[Samba] Logon Script is not executed: STATUS_ACCESS_DENIED

Rowland Penny rpenny at samba.org
Wed Feb 22 11:42:19 UTC 2023



On 22/02/2023 11:29, Alexander Harm || ApfelQ via samba wrote:
> Last week we finally upgraded our servers from Samba 3 to Samba 4 and so far everything runs smoothly. For now we run 4.15.13 with an old NT-style domain while we are preparing to migrate to Samba AD-style domain.
> 
> Since the upgrade we have the issue that the logon scripts are not executed for domain users. It works 100% for domain admins and 0% for non-admin users and we have no idea why.

Sounds like a permission problem.

> 
> We tried the various settings without success:
> 
> 1. setting various registry entries on Windows like: DomainCompatibilityMode, DNSNameResolutionRequired, RunLogonScriptSync, HardenedPaths
> 
> 2. setting server max protocol = NT1
> 
> Our smb.conf of the netlogon looks like this:

But what does the rest of the smb.conf look like ?

> 
> [netlogon]
> comment = Netlogon Scripts
> path = /server/data/samba/netlogon

Can your users traverse the path ?
Can they actually get to your netlogon scripts to read and execute them ?

> read only = No
> inherit acls = Yes
> browseable = yes
> guest ok = yes
> printable = no
> map archive = no
> map read only = no
> store dos attributes = yes

You might want to read 'man smb.conf', a couple of those parameters are 
ignored if the last one is set (and it is set by default).

> 
> ACL and Unix permissions for all are at least read. But even after successful logon in Windows I perfectly access and execute \\dc\netlogon\myuser.bat (smb://dc/netlogon/myuser.bat).
> 
> I was unable to get anything from the logs.
> 
> A Wireshark capture reveals that the file was found and opened before the access denied.
> 
> Frame 147: 374 bytes on wire (2992 bits), 374 bytes captured (2992 bits) on interface eth2, id 0
> Ethernet II, Src: VMware_93:fb:2d (00:50:56:93:fb:2d), Dst: Cisco_9f:f0:14 (00:00:0c:9f:f0:14)
> Internet Protocol Version 4, Src: 193.197.33.36, Dst: 172.31.23.5
> Transmission Control Protocol, Src Port: 445, Dst Port: 50495, Seq: 50753, Ack: 10438, Len: 320
> NetBIOS Session Service
> SMB2 (Server Message Block Protocol version 2)
> SMB2 Header
> Create Response (0x05)
> StructureSize: 0x0059
> 0000 0000 0101 100. = Fixed Part Length: 44
> .... .... .... ...1 = Dynamic Part: True
> Oplock: Lease (0xff)
> Response Flags: 0x00
> Create Action: The file existed and was opened (1)
> Create: Jun 8, 2021 11:00:00.000000000 CEST
> Last Access: Feb 21, 2023 09:51:50.209504600 CET
> Last Write: Jun 8, 2021 11:00:01.000000000 CEST
> Last Change: Jun 8, 2021 11:00:01.000000000 CEST
> Allocation Size: 8192
> End Of File: 2207
> File Attributes: 0x00000020
> .... .... .... .... .... .... .... ...0 = Read Only: No
> .... .... .... .... .... .... .... ..0. = Hidden: No
> .... .... .... .... .... .... .... .0.. = System: No
> .... .... .... .... .... .... ...0 .... = Directory: No
> .... .... .... .... .... .... ..1. .... = Requires archived: Yes
> .... .... .... .... .... .... 0... .... = Normal: No
> .... .... .... .... .... ...0 .... .... = Temporary: No
> .... .... .... .... .... ..0. .... .... = Sparse: No
> .... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point
> .... .... .... .... .... 0... .... .... = Compressed: Uncompressed
> .... .... .... .... ...0 .... .... .... = Offline: Online
> .... .... .... .... ..0. .... .... .... = Not Content Indexed: Is indexed by the content indexing service
> .... .... .... .... .0.. .... .... .... = Encrypted: No
> .... .... .... .... 0... .... .... .... = Integrity Stream: Does NOT have Integrity Support
> .... .... .... ..0. .... .... .... .... = No Scrub Data: Is not excluded from the data integrity scan
> Reserved: 00000000
> GUID handle File: meyert.bat
> File Id: 89d7e97c-0000-0000-85be-57fa00000000
> [Frame handle opened: 147]
> Blob Offset: 0x00000098
> Blob Length: 164
> ExtraInfo SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST SMB2_CREATE_QUERY_ON_DISK_ID SMB2_CREATE_REQUEST_LEASE
> Chain Element: SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST "MxAc"
> Chain Element: SMB2_CREATE_QUERY_ON_DISK_ID "QFid"
> Chain Element: SMB2_CREATE_REQUEST_LEASE "RqLs"
> 
> All seems fine:
> 
> Frame 151: 358 bytes on wire (2864 bits), 358 bytes captured (2864 bits) on interface eth2, id 0
> Ethernet II, Src: Cisco_d5:d5:fc (00:2a:6a:d5:d5:fc), Dst: VMware_93:fb:2d (00:50:56:93:fb:2d)
> Internet Protocol Version 4, Src: 172.31.23.5, Dst: 193.197.33.36
> Transmission Control Protocol, Src Port: 50495, Dst Port: 445, Seq: 10555, Ack: 53364, Len: 304
> NetBIOS Session Service
> SMB2 (Server Message Block Protocol version 2)
> SMB2 Header
> Create Request (0x05)
> StructureSize: 0x0039
> 0000 0000 0011 100. = Fixed Part Length: 28
> .... .... .... ...1 = Dynamic Part: True
> Oplock: Lease (0xff)
> Impersonation level: Impersonation (2)
> Create Flags: 0x0000000000000000
> Reserved: 0000000000000000
> Access Mask: 0x001000a1
> .... .... .... .... .... .... .... ...1 = Read: READ access
> .... .... .... .... .... .... .... ..0. = Write: NO write access
> .... .... .... .... .... .... .... .0.. = Append: NO append access
> .... .... .... .... .... .... .... 0... = Read EA: NO read extended attributes access
> .... .... .... .... .... .... ...0 .... = Write EA: NO write extended attributes access
> .... .... .... .... .... .... ..1. .... = Execute: EXECUTE access
> .... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access
> .... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access
> .... .... .... .... .... ...0 .... .... = Write Attributes: NO write attributes access
> .... .... .... ...0 .... .... .... .... = Delete: NO delete access
> .... .... .... ..0. .... .... .... .... = Read Control: Read access is NOT granted to owner, group and ACL of the SID
> .... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC
> .... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)
> .... .... ...1 .... .... .... .... .... = Synchronize: Can wait on handle to SYNCHRONIZE on completion of I/O
> .... ...0 .... .... .... .... .... .... = System Security: System security is NOT set
> .... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set
> ...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set
> ..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set
> .0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set
> 0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set
> File Attributes: 0x00000080
> .... .... .... .... .... .... .... ...0 = Read Only: No
> .... .... .... .... .... .... .... ..0. = Hidden: No
> .... .... .... .... .... .... .... .0.. = System: No
> .... .... .... .... .... .... ...0 .... = Directory: No
> .... .... .... .... .... .... ..0. .... = Requires archived: No
> .... .... .... .... .... .... 1... .... = Normal: Yes
> .... .... .... .... .... ...0 .... .... = Temporary: No
> .... .... .... .... .... ..0. .... .... = Sparse: No
> .... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point
> .... .... .... .... .... 0... .... .... = Compressed: Uncompressed
> .... .... .... .... ...0 .... .... .... = Offline: Online
> .... .... .... .... ..0. .... .... .... = Not Content Indexed: Is indexed by the content indexing service
> .... .... .... .... .0.. .... .... .... = Encrypted: No
> .... .... .... .... 0... .... .... .... = Integrity Stream: Does NOT have Integrity Support
> .... .... .... ..0. .... .... .... .... = No Scrub Data: Is not excluded from the data integrity scan
> Share Access: 0x00000005, Read, Delete
> Disposition: Open (if file exists open it, else fail) (1)
> Create Options: 0x00000060
> Filename: meyert.bat
> Blob Offset: 0x00000078
> Blob Length: 20
> Blob Offset: 0x00000090
> Blob Length: 156
> ExtraInfo SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST SMB2_CREATE_REQUEST_LEASE
> Chain Element: SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 "DH2Q"
> Chain Element: SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST "MxAc"
> Chain Element: SMB2_CREATE_REQUEST_LEASE "RqLs"
> 
> Then comes the denied:
> 
> Frame 164: 131 bytes on wire (1048 bits), 131 bytes captured (1048 bits) on interface eth2, id 0
> Ethernet II, Src: VMware_93:fb:2d (00:50:56:93:fb:2d), Dst: Cisco_9f:f0:14 (00:00:0c:9f:f0:14)
> Internet Protocol Version 4, Src: 193.197.33.36, Dst: 172.31.23.5
> Transmission Control Protocol, Src Port: 445, Dst Port: 50495, Seq: 54262, Ack: 12275, Len: 77
> NetBIOS Session Service
> SMB2 (Server Message Block Protocol version 2)
> SMB2 Header
> ProtocolId: 0xfe534d42
> Header Length: 64
> Credit Charge: 1
> NT Status: STATUS_ACCESS_DENIED (0xc0000022)
> Command: Create (5)
> Credits granted: 1
> Flags: 0x00000031, Response, Priority
> Chain Offset: 0x00000000
> Message ID: 67
> Process Id: 0x0000feff
> Tree Id: 0x7d40ce3a \\BRAZILIA\NETLOGON
> Session Id: 0x00000000fea05c28 Acct:meyert Domain:DLAN Host:R0678
> Signature: 00000000000000000000000000000000
> [Response to: 163]
> [Time from request: 0.000160938 seconds]
> Create Response (0x05)
> StructureSize: 0x0009
> 0000 0000 0000 100. = Fixed Part Length: 4
> .... .... .... ...1 = Dynamic Part: True
> Error Context Count: 0
> Reserved: 0x00
> Byte Count: 0
> Error Data: 00
> 
> Would be great if anyone has any idea or input.

Awful lot of 'SMB2' there and, last time I heard, you need SMB1 for an 
NT4-style domain.

Rowland
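An added example, not from the thread, of the check Rowland is asking about: walk the share path as the logged-on user's Unix uid/gids and report each component that blocks traverse, read or execute. It evaluates classic mode bits only (POSIX ACLs set with setfacl are not consulted) and assumes, as Samba 4 does by default (see `acl allow execute always` in smb.conf(5)), that a Windows open-for-execute of a .bat file requires the Unix execute bit; the temp tree, the script name and the non-owner uid are constructed.

```python
import os, stat, tempfile

def _effective_rwx(st: os.stat_result, uid: int, gids) -> int:
    """Owner/group/other mode-bit evaluation for uid/gids; POSIX ACLs are ignored."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in set(gids):
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def check_script_access(script: str, uid: int, gids, top: str = os.sep) -> list[str]:
    """Every reason uid cannot open `script` for read+execute, walking down from `top`."""
    chain = [os.path.abspath(top)]
    for part in os.path.relpath(os.path.abspath(script), chain[0]).split(os.sep):
        chain.append(os.path.join(chain[-1], part))
    problems = []
    for current in chain:
        try:
            st = os.stat(current)
        except FileNotFoundError:
            problems.append(f"{current}: does not exist")
            break
        bits = _effective_rwx(st, uid, gids)
        if stat.S_ISDIR(st.st_mode):
            if not bits & 1:                      # directories only need traverse (x)
                problems.append(f"{current}: no traverse (x) for uid {uid}")
        else:
            if not bits & 4:                      # the script must be readable ...
                problems.append(f"{current}: no read (r) for uid {uid}")
            if not bits & 1:                      # ... and, for open-for-execute, executable
                problems.append(f"{current}: no execute (x) for uid {uid}")
    return problems

def demo() -> dict[str, dict[str, list[str]]]:
    """Constructed netlogon tree in a temp dir, checked for the owner and a non-owner uid."""
    base = tempfile.mkdtemp()
    share = os.path.join(base, "netlogon")
    script = os.path.join(share, "user1.bat")       # constructed script name
    os.mkdir(share, 0o750)                          # others cannot traverse the share
    open(script, "w").close()
    os.chmod(base, 0o755)
    os.chmod(script, 0o640)                         # no execute bit for anyone
    me, other = os.getuid(), os.getuid() + 1        # `other` stands in for a domain user
    result = {"before": {}, "after": {}}
    for phase in ("before", "after"):
        result[phase]["owner"] = check_script_access(script, me, os.getgroups(), base)
        result[phase]["other"] = check_script_access(script, other, [], base)
        os.chmod(share, 0o755)                      # fix: traverse for everyone
        os.chmod(script, 0o755)                     # fix: read + execute for everyone
    return result
```

On a real server, call check_script_access() with the script path under the netlogon share and the uid and group list of a failing domain account (as reported by `id <username>`) to see which component denies it.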


