samba - Sep 2024 - Getting 'Access Denied' under Offline mode (Offline Files)

Hi Rowland,

Below is the output for testparm -s:

/Server role: ROLE_ACTIVE_DIRECTORY_DC
/

/# Global parameters
[global]
 ??????? ldap server require strong auth = No
 ??????? passdb backend = samba_dsdb
 ??????? realm = SAMBADOM
 ??????? server role = active directory domain controller
 ??????? server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
drepl, winbindd, ntp_signd, kcc, dnsupdate
 ??????? workgroup = SAMBADOM
 ??????? rpc_server:tcpip = no
 ??????? rpc_daemon:spoolssd = embedded
 ??????? rpc_server:spoolss = embedded
 ??????? rpc_server:winreg = embedded
 ??????? rpc_server:ntsvcs = embedded
 ??????? rpc_server:eventlog = embedded
 ??????? rpc_server:srvsvc = embedded
 ??????? rpc_server:svcctl = embedded
 ??????? rpc_server:default = external
 ??????? winbindd:use external pipes = true
 ??????? idmap_ldb:use rfc2307 = yes
 ??????? idmap config * : backend = tdb
 ??????? map archive = No
 ??????? vfs objects = dfs_samba4 acl_xattr


[sysvol]
 ??????? path = /var/lib/samba/sysvol
 ??????? read only = No


[netlogon]
 ??????? path = /var/lib/samba/sysvol/sambadom/scripts
 ??????? read only = No


[pc-admin]
 ??????? path = /data/share_pool/pc_admin
 ??????? read only = No
 ??????? vfs objects = recycle
 ??????? recycle:versions = yes
 ??????? recycle:keeptree = yes
 ??????? recycle:repository = .recycle


[openvpn_share]
 ??????? path = /data/vpncerts
 ??????? read only = No
 ??????? vfs objects = recycle
 ??????? recycle:versions = yes
 ??????? recycle:keeptree = yes
 ??????? recycle:repository = .recycle


[usr_profiles]
 ??????? path = /data/usr_profiles
 ??????? read only = No
 ??????? vfs objects = recycle acl_xattr
 ??????? recycle:versions = yes
 ??????? recycle:keeptree = yes
 ??????? recycle:repository = .recycle


[usr_homes]
 ??????? path = /data/usr_homes
 ??????? read only = No
 ??????? vfs objects = recycle acl_xattr
 ??????? recycle:versions = yes
 ??????? recycle:keeptree = yes
 ??????? recycle:repository = .recycle


[general]
 ??????? path = /data/share_pool/general
 ??????? read only = No
 ??????? vfs objects = recycle full_audit acl_xattr
 ??????? full_audit:failure = none
 ??????? full_audit:success = mkdirat renameat write read readdir open 
connect chdir disconnect
 ??????? full_audit:syslog = true
 ??????? full_audit:prefix = %u|%I|%S
 ??????? recycle:versions = yes
 ??????? recycle:keeptree = yes
 ??????? recycle:repository = .recycle/

Kind regards,

-- 
*June Chong*
*Engineer | TechnologyWise*

Basestation
148 Durham St
Tauranga, NZ

*E:* june at tw.co.nz | *P:* +64 (0)7 571 1060 | *W:* technologywise.co.nz 
<https://www.technologywise.co.nz>

