[Samba] smbclient can access sysvol Windows clients cannot

Sebastian Lisic lisic at uw.edu
Thu Jan 9 23:06:24 UTC 2020

Hi everyone,

I have two domains with a two way trust (DomA and DomB).

When users from DomA (on a DomB Linux PC) access sysvol on DomB's DC using smbclient everything works:

# smbclient //DomB /sysvol -Udoma\\user -c 'ls' -k

  .                                   D        0  Thu Jan  9 13:53:03 2020
  ..                                  D        0  Thu Jan  9 14:28:29 2020
  domb          D        0  Thu Jan  9 13:52:26 2020

                20511312 blocks of size 1024. 18330504 blocks available

However, on a Windows Server 2019 machine joined to DomB when I use explorer to browse to the share as DomA\user I receive the error "Access is denied".

Users from DomB can access sysvol from Windows without issue.

When DomA\user tries to connect to DomB's DC\sysvol, authentication is working as I get this in the logs:

Successful AuthZ: [srvsvc,ncacn_np] user [DomA]\[user] [SID] at [Thu, 09 Jan 2020 14:52:05.969891 PST] Remote host [ipv4:xxx.xxx.xxx.xxx:60237] local host [ipv4:xxx.xxx.xxx.xxx:445]

DomB DC's smb.conf is as follows:
# Global parameters
        workgroup = DOMB
        realm = domb
        netbios name = DC
        interfaces = lo eth0
        bind interfaces only = Yes
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes
        path = /usr/local/samba/var/locks/sysvol/domb/scripts
        read only = No

        path = /usr/local/samba/var/locks/sysvol
        read only = No
        acl_xattr:ignore system acls = yes

More information about the samba mailing list