[Samba] Logon privilege denied using Samba PDC with terminal services

[Patrick Camilleri]

Hello everybody, 



I have a Windows Server 2008 with terminal services enabled joined to a 
Samba domain (SuSe server) and I'm able to login as 'domain\user' when I'm 
physically sitting at the Windows Server 2008 box. The problem arises when I

try to logon via RDP using 'domain\user' onto the Windows Server machine. I 
get an error message telling me that 'Your interactive logon privilege has 
been disabled. Please contact your administrator.' 

I also tried this with a Windows Server 2003 machine with a similar outcome.

The error message this time was 'You have been denied permissions to log on 
to terminal servers. To resolve this problem, your administrator must clear 
the Deny this user permissions to log on to any terminal server check box in

the Terminal Server Profile settings tab.' Of course when checking in the 
'Group Policy Object Editor' I don't find any restrictions. I'm checking at 
this particular location: Local Computer Policy->Computer 
Configuration->Windows Settings->Security Settings->Local Policies->User 
Rights Assignment->Deny log on through Terminal Services. 

I did add the Samba LDAP group (of the users that I want to give RDP access)

to the 'Remote Desktop Users' group on the Windows Server (2008 as well as 
2003) machine, i.e. the domain users DO have permission to access the
Windows 
Server over RDP but to no avail. The only user I was able to get to logon
via 
RDP was the user 'domain\root'. 

Could this problem be related to the default groups that need to be defined 
in the Samba PDC, mainly Domain Admins, Domain Users and Domain Guests? Or 
maybe because I'm not setting up any policies in the netlogon Samba folder? 

Any help greatly appreciated! 

Thanks, 
Patrick