[Samba] Problems with several accounts after Samba 2.x to 3.5.8 migration

[Marc Richter]

Hi everyone,

my last question was some kind of bumpy and hard to understand. So I
will try a better explanation of the issue this time.

I was running a Samba 3.0.26a and tdbsam based PDC with roaming profiles
for several years. Now the need came up to serve Windows Vista and up
with roaming profiles, too.

I patched all Vista, 7 and Server 2008 R2 nodes with the .reg provided
in $SOURCE/docs-xml/registry/Win7_Samba3DomainMember.reg .

On the PDC side, I copied all *.tdb Databases from the old node to the
new one and saved them in /etc/samba/private .
When I restarted the new samba, I could see all the "old" users,
successfully by issuing "pdbedit -L" .

I joined the new domain with all clients successfully, too.

Since the logon-errors seem to be identically in Windows Vista, 7 and
Server 2008 R2, I'll refer these machines as "new profile" in common
from now on.

Now I have the following issue:
We do have round about 50 users using this PDC for login to their
computers and roaming. When 10 of them try to login on a new profile
machine, they usually get one of two errors. Either, they do logoff
after Windows has tried to logon them after round about one minute
without even displaying the Desktop once or displaying an errormessage,
or they get the error displayed, that they do not have permission to
connect to the group policy service.

I have traced this for two weeks now, but cannot find any hint. Neither
in the logfiles, nor by using google, nor by trail & error. I have to
admit that I cannot really understand what is happening when I have a
look at the logfiles, since they seem to be very cryptic and do not
offer their meaning to not-developers; at least not to me.

What I have tried so far:

1)
It has to be some issue with the accounts, since the users, having this
problems do have them on any machine running a new profile OS, while
others can logon to these machines seamless.

2)
Those users, having these issues at new profile machines can logon in 2K
and XP machines without a problem.

3)
I had the suspicion that it has something to do with the profiles
already saved either in the client or the PDC. So I have done the following:
First, I logged into a new profile machine as local administrator and
deleted all the user's subfolders in "Documents and Settings" (for
example: when the user's login is "ab" I delete "ab", "ab.domain",
"ab.domain0", ...). After that, I removed all the directories in the
folder on the PDC, which contains the user's roaming profiles. Then I
set the user's (empty) roaming profile directory on the PDC to
permission 777 to be completely sure that every right exists which the
logon process might need.
Then I logged in with the user's account on a new profile machine and
got the same error behavior of the client.

4)
I deleted the user from the samba tdb database using "smbpasswd -x
username" and validated the success with "pdbedit -Lv username", which
displayed "not found" then.
After that, I recreated the user by issuing "smbpasswd -a username" and
giving his password. I validated the success by issuing "pdbedit -Lv
username" again and get:

Unix username:        Username
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-3657164528-3206697869-1154195925-1172
Primary Group SID:    S-1-5-21-3657164528-3206697869-1154195925-513
Full Name:            Name Surname
Home Directory:       \\thalos\%u
HomeDir Drive:        Z:
Logon Script:         netlogon.cmd
Profile Path:         \\thalos\profiles\username\UNKNOWN.msprofile
Domain:               MFC2
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 16:06:39 CET
Kickoff time:         Wed, 06 Feb 2036 16:06:39 CET
Password last set:    Thu, 26 May 2011 14:31:36 CEST
Password can change:  Thu, 26 May 2011 14:31:36 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Everything is right with this; this is truely my domain's name and SID.
What makes me wonder a little bit is, that strange time in 2036 for
"Kickoff time" and "Logoff time", but cannot tell if this is right or not.
The error when logging on to a new profile machine stays the same.

5)
Please find my PDC configuration here: http://pastebin.com/3KU5ruHt

For 6) I repeated the steps 2) and 3) for a better comparison:

6)
Since the generated output is way too big to have it copied to pastebin
or even into this mail, please find a log of a _failing_ logon (user:
mr) from a Windows 7 machine (named "MFCDOMTEST7") at
http://www.marc-richter.info/20110527_mr_fail.log
This ends up with an empty folder created in the nt profile dir of that
user on the PDC, named "Vista.msprofile.V2" and the message, that the
user has been loged on with a temporary profile only.

Since this mail is already long enough, I'd like to focus on this single
failing logon first, instead of describing all the failures.

Thank you for your help!

Best regards,
Marc Richter