[Samba] Access denied to sysvol and netlogon shares and GPOs not working after upgrade

Mon May 24 10:50:21 UTC 2021

I have upgraded a CentOS 7/Samba server AD PDC and file server (it's a 
small site) from a compiled Samba 4.1.7 version to the last 4.14.4 
release, then executed samba-tool dbcheck --cross-ncs 
--reset-well-known-acls --fix and samba-tool dbcheck --cross-ncs --fix.

After the upgrade users can logon and access and connect to shares I've 
created, but no user except the Domain Admins can connect to sysvol and 
netlogon, and nobody can execute gpupdate without errors.

CUPS printers are not working, but I still don't know if the 2 issues are 
related.

At any connection attempt to sysvol or netlogon the server logs an entry 
like this:

chdir_current_service: 
vfs_ChDir(/usr/local/samba/var/locks/sysvol/concorde.gruppoconcorde.it/scripts) 
failed: Permission denied. Current token: uid=3000152, gid=100, 9 groups: 
3000152 100 3000116 3000013 3000014 3000003 3000186 3000009 3000016

I have checked and fixed permissions and ACLs on the sysvol share via the 
samba-tool ntacl sysvolcheck and sysvolreset commands, fixed permissions 
from Windows and tried the script from 
https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh.

I've also tried all fixes suggested in the 
https://wiki.samba.org/index.php/Sysvolreset guide, deleted all old 
files - except config and policies - left in the Samba paths, checked DNS 
Winbindd, Kerberos, etc., but nothing solved the problem.

I had updated CentOS before Samba and then the gpupdate issue started, but 
I have not tested sysvol and netlogon access, so I'm not sure if it worked 
or not between the 2 updates.

I can provide any other configuration detail or do any required test.

Does anybody have suggestions to solve this?

Thanks in advance.

Antonio

The information contained in this email message and/or attachments is strictly confidential. Its use is exclusive to the intended recipient of the message for the purpose reported in the message itself. The following constitutes a breach to the principles provided for by the General Data Protection Regulation 2016/679: keeping the message beyond the necessary time, disclosing its contents, either totally or partially, to third parties, copying or using it for any purpose other than those stated in the message itself. We further inform you that, at any time, you can ask for the suspension of the use of your data, except for any communication provided for by law. Should you receive this message in error, we kindly ask you to notify us immediately via e-mail and delete it from your system.