June Chong | TechnologyWise
2024-Sep-11 01:25 UTC
[Samba] Getting 'Access Denied' under Offline mode (Offline Files)
Hi Rowland,

Below is the output for testparm -s:

Server role: ROLE_ACTIVE_DIRECTORY_DC

# Global parameters
[global]
        ldap server require strong auth = No
        passdb backend = samba_dsdb
        realm = SAMBADOM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = SAMBADOM
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        map archive = No
        vfs objects = dfs_samba4 acl_xattr


[sysvol]
        path = /var/lib/samba/sysvol
        read only = No


[netlogon]
        path = /var/lib/samba/sysvol/sambadom/scripts
        read only = No


[pc-admin]
        path = /data/share_pool/pc_admin
        read only = No
        vfs objects = recycle
        recycle:versions = yes
        recycle:keeptree = yes
        recycle:repository = .recycle


[openvpn_share]
        path = /data/vpncerts
        read only = No
        vfs objects = recycle
        recycle:versions = yes
        recycle:keeptree = yes
        recycle:repository = .recycle


[usr_profiles]
        path = /data/usr_profiles
        read only = No
        vfs objects = recycle acl_xattr
        recycle:versions = yes
        recycle:keeptree = yes
        recycle:repository = .recycle


[usr_homes]
        path = /data/usr_homes
        read only = No
        vfs objects = recycle acl_xattr
        recycle:versions = yes
        recycle:keeptree = yes
        recycle:repository = .recycle


[general]
        path = /data/share_pool/general
        read only = No
        vfs objects = recycle full_audit acl_xattr
        full_audit:failure = none
        full_audit:success = mkdirat renameat write read readdir open connect chdir disconnect
        full_audit:syslog = true
        full_audit:prefix = %u|%I|%S
        recycle:versions = yes
        recycle:keeptree = yes
        recycle:repository = .recycle/

Kind regards,

--
June Chong
Engineer | TechnologyWise
Basestation 148 Durham St Tauranga, NZ
E: june at tw.co.nz | P: +64 (0)7 571 1060 | W: technologywise.co.nz <https://www.technologywise.co.nz>

On 10/09/2024 7:36 pm, Rowland Penny via samba wrote:
> On Tue, 10 Sep 2024 15:32:46 +1200
> June Chong | TechnologyWise via samba <samba at lists.samba.org> wrote:
>
>> Hi team,
>>
>> Hoping someone from the community would be able to help.
>>
>> Samba version: 4.19.5
>>
>> OS: Ubuntu 24.04
>>
>> We have a peculiar situation where users are getting 'Access Denied'
>> on their roaming user profiles. These profiles are redirected using
>> Windows GPOs with Offline Files enabled. We could replicate these on
>> several instances that we manage.
>>
>> On version 4.15.13, when 'Offline Files' are in offline mode users
>> can still work on their files under their profile and once online,
>> the files will be synced back with the new changes.
>>
>> Now on Samba 4.19.5, users are getting these errors 'Access Denied' /
>> 'You will need permission to make changes onto the folder' under
>> offline mode. However, if it is a file within the top level folder,
>> they are ok to make changes to.
>>
>> E.g.  \\server\profiles\user\Desktop\Folder 1          (Changes can't be made. Access Denied.)
>>       \\server\profiles\user\Desktop\File 1            (Changes can't be made. Access Denied.)
>>       \\server\profiles\user\Desktop\Folder 1\File 1   (Changes can be made. No issues. Same thing goes for another folder instead of file.)
>>
>> Once the Sync Centre is shown to be back in Online mode everything
>> works fine.
>>
>> Nothing in the Windows Event Logs could specify. SMB connections are
>> using version SMB3 as it should be on both versions (seen via
>> smbstatus). The release notes did not mention anything that might
>> affect this.
>>
>> Would someone be able to point us in the right direction?
>>
>> Kind regards,
>>
> I think we need to see your smb.conf (to see just how you are sharing
> the profiles), please post the output of 'testparm -s'
>
> Rowland
>
Rowland Penny
2024-Sep-11 07:15 UTC
[Samba] Getting 'Access Denied' under Offline mode (Offline Files)
On Wed, 11 Sep 2024 13:25:08 +1200
June Chong | TechnologyWise via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
>
> Below is the output for testparm -s:

I didn't know you were using a DC as a fileserver, this is not recommended. If I had known, I would have asked for the output of 'samba-tool testparm'. However, I can work with what you have provided.

> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> # Global parameters
> [global]
>         ldap server require strong auth = No
>         passdb backend = samba_dsdb
>         realm = SAMBADOM

Is your AD domain really using a single label domain ? This isn't a good idea, Microsoft doesn't support it, so I suppose Samba shouldn't either, see here:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/single-label-domains-support-policy

>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = SAMBADOM
>         rpc_server:tcpip = no
>         rpc_daemon:spoolssd = embedded
>         rpc_server:spoolss = embedded
>         rpc_server:winreg = embedded
>         rpc_server:ntsvcs = embedded
>         rpc_server:eventlog = embedded
>         rpc_server:srvsvc = embedded
>         rpc_server:svcctl = embedded
>         rpc_server:default = external
>         winbindd:use external pipes = true
>         idmap_ldb:use rfc2307 = yes
>         idmap config * : backend = tdb
>         map archive = No
>         vfs objects = dfs_samba4 acl_xattr

Remember that 'vfs objects' line, we will come to it later.

>
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
>
> [netlogon]
>         path = /var/lib/samba/sysvol/sambadom/scripts
>         read only = No
>
>
> [pc-admin]
>         path = /data/share_pool/pc_admin
>         read only = No
>         vfs objects = recycle

No need to go further, do you remember the contents of the 'vfs objects' line above ? Every time you set 'vfs objects' on a share, it has to contain whatever is set in '[global]' or you turn off whatever is set in '[global]', in the instance above the line should be:

vfs objects = dfs_samba4 acl_xattr recycle

I would suggest you do three things:

1) If you are not already doing so, run a second DC.

2) Stop using a DC as a fileserver, create a Unix domain member and use that instead.

3) Stop using profiles/offline files, they are yesterday's way of doing things, use folder redirection instead.

Rowland
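The per-share override that Rowland points out (a share-level 'vfs objects' replacing, not extending, the '[global]' stack, so acl_xattr silently stops applying on that share) can be checked mechanically. The script below is an added example, not Samba's code and not from the thread: it parses 'testparm -s' style output (a constructed sample trimmed from the config above) and reports every share whose 'vfs objects' drops a module set in [global], printing the corrected line with the global modules first as in Rowland's suggested line.

```python
import re

# Constructed sample, shortened from the testparm -s output in the thread.
SAMPLE_SMB_CONF = """\
[global]
        server role = active directory domain controller
        vfs objects = dfs_samba4 acl_xattr

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[pc-admin]
        path = /data/share_pool/pc_admin
        vfs objects = recycle

[usr_profiles]
        path = /data/usr_profiles
        vfs objects = recycle acl_xattr
"""

def parse_smb_conf(text):
    """Return {section: {key: value}} from testparm-style output.
    Lines before the first [section] header (e.g. 'Server role:') are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def check_vfs_objects(sections):
    """For each share that sets 'vfs objects', return the global modules it drops
    and the line that keeps them (global modules first, share-specific ones after)."""
    global_mods = sections.get("global", {}).get("vfs objects", "").split()
    findings = {}
    for name, params in sections.items():
        if name == "global" or "vfs objects" not in params:
            continue  # no per-share override: the global stack applies unchanged
        share_mods = params["vfs objects"].split()
        missing = [m for m in global_mods if m not in share_mods]
        if missing:
            fixed = global_mods + [m for m in share_mods if m not in global_mods]
            findings[name] = (missing, "vfs objects = " + " ".join(fixed))
    return findings

if __name__ == "__main__":
    for share, (missing, fixed) in check_vfs_objects(parse_smb_conf(SAMPLE_SMB_CONF)).items():
        print(f"[{share}] drops global module(s) {missing}; use: {fixed}")
```

Run it against the real 'testparm -s' output by reading that text instead of the constructed sample; shares that set no 'vfs objects' at all are not reported because they inherit the global stack.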