[Samba] Logon Script is not executed: STATUS_ACCESS_DENIED

Alexander Harm || ApfelQ alexander.harm at apfelq.com
Wed Feb 22 11:53:31 UTC 2023


Yeah, I am confused myself since the setting is

> server max protocol = NT1
However, you are right about the permission problem. The logon scripts need to be executable, not only readable.

So chmod +x logon.bat does the trick.

Thanks as always for the prompt reply. I will follow up on the rest.

And thanks to https://blog.dummzeuch.de/2018/04/13/if-your-samba-logon-script-does-not-get-executed/

Alexander

> On Wednesday, Feb 22, 2023 at 12:42 PM, Rowland Penny via samba <samba at lists.samba.org (mailto:samba at lists.samba.org)> wrote:
>
>
> On 22/02/2023 11:29, Alexander Harm || ApfelQ via samba wrote:
> > Last week we finally upgraded our servers from Samba 3 to Samba 4 and so far everything runs smoothly. For now we run 4.15.13 with an old NT-style domain while we are preparing to migrate to Samba AD-style domain.
> >
> > Since the upgrade we have the issue that the logon scripts are not executed for domain users. It works a 100% for domain admins and 0% for non admin users and we have no idea why.
>
> Sounds like a permission problem.
>
> >
> > We tried the various settings without success:
> >
> > 1. setting various registry entries on Windows like: DomainCompatibilityMode, DNSNameResolutionRequired, RunLogonScriptSync, HardenedPaths
> >
> > 2. setting server max protocol = NT1
> >
> > Our smb.conf of the netlogon looks like this:
>
> But what does the rest of the smb.conf look like ?
>
> >
> > [netlogon]
> > comment = Netlogon Scripts
> > path = /server/data/samba/netlogon
>
> Can your users traverse the path ?
> Can they actually get to your netlogon scripts to read and execute them ?
>
> > read only = No
> > inherit acls = Yes
> > browseable = yes
> > guest ok = yes
> > printable = no
> > map archive = no
> > map read only = no
> > store dos attributes = yes
>
> You might want to read 'man smb.conf', a couple of those parameters are
> ignored if the last one is set (and it is set by default).
>
> >
> > ACL and Unix permissions for all are at least read. But even after successful logon in Windows I can perfectly access and execute \\dc\netlogon\myuser.bat (smb://dc/netlogon/myuser.bat).
> >
> > I was unable to get anything from the logs.
> >
> > A Wireshark capture reveals that the file was found and opened before the access denied.
> >
> > Frame 147: 374 bytes on wire (2992 bits), 374 bytes captured (2992 bits) on interface eth2, id 0
> > Ethernet II, Src: VMware_93:fb:2d (00:50:56:93:fb:2d), Dst: Cisco_9f:f0:14 (00:00:0c:9f:f0:14)
> > Internet Protocol Version 4, Src: 193.197.33.36, Dst: 172.31.23.5
> > Transmission Control Protocol, Src Port: 445, Dst Port: 50495, Seq: 50753, Ack: 10438, Len: 320
> > NetBIOS Session Service
> > SMB2 (Server Message Block Protocol version 2)
> > SMB2 Header
> > Create Response (0x05)
> > StructureSize: 0x0059
> > 0000 0000 0101 100. = Fixed Part Length: 44
> > .... .... .... ...1 = Dynamic Part: True
> > Oplock: Lease (0xff)
> > Response Flags: 0x00
> > Create Action: The file existed and was opened (1)
> > Create: Jun 8, 2021 11:00:00.000000000 CEST
> > Last Access: Feb 21, 2023 09:51:50.209504600 CET
> > Last Write: Jun 8, 2021 11:00:01.000000000 CEST
> > Last Change: Jun 8, 2021 11:00:01.000000000 CEST
> > Allocation Size: 8192
> > End Of File: 2207
> > File Attributes: 0x00000020
> > .... .... .... .... .... .... .... ...0 = Read Only: No
> > .... .... .... .... .... .... .... ..0. = Hidden: No
> > .... .... .... .... .... .... .... .0.. = System: No
> > .... .... .... .... .... .... ...0 .... = Directory: No
> > .... .... .... .... .... .... ..1. .... = Requires archived: Yes
> > .... .... .... .... .... .... 0... .... = Normal: No
> > .... .... .... .... .... ...0 .... .... = Temporary: No
> > .... .... .... .... .... ..0. .... .... = Sparse: No
> > .... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point
> > .... .... .... .... .... 0... .... .... = Compressed: Uncompressed
> > .... .... .... .... ...0 .... .... .... = Offline: Online
> > .... .... .... .... ..0. .... .... .... = Not Content Indexed: Is indexed by the content indexing service
> > .... .... .... .... .0.. .... .... .... = Encrypted: No
> > .... .... .... .... 0... .... .... .... = Integrity Stream: Does NOT have Integrity Support
> > .... .... .... ..0. .... .... .... .... = No Scrub Data: Is not excluded from the data integrity scan
> > Reserved: 00000000
> > GUID handle File: meyert.bat
> > File Id: 89d7e97c-0000-0000-85be-57fa00000000
> > [Frame handle opened: 147]
> > Blob Offset: 0x00000098
> > Blob Length: 164
> > ExtraInfo SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST SMB2_CREATE_QUERY_ON_DISK_ID SMB2_CREATE_REQUEST_LEASE
> > Chain Element: SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST "MxAc"
> > Chain Element: SMB2_CREATE_QUERY_ON_DISK_ID "QFid"
> > Chain Element: SMB2_CREATE_REQUEST_LEASE "RqLs"
> >
> > All seems fine:
> >
> > Frame 151: 358 bytes on wire (2864 bits), 358 bytes captured (2864 bits) on interface eth2, id 0
> > Ethernet II, Src: Cisco_d5:d5:fc (00:2a:6a:d5:d5:fc), Dst: VMware_93:fb:2d (00:50:56:93:fb:2d)
> > Internet Protocol Version 4, Src: 172.31.23.5, Dst: 193.197.33.36
> > Transmission Control Protocol, Src Port: 50495, Dst Port: 445, Seq: 10555, Ack: 53364, Len: 304
> > NetBIOS Session Service
> > SMB2 (Server Message Block Protocol version 2)
> > SMB2 Header
> > Create Request (0x05)
> > StructureSize: 0x0039
> > 0000 0000 0011 100. = Fixed Part Length: 28
> > .... .... .... ...1 = Dynamic Part: True
> > Oplock: Lease (0xff)
> > Impersonation level: Impersonation (2)
> > Create Flags: 0x0000000000000000
> > Reserved: 0000000000000000
> > Access Mask: 0x001000a1
> > .... .... .... .... .... .... .... ...1 = Read: READ access
> > .... .... .... .... .... .... .... ..0. = Write: NO write access
> > .... .... .... .... .... .... .... .0.. = Append: NO append access
> > .... .... .... .... .... .... .... 0... = Read EA: NO read extended attributes access
> > .... .... .... .... .... .... ...0 .... = Write EA: NO write extended attributes access
> > .... .... .... .... .... .... ..1. .... = Execute: EXECUTE access
> > .... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access
> > .... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access
> > .... .... .... .... .... ...0 .... .... = Write Attributes: NO write attributes access
> > .... .... .... ...0 .... .... .... .... = Delete: NO delete access
> > .... .... .... ..0. .... .... .... .... = Read Control: Read access is NOT granted to owner, group and ACL of the SID
> > .... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC
> > .... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)
> > .... .... ...1 .... .... .... .... .... = Synchronize: Can wait on handle to SYNCHRONIZE on completion of I/O
> > .... ...0 .... .... .... .... .... .... = System Security: System security is NOT set
> > .... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set
> > ...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set
> > ..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set
> > .0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set
> > 0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set
> > File Attributes: 0x00000080
> > .... .... .... .... .... .... .... ...0 = Read Only: No
> > .... .... .... .... .... .... .... ..0. = Hidden: No
> > .... .... .... .... .... .... .... .0.. = System: No
> > .... .... .... .... .... .... ...0 .... = Directory: No
> > .... .... .... .... .... .... ..0. .... = Requires archived: No
> > .... .... .... .... .... .... 1... .... = Normal: Yes
> > .... .... .... .... .... ...0 .... .... = Temporary: No
> > .... .... .... .... .... ..0. .... .... = Sparse: No
> > .... .... .... .... .... .0.. .... .... = Reparse Point: Does NOT have an associated reparse point
> > .... .... .... .... .... 0... .... .... = Compressed: Uncompressed
> > .... .... .... .... ...0 .... .... .... = Offline: Online
> > .... .... .... .... ..0. .... .... .... = Not Content Indexed: Is indexed by the content indexing service
> > .... .... .... .... .0.. .... .... .... = Encrypted: No
> > .... .... .... .... 0... .... .... .... = Integrity Stream: Does NOT have Integrity Support
> > .... .... .... ..0. .... .... .... .... = No Scrub Data: Is not excluded from the data integrity scan
> > Share Access: 0x00000005, Read, Delete
> > Disposition: Open (if file exists open it, else fail) (1)
> > Create Options: 0x00000060
> > Filename: meyert.bat
> > Blob Offset: 0x00000078
> > Blob Length: 20
> > Blob Offset: 0x00000090
> > Blob Length: 156
> > ExtraInfo SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST SMB2_CREATE_REQUEST_LEASE
> > Chain Element: SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 "DH2Q"
> > Chain Element: SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST "MxAc"
> > Chain Element: SMB2_CREATE_REQUEST_LEASE "RqLs"
> >
> > Then comes the denied:
> >
> > Frame 164: 131 bytes on wire (1048 bits), 131 bytes captured (1048 bits) on interface eth2, id 0
> > Ethernet II, Src: VMware_93:fb:2d (00:50:56:93:fb:2d), Dst: Cisco_9f:f0:14 (00:00:0c:9f:f0:14)
> > Internet Protocol Version 4, Src: 193.197.33.36, Dst: 172.31.23.5
> > Transmission Control Protocol, Src Port: 445, Dst Port: 50495, Seq: 54262, Ack: 12275, Len: 77
> > NetBIOS Session Service
> > SMB2 (Server Message Block Protocol version 2)
> > SMB2 Header
> > ProtocolId: 0xfe534d42
> > Header Length: 64
> > Credit Charge: 1
> > NT Status: STATUS_ACCESS_DENIED (0xc0000022)
> > Command: Create (5)
> > Credits granted: 1
> > Flags: 0x00000031, Response, Priority
> > Chain Offset: 0x00000000
> > Message ID: 67
> > Process Id: 0x0000feff
> > Tree Id: 0x7d40ce3a \\BRAZILIA\NETLOGON
> > Session Id: 0x00000000fea05c28 Acct:meyert Domain:DLAN Host:R0678
> > Signature: 00000000000000000000000000000000
> > [Response to: 163]
> > [Time from request: 0.000160938 seconds]
> > Create Response (0x05)
> > StructureSize: 0x0009
> > 0000 0000 0000 100. = Fixed Part Length: 4
> > .... .... .... ...1 = Dynamic Part: True
> > Error Context Count: 0
> > Reserved: 0x00
> > Byte Count: 0
> > Error Data: 00
> >
> > Would be great if anyone has any idea or input.
>
> Awful lot of 'SMB2' there and, last time I heard, you need SMB1 for an
> NT4-style domain.
>
> Rowland
>
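The capture in the thread shows the client opening meyert.bat with Access Mask 0x001000a1, which carries FILE_EXECUTE, and since Samba 4.0 smbd denies such an "open for execution" when the POSIX execute bit is missing (the behaviour is governed by `acl allow execute always`, default no, in man smb.conf), which is why the Samba 3 to 4 upgrade surfaced it and chmod +x fixed it. The Python below is an added example and not code from the thread: it decodes the mask from frame 151, maps the requested rights onto the rwx bits a permission class needs, and lists the *.bat files in a constructed netlogon directory that the "other" class could read but not execute. The bit names follow MS-SMB2; the read/write/execute mapping approximates smbd's POSIX handling, and which class (owner, group, other) a domain user falls in is an assumption the caller makes.

```python
import os
import stat
import tempfile

# SMB2 access-mask bits (MS-SMB2 2.2.13.1.1) in the order Wireshark dissects them in frame 151.
ACCESS_BITS = [
    (0x00000001, "FILE_READ_DATA"), (0x00000002, "FILE_WRITE_DATA"),
    (0x00000004, "FILE_APPEND_DATA"), (0x00000008, "FILE_READ_EA"),
    (0x00000010, "FILE_WRITE_EA"), (0x00000020, "FILE_EXECUTE"),
    (0x00000040, "FILE_DELETE_CHILD"), (0x00000080, "FILE_READ_ATTRIBUTES"),
    (0x00000100, "FILE_WRITE_ATTRIBUTES"), (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"), (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"), (0x00100000, "SYNCHRONIZE"),
]
LOGON_OPEN_MASK = 0x001000A1  # Access Mask of the Create Request in frame 151

def decode_access_mask(mask):
    """Names of the rights set in an SMB2 access mask, lowest bit first."""
    return [name for bit, name in ACCESS_BITS if mask & bit]

def required_posix_bits(mask):
    """POSIX class bits (r=4, w=2, x=1) the rights need: read data -> r, write/append -> w, execute -> x."""
    return ((4 if mask & 0x01 else 0) | (2 if mask & 0x06 else 0)
            | (1 if mask & 0x20 else 0))

def missing_perms(mode, mask, cls="other"):
    """Letters (r/w/x) that permission class cls lacks for this open; class is an assumption about uid/gid."""
    have = (mode >> {"owner": 6, "group": 3, "other": 0}[cls]) & 7
    lacking = required_posix_bits(mask) & ~have
    return "".join(c for bit, c in ((4, "r"), (2, "w"), (1, "x")) if lacking & bit)

def scripts_denied_execute(directory, cls="other"):
    """Sorted *.bat files in directory that class cls cannot open with the logon-script mask."""
    denied = []
    for name in os.listdir(directory):
        if name.lower().endswith(".bat"):
            mode = stat.S_IMODE(os.stat(os.path.join(directory, name)).st_mode)
            if missing_perms(mode, LOGON_OPEN_MASK, cls):
                denied.append(name)
    return sorted(denied)

def demo():
    """Constructed netlogon share: one script still 0644, one after chmod +x."""
    with tempfile.TemporaryDirectory() as netlogon:
        for name, mode in (("meyert.bat", 0o644), ("fixed.bat", 0o755)):
            path = os.path.join(netlogon, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return scripts_denied_execute(netlogon)  # ['meyert.bat']
```

Run `demo()` to see the 0644 script reported; pointing `scripts_denied_execute` at a real netlogon path gives the same report for that share.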