Sebastian Lisic
2020-Jan-09 23:06 UTC
[Samba] smbclient can access sysvol Windows clients cannot
Hi everyone,

I have two domains with a two way trust (DomA and DomB). When users from DomA (on a DomB Linux PC) access sysvol on DomB's DC using smbclient everything works:

# smbclient //DomB/sysvol -Udoma\\user -c 'ls' -k
  .                                   D        0  Thu Jan  9 13:53:03 2020
  ..                                  D        0  Thu Jan  9 14:28:29 2020
  domb                                D        0  Thu Jan  9 13:52:26 2020

                20511312 blocks of size 1024. 18330504 blocks available

However, on a Windows Server 2019 machine joined to DomB, when I use explorer to browse to the share as DomA\user I receive the error "Access is denied". Users from DomB can access sysvol from Windows without issue.

When DomA\user tries to connect to DomB's DC\sysvol, authentication is working as I get this in the logs:

Successful AuthZ: [srvsvc,ncacn_np] user [DomA]\[user] [SID] at [Thu, 09 Jan 2020 14:52:05.969891 PST] Remote host [ipv4:xxx.xxx.xxx.xxx:60237] local host [ipv4:xxx.xxx.xxx.xxx:445]

DomB DC's smb.conf is as follows:

# Global parameters
[global]
        workgroup = DOMB
        realm = domb
        netbios name = DC
        interfaces = lo eth0
        bind interfaces only = Yes
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/domb/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
        acl_xattr:ignore system acls = yes
Sebastian Lisic
2020-Jan-10 21:52 UTC
[Samba] smbclient can access sysvol Windows clients cannot
If I create a directory on the DomB DC named /test and create the following share:

[test]
        path = /test
        read only = No
        acl_xattr:ignore system acls = yes

DomA users can access that through Windows on DomB without issue, but if I set [sysvol] to "path = /test" they cannot. There appears to be some special magic with [sysvol] I am unaware of. I'm not seeing any errors in the logs, so I'm lost on why smbclient works and Windows does not. I've since tested a Windows 10 machine and it has the same problem.

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Sebastian Lisic via samba
Sent: Thursday, January 9, 2020 3:06 PM
To: 'samba at lists.samba.org' <samba at lists.samba.org>
Subject: [Samba] smbclient can access sysvol Windows clients cannot

[quoted original message omitted; it is identical to the first post above]

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Sebastian Lisic
2020-Jan-10 23:25 UTC
[Samba] smbclient can access sysvol Windows clients cannot
I found a solution. Disabling "RequireMutualAuthentication" with the HardenedPaths policy on Windows allowed users from a trusted domain to access sysvol.

https://docs.microsoft.com/en-us/archive/blogs/leesteve/demystifying-the-unc-hardening-dilemma

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Sebastian Lisic via samba
Sent: Friday, January 10, 2020 1:53 PM
To: 'samba at lists.samba.org' <samba at lists.samba.org>
Subject: Re: [Samba] smbclient can access sysvol Windows clients cannot

[quoted earlier messages omitted; they are identical to the two posts above]
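As an added check (not part of the original thread), this PowerShell reads the UNC Hardened Paths policy (the MS15-011 hardening that the HardenedPaths setting above controls) from the local client's registry and flags SYSVOL/NETLOGON entries where mutual authentication has been relaxed, so the workaround applied in this thread stays visible and scoped. The registry key is the one the policy writes; the function name is my own.

```powershell
# Registry location populated by the "Hardened UNC Paths" Group Policy setting.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function Get-HardenedPathState {
    # Returns one object per configured UNC path with the parsed flags.
    if (-not (Test-Path $HardenedPathsKey)) {
        Write-Warning 'HardenedPaths policy key not present; no UNC hardening is configured.'
        return
    }
    $item = Get-Item -Path $HardenedPathsKey
    foreach ($name in $item.GetValueNames()) {
        # Value data looks like "RequireMutualAuthentication=1, RequireIntegrity=1".
        $data  = [string]$item.GetValue($name)
        $flags = @{}
        foreach ($pair in ($data -split ',')) {
            $kv = $pair.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $flags[$kv[0].Trim()] = $kv[1].Trim() }
        }
        [pscustomobject]@{
            Path               = $name
            MutualAuthRequired = ($flags['RequireMutualAuthentication'] -eq '1')
            IntegrityRequired  = ($flags['RequireIntegrity'] -eq '1')
            PrivacyRequired    = ($flags['RequirePrivacy'] -eq '1')
            Raw                = $data
        }
    }
}

$state = @(Get-HardenedPathState)
$state | Format-Table -AutoSize

# Report the relaxation used as the workaround in this thread: SYSVOL or NETLOGON
# paths whose entry no longer requires mutual (Kerberos) authentication.
$state |
    Where-Object { $_.Path -match 'SYSVOL|NETLOGON' -and -not $_.MutualAuthRequired } |
    ForEach-Object { Write-Warning "Mutual authentication not required for $($_.Path): $($_.Raw)" }
```

Run it on a client joined to DomB (as an administrator for a complete view) before and after the policy change to confirm which paths the relaxation actually affects.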