Please see inline notes:
On 05/07/2023 06:03, Edson Wolf via samba wrote:
> smb.conf
>
> # Global parameters
> [global]
>     netbios name = DC0
>     dns forwarder = 192.168.2.4
>     realm = GRANMARMO.INTRANET
>     server role = active directory domain controller
>     workgroup = GRANMARMO
>     ntlm auth = mschapv2-and-ntlmv2-only
>     password hash userPassword schemes = CryptSHA256 CryptSHA512
I take it you are syncing passwords to an external ldap server.
>     rpc server dynamic port range = 50000-55000
Can I ask why you are not using the default ports?
>     loglevel = 30 auth:5 winbind:5 passdb:5
>     time server = yes
'time server' is an nmbd thing and is not used on an AD DC.
>     security = user
I would never set 'security = user' on an AD DC, you should rely on the
default 'security = auto', which will then force Samba to consult the
'server role' parameter.
>
> ### Maximum number of winbind connections
>     winbind max domain connections = 10
'winbind max domain connections' should not really be used on an AD DC.
>
> ### Enable offline authentication
>     winbind offline logon = yes
I do not see the point of running this on an AD DC, if it goes offline,
what is going to connect to it? It also turns off the 'winbind max
domain connections' line above.
>
>     os level = 34
'os level' is another nmbd thing that should not be used on an AD DC.
>     logon script = netlogon.bat
'logon script' is not used on an AD DC, your Windows clients should find
netlogon via ldap (see the 'scriptPath' attribute), or better still, via
a GPO.
>
> [netlogon]
>     path = /var/lib/samba/sysvol/granmarmo.intranet/scripts
>     read only = Yes
>     guest ok = Yes
>     browseable = No
>
> chmod 700 /var/lib/samba/sysvol/granmarmo.intranet/scripts
Sorry, but you have just broken the permissions on Sysvol, I suggest you
run 'samba-tool ntacl sysvolreset'.
Speaking of Sysvol, what has happened to the '[sysvol]' share?
>
> netlogon.bat
>
> @echo on
> cls
> echo Sincronizando a hora ...
> net time \\dc0 /set /yes
>
> echo Mapeando a rede ...
> net use * /delete /yes
> net use p: \\arquivos\Publico
>
>
Is that in DOS format?
> \\dc0\netlogon\netlogon.bat
>
> If I double click on netlogon.bat it executes
>
It looks like you are trying to run a Samba AD DC as if it is an old
NT4-style PDC. Sorry, but this will not work, you need to run it as an
AD DC.
Rowland
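As an added example (not from the thread or from the Samba project), a small Python linter that flags the smb.conf settings the reply above says do not belong on a Samba AD DC (the nmbd-only parameters, 'security = user', the winbind lines, 'logon script') and a missing '[sysvol]' share; the sample config is a constructed, condensed copy of the one quoted above.

```python
import re

# Parameters the reply identifies as nmbd/NT4-style or counterproductive on an AD DC.
UNWANTED_ON_DC = {
    "time server": "nmbd parameter, not used on an AD DC",
    "os level": "nmbd parameter, not used on an AD DC",
    "logon script": "not used on an AD DC; clients use scriptPath or a GPO instead",
    "winbind max domain connections": "should not be used on an AD DC",
    "winbind offline logon": "pointless on a DC; also disables 'winbind max domain connections'",
}

# Constructed, condensed copy of the configuration quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
    netbios name = DC0
    server role = active directory domain controller
    time server = yes
    security = user
    winbind max domain connections = 10
    winbind offline logon = yes
    os level = 34
    logon script = netlogon.bat
[netlogon]
    path = /var/lib/samba/sysvol/granmarmo.intranet/scripts
"""

def parse_smb_conf(text):
    """Parse into {section: {param: value}}; names lower-cased, internal spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # whole-line comments only, as Samba treats them
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return sections

def lint_dc_config(text):
    """Return [(parameter, reason)] findings; empty if not an AD DC config or nothing to flag."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    if g.get("server role", "").lower() != "active directory domain controller":
        return []
    findings = [(p, why) for p, why in UNWANTED_ON_DC.items() if p in g]
    if g.get("security", "auto").lower() != "auto":
        findings.append(("security", "leave at the default 'auto' so 'server role' is honoured"))
    if "sysvol" not in conf:
        findings.append(("[sysvol]", "share missing; GPOs and netlogon scripts live under sysvol"))
    return findings

if __name__ == "__main__":
    for param, reason in lint_dc_config(SAMPLE_SMB_CONF):
        print(f"{param}: {reason}")
```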