[Samba] group policy client service failed the logon

Shawn Dakin dakinsh00 at staff.nctschools.org
Mon Jun 4 13:07:23 MDT 2012

I am in the process of implementing a new SAMBA install, version
3.6.3-34.12.1-2797-SUSE-SL12.1-x86_64, on OpenSuse 12.1.
I am using LDAP as my backend and LAM to manage my LDAP accounts. Things
were going well until recently. Suddenly any newly created user cannot
log on (win7). Any accounts that I created prior to last week can still
log on to the workstation.

The only changes I recall making involve the add machine script. I moved from
using useradd to using smbldap-useradd so machine accounts would only be
created in LDAP and not locally. Also, in yast, I changed the LDAP client
Naming Context from ou=users,dc=nctschools,dc=org to
dc=nctschools,dc=org to allow the local LDAP client to find machine
accounts, as they are not created in the user context.

However, I don't believe any of these changes could be causing the "group
policy client service failed the logon. Access denied" error I am
receiving. I could be wrong though. Any help would be GREAT.

Here is my smb.conf

[global]
        workgroup = NEVSD
        map to guest = Bad User
        passdb backend = ldapsam:ldap://SAMBA1.nctschools.org
        log level = 3
        log file = /var/log/samba/log.%m
        printcap name = cups
        add machine script = /usr/sbin/smbldap-useradd -t 1 -w -c Machine -d /var/lib/nobody -s /bin/false %m$
        logon path = \\%L\profiles\%U
        logon drive = P:
        logon home = \\%L\%U\.9xprofile
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=Administrator,dc=nctschools,dc=org
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Machines
        ldap passwd sync = yes
        ldap suffix = dc=nctschools,dc=org
        ldap user suffix = ou=Users
        idmap config * : backend = ldap:ldap://SAMBA1.nctschools.org
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        read only = No
        inherit acls = Yes
        browseable = No

[profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        create mask = 0600
        directory mask = 0700
        store dos attributes = Yes

Shawn Dakin (CNE)
Director of Technology
Newcomerstown Schools
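
Added example, not part of the original post: a Python check of which Samba LDAP containers from the smb.conf above fall inside a given LDAP client search base, using the two Naming Context values mentioned in the message. It assumes the client does a subtree search from a single base and that the DNs contain no escaped commas; the function names are hypothetical.

```python
# Added example: compare Samba's LDAP containers with an NSS/LDAP client base.
# Suffix values are copied from the [global] settings quoted in the post.
SMB_GLOBAL = {
    "ldap suffix": "dc=nctschools,dc=org",
    "ldap user suffix": "ou=Users",
    "ldap group suffix": "ou=Groups",
    "ldap machine suffix": "ou=Machines",
    "ldap idmap suffix": "ou=Idmap",
}

def parse_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs, leftmost RDN first.
    Assumption: no escaped commas or multi-valued RDNs."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def samba_containers(cfg):
    """Samba treats each 'ldap ... suffix' as relative to 'ldap suffix'."""
    base = cfg["ldap suffix"]
    result = {}
    for kind in ("user", "group", "machine", "idmap"):
        rel = cfg.get("ldap %s suffix" % kind)
        result[kind] = "%s,%s" % (rel, base) if rel else base
    return result

def is_under(dn, search_base):
    """True when dn equals search_base or sits below it in the tree."""
    d, b = parse_dn(dn), parse_dn(search_base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def visible_containers(cfg, client_base):
    """Map each container kind to whether a subtree search from client_base reaches it."""
    return {kind: is_under(dn, client_base)
            for kind, dn in samba_containers(cfg).items()}

if __name__ == "__main__":
    for base in ("ou=users,dc=nctschools,dc=org", "dc=nctschools,dc=org"):
        print(base, visible_containers(SMB_GLOBAL, base))
```

With the narrower base only the user container is reachable; with dc=nctschools,dc=org all four are.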