On 10/09/2024 7:36 pm, Rowland Penny via samba wrote:
> On Tue, 10 Sep 2024 15:32:46 +1200
> June Chong | TechnologyWise via samba<samba at lists.samba.org>
wrote:
>
>> Hi team,
>>
>> Hoping someone from the community would be able to help.
>>
>> Samba version *: 4.19.5*
>>
>> OS *: Ubuntu 24.04*
>>
>> We have a perculiar situation where users are getting /Access Denied/
>> on their roaming user profiles. These profiles are redirected using
>> Windows GPOs with Offline Files enabled. We could replicate these on
>> several instances that we manage.
>>
>> On version 4.15.13, when 'Offline Files' are in /offline mode
/users
>> can still work on their files under their profile and once /online/,
>> the files will be synced back with the new changes.
>>
>> Now on Samba 4.19.5, users are getting these errors /Access Denied/ /
>> /You will need permission to make changes onto the folder /under
>> /offline mode/. However, if it is a file within the top level folder,
>> they are ok to make changes to.
>>
>> E.g.? \\server\profiles\user\Desktop\Folder 1??? (Changes can't be
>> made. Access Denied.)
>>
>>   ??? ??? \\server\profiles\user\Desktop\File 1??? (Changes can't
be
>> made. Access Denied.)
>>
>>   ??? ??? \\server\profiles\user\Desktop\Folder 1\File 1 (Changes can
>> be made. No issues. Same thing goes for another folder instead of
>> file.)
>>
>> Once the Sync Centre is shown to be back in /Online mode/ everything
>> works fine.
>>
>> Nothing in the Windows Event Logs could specify. SMB connections are
>> using version SMB3 as it should be on both versions (seen via
>> smbstatus). The release notes did not mention anything that might
>> effect this.
>>
>> Would someone be able to point us in the right direction?
>>
>> Kind regards,
>>
> I think we need to see your smb.conf (to see just how you are sharing
> the profiles), please post the output of 'testparm -s'
>
> Rowland
>
>

On Wed, 11 Sep 2024 13:25:08 +1200
June Chong | TechnologyWise via samba <samba at lists.samba.org> wrote:
> Hi Rowland,
> 
> Below is the output for testparm -s:
I didn't know you were using a DC as a fileserver, this is not
recommended.
If I had know, I would have asked for the output of 'samba-tool
testparm'.
However, I can work with what you have provided.
> 
> /Server role: ROLE_ACTIVE_DIRECTORY_DC
> /
> 
> /# Global parameters
> [global]
>  ??????? ldap server require strong auth = No
>  ??????? passdb backend = samba_dsdb
>  ??????? realm = SAMBADOM
Is your AD domain really using a single label domain ?
This isn't a good idea, Microsoft doesn't support it, so I suppose
Samba shouldn't either, see here:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/single-label-domains-support-policy
>  ??????? server role = active directory domain controller
>  ??????? server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>  ??????? workgroup = SAMBADOM
>  ??????? rpc_server:tcpip = no
>  ??????? rpc_daemon:spoolssd = embedded
>  ??????? rpc_server:spoolss = embedded
>  ??????? rpc_server:winreg = embedded
>  ??????? rpc_server:ntsvcs = embedded
>  ??????? rpc_server:eventlog = embedded
>  ??????? rpc_server:srvsvc = embedded
>  ??????? rpc_server:svcctl = embedded
>  ??????? rpc_server:default = external
>  ??????? winbindd:use external pipes = true
>  ??????? idmap_ldb:use rfc2307 = yes
>  ??????? idmap config * : backend = tdb
>  ??????? map archive = No
>  ??????? vfs objects = dfs_samba4 acl_xattr
Remember that 'vfs objects' line, we will come to it later.
> 
> 
> [sysvol]
>  ??????? path = /var/lib/samba/sysvol
>  ??????? read only = No
> 
> 
> [netlogon]
>  ??????? path = /var/lib/samba/sysvol/sambadom/scripts
>  ??????? read only = No
> 
> 
> [pc-admin]
>  ??????? path = /data/share_pool/pc_admin
>  ??????? read only = No
>  ??????? vfs objects = recycle
No need to go further, do you remember the contents of the 'vfs
objects' line above ?
Every time you set 'vfs objects' on a share, it has to contain whatever
is set in '[global]' or you turn off whatever is set in
'[global]', in
the instance above the line should be:

vfs objects = dfs_samba4 acl_xattr recycle 

I would suggest you do three things:

1) If you are not already doing so, run a second DC.
2) Stop using a DC as a fileserver, create a Unix domain member and use
that instead.
3) Stop using profiles/offline files, they are yesterdays way of doing
things, use folder redirection instead.

Rowland