[Samba] Re: Logon privilege denied using Samba PDC with terminalservices

Patrick Camilleri patrick_camilleri at yahoo.co.uk
Wed Nov 26 23:50:53 GMT 2008

Finally managed to figure out what the problem was! Somehow in my LDAP 
database I had a corrupted SambaMungedDial entry which the cause of all my 
troubles. I remember vaguely that it was generated by same ldap tool and I 
(foolishly) not knowing what it was just copied (in a wrong format) to all 
the other users.

Actually could anybody point me to some documentation about the purpose of 
the SambaMungedDial entry in the LDAP database? I wasn't able to find any 
useful information in the Samba documentation other than that it's an 
attribute in the samba schema. Is it necessary for joining Windows machines 
to a Samba PDC?


"Patrick Camilleri" <patrick_camilleri at yahoo.co.uk> wrote in message 
> Hello everybody,
> I have a Windows Server 2008 with terminal services enabled joined to a
> Samba domain (SuSe server) and I'm able to login as 'domain\user' when I'm
> physically sitting at the Windows Server 2008 box. The problem arises when 
> I
> try to logon via RDP using 'domain\user' onto the Windows Server machine. 
> I
> get an error message telling me that 'Your interactive logon privilege has
> been disabled. Please contact your administrator.'
> I also tried this with a Windows Server 2003 machine with a similar 
> outcome.
> The error message this time was 'You have been denied permissions to log 
> on
> to terminal servers. To resolve this problem, your administrator must 
> clear
> the Deny this user permissions to log on to any terminal server check box 
> in
> the Terminal Server Profile settings tab.' Of course when checking in the
> 'Group Policy Object Editor' I don't find any restrictions. I'm checking 
> at
> this particular location: Local Computer Policy->Computer
> Configuration->Windows Settings->Security Settings->Local Policies->User
> Rights Assignment->Deny log on through Terminal Services.
> I did add the Samba LDAP group (of the users that I want to give RDP 
> access)
> to the 'Remote Desktop Users' group on the Windows Server (2008 as well as
> 2003) machine, i.e. the domain users DO have permission to access the
> Windows
> Server over RDP but to no avail. The only user I was able to get to logon
> via
> RDP was the user 'domain\root'.
> Could this problem be related to the default groups that need to be 
> defined
> in the Samba PDC, mainly Domain Admins, Domain Users and Domain Guests? Or
> maybe because I'm not setting up any policies in the netlogon Samba 
> folder?
> Any help greatly appreciated!
> Thanks,
> Patrick
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list