[Samba] Access denied to sysvol and netlogon shares and GPOs not working after upgrade

Antonio Trogu a.trogu at gruppoconcorde.it
Mon May 24 13:05:40 UTC 2021

On Mon, 24 May 2021, Rowland penny via samba wrote:

> On 24/05/2021 11:50, Antonio Trogu via samba wrote:
>> I have upgraded a CentOS 7/Samba server AD PDC and file server (it's a 
>> small site) from a compiled Samba 4.1.7 version to the last 4.14.4 release, 
>> then executed samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix 
>> and samba-tool dbcheck --cross-ncs --fix.
> There have been numerous updates between 4.1.7 and 4.14.4, not least the 
> change to Winbind at 4.2.0

I know, that's why I have checked all the installation steps required 
for new releases again and fixed something that wasn't compliant. But I've 
probably missed something.

> How was Samba compiled ?

Samba has been compiled both times with the default options, that is: 
./configure, make, make install.

>> After the upgrade users can logon and access and connect to shares I've 
>> created, but no user except the Domain Admins can connect to sysvol and 
>> netlogon, and nobody can execute gpupdate without errors.
>> CUPS printers are not working, but I still don't know if the 2 issues are 
>> related.
>> At any connection attempt to sysvol or netlogon the server logs an entry 
>> like this:
>> chdir_current_service: 
>> vfs_ChDir(/usr/local/samba/var/locks/sysvol/concorde.gruppoconcorde.it/scripts) 
>> failed: Permission denied. Current token: uid=3000152, gid=100, 9 groups: 
>> 3000152 100 3000116 3000013 3000014 3000003 3000186 3000009 3000016
>> I have checked and fixed permissions and ACLs on the sysvol share via the 
>> samba-tool ntacl sysvolcheck and sysvolreset commands, fixed permissions 
>> from Windows and tried the script from 
>> https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh.
>> I've also tried all fixes suggested in the 
>> https://wiki.samba.org/index.php/Sysvolreset guide, deleted all old files - 
>> except config and policies - left in the Samba paths, checked DNS Winbindd, 
>> Kerberos, etc., but nothing solved the problem.
>> I had updated CentOS before Samba and then the gpupdate issue started, but 
>> I have not tested sysvol and netlogon access, so I'm not sure if it worked 
>> or not between the 2 updates.
>> I can provide any other configuration detail or do any required test.
> Can you post your smb.conf, it may still be using some old settings.

Sure; here it is:

         workgroup = MYDOMAIN
         netbios name = MYSERVER
         server role = active directory domain controller
         dns forwarder =
         idmap_ldb:use rfc2307 = yes
         log file = /usr/local/samba/var/%m.log
         log level = 3 auth_audit:3
         rpc_server:spoolss = external
         rpc_daemon:spoolssd = fork
         printing = CUPS
         allow dns updates = nonsecure
         # For archiving app
         unix extensions = no
         follow symlinks = yes
         wide links = yes
         # For Windows Xp clients
         ntlm auth = yes
         server min protocol = NT1

         path = /var/spool/samba
         printable = yes

         path = /var/samba/Printer_drivers
         comment = Printer Drivers
         writeable = yes

         path = /usr/local/samba/var/locks/sysvol/mydomain.my2ndleveldomain.it/scripts
         read only = No

         path = /usr/local/samba/var/locks/sysvol
         read only = No

         path = /finale/dati/atlasconcorde/Home
         read only = No

<other custom working shares follow>

I have changed here just my domain and server names. All options are 
present on other servers working with 4.14.4, except unix extensions = no, 
follow symlinks = yes and wide links = yes. If you tell me I could have 
tried to comment them, well, you're right ;)

Already tried to remove ntlm auth = yes, server min protocol = NT1.



> Rowland
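The log line quoted above carries everything needed for a first diagnosis: the directory Samba tried to enter and the Unix token (uid, primary gid, supplementary gids) it was holding. The following is an added example for this thread, not Samba's code or anything the poster ran: it parses such a line and walks every directory on the way to the target, reporting the first one whose mode bits deny traverse (x) to that token. The log line below is constructed after the quoted one; the check looks only at classic mode bits, so a sysvol tree carrying POSIX ACLs still needs getfacl (or samba-tool ntacl sysvolcheck) for the final word.

```python
import os
import re
import stat
from typing import Iterable, Optional, Tuple

# Constructed log line, shaped like the one quoted in the thread.
LOG_LINE = (
    "chdir_current_service: "
    "vfs_ChDir(/usr/local/samba/var/locks/sysvol/concorde.gruppoconcorde.it/scripts) "
    "failed: Permission denied. Current token: uid=3000152, gid=100, 9 groups: "
    "3000152 100 3000116 3000013 3000014 3000003 3000186 3000009 3000016"
)
TOKEN_RE = re.compile(r"vfs_ChDir\((?P<path>[^)]+)\).*?uid=(?P<uid>\d+), "
                      r"gid=(?P<gid>\d+), \d+ groups: (?P<groups>[\d ]+)$")

def parse_token(line: str) -> Tuple[str, int, set]:
    """Return (path, uid, all gids incl. the primary) from a vfs_ChDir log line."""
    m = TOKEN_RE.search(line)
    if not m:
        raise ValueError("not a vfs_ChDir token line")
    gids = {int(g) for g in m.group("groups").split()} | {int(m.group("gid"))}
    return m.group("path"), int(m.group("uid")), gids

def stat_entries(path: str) -> Iterable[Tuple[str, int, int, int]]:
    """Yield (dir, owner_uid, owner_gid, mode) for '/usr', '/usr/local', ... up to
    path, read from the live filesystem: every one of them must grant traverse."""
    comp = "/"
    for part in [p for p in path.split("/") if p]:
        comp = os.path.join(comp, part)
        st = os.stat(comp)
        yield comp, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)

def first_denied(entries, uid: int, gids: set) -> Optional[str]:
    """First directory whose mode bits deny traverse (x) to the token, else None.
    Classic bits only: with a POSIX ACL present (sysvolreset writes them) the
    group bits hold the ACL mask and named-user entries are not visible here."""
    for path, ouid, ogid, mode in entries:
        if ouid == uid:
            ok = mode & stat.S_IXUSR
        elif ogid in gids:
            ok = mode & stat.S_IXGRP
        else:
            ok = mode & stat.S_IXOTH
        if uid != 0 and not ok:          # root is never denied by mode bits
            return path
    return None

def diagnose(line: str) -> Optional[str]:
    path, uid, gids = parse_token(line)
    return first_denied(stat_entries(path), uid, gids)
```

Run diagnose(LOG_LINE) on the DC itself; a result of None means the mode bits are not the problem and the POSIX ACLs on the sysvol tree are the next thing to compare against samba-tool ntacl sysvolcheck.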

