[Samba] group policy client service failed the logon

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Jun 4 18:47:24 MDT 2012


Maybe the group membership or primary group is getting messed up for the new
users?

Can you compare the unix, ldap and windows group properties for a new and an
older user?

# pdbedit -Lv username

# net rpc user info username -U administrator

# groups username


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Shawn Dakin
Sent: Monday, June 04, 2012 3:07 PM
To: samba at lists.samba.org
Subject: [Samba] group policy client service failed the logon

I am in the process of implementing a new SAMBA install Version
3.6.3-34.12.1-2797-SUSE-SL12.1-x86_64 on OpenSuse 12.1. I am using LDAP as my
backend and LAM to manage my LDAP accounts. Things were going well until
recently. Suddenly any newly created user cannot log on (win7). Any accounts
that I created prior to last week can still log on to the workstation.

The only changes I recall making involve add machine script. I moved from
using useradd to using smbldap-useradd so machine accounts would only be
created in LDAP and not locally. Also, in yast, I changed the LDAP client
Naming Context from ou=users,dc=nctschools,dc=org to
dc=nctschools,dc=org to allow the local LDAP client to find machine
accounts, as they are not created in the user context.

However, I don't believe any of these changes could be causing the "group
policy client service failed the logon. Access denied" error I am receiving.
I could be wrong though. Any help would be GREAT.
Thanks

Here is my smb.conf

[global]
        workgroup = NEVSD
        map to guest = Bad User
        passdb backend = ldapsam:ldap://SAMBA1.nctschools.org
        log level = 3
        log file = /var/log/samba/log.%m
        printcap name = cups
        add machine script = /usr/sbin/smbldap-useradd -t 1 -w -c Machine -d /var/lib/nobody -s /bin/false %m$
        logon path = \\%L\profiles\%U
        logon drive = P:
        logon home = \\%L\%U\.9xprofile
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=Administrator,dc=nctschools,dc=org
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Machines
        ldap passwd sync = yes
        ldap suffix = dc=nctschools,dc=org
        ldap user suffix = ou=Users
        idmap config * : backend = ldap:ldap://SAMBA1.nctschools.org
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        read only = No
        inherit acls = Yes
        browseable = No


[profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        create mask = 0600
        directory mask = 0700
        store dos attributes = Yes


--
Shawn Dakin (CNE)
Director of Technology
Newcomerstown Schools
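
One way to carry out the comparison suggested in the reply, as an added example that is not part of either message: save the `pdbedit -Lv` output for an older and a newer account and print only the fields that differ. The two records are constructed samples (account names, SIDs and server name are assumptions, and the difference shown is not a diagnosis of this thread), and the function names are hypothetical.

```shell
#!/bin/sh
# Fields that legitimately differ between any two accounts are skipped.
SKIP='Unix username|NT username|User SID|Full Name|Password .*|Last bad password|.* time'

# compare_pdb OLD NEW: prints "field | old value | new value" per difference
compare_pdb() {
    awk -v skip="^($SKIP)\$" '
        # Replace the account name in a value with %U so per-user paths compare equal.
        function mask(s, u,    out, p) {
            out = ""
            while (u != "" && (p = index(s, u)) > 0) {
                out = out substr(s, 1, p - 1) "%U"
                s = substr(s, p + length(u))
            }
            return out s
        }
        FNR == 1 { user = "" }
        {
            i = index($0, ":"); if (i == 0) next   # split on the first colon only
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "Unix username") user = val
            if (key ~ skip) next
            val = mask(val, user)
            if (FNR == NR) { old[key] = val; next }   # first file: remember values
            seen[key] = 1
            if (!(key in old)) printf "%s | <missing> | %s\n", key, val
            else if (old[key] != val) printf "%s | %s | %s\n", key, old[key], val
        }
        END { for (k in old) if (!(k in seen)) printf "%s | %s | <missing>\n", k, old[k] }
    ' "$1" "$2"
}

# write_samples DIR: constructed records, not output from the poster's server
write_samples() {
    cat > "$1/old.txt" <<'EOF'
Unix username:        alice
User SID:             S-1-5-21-1111111111-2222222222-3333333333-3001
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-513
Profile Path:         \\samba1\profiles\alice
Domain:               NEVSD
EOF
    cat > "$1/new.txt" <<'EOF'
Unix username:        bob
User SID:             S-1-5-21-1111111111-2222222222-3333333333-3002
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-1201
Profile Path:         \\samba1\profiles\bob
Domain:               NEVSD
EOF
}
tmp=$(mktemp -d) && write_samples "$tmp" && compare_pdb "$tmp/old.txt" "$tmp/new.txt"; rm -rf "$tmp"
```

On a live server the two input files would be the saved output of `pdbedit -Lv` for the older and the newer account.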