[Samba] Access Problems after Update 4.13.13 to 4.17.10

Achim Gottinger achim at ag-web.biz
Tue Sep 5 12:55:26 UTC 2023



Am 05.09.2023 um 12:51 schrieb Achim Gottinger via samba:
> Am 04.09.2023 um 21:41 schrieb Achim Gottinger via samba:
>> Hello Group,
>>
>> Due to the RDP issue I had to update my samba ad dc running on debian bullseye.
>> I updated to bullseye-backports 2:4.17.10+dfsg-0+deb12u1~bpo11+1.
>> But now the shares are no longer fully accessible.
>> The main folder and subfolders can be browsed. Files and folders can be created and changed on the main folder but not on subfolders. Subfolders of subfolders can not be accessed.
>>
>> Going back to 4.13.13 fixes the issue. I assume some inheritance issue here but could not find anything similar here in the list.
>> Hope you can point me into the right direction here.
>>
>> Thanks in advance
>> Achim~
>>
>>
>> smb.conf
>> ========
>>
>> # Global parameters
>> [global]
>>         netbios name = DNAME
>>         realm = MYREALM.LOCAL
>>         workgroup = MYGROUP
>>
>>         logging = syslog
>>         log level = 3
>>
>>         usershare path =
>>
>>         bind interfaces only = yes
>>         interfaces = 192.168.100.150 127.0.0.1
>>
>>         tls enabled = true
>>         tls keyfile  = /etc/samba/tls/DNAME.MYREALM.LOCAL.key
>>         tls certfile = /etc/samba/tls/DNAME.MYREALM.LOCAL.crt
>>
>>
>>         server role = active directory domain controller
>>         dns forwarder = 192.168.100.200
>>         idmap_ldb:use rfc2307 = yes
>>         idmap config * : range = 500-4000000
>>
>>         ldap server require strong auth = no
>>         kccsrv:samba_kcc = no
>>
>>         wins support = Yes
>>         deadtime = 1
>>         socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=60 TCP_KEEPINTVL=10 TCP_KEEPCNT=5
>>         csc policy = disable
>>
>>         load printers = no
>>         printing = bsd
>>         printcap name = /dev/null
>>         disable spoolss = yes
>>
>> [netlogon]
>>         path = /var/lib/samba/sysvol/MYREALM.LOCAL/scripts
>>         root preexec = /etc/samba/scripts/user.py "%U"
>>         read only = No
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>>
>>
>> [homes]
>>         read only = no
>>
>> [profiles]
>>         read only = no
>>         path = /home/profiles
>>
> I tried to update three different bullseye DCs and all show this issue. They are all running as nspawn VMs and the underlying fs is zfs.
>
> Simplest setup has this config:
>
> [global]
>         dns forwarder = 192.168.111.200
>         netbios name = AD-TEST
>         realm = TEST.LOCAL
>         server role = active directory domain controller
>         workgroup = TEST
>         idmap_ldb:use rfc2307 = yes
>
>         log level = 6
>         logging = syslog
>
> [netlogon]
>         path = /var/lib/samba/sysvol/test.local/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> From a Windows 10 client I can connect to the sysvol share and the test.local subfolder. If I try to access the scripts subfolder I get access denied.
>
> getfacl test.local
>
> # file: test.local/
> # owner: root
> # group: BUILTIN\\administrators
> user::rwx
> user:root:rwx
> user:BUILTIN\\administrators:rwx
> user:BUILTIN\\server\040operators:r-x
> user:NT\040Authority\\system:rwx
> user:NT\040Authority\\authenticated\040users:r-x
> group::rwx
> group:BUILTIN\\administrators:rwx
> group:BUILTIN\\server\040operators:r-x
> group:NT\040Authority\\system:rwx
> group:NT\040Authority\\authenticated\040users:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\\administrators:rwx
> default:user:BUILTIN\\server\040operators:r-x
> default:user:NT\040Authority\\system:rwx
> default:user:NT\040Authority\\authenticated\040users:r-x
> default:group::---
> default:group:BUILTIN\\administrators:rwx
> default:group:BUILTIN\\server\040operators:r-x
> default:group:NT\040Authority\\system:rwx
> default:group:NT\040Authority\\authenticated\040users:r-x
> default:mask::rwx
> default:other::---
>
> getfacl scripts
>
> # file: scripts/
> # owner: root
> # group: BUILTIN\\administrators
> user::rwx
> user:root:rwx
> user:BUILTIN\\administrators:rwx
> user:BUILTIN\\server\040operators:r-x
> user:NT\040Authority\\system:rwx
> user:NT\040Authority\\authenticated\040users:r-x
> group::rwx
> group:BUILTIN\\administrators:rwx
> group:BUILTIN\\server\040operators:r-x
> group:NT\040Authority\\system:rwx
> group:NT\040Authority\\authenticated\040users:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\\administrators:rwx
> default:user:BUILTIN\\server\040operators:r-x
> default:user:NT\040Authority\\system:rwx
> default:user:NT\040Authority\\authenticated\040users:r-x
> default:group::---
> default:group:BUILTIN\\administrators:rwx
> default:group:BUILTIN\\server\040operators:r-x
> default:group:NT\040Authority\\system:rwx
> default:group:NT\040Authority\\authenticated\040users:r-x
> default:mask::rwx
> default:other::---
>
I built Samba 4.19 packages from Debian unstable. Now the shares are empty and I cannot create a file or folder inside. No error is shown on the Windows side, but nothing happens if I create a folder
or file in such an empty share.
Will backport the RDP patch to 4.13 now to get along.


