[Samba] Access denied to sysvol and netlogon shares and GPOs not working after upgrade
a.trogu at gruppoconcorde.it
Mon May 24 13:05:40 UTC 2021
On Mon, 24 May 2021, Rowland penny via samba wrote:
> On 24/05/2021 11:50, Antonio Trogu via samba wrote:
>> I have upgraded a CentOS 7/Samba server AD PDC and file server (it's a
>> small site) from a compiled Samba 4.1.7 version to the last 4.14.4 release,
>> then executed samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix
>> and samba-tool dbcheck --cross-ncs --fix.
> There have been numerous updates between 4.1.7 and 4.14.4 , not least the
> change to Winbind at 4.2.0
I know, that's why I have checked again all installation steps required
for new releases and fixed something that wasn't compliant. But I've
probably missed something.
> How was Samba compiled ?
Samba has been compiled both times with the default options, that is:
./configure, make, make install.
>> After the upgrade users can logon and access and connect to shares I've
>> created, but no user except the Domain Admins can connect to sysvol and
>> netlogon, and nobody can execute gpupdate without errors.
>> CUPS printers are not working, but I still don't know if the 2 issues are
>> At any connection attempt to sysvol or netlogon the server logs an entry
>> like this:
>> failed: Permission denied. Current token: uid=3000152, gid=100, 9 groups:
>> 3000152 100 3000116 3000013 3000014 3000003 3000186 3000009 3000016
>> I have checked and fixed permissions and ACLs on the sysvol share via the
>> samba-tool ntacl sysvolcheck and sysvolreset commands, fixed permissions
>> from Windows and tried the script from
>> I've also tried all fixes suggested in the
>> https://wiki.samba.org/index.php/Sysvolreset guide, deleted all old files -
>> except config and policies - left in the Samba paths, checked DNS Winbindd,
>> Kerberos, etc., but nothing solved the problem.
>> I had updated CentOS before Samba and then the gpupdate issue started, but
>> I have not tested sysvol and netlogon access, so I'm not sure if it worked
>> or not between the 2 updates.
>> I can provide any other configuration detail or do any required test.
> Can you post your smb.conf, it may still be using some old settings.
Sure; here it is:
workgroup = MYDOMAIN
realm = MYDOMAIN.MY2NDLEVELDOMAIN.IT
netbios name = MYSERVER
server role = active directory domain controller
dns forwarder = 192.168.0.20
idmap_ldb:use rfc2307 = yes
log file = /usr/local/samba/var/%m.log
log level = 3 auth_audit:3
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
printing = CUPS
allow dns updates = nonsecure
# For archiving app
unix extensions = no
follow symlinks = yes
wide links = yes
# For Windows Xp clients
ntlm auth = yes
server min protocol = NT1
path = /var/spool/samba
printable = yes
path = /var/samba/Printer_drivers
comment = Printer Drivers
writeable = yes
path = /usr/local/samba/var/locks/sysvol/mydomain.my2ndleveldomain.it/scripts
read only = No
path = /usr/local/samba/var/locks/sysvol
read only = No
path = /finale/dati/atlasconcorde/Home
read only = No
<other custom working shares follow>
I have changed here just my domain and server names. All options are
present on other servers working with 4.14.4, except unix extensions = no,
follow symlinks = yes and wide links = yes. If you tell me I could have
tried to comment them, well, you're right ;)
Already tried to remove ntlm auth = yes, server min protocol = NT1.
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
The information contained in this email message and/or attachments is strictly confidential. Its use is exclusive to the intended recipient of the message for the purpose reported in the message itself. The following constitutes a breach to the principles provided for by the General Data Protection Regulation 2016/679: keeping the message beyond the necessary time, disclosing its contents, either totally or partially, to third parties, copying or using it for any purpose other than those stated in the message itself. We further inform you that, at any time, you can ask for the suspension of the use of your data, except for any communication provided for by law. Should you receive this message in error, we kindly ask you to notify us immediately via e-mail and delete it from your system.
More information about the samba