[Samba] smbclient can access sysvol Windows clients cannot

Sebastian Lisic lisic at uw.edu
Fri Jan 10 21:52:58 UTC 2020

If I create a directory on the DomB DC named /test and create the following share:

        path = /test
        read only = No
        acl_xattr:ignore system acls = yes

DomA users can access that through Windows on DomB without issue, but if I set [sysvol] to "path = /test" they cannot.

There appears to be some special magic with [sysvol] I am unaware of. I'm not seeing any errors in the logs, so I'm lost on why smbclient works and Windows does not. I've since tested a Windows 10 machine and it has the same problem. 

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Sebastian Lisic via samba
Sent: Thursday, January 9, 2020 3:06 PM
To: 'samba at lists.samba.org' <samba at lists.samba.org>
Subject: [Samba] smbclient can access sysvol Windows clients cannot

Hi everyone,

I have two domains with a two way trust (DomA and DomB).

When users from DomA (on a DomB Linux PC) access sysvol on DomB's DC using smbclient everything works:

# smbclient //DomB /sysvol -Udoma\\user -c 'ls' -k

  .                                   D        0  Thu Jan  9 13:53:03 2020
  ..                                  D        0  Thu Jan  9 14:28:29 2020
  domb          D        0  Thu Jan  9 13:52:26 2020

                20511312 blocks of size 1024. 18330504 blocks available

However, on a Windows Server 2019 machine joined to DomB, when I use Explorer to browse to the share as DomA\user, I receive the error "Access is denied".

Users from DomB can access sysvol from Windows without issue.

When DomA\user tries to connect to DomB's DC\sysvol, authentication is working as I get this in the logs:

Successful AuthZ: [srvsvc,ncacn_np] user [DomA]\[user] [SID] at [Thu, 09 Jan 2020 14:52:05.969891 PST] Remote host [ipv4:xxx.xxx.xxx.xxx:60237] local host [ipv4:xxx.xxx.xxx.xxx:445]

DomB DC's smb.conf is as follows:
# Global parameters
[global]
        workgroup = DOMB
        realm = domb
        netbios name = DC
        interfaces = lo eth0
        bind interfaces only = Yes
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/domb/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
        acl_xattr:ignore system acls = yes
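
The post quotes one "Successful AuthZ" log line, recorded for srvsvc over ncacn_np. As an added example (not part of the original post and not Samba project code), the following Python parses lines of that layout and lists, per account, which service each authorization entry was logged for. The group names are labels chosen here, and the sample lines, SIDs and addresses are constructed.

```python
import re
from collections import defaultdict

# Layout taken from the "Successful AuthZ" line quoted in the post. The group
# names (service, auth_type, ...) are labels chosen for this example.
AUTHZ_RE = re.compile(
    r"Successful AuthZ: \[(?P<service>[^,\]]+),(?P<auth_type>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<account>[^\]]*)\] "
    r"\[(?P<sid>[^\]]*)\] at \[(?P<when>[^\]]*)\] "
    r"Remote host \[(?P<remote>[^\]]*)\] local host \[(?P<local>[^\]]*)\]"
)

def parse_authz(line):
    """Return the fields of one AuthZ line as a dict, or None if no match."""
    m = AUTHZ_RE.search(line)
    return m.groupdict() if m else None

def services_by_account(lines):
    """Map (DOMAIN, account) -> sorted list of (service, auth_type) seen."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_authz(line)
        if rec:
            # The post writes the domain as both "DomA" and "doma": fold case.
            key = (rec["domain"].upper(), rec["account"].lower())
            seen[key].add((rec["service"], rec["auth_type"]))
    return {k: sorted(v) for k, v in seen.items()}

# Constructed sample lines: SIDs, addresses, times and the account "alice"
# are made up for this example.
SAMPLE_LOG = [
    r"Successful AuthZ: [srvsvc,ncacn_np] user [DomA]\[user] [S-1-5-21-1-2-3-1105] "
    r"at [Thu, 09 Jan 2020 14:52:05.969891 PST] Remote host [ipv4:192.0.2.10:60237] "
    r"local host [ipv4:192.0.2.1:445]",
    r"Successful AuthZ: [SMB2,krb5] user [DOMB]\[alice] [S-1-5-21-4-5-6-1110] "
    r"at [Thu, 09 Jan 2020 14:53:10.000001 PST] Remote host [ipv4:192.0.2.11:50100] "
    r"local host [ipv4:192.0.2.1:445]",
    r"Successful AuthZ: [srvsvc,ncacn_np] user [domb]\[alice] [S-1-5-21-4-5-6-1110] "
    r"at [Thu, 09 Jan 2020 14:53:11.000002 PST] Remote host [ipv4:192.0.2.11:50100] "
    r"local host [ipv4:192.0.2.1:445]",
    "a constructed line that is not an AuthZ record",
]

if __name__ == "__main__":
    for (domain, account), services in services_by_account(SAMPLE_LOG).items():
        print(f"{domain}\\{account}: {services}")
```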