[Samba] Access denied to sysvol and netlogon shares and GPOs not working after upgrade

Rowland Penny rpenny at samba.org
Mon May 24 11:20:12 UTC 2021


On 24/05/2021 11:50, Antonio Trogu via samba wrote:
> I have upgraded a CentOS 7/Samba server AD PDC and file server (it's a 
> small site) from a compiled Samba 4.1.7 version to the last 4.14.4 
> release, then executed samba-tool dbcheck --cross-ncs 
> --reset-well-known-acls --fix and samba-tool dbcheck --cross-ncs --fix.


There have been numerous updates between 4.1.7 and 4.14.4, not least 
the change to Winbind at 4.2.0

How was Samba compiled?

>
> After the upgrade users can log on and access and connect to shares 
> I've created, but no user except the Domain Admins can connect to 
> sysvol and netlogon, and nobody can execute gpupdate without errors.
>
> CUPS printers are not working, but I still don't know if the 2 issues 
> are related.
>
> At any connection attempt to sysvol or netlogon the server logs an 
> entry like this:
>
> chdir_current_service: 
> vfs_ChDir(/usr/local/samba/var/locks/sysvol/concorde.gruppoconcorde.it/scripts) 
> failed: Permission denied. Current token: uid=3000152, gid=100, 9 
> groups: 3000152 100 3000116 3000013 3000014 3000003 3000186 3000009 
> 3000016
>
> I have checked and fixed permissions and ACLs on the sysvol share via 
> the samba-tool ntacl sysvolcheck and sysvolreset commands, fixed 
> permissions from Windows and tried the script from 
> https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh.
>
> I've also tried all fixes suggested in the 
> https://wiki.samba.org/index.php/Sysvolreset guide, deleted all old 
> files - except config and policies - left in the Samba paths, checked 
> DNS, Winbindd, Kerberos, etc., but nothing solved the problem.
>
> I had updated CentOS before Samba and then the gpupdate issue started, 
> but I have not tested sysvol and netlogon access, so I'm not sure if 
> it worked or not between the 2 updates.
>
> I can provide any other configuration detail or do any required test.


Can you post your smb.conf? It may still be using some old settings.

Rowland





