[Samba] Access Problems after Update 4.13.13 to 4.17.10

Achim Gottinger achim at ag-web.biz
Tue Sep 5 10:51:48 UTC 2023


On 04.09.2023 at 21:41, Achim Gottinger via samba wrote:
> Hello Group,
>
> Due to the RDP issue I had to update my samba ad dc running on debian bullseye.
> I updated to bullseye-backports 2:4.17.10+dfsg-0+deb12u1~bpo11+1.
> But now the shares are no longer fully accessible.
> The main folder and subfolders can be browsed. Files and folders can be created and changed on the main folder but not on subfolders. Subfolders of subfolders can not be accessed.
>
> Going back to 4.13.13 fixes the issue. I assume some inheritance issue here but could not find anything similar here in the list.
> Hope you can point me into the right direction here.
>
> Thanks in advance
> Achim~
>
>
> smb.conf
> ========
>
> # Global parameters
> [global]
>         netbios name = DNAME
>         realm = MYREALM.LOCAL
>         workgroup = MYGROUP
>
>         logging = syslog
>         log level = 3
>
>         usershare path =
>
>         bind interfaces only = yes
>         interfaces = 192.168.100.150 127.0.0.1
>
>         tls enabled = true
>         tls keyfile  = /etc/samba/tls/DNAME.MYREALM.LOCAL.key
>         tls certfile = /etc/samba/tls/DNAME.MYREALM.LOCAL.crt
>
>
>         server role = active directory domain controller
>         dns forwarder = 192.168.100.200
>         idmap_ldb:use rfc2307 = yes
>         idmap config * : range = 500-4000000
>
>         ldap server require strong auth = no
>         kccsrv:samba_kcc = no
>
>         wins support = Yes
>         deadtime = 1
>         socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=60 TCP_KEEPINTVL=10 TCP_KEEPCNT=5
>         csc policy = disable
>
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
>
> [netlogon]
>         path = /var/lib/samba/sysvol/MYREALM.LOCAL/scripts
>         root preexec = /etc/samba/scripts/user.py "%U"
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
>
> [homes]
>         read only = no
>
> [profiles]
>         read only = no
>         path = /home/profiles
>
I tried to update three different bullseye DCs and all show this issue. They are all running as nspawn VMs and the underlying fs is zfs.

Simplest setup has this config:

[global]
        dns forwarder = 192.168.111.200
        netbios name = AD-TEST
        realm = TEST.LOCAL
        server role = active directory domain controller
        workgroup = TEST
        idmap_ldb:use rfc2307 = yes

        log level = 6
        logging = syslog

[netlogon]
        path = /var/lib/samba/sysvol/test.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

From a Windows 10 client I can connect to the sysvol share and the test.local subfolder. If I try to access the scripts subfolder I get access denied.

getfacl test.local

# file: test.local/
# owner: root
# group: BUILTIN\\administrators
user::rwx
user:root:rwx
user:BUILTIN\\administrators:rwx
user:BUILTIN\\server\040operators:r-x
user:NT\040Authority\\system:rwx
user:NT\040Authority\\authenticated\040users:r-x
group::rwx
group:BUILTIN\\administrators:rwx
group:BUILTIN\\server\040operators:r-x
group:NT\040Authority\\system:rwx
group:NT\040Authority\\authenticated\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\\administrators:rwx
default:user:BUILTIN\\server\040operators:r-x
default:user:NT\040Authority\\system:rwx
default:user:NT\040Authority\\authenticated\040users:r-x
default:group::---
default:group:BUILTIN\\administrators:rwx
default:group:BUILTIN\\server\040operators:r-x
default:group:NT\040Authority\\system:rwx
default:group:NT\040Authority\\authenticated\040users:r-x
default:mask::rwx
default:other::---

getfacl scripts

# file: scripts/
# owner: root
# group: BUILTIN\\administrators
user::rwx
user:root:rwx
user:BUILTIN\\administrators:rwx
user:BUILTIN\\server\040operators:r-x
user:NT\040Authority\\system:rwx
user:NT\040Authority\\authenticated\040users:r-x
group::rwx
group:BUILTIN\\administrators:rwx
group:BUILTIN\\server\040operators:r-x
group:NT\040Authority\\system:rwx
group:NT\040Authority\\authenticated\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\\administrators:rwx
default:user:BUILTIN\\server\040operators:r-x
default:user:NT\040Authority\\system:rwx
default:user:NT\040Authority\\authenticated\040users:r-x
default:group::---
default:group:BUILTIN\\administrators:rwx
default:group:BUILTIN\\server\040operators:r-x
default:group:NT\040Authority\\system:rwx
default:group:NT\040Authority\\authenticated\040users:r-x
default:mask::rwx
default:other::---


