Antonio Trogu
2021-May-24 13:05 UTC
[Samba] Access denied to sysvol and netlogon shares and GPOs not working after upgrade
On Mon, 24 May 2021, Rowland penny via samba wrote:> On 24/05/2021 11:50, Antonio Trogu via samba wrote: >> I have upgraded a CentOS 7/Samba server AD PDC and file server (it's a >> small site) from a compiled Samba 4.1.7 version to the last 4.14.4 release, >> then executed samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix >> and samba-tool dbcheck --cross-ncs --fix. > > > There have been numerous updates between 4.1.7 and 4.14.4 , not least the > change to Winbind at 4.2.0I know, that's why I have checked again all installation steps required for new releases and fixed something that wasn't compliant. But I've probably missed something.> > How was Samba compiled ?Samba has been compiled both times with the default options, that is: ./configure, make, make install.> >> >> After the upgrade users can logon and access and connect to shares I've >> created, but no user except the Domain Admins can connect to sysvol and >> netlogon, and nobody can execute gpupdate without errors. >> >> CUPS printers are not working, but I still don't know if the 2 issues are >> related. >> >> At any connection attempt to sysvol or netlogon the server logs an entry >> like this: >> >> chdir_current_service: >> vfs_ChDir(/usr/local/samba/var/locks/sysvol/concorde.gruppoconcorde.it/scripts) >> failed: Permission denied. Current token: uid=3000152, gid=100, 9 groups: >> 3000152 100 3000116 3000013 3000014 3000003 3000186 3000009 3000016 >> >> I have checked and fixed permissions and ACLs on the sysvol share via the >> samba-tool ntacl sysvolcheck and sysvolreset commands, fixed permissions >> from Windows and tried the script from >> https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh. >> >> I've also tried all fixes suggested in the >> https://wiki.samba.org/index.php/Sysvolreset guide, deleted all old files - >> except config and policies - left in the Samba paths, checked DNS Winbindd, >> Kerberos, etc., but nothing solved the problem. >> >> I had updated CentOS before Samba and then the gpupdate issue started, but >> I have not tested sysvol and netlogon access, so I'm not sure if it worked >> or not between the 2 updates. >> >> I can provide any other configuration detail or do any required test. > > > Can you post your smb.conf, it may still be using some old settings.Sure; here it is: [global] workgroup = MYDOMAIN realm = MYDOMAIN.MY2NDLEVELDOMAIN.IT netbios name = MYSERVER server role = active directory domain controller dns forwarder = 192.168.0.20 idmap_ldb:use rfc2307 = yes log file = /usr/local/samba/var/%m.log log level = 3 auth_audit:3 rpc_server:spoolss = external rpc_daemon:spoolssd = fork printing = CUPS allow dns updates = nonsecure # For archiving app unix extensions = no follow symlinks = yes wide links = yes # For Windows Xp clients ntlm auth = yes server min protocol = NT1 [printers] path = /var/spool/samba printable = yes [print$] path = /var/samba/Printer_drivers comment = Printer Drivers writeable = yes [netlogon] path = /usr/local/samba/var/locks/sysvol/mydomain.my2ndleveldomain.it/scripts read only = No [sysvol] path = /usr/local/samba/var/locks/sysvol read only = No [home] path = /finale/dati/atlasconcorde/Home read only = No <other custom working shares follow> I have changed here just my domain and server names. All options are present on other servers working with 4.14.4, except unix extensions = no, follow symlinks = yes and wide links = yes. If you tell me I could have tried to comment them, well, you're right ;) Already tried to remove ntlm auth = yes, server min protocol = NT1. Thanks, Antonio> > Rowland > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >The information contained in this email message and/or attachments is strictly confidential. Its use is exclusive to the intended recipient of the message for the purpose reported in the message itself. The following constitutes a breach to the principles provided for by the General Data Protection Regulation 2016/679: keeping the message beyond the necessary time, disclosing its contents, either totally or partially, to third parties, copying or using it for any purpose other than those stated in the message itself. We further inform you that, at any time, you can ask for the suspension of the use of your data, except for any communication provided for by law. Should you receive this message in error, we kindly ask you to notify us immediately via e-mail and delete it from your system.