[Samba] Trouble with access to sysvol share using SMB2 or SMB3 protocol on client PC

Yaroslav Yurta yaroslav.tarasovuch at gmail.com
Tue Dec 27 17:21:34 UTC 2016 

Hi, guys.
I have an issue with accessing to my sysvol share with smb2 or smb3
clients. I have an issue with editing my Group Policy from Windows
7,8,8.1,10 or Windows Server 2012 clients with RSAT installed and
everything works fine when I edit group policy from Windows XP machine.
I disable SMB2 & SMB3 in my Windows server machine and it fix the problem,
but is it a correct workaround for my problem or something going wrong in
my Samba DC?
In logs I see many records like this:
Dec 27 19:17:14 potter samba[12831]: [2016/12/27 19:17:14.599455,  0,
pid=12831, effective(0, 0), real(0, 0)] ../lib/util/util.c:559(dump_data)
Dec 27 19:17:14 potter samba[12831]:  [0000] D4 9D DA 0E 91 76 54 45   98
53 02 60 4C 07 DD 09   .....vTE .S.`L...
Dec 27 19:17:14 potter samba[12831]: [2016/12/27 19:17:14.601839,  0,
pid=12831, effective(0, 0), real(0, 0)]
../source4/libcli/smb2/signing.c:116(smb2_check_signature)
Dec 27 19:17:14 potter samba[12831]:  Bad SMB2 signature for message of
size 202
Dec 27 19:17:14 potter samba[12831]: [2016/12/27 19:17:14.601880,  0,
pid=12831, effective(0, 0), real(0, 0)] ../lib/util/util.c:559(dump_data)
Dec 27 19:17:14 potter samba[12831]:  [0000] A2 9E 95 E2 CE 4B E6 E6   D5
07 F4 72 E6 4C CF 98   .....K.. ...r.L..
Dec 27 19:17:14 potter samba[12831]: [2016/12/27 19:17:14.601925,  0,
pid=12831, effective(0, 0), real(0, 0)] ../lib/util/util.c:559(dump_data)
Dec 27 19:17:14 potter samba[12831]:  [0000] FB 60 13 76 92 88 56 4F   AA
9C 35 4C D5 AB F2 1B   .`.v..VO ..5L....
Dec 27 19:17:15 potter samba[12831]: [2016/12/27 19:17:15.113853,  0,
pid=12831, effective(0, 0), real(0, 0)]
../source4/libcli/smb2/signing.c:116(smb2_check_signature)
Dec 27 19:17:15 potter samba[12831]:  Bad SMB2 signature for message of
size 202
Dec 27 19:17:15 potter samba[12831]: [2016/12/27 19:17:15.113894,  0,
pid=12831, effective(0, 0), real(0, 0)] ../lib/util/util.c:559(dump_data)
Dec 27 19:17:15 potter samba[12831]:  [0000] 73 43 48 69 04 3B 67 C1   DF
D4 46 E8 F1 E0 52 C5   sCHi.;g. ..F...R.
Dec 27 19:17:15 potter samba[12831]: [2016/12/27 19:17:15.113940,  0,
pid=12831, effective(0, 0), real(0, 0)] ../lib/util/util.c:559(dump_data)
Dec 27 19:17:15 potter samba[12831]:  [0000] CF C1 F3 45 2A 8E 01 E3   D0
E1 1E 84 EE ED 6D B5   ...E*... ......m.
Dec 27 19:17:17 potter samba[12831]: [2016/12/27 19:17:17.625580,  0,
pid=12831, effective(0, 0), real(0, 0)]
../source4/libcli/smb2/signing.c:116(smb2_check_signature)
Dec 27 19:17:17 potter samba[12831]:  Bad SMB2 signature for message of
size 202
Dec 27 19:17:19 potter samba[12831]: [2016/12/27 19:17:19.638596,  0,
pid=12831, effective(0, 0), real(0, 0)]
../source4/libcli/smb2/signing.c:116(smb2_check_signature)
Dec 27 19:17:19 potter samba[12831]:  Bad SMB2 signature for message of
size 312

permissions on sysvol:
getfacl sysvol

# file: sysvol


# owner: root


# group: 3000000


user::rwx


user:root:rwx


user:3000000:rwx


user:3000009:r-x


user:3000175:r-x


user:3000176:rwx


group::rwx


group:3000000:rwx


group:3000009:r-x


group:3000175:r-x


group:3000176:rwx


mask::rwx


other::---


default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000009:r-x
default:user:3000175:r-x
default:user:3000176:rwx
default:group::---
default:group:3000000:rwx
default:group:3000009:r-x
default:group:3000175:r-x
default:group:3000176:rwx
default:mask::rwx
default:other::---

My smb.conf:
# Global parameters
[global]
       debug level = 10
       syslog = 10
       netbios name = POTTER
       realm = DEV.COM.UA
       server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate, smb
       workgroup = DEVCOM
       server role = active directory domain controller
       dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon,
lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey,
dnsserver, winreg, srvsvc
       idmap_ldb:use rfc2307 = yes
       kerberos method = system keytab
       #ldap ssl = off
       #ldap ssl ads = no
       ldap server require strong auth = no
       client ldap sasl wrapping = sign
       allow dns updates = nonsecure and secure
       nsupdate command =  /usr/bin/nsupdate -g -d
       #nsupdate command =  /usr/local/samba/sbin/samba_dnsupdate -d 3
[netlogon]
       path = /usr/local/samba/var/locks/sysvol/dev.com.ua/scripts
       read only = No
       write ok = Yes
[sysvol]
       path = /usr/local/samba/var/locks/sysvol
       read only = No
       write ok = Yes


-- 



*----------З повагою!Юрта Ярослав Тарасович.*

More information about the samba mailing list