[Samba] Samba/LDAP/Win7 Domain Admins could not log in

Denis Witt denis.witt at concepts-and-training.de
Thu Sep 15 11:46:56 MDT 2011


Hi,

I'm running Samba 3.5.6 with OpenLDAP 2.4.23 (from Debian Squeeze) as 
PDC. Everything is working fine (Joining Domains, Log on Users) but I'm 
not able to log in as Domain Admin. If I try to, the message "Unable to 
log on 'The User Profile Service service failed the logon. User profile 
cannot be loaded.'" (in German: "Fehler bei der Anmeldung mit dem 
Benutzerprofildienst. Das Benutzerprofil kann nicht geladen werden.") 
appears.

The Samba log looks fine. If I change the user to be a normal Domain 
User, he can log in without problems.

I've changed the following Registry-Settings in order to join the domain:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"NtlmMinServerSec"=dword:00000000
"NtlmMinClientSec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"LDAPServerIntegrity"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"RestrictNTLMInDomain"=dword:00000000
"RequireSignOrSeal"=dword:000000001
"RequireStrongKey"=dword:000000001
"DisablePasswordChange"=dword:00000001
"RefusePasswordChange"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAP\Parameters]
"LDAPClientIntegrity"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"LocalProfile"=dword:00000001

This is my smb.conf:

[global]
	workgroup = CATDOM
	server string = %h
	netbios name = PDC
	smb ports = 445 139
	passdb backend = ldapsam:ldap://localhost
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	passwd program = /usr/sbin/smbldap-passwd %u
	log level = 5
	log file = /var/log/samba/samba.log
	max log size = 1000
	time server = Yes
	add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
	logon script = scripts/logon.bat
	logon path =
	logon drive =
	domain logons = Yes
	domain master = Yes
	os level = 210
	preferred master = Yes
	ldap admin dn = cn=admin,dc=ldap,dc=local
	ldap group suffix = ou=Groups
	ldap machine suffix = ou=Machines
	ldap user suffix = ou=People
	ldap suffix = dc=ldap,dc=local
	ldap passwd sync = yes
	ldap ssl = no
	panic action = /usr/share/samba/panic-action %d
	create mask = 0775
	force create mode = 0775
	directory mask = 0775
	force directory mode = 0775
	veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/
	delete veto files = yes
	server signing = disabled
	encrypt passwords = true
	password server = *
	wins support = true
	local master = yes
	guest account = nobody
	map to guest = Bad User
	dns proxy = no
	panic action = /usr/share/samba/panic-action %d
	socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=65536 SO_RCVBUF=65536
	lanman auth = yes
	client ntlmv2 auth = yes

[netlogon]
	comment = Network Logon Service
	path = /home/samba/netlogon
	valid users = %U
	admin users = root
	browseable = No

Any ideas?

Regards,
Denis Witt

