[Samba] Intermittent access to Sysvol/Netlogon shares

Mike Ray mray at xes-inc.com
Tue Jul 30 13:14:30 MDT 2013

Hello all- 

Cutting to the chase, I'm noticing varying/intermittent access to the netlogon and sysvol shares. All clients are windows 7 and samba is 4.0.6. Some clients are able to run 'gpupdate /force' and will successfully apply updates. Other clients fail out on this and state that it can't read the default domain policy GPT.INI file from \\<domain>\.... When I try to manually navigate there, I can connect to \\<domain>\ but am denied access to both netlogon and sysvol with an 'access denied, internal error' message. Connecting to either DC via \\<dc>\ works and from there, for the clients that failed \\<domain>\ it seems to be arbitrary if they can browse the entire directory (no relation to nltest /dsgetdc). Additionally, they might not be able to access say netlogon, but if i browse through sysvol, I can get into what is the netlogon folder no problem. Clients that have no issue connecting to \\<domain>\ are equally able to browse all parts of \\<dc>\. 

samba-tool ntacl sysvolcheck, samba-tool drs showrepl, samba_dnsupdate --verbose and samba-tool dbcheck all report zero errors. There is presently nothing in the logs either. 

Of the two DCs, for the last week or so, one of them was panicking internally and crashing to an weird state every few minutes; a patch provided by Andrew Bartlett has since stopped that behavior. If that DC is the only one running or if the other one is running concurrently, seemingly random clients will experience the above issues and some will be fine. If the DC who didn't have that glitch is the only one running, it appears that this issue does not ever occur. 

Anyone have any clue what might be so messed up with that first DC? 

-Mike Ray 

More information about the samba mailing list