[Samba] smbclient can access sysvol Windows clients cannot
Sebastian Lisic
lisic at uw.edu
Fri Jan 10 21:52:58 UTC 2020
If I create directory on the DomB DC named /test and create the following share:
[test]
path = /test
read only = No
acl_xattr:ignore system acls = yes
DomA users can access that through Windows on DomB without issue, but if I set [sysvol] to "path - /test they cannot".
There appears to be some special magic with [sysvol] I am unaware of. I'm not seeing any errors in the logs, so I'm lost on why smbclient works and Windows does not. I've since tested a Windows 10 machine and it has the same problem.
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Sebastian Lisic via samba
Sent: Thursday, January 9, 2020 3:06 PM
To: 'samba at lists.samba.org' <samba at lists.samba.org>
Subject: [Samba] smbclient can access sysvol Windows clients cannot
Hi everyone,
I have two domains with a two way trust (DomA and DomB).
When users from DomA (on a DomB Linux PC) access sysvol on DomB's DC using smbclient everything works:
# smbclient //DomB /sysvol -Udoma\\user -c 'ls' -k
. D 0 Thu Jan 9 13:53:03 2020
.. D 0 Thu Jan 9 14:28:29 2020
domb D 0 Thu Jan 9 13:52:26 2020
20511312 blocks of size 1024. 18330504 blocks available
However, on a Windows Server 2019 machine joined to DomB when I use explorer to browse to the share as DomA\user I receive the error "Access is denied".
Users from DomB can access sysvol from Windows without issue.
When DomA\user tries to connect to DomB's DC\sysvol, authentication is working as I get this in the logs:
Successful AuthZ: [srvsvc,ncacn_np] user [DomA]\[user] [SID] at [Thu, 09 Jan 2020 14:52:05.969891 PST] Remote host [ipv4:xxx.xxx.xxx.xxx:60237] local host [ipv4:xxx.xxx.xxx.xxx:445]
DomB DC's smb.conf is as follows:
# Global parameters
[global]
workgroup = DOMB
realm = domb
netbios name = DC
interfaces = lo eth0
bind interfaces only = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/domb/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
acl_xattr:ignore system acls = yes
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list