Try
samba-tool ntacl sysvolreset
On 10 Sep 2025 at 03:26 +0200, Joshua Kramer via samba <samba at lists.samba.org>, wrote:
> Hello All-
>
> I have a Samba 4.22.2 server running as an AD controller on Almalinux 10.
> While diagnosing a login error on a different Linux box, I came to discover
> the following error in the gpo_child.log (under /var/log/sssd) on the
> client machine:
>
> * (2025-08-02 23:23:36): [gpo_child[2889]] [copy_smb_file_to_gpo_cache]
> (0x0400): [RID#7] smb_uri: smb://dc.noosphere.as/sysvol/noosphere.as/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
> * (2025-08-02 23:23:36): [gpo_child[2889]] [copy_smb_file_to_gpo_cache]
> (0x0020): [RID#7] smbc_getFunctionOpen failed [13][Permission denied]
>
> So, I go look for this same transaction on the Samba server. The only
> thing I see that could be the problem is this:
>
> 2025/09/09 21:20:40.533226, 5]
> ../../source3/smbd/dosmode.c:420(fget_ea_dos_attribute)
> fget_ea_dos_attribute: Cannot get attribute from EA on file
> noosphere.as/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI: Error = No data available
>
> I do not believe that this is a Linux user issue since Samba is running as
> root. (Bad, I know!) Also, SELinux is disabled. The underlying
> filesystem is XFS and I have verified that user extended attributes work
> properly on that filesystem.
>
> What could be causing this permission denied issue?
>
> My smb.conf is as follows:
>
> [global]
> netbios name = DC
> realm = NOOSPHERE.AS
> server role = active directory domain controller
> workgroup = NOOSPHERE
> bind interfaces only = yes
> interfaces = 192.168.2.6 192.168.2.4 127.0.0.1
> dns forwarder = 192.168.2.2
> ldap server require strong auth = no
> vfs objects = acl_xattr dfs_samba4
> force unknown acl user = false
> map acl inherit = yes
> ea support = yes
> store dos attributes = yes
> log file = /var/log/samba4-AD-DC/samba-main.log
> server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, s3fs
> log level = 9 passdb:1 auth:9 winbind:9 full_audit:9 gpo:9
> browseable = yes
> tls enabled = yes
> tls keyfile = (redacted)
> tls certfile = (redacted)
> tls cafile = (redacted)
>
> [sysvol]
> path = /opt/samba4-AD-DC/var/locks/sysvol
> read only = No
>
> [netlogon]
> path = /opt/samba4-AD-DC/var/locks/sysvol/noosphere.as/scripts
> read only = No
>
> Thanks!
> -JK
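To see which GPO files a client fails to fetch, before and after the sysvol ACLs are reset, the two gpo_child.log entries quoted above can be paired by process id and RID. This is an added example, not part of the original thread and not SSSD or Samba code; the one-line log layout, the function name `failed_gpo_fetches` and the sample entry for pid 2901 are assumptions constructed for illustration.

```python
import re

# Constructed sample: one-line form of the gpo_child.log entries quoted in the
# thread, plus one made-up fetch (pid 2901, placeholder GUID) with no failure.
SAMPLE_LOG = """\
   *  (2025-08-02 23:23:36): [gpo_child[2889]] [copy_smb_file_to_gpo_cache] (0x0400): [RID#7] smb_uri: smb://dc.noosphere.as/sysvol/noosphere.as/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
   *  (2025-08-02 23:23:36): [gpo_child[2889]] [copy_smb_file_to_gpo_cache] (0x0020): [RID#7] smbc_getFunctionOpen failed [13][Permission denied]
(2025-08-02 23:25:01): [gpo_child[2901]] [copy_smb_file_to_gpo_cache] (0x0400): [RID#9] smb_uri: smb://dc.noosphere.as/sysvol/noosphere.as/Policies/{11111111-2222-3333-4444-555555555555}/GPT.INI
"""

# (timestamp): [gpo_child[pid]] [function] (level): [RID#n] message
LINE = re.compile(
    r"\((?P<ts>[^)]+)\): \[gpo_child\[(?P<pid>\d+)\]\] \[(?P<func>\w+)\] "
    r"\(0x[0-9a-fA-F]+\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)")
URI = re.compile(r"smb_uri: (smb://\S+)")
FAIL = re.compile(r"(\w+) failed \[(\d+)\]\[([^\]]*)\]")
GUID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def failed_gpo_fetches(log_text):
    """Return one record per SMB fetch that was announced and then failed."""
    pending = {}    # (pid, rid) -> last smb_uri announced by that request
    failures = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue                      # wrapped or unrelated line
        key = (m["pid"], m["rid"])
        uri = URI.search(m["msg"])
        if uri:
            pending[key] = uri.group(1)   # remember what this request asked for
            continue
        fail = FAIL.search(m["msg"])
        if fail and key in pending:
            target = pending.pop(key)
            guid = GUID.search(target)
            failures.append({
                "time": m["ts"], "uri": target,
                "gpo": guid.group(0) if guid else None,
                "call": fail.group(1), "errno": int(fail.group(2)),
                "error": fail.group(3)})
    return failures


if __name__ == "__main__":
    for f in failed_gpo_fetches(SAMPLE_LOG):
        print(f["time"], f["gpo"], f["call"], f["errno"], f["error"])
```

An empty result from the same client log after `samba-tool ntacl sysvolreset` shows that no fetch still fails with a recorded error.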