[Samba] Logon Script is not executed: STATUS_ACCESS_DENIED

Alexander Harm || ApfelQ alexander.harm at apfelq.com
Wed Feb 22 11:29:36 UTC 2023


Last week we finally upgraded our servers from Samba 3 to Samba 4 and so far everything runs smoothly. For now we run 4.15.13 with an old NT-style domain while we are preparing to migrate to Samba AD-style domain.

Since the upgrade we have the issue that the logon scripts are not executed for domain users. It works 100% for domain admins and 0% for non-admin users, and we have no idea why.

We tried various settings without success:

1. setting various registry entries on Windows like: DomainCompatibilityMode, DNSNameResolutionRequired, RunLogonScriptSync, HardenedPaths

2. setting server max protocol = NT1

Our smb.conf of the netlogon looks like this:

[netlogon]
comment = Netlogon Scripts
path = /server/data/samba/netlogon
read only = No
inherit acls = Yes
browseable = yes
guest ok = yes
printable = no
map archive = no
map read only = no
store dos attributes = yes

ACL and Unix permissions for all are at least read. But even after a successful logon in Windows I can perfectly access and execute \\dc\netlogon\myuser.bat (smb://dc/netlogon/myuser.bat).

I was unable to get anything from the logs.

A Wireshark capture reveals that the file was found and opened before the access-denied response.

Frame 147: 374 bytes on wire (2992 bits), 374 bytes captured (2992 bits) on interface eth2, id 0
Ethernet II, Src: VMware_93:fb:2d (00:50:56:93:fb:2d), Dst: Cisco_9f:f0:14 (00:00:0c:9f:f0:14)
Internet Protocol Version 4, Src: 193.197.33.36, Dst: 172.31.23.5
Transmission Control Protocol, Src Port: 445, Dst Port: 50495, Seq: 50753, Ack: 10438, Len: 320
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
SMB2 Header
Create Response (0x05)
StructureSize: 0x0059
0000 0000 0101 100. = Fixed Part Length: 44
.... .... .... ...1 = Dynamic Part: True
Oplock: Lease (0xff)
Response Flags: 0x00
Create Action: The file existed and was opened (1)
Create: Jun 8, 2021 11:00:00.000000000 CEST
Last Access: Feb 21, 2023 09:51:50.209504600 CET
Last Write: Jun 8, 2021 11:00:01.000000000 CEST
Last Change: Jun 8, 2021 11:00:01.000000000 CEST
Allocation Size: 8192
End Of File: 2207
File Attributes: 0x00000020
.... .... .... .... .... .... .... ...0 = Read Only: No
.... .... .... .... .... .... .... ..0. = Hidden: No
.... .... .... .... .... .... .... .0.. = System: No
.... .... .... .... .... .... ...0 .... = Directory: No
.... .... .... .... .... .... ..1. .... = Requires archived: Yes
.... .... .... .... .... .... 0... .... = Normal: No
.... .... .... .... .... ...0 .... .... = Temporary: No
.... .... .... .... .... ..0. .... .... = Sparse: No
.... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point
.... .... .... .... .... 0... .... .... = Compressed: Uncompressed
.... .... .... .... ...0 .... .... .... = Offline: Online
.... .... .... .... ..0. .... .... .... = Not Content Indexed: Is indexed by the content indexing service
.... .... .... .... .0.. .... .... .... = Encrypted: No
.... .... .... .... 0... .... .... .... = Integrity Stream: Does NOT have Integrity Support
.... .... .... ..0. .... .... .... .... = No Scrub Data: Is not excluded from the data integrity scan
Reserved: 00000000
GUID handle File: meyert.bat
File Id: 89d7e97c-0000-0000-85be-57fa00000000
[Frame handle opened: 147]
Blob Offset: 0x00000098
Blob Length: 164
ExtraInfo SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST SMB2_CREATE_QUERY_ON_DISK_ID SMB2_CREATE_REQUEST_LEASE
Chain Element: SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST "MxAc"
Chain Element: SMB2_CREATE_QUERY_ON_DISK_ID "QFid"
Chain Element: SMB2_CREATE_REQUEST_LEASE "RqLs"

All seems fine:

Frame 151: 358 bytes on wire (2864 bits), 358 bytes captured (2864 bits) on interface eth2, id 0
Ethernet II, Src: Cisco_d5:d5:fc (00:2a:6a:d5:d5:fc), Dst: VMware_93:fb:2d (00:50:56:93:fb:2d)
Internet Protocol Version 4, Src: 172.31.23.5, Dst: 193.197.33.36
Transmission Control Protocol, Src Port: 50495, Dst Port: 445, Seq: 10555, Ack: 53364, Len: 304
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
SMB2 Header
Create Request (0x05)
StructureSize: 0x0039
0000 0000 0011 100. = Fixed Part Length: 28
.... .... .... ...1 = Dynamic Part: True
Oplock: Lease (0xff)
Impersonation level: Impersonation (2)
Create Flags: 0x0000000000000000
Reserved: 0000000000000000
Access Mask: 0x001000a1
.... .... .... .... .... .... .... ...1 = Read: READ access
.... .... .... .... .... .... .... ..0. = Write: NO write access
.... .... .... .... .... .... .... .0.. = Append: NO append access
.... .... .... .... .... .... .... 0... = Read EA: NO read extended attributes access
.... .... .... .... .... .... ...0 .... = Write EA: NO write extended attributes access
.... .... .... .... .... .... ..1. .... = Execute: EXECUTE access
.... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access
.... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access
.... .... .... .... .... ...0 .... .... = Write Attributes: NO write attributes access
.... .... .... ...0 .... .... .... .... = Delete: NO delete access
.... .... .... ..0. .... .... .... .... = Read Control: Read access is NOT granted to owner, group and ACL of the SID
.... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC
.... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)
.... .... ...1 .... .... .... .... .... = Synchronize: Can wait on handle to SYNCHRONIZE on completion of I/O
.... ...0 .... .... .... .... .... .... = System Security: System security is NOT set
.... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set
...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set
..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set
.0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set
0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set
File Attributes: 0x00000080
.... .... .... .... .... .... .... ...0 = Read Only: No
.... .... .... .... .... .... .... ..0. = Hidden: No
.... .... .... .... .... .... .... .0.. = System: No
.... .... .... .... .... .... ...0 .... = Directory: No
.... .... .... .... .... .... ..0. .... = Requires archived: No
.... .... .... .... .... .... 1... .... = Normal: Yes
.... .... .... .... .... ...0 .... .... = Temporary: No
.... .... .... .... .... ..0. .... .... = Sparse: No
.... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point
.... .... .... .... .... 0... .... .... = Compressed: Uncompressed
.... .... .... .... ...0 .... .... .... = Offline: Online
.... .... .... .... ..0. .... .... .... = Not Content Indexed: Is indexed by the content indexing service
.... .... .... .... .0.. .... .... .... = Encrypted: No
.... .... .... .... 0... .... .... .... = Integrity Stream: Does NOT have Integrity Support
.... .... .... ..0. .... .... .... .... = No Scrub Data: Is not excluded from the data integrity scan
Share Access: 0x00000005, Read, Delete
Disposition: Open (if file exists open it, else fail) (1)
Create Options: 0x00000060
Filename: meyert.bat
Blob Offset: 0x00000078
Blob Length: 20
Blob Offset: 0x00000090
Blob Length: 156
ExtraInfo SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST SMB2_CREATE_REQUEST_LEASE
Chain Element: SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 "DH2Q"
Chain Element: SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST "MxAc"
Chain Element: SMB2_CREATE_REQUEST_LEASE "RqLs"

Then comes the access-denied response:

Frame 164: 131 bytes on wire (1048 bits), 131 bytes captured (1048 bits) on interface eth2, id 0
Ethernet II, Src: VMware_93:fb:2d (00:50:56:93:fb:2d), Dst: Cisco_9f:f0:14 (00:00:0c:9f:f0:14)
Internet Protocol Version 4, Src: 193.197.33.36, Dst: 172.31.23.5
Transmission Control Protocol, Src Port: 445, Dst Port: 50495, Seq: 54262, Ack: 12275, Len: 77
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
SMB2 Header
ProtocolId: 0xfe534d42
Header Length: 64
Credit Charge: 1
NT Status: STATUS_ACCESS_DENIED (0xc0000022)
Command: Create (5)
Credits granted: 1
Flags: 0x00000031, Response, Priority
Chain Offset: 0x00000000
Message ID: 67
Process Id: 0x0000feff
Tree Id: 0x7d40ce3a \\BRAZILIA\NETLOGON
Session Id: 0x00000000fea05c28 Acct:meyert Domain:DLAN Host:R0678
Signature: 00000000000000000000000000000000
[Response to: 163]
[Time from request: 0.000160938 seconds]
Create Response (0x05)
StructureSize: 0x0009
0000 0000 0000 100. = Fixed Part Length: 4
.... .... .... ...1 = Dynamic Part: True
Error Context Count: 0
Reserved: 0x00
Byte Count: 0
Error Data: 00

It would be great if anyone has any idea or input.

Thanks a lot, Alexander
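When a CREATE on a share comes back with STATUS_ACCESS_DENIED, two things are worth pinning down before touching smb.conf or ACLs: exactly which rights the client asked for (the Access Mask in the request) and which CREATE responses in the capture carry the error (so the failing session, tree and message id can be matched to Samba's log). The following is an added example, not code from the post or from the Samba project: a small Python parser for the fixed 64-byte SMB2 header (MS-SMB2 sync layout) and the ERROR response body, plus a decoder for the File_Pipe_Printer_Access_Mask bits. The packet bytes are constructed here from the field values Wireshark printed for Frames 151 and 164 above; they are not a real capture.

```python
"""Parse SMB2 headers / ERROR responses and decode a CREATE access mask.

Constructed example: the packets are hand-built from the field values in the
Wireshark dissection quoted in the post (Frames 151 and 164), not captured bytes.
Layout: MS-SMB2 2.2.1.2 (sync header, 64 bytes) and 2.2.2 (ERROR response).
"""
import struct
from dataclasses import dataclass

STATUS_ACCESS_DENIED = 0xC0000022
SMB2_CREATE = 0x0005
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on every response

# MS-SMB2 2.2.13.1.1 File_Pipe_Printer_Access_Mask (bit -> right)
ACCESS_MASK_BITS = {
    0x00000001: "FILE_READ_DATA",      0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA",    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",       0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD",   0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",              0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",           0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",         0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x02000000: "MAXIMUM_ALLOWED",     0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",     0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}

# ProtocolId, StructureSize, CreditCharge, Status, Command, Credits, Flags,
# NextCommand, MessageId, Reserved, TreeId, SessionId, Signature  (little-endian)
HEADER_FMT = "<4sHHIHHIIQIIQ16s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 64


@dataclass
class Smb2Header:
    status: int
    command: int
    flags: int
    message_id: int
    tree_id: int
    session_id: int

    @property
    def is_response(self) -> bool:
        return bool(self.flags & SMB2_FLAGS_SERVER_TO_REDIR)


def parse_header(buf: bytes) -> Smb2Header:
    """Parse the fixed SMB2 header; raise ValueError on anything that is not SMB2."""
    if len(buf) < HEADER_LEN:
        raise ValueError("truncated SMB2 header")
    (proto, size, _charge, status, cmd, _credits, flags, _next,
     msg_id, _reserved, tree_id, sess_id, _sig) = struct.unpack_from(HEADER_FMT, buf)
    if proto != b"\xfeSMB" or size != HEADER_LEN:
        raise ValueError("not an SMB2 header")
    return Smb2Header(status, cmd, flags, msg_id, tree_id, sess_id)


def decode_access_mask(mask: int) -> list[str]:
    """Expand a CREATE DesiredAccess mask into named rights, lowest bit first."""
    names = [name for bit, name in sorted(ACCESS_MASK_BITS.items()) if mask & bit]
    unknown = mask & ~sum(ACCESS_MASK_BITS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:08x})")
    return names


def build_header(status, command, message_id, tree_id, session_id, flags=0x31) -> bytes:
    """Constructed response header (flags 0x31 = Response + priority, as in Frame 164)."""
    return struct.pack(HEADER_FMT, b"\xfeSMB", HEADER_LEN, 1, status, command, 1,
                       flags, 0, message_id, 0, tree_id, session_id, b"\x00" * 16)


def build_error_response(status, command, message_id, tree_id, session_id) -> bytes:
    """Header + ERROR body: StructureSize 9, ErrorContextCount 0, Reserved, ByteCount 0, 1 byte ErrorData."""
    return build_header(status, command, message_id, tree_id, session_id) \
        + struct.pack("<HBBI", 9, 0, 0, 0) + b"\x00"


def find_denied_creates(packets):
    """Detection pass: (message_id, tree_id, session_id) of every CREATE response
    carrying STATUS_ACCESS_DENIED; non-SMB2 buffers are skipped."""
    hits = []
    for pkt in packets:
        try:
            h = parse_header(pkt)
        except ValueError:
            continue
        if h.is_response and h.command == SMB2_CREATE and h.status == STATUS_ACCESS_DENIED:
            hits.append((h.message_id, h.tree_id, h.session_id))
    return hits


# Constructed samples: Frame 164's values from the post, plus a successful header for contrast.
FRAME_164 = build_error_response(STATUS_ACCESS_DENIED, SMB2_CREATE, 67, 0x7D40CE3A, 0xFEA05C28)
FRAME_OK = build_header(0, SMB2_CREATE, 66, 0x7D40CE3A, 0xFEA05C28)

if __name__ == "__main__":
    print("rights requested in Frame 151:", decode_access_mask(0x001000A1))
    for msg_id, tree, sess in find_denied_creates([FRAME_OK, FRAME_164, b"junk"]):
        print(f"CREATE denied: msg {msg_id} tree 0x{tree:08x} session 0x{sess:016x}")
```

Decoding Frame 151's mask 0x001000a1 gives FILE_READ_DATA, FILE_EXECUTE, FILE_READ_ATTRIBUTES and SYNCHRONIZE, which is what Wireshark's bit listing above says; the interesting comparison is between that set and whatever the share and filesystem ACL actually grant the non-admin user, since the denial is on the CREATE itself rather than on a later read. Matching the tree id 0x7d40ce3a and session 0xfea05c28 against a Samba log at a higher debug level narrows the search to the one smbd process handling that session.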


