[Samba] Getting 'Access Denied' under Offline mode (Offline Files)

Rowland Penny rpenny at samba.org
Wed Sep 11 07:15:23 UTC 2024 

On Wed, 11 Sep 2024 13:25:08 +1200
June Chong | TechnologyWise via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
> 
> Below is the output for testparm -s:

I didn't know you were using a DC as a fileserver, this is not
recommended.
If I had know, I would have asked for the output of 'samba-tool
testparm'.
However, I can work with what you have provided.

> 
> /Server role: ROLE_ACTIVE_DIRECTORY_DC
> /
> 
> /# Global parameters
> [global]
>          ldap server require strong auth = No
>          passdb backend = samba_dsdb
>          realm = SAMBADOM

Is your AD domain really using a single label domain ?
This isn't a good idea, Microsoft doesn't support it, so I suppose
Samba shouldn't either, see here:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/single-label-domains-support-policy

>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>          workgroup = SAMBADOM
>          rpc_server:tcpip = no
>          rpc_daemon:spoolssd = embedded
>          rpc_server:spoolss = embedded
>          rpc_server:winreg = embedded
>          rpc_server:ntsvcs = embedded
>          rpc_server:eventlog = embedded
>          rpc_server:srvsvc = embedded
>          rpc_server:svcctl = embedded
>          rpc_server:default = external
>          winbindd:use external pipes = true
>          idmap_ldb:use rfc2307 = yes
>          idmap config * : backend = tdb
>          map archive = No
>          vfs objects = dfs_samba4 acl_xattr

Remember that 'vfs objects' line, we will come to it later.

> 
> 
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
> 
> 
> [netlogon]
>          path = /var/lib/samba/sysvol/sambadom/scripts
>          read only = No
> 
> 
> [pc-admin]
>          path = /data/share_pool/pc_admin
>          read only = No
>          vfs objects = recycle

No need to go further, do you remember the contents of the 'vfs
objects' line above ?
Every time you set 'vfs objects' on a share, it has to contain whatever
is set in '[global]' or you turn off whatever is set in '[global]', in
the instance above the line should be:

vfs objects = dfs_samba4 acl_xattr recycle 

I would suggest you do three things:

1) If you are not already doing so, run a second DC.
2) Stop using a DC as a fileserver, create a Unix domain member and use
that instead.
3) Stop using profiles/offline files, they are yesterdays way of doing
things, use folder redirection instead.

Rowland

More information about the samba mailing list