... = Encrypted: No
> .... .... .... .... 0... .... .... .... = Integrity Stream: Does NOT have
Integrity Support
> .... .... .... ..0. .... .... .... .... = No Scrub Data: Is not excluded
from the data integrity scan
> Reserved: 00000000
> GUID handle File: meyert.bat
> File Id: 89d7e97c-0000-0000-85be-57fa00000000
> [Frame handle opened: 147]
> Blob Offset: 0x00000098
> Blob Length: 164
> ExtraInfo SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST
SMB2_CREATE_QUERY_ON_DISK_ID SMB2_CREATE_REQUEST_LEASE
> Chain Element: SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST "MxAc"
> Chain Element: SMB2_CREATE_QUERY_ON_DISK_ID "QFid"
> Chain Element: SMB2_CREATE_REQUEST_LEASE "RqLs"
> 
> All seems fine:
> 
> Frame 151: 358 bytes on wire (2864 bits), 358 bytes captured (2864 bits) on
interface eth2, id 0
> Ethernet II, Src: Cisco_d5:d5:fc (00:2a:6a:d5:d5:fc), Dst: VMware_93:fb:2d
(00:50:56:93:fb:2d)
> Internet Protocol Version 4, Src: 172.31.23.5, Dst: 193.197.33.36
> Transmission Control Protocol, Src Port: 50495, Dst Port: 445, Seq: 10555,
Ack: 53364, Len: 304
> NetBIOS Session Service
> SMB2 (Server Message Block Protocol version 2)
> SMB2 Header
> Create Request (0x05)
> StructureSize: 0x0039
> 0000 0000 0011 100. = Fixed Part Length: 28
> .... .... .... ...1 = Dynamic Part: True
> Oplock: Lease (0xff)
> Impersonation level: Impersonation (2)
> Create Flags: 0x0000000000000000
> Reserved: 0000000000000000
> Access Mask: 0x001000a1
> .... .... .... .... .... .... .... ...1 = Read: READ access
> .... .... .... .... .... .... .... ..0. = Write: NO write access
> .... .... .... .... .... .... .... .0.. = Append: NO append access
> .... .... .... .... .... .... .... 0... = Read EA: NO read extended
attributes access
> .... .... .... .... .... .... ...0 .... = Write EA: NO write extended
attributes access
> .... .... .... .... .... .... ..1. .... = Execute: EXECUTE access
> .... .... .... .... .... .... .0.. .... = Delete Child: NO delete child
access
> .... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES
access
> .... .... .... .... .... ...0 .... .... = Write Attributes: NO write
attributes access
> .... .... .... ...0 .... .... .... .... = Delete: NO delete access
> .... .... .... ..0. .... .... .... .... = Read Control: Read access is NOT
granted to owner, group and ACL of the SID
> .... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to
the DAC
> .... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner
(take ownership)
> .... .... ...1 .... .... .... .... .... = Synchronize: Can wait on handle
to SYNCHRONIZE on completion of I/O
> .... ...0 .... .... .... .... .... .... = System Security: System security
is NOT set
> .... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed
is NOT set
> ...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT
set
> ..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute
is NOT set
> .0.. .... .... .... .... .... .... .... = Generic Write: Generic write is
NOT set
> 0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT
set
> File Attributes: 0x00000080
> .... .... .... .... .... .... .... ...0 = Read Only: No
> .... .... .... .... .... .... .... ..0. = Hidden: No
> .... .... .... .... .... .... .... .0.. = System: No
> .... .... .... .... .... .... ...0 .... = Directory: No
> .... .... .... .... .... .... ..0. .... = Requires archived: No
> .... .... .... .... .... .... 1... .... = Normal: Yes
> .... .... .... .... .... ...0 .... .... = Temporary: No
> .... .... .... .... .... ..0. .... .... = Sparse: No
> .... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an
associated reparse point
> .... .... .... .... .... 0... .... .... = Compressed: Uncompressed
> .... .... .... .... ...0 .... .... .... = Offline: Online
> .... .... .... .... ..0. .... .... .... = Not Content Indexed: Is indexed
by the content indexing service
> .... .... .... .... .0.. .... .... .... = Encrypted: No
> .... .... .... .... 0... .... .... .... = Integrity Stream: Does NOT have
Integrity Support
> .... .... .... ..0. .... .... .... .... = No Scrub Data: Is not excluded
from the data integrity scan
> Share Access: 0x00000005, Read, Delete
> Disposition: Open (if file exists open it, else fail) (1)
> Create Options: 0x00000060
> Filename: meyert.bat
> Blob Offset: 0x00000078
> Blob Length: 20
> Blob Offset: 0x00000090
> Blob Length: 156
> ExtraInfo SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2
SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST SMB2_CREATE_REQUEST_LEASE
> Chain Element: SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 "DH2Q"
> Chain Element: SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST "MxAc"
> Chain Element: SMB2_CREATE_REQUEST_LEASE "RqLs"
> 
> Then comes the denied:
> 
> Frame 164: 131 bytes on wire (1048 bits), 131 bytes captured (1048 bits) on
interface eth2, id 0
> Ethernet II, Src: VMware_93:fb:2d (00:50:56:93:fb:2d), Dst: Cisco_9f:f0:14
(00:00:0c:9f:f0:14)
> Internet Protocol Version 4, Src: 193.197.33.36, Dst: 172.31.23.5
> Transmission Control Protocol, Src Port: 445, Dst Port: 50495, Seq: 54262,
Ack: 12275, Len: 77
> NetBIOS Session Service
> SMB2 (Server Message Block Protocol version 2)
> SMB2 Header
> ProtocolId: 0xfe534d42
> Header Length: 64
> Credit Charge: 1
> NT Status: STATUS_ACCESS_DENIED (0xc0000022)
> Command: Create (5)
> Credits granted: 1
> Flags: 0x00000031, Response, Priority
> Chain Offset: 0x00000000
> Message ID: 67
> Process Id: 0x0000feff
> Tree Id: 0x7d40ce3a \\BRAZILIA\NETLOGON
> Session Id: 0x00000000fea05c28 Acct:meyert Domain:DLAN Host:R0678
> Signature: 00000000000000000000000000000000
> [Response to: 163]
> [Time from request: 0.000160938 seconds]
> Create Response (0x05)
> StructureSize: 0x0009
> 0000 0000 0000 100. = Fixed Part Length: 4
> .... .... .... ...1 = Dynamic Part: True
> Error Context Count: 0
> Reserved: 0x00
> Byte Count: 0
> Error Data: 00
> 
> Would be great if anyone has any idea or input.
Awful lot of 'SMB2' there and, last time I heard, you need SMB1 for an 
NT4_style domain.

Rowland