samba - Sep 2024 - Getting 'Access Denied' under Offline mode (Offline Files)

On Wed, 11 Sep 2024 13:25:08 +1200
June Chong | TechnologyWise via samba <samba at lists.samba.org> wrote:
> Hi Rowland,
> 
> Below is the output for testparm -s:
I didn't know you were using a DC as a fileserver, this is not
recommended.
If I had know, I would have asked for the output of 'samba-tool
testparm'.
However, I can work with what you have provided.
> 
> /Server role: ROLE_ACTIVE_DIRECTORY_DC
> /
> 
> /# Global parameters
> [global]
>  ??????? ldap server require strong auth = No
>  ??????? passdb backend = samba_dsdb
>  ??????? realm = SAMBADOM
Is your AD domain really using a single label domain ?
This isn't a good idea, Microsoft doesn't support it, so I suppose
Samba shouldn't either, see here:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/single-label-domains-support-policy
>  ??????? server role = active directory domain controller
>  ??????? server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>  ??????? workgroup = SAMBADOM
>  ??????? rpc_server:tcpip = no
>  ??????? rpc_daemon:spoolssd = embedded
>  ??????? rpc_server:spoolss = embedded
>  ??????? rpc_server:winreg = embedded
>  ??????? rpc_server:ntsvcs = embedded
>  ??????? rpc_server:eventlog = embedded
>  ??????? rpc_server:srvsvc = embedded
>  ??????? rpc_server:svcctl = embedded
>  ??????? rpc_server:default = external
>  ??????? winbindd:use external pipes = true
>  ??????? idmap_ldb:use rfc2307 = yes
>  ??????? idmap config * : backend = tdb
>  ??????? map archive = No
>  ??????? vfs objects = dfs_samba4 acl_xattr
Remember that 'vfs objects' line, we will come to it later.
> 
> 
> [sysvol]
>  ??????? path = /var/lib/samba/sysvol
>  ??????? read only = No
> 
> 
> [netlogon]
>  ??????? path = /var/lib/samba/sysvol/sambadom/scripts
>  ??????? read only = No
> 
> 
> [pc-admin]
>  ??????? path = /data/share_pool/pc_admin
>  ??????? read only = No
>  ??????? vfs objects = recycle
No need to go further, do you remember the contents of the 'vfs
objects' line above ?
Every time you set 'vfs objects' on a share, it has to contain whatever
is set in '[global]' or you turn off whatever is set in
'[global]', in
the instance above the line should be:

vfs objects = dfs_samba4 acl_xattr recycle 

I would suggest you do three things:

1) If you are not already doing so, run a second DC.
2) Stop using a DC as a fileserver, create a Unix domain member and use
that instead.
3) Stop using profiles/offline files, they are yesterdays way of doing
things, use folder redirection instead.

Rowland

Hi Rowland,

Many thanks for your reply and assistance.

On 11/09/2024 7:15 pm, Rowland Penny via samba wrote:
> Is your AD domain really using a single label domain ?
> This isn't a good idea, Microsoft doesn't support it, so I suppose
> Samba shouldn't either, see here:
>
>
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/single-label-domains-support-policy
My apologies. I was sanitizing private information out and did not think 
it would cause a confusion. We are definitely not using single label 
domains.
> I would suggest you do three things:
>
> 1) If you are not already doing so, run a second DC.
> 2) Stop using a DC as a fileserver, create a Unix domain member and use
> that instead.
We are aware of having the DC as a fileserver is not recommened. 
Unfortunately this is an inherited setup for us. But we are planning on 
changing the structure, just not immediately.
> 3) Stop using profiles/offline files, they are yesterdays way of doing
> things, use folder redirection instead.
We are using folder redirection just with a combination of offline 
files. The situation is that we have remote users connecting back which 
would have their profiles cached, else they get a message that their 
profile is not available until it is connected to the domain controller 
via VPN.
This was working on 4.15.13 and we thought perhaps something has changed 
in between versions up to 4.19.5 that would effect this behaviour.

Kind regards,
-- 
*June Chong*
*Engineer | TechnologyWise*

Basestation
148 Durham St
Tauranga, NZ

*E:* june at tw.co.nz | *P:* +64 (0)7 571 1060 | *W:* technologywise.co.nz 
<https://www.technologywise.co.nz>