Alexander Harm || ApfelQ
2023-Feb-22 11:29 UTC
[Samba] Logon Script is not executed: STATUS_ACCESS_DENIED
Last week we finally upgraded our servers from Samba 3 to Samba 4 and so far everything runs smoothly. For now we run 4.15.13 with an old NT-style domain while we are preparing to migrate to a Samba AD-style domain.

Since the upgrade we have the issue that the logon scripts are not executed for domain users. It works 100% for domain admins and 0% for non-admin users and we have no idea why.

We tried the various settings without success:

1. setting various registry entries on Windows like: DomainCompatibilityMode, DNSNameResolutionRequired, RunLogonScriptSync, HardenedPaths

2. setting server max protocol = NT1

Our smb.conf of the netlogon looks like this:

[netlogon]
comment = Netlogon Scripts
path = /server/data/samba/netlogon
read only = No
inherit acls = Yes
browseable = yes
guest ok = yes
printable = no
map archive = no
map read only = no
store dos attributes = yes

ACL and Unix permissions for all are at least read. But even after successful logon in Windows I perfectly access and execute \\dc\netlogon\myuser.bat (smb://dc/netlogon/myuser.bat).

I was unable to get anything from the logs.

A Wireshark capture reveals that the file was found and opened before the access denied.

Frame 147: 374 bytes on wire (2992 bits), 374 bytes captured (2992 bits) on interface eth2, id 0
Ethernet II, Src: VMware_93:fb:2d (00:50:56:93:fb:2d), Dst: Cisco_9f:f0:14 (00:00:0c:9f:f0:14)
Internet Protocol Version 4, Src: 193.197.33.36, Dst: 172.31.23.5
Transmission Control Protocol, Src Port: 445, Dst Port: 50495, Seq: 50753, Ack: 10438, Len: 320
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
SMB2 Header
Create Response (0x05)
StructureSize: 0x0059
0000 0000 0101 100. = Fixed Part Length: 44
.... .... .... ...1 = Dynamic Part: True
Oplock: Lease (0xff)
Response Flags: 0x00
Create Action: The file existed and was opened (1)
Create: Jun 8, 2021 11:00:00.000000000 CEST
Last Access: Feb 21, 2023 09:51:50.209504600 CET
Last Write: Jun 8, 2021 11:00:01.000000000 CEST
Last Change: Jun 8, 2021 11:00:01.000000000 CEST
Allocation Size: 8192
End Of File: 2207
File Attributes: 0x00000020
.... .... .... .... .... .... .... ...0 = Read Only: No
.... .... .... .... .... .... .... ..0. = Hidden: No
.... .... .... .... .... .... .... .0.. = System: No
.... .... .... .... .... .... ...0 .... = Directory: No
.... .... .... .... .... .... ..1. .... = Requires archived: Yes
.... .... .... .... .... .... 0... .... = Normal: No
.... .... .... .... .... ...0 .... .... = Temporary: No
.... .... .... .... .... ..0. .... .... = Sparse: No
.... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point
.... .... .... .... .... 0... .... .... = Compressed: Uncompressed
.... .... .... .... ...0 .... .... .... = Offline: Online
.... .... .... .... ..0. .... .... .... = Not Content Indexed: Is indexed by the content indexing service
.... .... .... .... .0.. .... .... .... = Encrypted: No
.... .... .... .... 0... .... .... .... = Integrity Stream: Does NOT have Integrity Support
.... .... .... ..0. .... .... .... .... = No Scrub Data: Is not excluded from the data integrity scan
Reserved: 00000000
GUID handle File: meyert.bat
File Id: 89d7e97c-0000-0000-85be-57fa00000000
[Frame handle opened: 147]
Blob Offset: 0x00000098
Blob Length: 164
ExtraInfo SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST SMB2_CREATE_QUERY_ON_DISK_ID SMB2_CREATE_REQUEST_LEASE
Chain Element: SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST "MxAc"
Chain Element: SMB2_CREATE_QUERY_ON_DISK_ID "QFid"
Chain Element: SMB2_CREATE_REQUEST_LEASE "RqLs"

All seems fine:

Frame 151: 358 bytes on wire (2864 bits), 358 bytes captured (2864 bits) on interface eth2, id 0
Ethernet II, Src: Cisco_d5:d5:fc (00:2a:6a:d5:d5:fc), Dst: VMware_93:fb:2d (00:50:56:93:fb:2d)
Internet Protocol Version 4, Src: 172.31.23.5, Dst: 193.197.33.36
Transmission Control Protocol, Src Port: 50495, Dst Port: 445, Seq: 10555, Ack: 53364, Len: 304
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
SMB2 Header
Create Request (0x05)
StructureSize: 0x0039
0000 0000 0011 100. = Fixed Part Length: 28
.... .... .... ...1 = Dynamic Part: True
Oplock: Lease (0xff)
Impersonation level: Impersonation (2)
Create Flags: 0x0000000000000000
Reserved: 0000000000000000
Access Mask: 0x001000a1
.... .... .... .... .... .... .... ...1 = Read: READ access
.... .... .... .... .... .... .... ..0. = Write: NO write access
.... .... .... .... .... .... .... .0.. = Append: NO append access
.... .... .... .... .... .... .... 0... = Read EA: NO read extended attributes access
.... .... .... .... .... .... ...0 .... = Write EA: NO write extended attributes access
.... .... .... .... .... .... ..1. .... = Execute: EXECUTE access
.... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access
.... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access
.... .... .... .... .... ...0 .... .... = Write Attributes: NO write attributes access
.... .... .... ...0 .... .... .... .... = Delete: NO delete access
.... .... .... ..0. .... .... .... .... = Read Control: Read access is NOT granted to owner, group and ACL of the SID
.... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC
.... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)
.... .... ...1 .... .... .... .... .... = Synchronize: Can wait on handle to SYNCHRONIZE on completion of I/O
.... ...0 .... .... .... .... .... .... = System Security: System security is NOT set
.... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set
...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set
..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set
.0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set
0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set
File Attributes: 0x00000080
.... .... .... .... .... .... .... ...0 = Read Only: No
.... .... .... .... .... .... .... ..0. = Hidden: No
.... .... .... .... .... .... .... .0.. = System: No
.... .... .... .... .... .... ...0 .... = Directory: No
.... .... .... .... .... .... ..0. .... = Requires archived: No
.... .... .... .... .... .... 1... .... = Normal: Yes
.... .... .... .... .... ...0 .... .... = Temporary: No
.... .... .... .... .... ..0. .... .... = Sparse: No
.... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point
.... .... .... .... .... 0... .... .... = Compressed: Uncompressed
.... .... .... .... ...0 .... .... .... = Offline: Online
.... .... .... .... ..0. .... .... .... = Not Content Indexed: Is indexed by the content indexing service
.... .... .... .... .0.. .... .... .... = Encrypted: No
.... .... .... .... 0... .... .... .... = Integrity Stream: Does NOT have Integrity Support
.... .... .... ..0. .... .... .... .... = No Scrub Data: Is not excluded from the data integrity scan
Share Access: 0x00000005, Read, Delete
Disposition: Open (if file exists open it, else fail) (1)
Create Options: 0x00000060
Filename: meyert.bat
Blob Offset: 0x00000078
Blob Length: 20
Blob Offset: 0x00000090
Blob Length: 156
ExtraInfo SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST SMB2_CREATE_REQUEST_LEASE
Chain Element: SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 "DH2Q"
Chain Element: SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST "MxAc"
Chain Element: SMB2_CREATE_REQUEST_LEASE "RqLs"

Then comes the denied:

Frame 164: 131 bytes on wire (1048 bits), 131 bytes captured (1048 bits) on interface eth2, id 0
Ethernet II, Src: VMware_93:fb:2d (00:50:56:93:fb:2d), Dst: Cisco_9f:f0:14 (00:00:0c:9f:f0:14)
Internet Protocol Version 4, Src: 193.197.33.36, Dst: 172.31.23.5
Transmission Control Protocol, Src Port: 445, Dst Port: 50495, Seq: 54262, Ack: 12275, Len: 77
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
SMB2 Header
ProtocolId: 0xfe534d42
Header Length: 64
Credit Charge: 1
NT Status: STATUS_ACCESS_DENIED (0xc0000022)
Command: Create (5)
Credits granted: 1
Flags: 0x00000031, Response, Priority
Chain Offset: 0x00000000
Message ID: 67
Process Id: 0x0000feff
Tree Id: 0x7d40ce3a \\BRAZILIA\NETLOGON
Session Id: 0x00000000fea05c28 Acct:meyert Domain:DLAN Host:R0678
Signature: 00000000000000000000000000000000
[Response to: 163]
[Time from request: 0.000160938 seconds]
Create Response (0x05)
StructureSize: 0x0009
0000 0000 0000 100. = Fixed Part Length: 4
.... .... .... ...1 = Dynamic Part: True
Error Context Count: 0
Reserved: 0x00
Byte Count: 0
Error Data: 00

Would be great if anyone has any idea or input.

Thanks a lot,
Alexander
Rowland Penny
2023-Feb-22 11:42 UTC
[Samba] Logon Script is not executed: STATUS_ACCESS_DENIED
On 22/02/2023 11:29, Alexander Harm || ApfelQ via samba wrote:
> Last week we finally upgraded our servers from Samba 3 to Samba 4 and so far everything runs smoothly. For now we run 4.15.13 with an old NT-style domain while we are preparing to migrate to a Samba AD-style domain.
>
> Since the upgrade we have the issue that the logon scripts are not executed for domain users. It works 100% for domain admins and 0% for non-admin users and we have no idea why.

Sounds like a permission problem.

> We tried the various settings without success:
>
> 1. setting various registry entries on Windows like: DomainCompatibilityMode, DNSNameResolutionRequired, RunLogonScriptSync, HardenedPaths
>
> 2. setting server max protocol = NT1
>
> Our smb.conf of the netlogon looks like this:

But what does the rest of the smb.conf look like?

> [netlogon]
> comment = Netlogon Scripts
> path = /server/data/samba/netlogon

Can your users traverse the path? Can they actually get to your netlogon scripts to read and execute them?

> read only = No
> inherit acls = Yes
> browseable = yes
> guest ok = yes
> printable = no
> map archive = no
> map read only = no
> store dos attributes = yes

You might want to read 'man smb.conf', a couple of those parameters are ignored if the last one is set (and it is set by default).

> ACL and Unix permissions for all are at least read. But even after successful logon in Windows I perfectly access and execute \\dc\netlogon\myuser.bat (smb://dc/netlogon/myuser.bat).
>
> I was unable to get anything from the logs.
>
> A Wireshark capture reveals that the file was found and opened before the access denied.
>
> Frame 147: 374 bytes on wire (2992 bits), 374 bytes captured (2992 bits) on interface eth2, id 0
> Ethernet II, Src: VMware_93:fb:2d (00:50:56:93:fb:2d), Dst: Cisco_9f:f0:14 (00:00:0c:9f:f0:14)
> Internet Protocol Version 4, Src: 193.197.33.36, Dst: 172.31.23.5
> Transmission Control Protocol, Src Port: 445, Dst Port: 50495, Seq: 50753, Ack: 10438, Len: 320
> NetBIOS Session Service
> SMB2 (Server Message Block Protocol version 2)
> SMB2 Header
> Create Response (0x05)
> StructureSize: 0x0059
> 0000 0000 0101 100. = Fixed Part Length: 44
> .... .... .... ...1 = Dynamic Part: True
> Oplock: Lease (0xff)
> Response Flags: 0x00
> Create Action: The file existed and was opened (1)
> Create: Jun 8, 2021 11:00:00.000000000 CEST
> Last Access: Feb 21, 2023 09:51:50.209504600 CET
> Last Write: Jun 8, 2021 11:00:01.000000000 CEST
> Last Change: Jun 8, 2021 11:00:01.000000000 CEST
> Allocation Size: 8192
> End Of File: 2207
> File Attributes: 0x00000020
> .... .... .... .... .... .... .... ...0 = Read Only: No
> .... .... .... .... .... .... .... ..0. = Hidden: No
> .... .... .... .... .... .... .... .0.. = System: No
> .... .... .... .... .... .... ...0 .... = Directory: No
> .... .... .... .... .... .... ..1. .... = Requires archived: Yes
> .... .... .... .... .... .... 0... .... = Normal: No
> .... .... .... .... .... ...0 .... .... = Temporary: No
> .... .... .... .... .... ..0. .... .... = Sparse: No
> .... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point
> .... .... .... .... .... 0... .... .... = Compressed: Uncompressed
> .... .... .... .... ...0 .... .... .... = Offline: Online
> .... .... .... .... ..0. .... .... .... = Not Content Indexed: Is indexed by the content indexing service
> .... .... .... .... .0.. .... .... .... = Encrypted: No
> .... .... .... .... 0... .... .... .... = Integrity Stream: Does NOT have Integrity Support
> .... .... .... ..0. .... .... .... .... = No Scrub Data: Is not excluded from the data integrity scan
> Reserved: 00000000
> GUID handle File: meyert.bat
> File Id: 89d7e97c-0000-0000-85be-57fa00000000
> [Frame handle opened: 147]
> Blob Offset: 0x00000098
> Blob Length: 164
> ExtraInfo SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST SMB2_CREATE_QUERY_ON_DISK_ID SMB2_CREATE_REQUEST_LEASE
> Chain Element: SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST "MxAc"
> Chain Element: SMB2_CREATE_QUERY_ON_DISK_ID "QFid"
> Chain Element: SMB2_CREATE_REQUEST_LEASE "RqLs"
>
> All seems fine:
>
> Frame 151: 358 bytes on wire (2864 bits), 358 bytes captured (2864 bits) on interface eth2, id 0
> Ethernet II, Src: Cisco_d5:d5:fc (00:2a:6a:d5:d5:fc), Dst: VMware_93:fb:2d (00:50:56:93:fb:2d)
> Internet Protocol Version 4, Src: 172.31.23.5, Dst: 193.197.33.36
> Transmission Control Protocol, Src Port: 50495, Dst Port: 445, Seq: 10555, Ack: 53364, Len: 304
> NetBIOS Session Service
> SMB2 (Server Message Block Protocol version 2)
> SMB2 Header
> Create Request (0x05)
> StructureSize: 0x0039
> 0000 0000 0011 100. = Fixed Part Length: 28
> .... .... .... ...1 = Dynamic Part: True
> Oplock: Lease (0xff)
> Impersonation level: Impersonation (2)
> Create Flags: 0x0000000000000000
> Reserved: 0000000000000000
> Access Mask: 0x001000a1
> .... .... .... .... .... .... .... ...1 = Read: READ access
> .... .... .... .... .... .... .... ..0. = Write: NO write access
> .... .... .... .... .... .... .... .0.. = Append: NO append access
> .... .... .... .... .... .... .... 0... = Read EA: NO read extended attributes access
> .... .... .... .... .... .... ...0 .... = Write EA: NO write extended attributes access
> .... .... .... .... .... .... ..1. .... = Execute: EXECUTE access
> .... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access
> .... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access
> .... .... .... .... .... ...0 .... .... = Write Attributes: NO write attributes access
> .... .... .... ...0 .... .... .... .... = Delete: NO delete access
> .... .... .... ..0. .... .... .... .... = Read Control: Read access is NOT granted to owner, group and ACL of the SID
> .... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC
> .... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)
> .... .... ...1 .... .... .... .... .... = Synchronize: Can wait on handle to SYNCHRONIZE on completion of I/O
> .... ...0 .... .... .... .... .... .... = System Security: System security is NOT set
> .... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set
> ...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set
> ..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set
> .0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set
> 0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set
> File Attributes: 0x00000080
> .... .... .... .... .... .... .... ...0 = Read Only: No
> .... .... .... .... .... .... .... ..0. = Hidden: No
> .... .... .... .... .... .... .... .0.. = System: No
> .... .... .... .... .... .... ...0 .... = Directory: No
> .... .... .... .... .... .... ..0. .... = Requires archived: No
> .... .... .... .... .... .... 1... .... = Normal: Yes
> .... .... .... .... .... ...0 .... .... = Temporary: No
> .... .... .... .... .... ..0. .... .... = Sparse: No
> .... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point
> .... .... .... .... .... 0... .... .... = Compressed: Uncompressed
> .... .... .... .... ...0 .... .... .... = Offline: Online
> .... .... .... .... ..0. .... .... .... = Not Content Indexed: Is indexed by the content indexing service
> .... .... .... .... .0.. .... .... .... = Encrypted: No
> .... .... .... .... 0... .... .... .... = Integrity Stream: Does NOT have Integrity Support
> .... .... .... ..0. .... .... .... .... = No Scrub Data: Is not excluded from the data integrity scan
> Share Access: 0x00000005, Read, Delete
> Disposition: Open (if file exists open it, else fail) (1)
> Create Options: 0x00000060
> Filename: meyert.bat
> Blob Offset: 0x00000078
> Blob Length: 20
> Blob Offset: 0x00000090
> Blob Length: 156
> ExtraInfo SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST SMB2_CREATE_REQUEST_LEASE
> Chain Element: SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 "DH2Q"
> Chain Element: SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST "MxAc"
> Chain Element: SMB2_CREATE_REQUEST_LEASE "RqLs"
>
> Then comes the denied:
>
> Frame 164: 131 bytes on wire (1048 bits), 131 bytes captured (1048 bits) on interface eth2, id 0
> Ethernet II, Src: VMware_93:fb:2d (00:50:56:93:fb:2d), Dst: Cisco_9f:f0:14 (00:00:0c:9f:f0:14)
> Internet Protocol Version 4, Src: 193.197.33.36, Dst: 172.31.23.5
> Transmission Control Protocol, Src Port: 445, Dst Port: 50495, Seq: 54262, Ack: 12275, Len: 77
> NetBIOS Session Service
> SMB2 (Server Message Block Protocol version 2)
> SMB2 Header
> ProtocolId: 0xfe534d42
> Header Length: 64
> Credit Charge: 1
> NT Status: STATUS_ACCESS_DENIED (0xc0000022)
> Command: Create (5)
> Credits granted: 1
> Flags: 0x00000031, Response, Priority
> Chain Offset: 0x00000000
> Message ID: 67
> Process Id: 0x0000feff
> Tree Id: 0x7d40ce3a \\BRAZILIA\NETLOGON
> Session Id: 0x00000000fea05c28 Acct:meyert Domain:DLAN Host:R0678
> Signature: 00000000000000000000000000000000
> [Response to: 163]
> [Time from request: 0.000160938 seconds]
> Create Response (0x05)
> StructureSize: 0x0009
> 0000 0000 0000 100. = Fixed Part Length: 4
> .... .... .... ...1 = Dynamic Part: True
> Error Context Count: 0
> Reserved: 0x00
> Byte Count: 0
> Error Data: 00
>
> Would be great if anyone has any idea or input.

Awful lot of 'SMB2' there and, last time I heard, you need SMB1 for an NT4-style domain.

Rowland
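As an added example (not from either message in the thread), the decoder below names the bits of the SMB2 CREATE access mask captured in frame 151, 0x001000a1, and checks it against the POSIX mode bits of the script roughly the way a Samba 4 server evaluates a non-admin open. The rwx to NT-rights mapping approximates Samba's POSIX ACL mapping, and the FILE_EXECUTE rule follows the smb.conf description of 'acl allow execute always' (default no); both are assumptions of this example, as is the sample mode 0754.

```python
"""Added example, not from the thread: decode the SMB2 CREATE access mask of
frame 151 (0x001000a1) and check it against POSIX rwx bits.  The rwx -> NT
rights mapping approximates Samba's POSIX ACL mapping (an assumption here)."""
from typing import List, Tuple

# Access-mask bit names for files (MS-SMB2 2.2.13.1.1 / MS-FSCC 2.4.5).
ACCESS_BITS = {
    0x00000001: "FILE_READ_DATA", 0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA", 0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA", 0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD", 0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES", 0x00010000: "DELETE",
    0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY", 0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
}
FILE_EXECUTE = 0x00000020
# Rights each POSIX permission bit grants (approximation): every granted bit
# carries READ_CONTROL and SYNCHRONIZE; 'x' adds FILE_EXECUTE and READ_ATTRIBUTES.
RIGHTS_FOR = {
    "r": 0x00000001 | 0x00000008 | 0x00000080 | 0x00020000 | 0x00100000,
    "w": 0x00000002 | 0x00000004 | 0x00000010 | 0x00000100 | 0x00020000 | 0x00100000,
    "x": 0x00000020 | 0x00000080 | 0x00020000 | 0x00100000,
}

def decode_access_mask(mask: int) -> List[str]:
    """Names of the set bits, lowest first; unknown bits are shown as hex."""
    return [ACCESS_BITS.get(1 << b, f"0x{1 << b:08x}")
            for b in range(32) if mask & (1 << b)]

def class_bits(mode: int, is_owner: bool, in_group: bool) -> str:
    """The rwx triple from an st_mode value that applies to the caller."""
    shift = 6 if is_owner else 3 if in_group else 0
    perm = (mode >> shift) & 0o7
    return "".join(c if perm & m else "-" for c, m in (("r", 4), ("w", 2), ("x", 1)))

def check_open(mask: int, rwx: str,
               acl_allow_execute_always: bool = False) -> Tuple[bool, List[str]]:
    """Return (granted, names of requested rights the mode does not grant)."""
    granted = 0
    for bit in rwx:
        granted |= RIGHTS_FOR.get(bit, 0)
    # With 'acl allow execute always = yes' smbd no longer requires the Unix
    # execute bit for an open-for-execute on a regular file (smb.conf man page).
    if acl_allow_execute_always:
        granted |= FILE_EXECUTE
    missing = mask & ~granted & 0xFFFFFFFF
    return missing == 0, decode_access_mask(missing)

if __name__ == "__main__":
    FRAME_151_MASK = 0x001000a1  # taken from the capture quoted in the thread
    print(decode_access_mask(FRAME_151_MASK))
    for rwx in (class_bits(0o100754, False, True), class_bits(0o100754, False, False)):
        print(rwx, check_open(FRAME_151_MASK, rwx), check_open(FRAME_151_MASK, rwx, True))
```

With the sample mode 0754 a group member ("r-x") gets the open granted while everyone else ("r--") is missing only FILE_EXECUTE, which is exactly the difference between a domain admin and a plain user that the thread describes.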