[Samba] group policy client service failed the logon
Shawn Dakin
dakinsh00 at staff.nctschools.org
Tue Jun 5 06:42:52 MDT 2012
Here we go, tstudent is a working user - yo.dog is a non-working user.
I am not seeing any difference between the two.
SAMBA1:/etc/samba # net rpc user info tstudent -U administrator
Enter administrator's password:
None
Default Staff User Group
SAMBA1:/etc/samba # net rpc user info yo.dog -U administrator
Enter administrator's password:
None
Default Staff User Group
SAMBA1:/etc/samba # groups tstudent
tstudent : All_Staff
SAMBA1:/etc/samba # groups yo.dog
yo.dog : All_Staff
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: tstudent
init_group_from_ldap: Entry found for group: 10000
init_group_from_ldap: Entry found for group: 10000
Primary group S-1-5-21-1545272169-3882205488-3325164475-21001 for user
tstudent is a User and not a domain group
Forcing Primary Group to 'Domain Users' for tstudent
Unix username: tstudent
NT username: tstudent
Account Flags: [UX ]
User SID: S-1-5-21-1545272169-3882205488-3325164475-21002
Primary Group SID: S-1-5-21-1545272169-3882205488-3325164475-513
Full Name: test Student
Home Directory: \\SAMBA1\tstudent
HomeDir Drive: H:
Logon Script:
Profile Path: \\samba1\profiles\tstudent
Domain: NEVSD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Wed, 09 May 2012 14:32:12 EDT
Password can change: Wed, 09 May 2012 14:32:12 EDT
Password must change: Mon, 18 Jan 2038 22:14:07 EST
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: yo.dog
init_group_from_ldap: Entry found for group: 10000
init_group_from_ldap: Entry found for group: 10000
Primary group S-1-5-21-1545272169-3882205488-3325164475-21001 for user
yo.dog is a User and not a domain group
Forcing Primary Group to 'Domain Users' for yo.dog
Unix username: yo.dog
NT username: yo.dog
Account Flags: [UX ]
User SID: S-1-5-21-1545272169-3882205488-3325164475-21006
Primary Group SID: S-1-5-21-1545272169-3882205488-3325164475-513
Full Name: Yo Dog
Home Directory: \\SAMBA1\yo.dog
HomeDir Drive: H:
Logon Script:
Profile Path: \\samba1\profiles\yo.dog
Domain: NEVSD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: Mon, 31 Dec 2029 19:00:00 EST
Password last set: Mon, 04 Jun 2012 14:34:26 EDT
Password can change: Mon, 04 Jun 2012 14:34:26 EDT
Password must change: Mon, 18 Jan 2038 22:14:07 EST
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
On Mon, Jun 4, 2012 at 8:47 PM, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:
> Maybe the group membership or primary group is getting messed up for the new
> users?
>
> Can you compare the unix, ldap and windows group properties for a new and an
> older user?
>
> # pdbedit -Lv username
>
> # net rpc user info username -U administrator
>
> # groups username
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Shawn Dakin
> Sent: Monday, June 04, 2012 3:07 PM
> To: samba at lists.samba.org
> Subject: [Samba] group policy client service failed the logon
>
> I am in the process of implementing a new SAMBA install, Version
> 3.6.3-34.12.1-2797-SUSE-SL12.1-x86_64, on OpenSuse 12.1. I am using LDAP as my
> backend and LAM to manage my LDAP accounts. Things were going well until
> recently. Suddenly any newly created user cannot log on (win7). Any accounts
> that I created prior to last week can still log on to the workstation.
>
> The only changes I recall making involve add machine script. I moved from
> using useradd to using smbldap-useradd so machine accounts would only be
> created in LDAP and not locally. Also, in yast, I changed the LDAP client
> Naming Context from ou=users,dc=nctschools,dc=org to
> dc=nctschools,dc=org to allow the local LDAP client to find machine
> accounts, as they are not created in the user context.
>
> However, I don't believe any of these changes could be causing the "group
> policy client service failed the logon. Access denied" error I am receiving.
> I could be wrong though. Any help would be GREAT.
> Thanks
>
> Here is my smb.conf
>
> [global]
> workgroup = NEVSD
> map to guest = Bad User
> passdb backend = ldapsam:ldap://SAMBA1.nctschools.org
> log level = 3
> log file = /var/log/samba/log.%m
> printcap name = cups
> add machine script = /usr/sbin/smbldap-useradd -t 1 -w -c Machine -d /var/lib/nobody -s /bin/false %m$
> logon path = \\%L\profiles\%U
> logon drive = P:
> logon home = \\%L\%U\.9xprofile
> domain logons = Yes
> os level = 65
> preferred master = Yes
> domain master = Yes
> wins support = Yes
> ldap admin dn = cn=Administrator,dc=nctschools,dc=org
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap machine suffix = ou=Machines
> ldap passwd sync = yes
> ldap suffix = dc=nctschools,dc=org
> ldap user suffix = ou=Users
> idmap config * : backend = ldap:ldap://SAMBA1.nctschools.org
> cups options = raw
>
> [homes]
> comment = Home Directories
> valid users = %S, %D%w%S
> read only = No
> inherit acls = Yes
> browseable = No
>
>
> [profiles]
> comment = Network Profiles Service
> path = %H
> read only = No
> create mask = 0600
> directory mask = 0700
> store dos attributes = Yes
>
>
> --
> Shawn Dakin (CNE)
> Director of Technology
> Newcomerstown Schools
--
Shawn Dakin (CNE)
Director of Technology
Newcomerstown Schools
659 S. Beaver St.
Newcomerstown Oh, 43832
Office 740-498-4999
Cell 740-227-0339
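
Added example, not part of the original post: a field-by-field comparison of the two `pdbedit -Lv` dumps above, with the account name normalised so that only unexpected differences are reported. The excerpts are copied from the post; the function names and the `PER_USER` ignore list are assumptions of this example.

```python
import re

# Excerpts of the two `pdbedit -Lv` dumps posted above (fields trimmed for space).
WORKING = r"""Unix username: tstudent
Account Flags: [UX ]
User SID: S-1-5-21-1545272169-3882205488-3325164475-21002
Primary Group SID: S-1-5-21-1545272169-3882205488-3325164475-513
Home Directory: \\SAMBA1\tstudent
Profile Path: \\samba1\profiles\tstudent
Kickoff time: never
Password last set: Wed, 09 May 2012 14:32:12 EDT
Bad password count : 0"""

FAILING = r"""Unix username: yo.dog
Account Flags: [UX ]
User SID: S-1-5-21-1545272169-3882205488-3325164475-21006
Primary Group SID: S-1-5-21-1545272169-3882205488-3325164475-513
Home Directory: \\SAMBA1\yo.dog
Profile Path: \\samba1\profiles\yo.dog
Kickoff time: Mon, 31 Dec 2029 19:00:00 EST
Password last set: Mon, 04 Jun 2012 14:34:26 EDT
Bad password count : 0"""

# Assumption: these fields legitimately differ between any two accounts.
PER_USER = {"User SID", "Password last set", "Password can change", "Full Name"}

def parse(dump):
    """Return {field: value} with the account name replaced by %U."""
    fields = {}
    for line in dump.splitlines():
        # Only "Field name: value" lines; debug lines with '_' in the key are skipped.
        m = re.match(r"([A-Za-z ]+?)\s*:\s?(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    user = fields.get("Unix username", "")
    return {k: v.replace(user, "%U") if user else v for k, v in fields.items()}

def diff_accounts(a, b):
    """List (field, value_a, value_b) for fields that differ unexpectedly."""
    fa, fb = parse(a), parse(b)
    return [(k, fa.get(k), fb.get(k))
            for k in sorted(set(fa) | set(fb))
            if k not in PER_USER and fa.get(k) != fb.get(k)]

if __name__ == "__main__":
    for field, old, new in diff_accounts(WORKING, FAILING):
        print(f"{field}: {old!r} != {new!r}")
```

On these excerpts the only field reported is `Kickoff time`.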