[Samba] group policy client service failed the logon
Gaiseric Vandal
gaiseric.vandal at gmail.com
Wed Jun 6 15:54:59 MDT 2012
Can you look at the LDAP entries for each user?
Can you disable the "password must change" date entry? I don't know if
you can do that via pdbedit. You may be able to clear it out in LDAP.
I think Samba calculates that field based on the password policy and
when the user last changed his or her password. I found password
expiration in LDAP tripped me up once because pdbedit did not reset
stuff the way I thought it should.
On 06/06/12 15:31, Shawn Dakin wrote:
> So after another day of investigation I have discovered it may be a LAM issue.
> If I create a new user using smbldap-useradd the new user can login to
> my win7 workstations. However, if I create the new user in LAM the new
> user receives the error "group policy client service failed the logon.
> Access denied"
>
> Anyone have an idea what LAM is doing to the user accounts?
>
> Here is a quick comparison.
>
> yo.littledog (GOOD ACCOUNT)
> I know the home dir and profile path are wrong.
> SAMBA1:/var/log/samba # pdbedit -Lv yo.littledog
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=NEVSD))]
> StartTLS issued: using a TLS connection
> smbldap_open_connection: connection opened
> ldap_connect_system: successful connection to the LDAP server
> init_sam_from_ldap: Entry found for user: yo.littledog
> init_group_from_ldap: Entry found for group: 513
> Unix username: yo.littledog
> NT username: yo.littledog
> Account Flags: [U ]
> User SID: S-1-5-21-1545272169-3882205488-3325164475-1328
> Primary Group SID: S-1-5-21-1545272169-3882205488-3325164475-513
> Full Name: yo.littledog
> Home Directory: \\PDC-SRV\yo.littledog
> HomeDir Drive: H:
> Logon Script: logon.bat
> Profile Path: \\PDC-SRV\profiles\yo.littledog
> Domain: NEVSD
> Account desc:
> Workstations:
> Munged dial:
> Logon time: 0
> Logoff time: Mon, 18 Jan 2038 22:14:07 EST
> Kickoff time: Mon, 18 Jan 2038 22:14:07 EST
> Password last set: Wed, 06 Jun 2012 14:52:39 EDT
> Password can change: Wed, 06 Jun 2012 14:52:39 EDT
> Password must change: never
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
>
>
> yo.dog (BAD ACCOUNT)
> SAMBA1:/var/log/samba # pdbedit -Lv yo.dog
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=NEVSD))]
> StartTLS issued: using a TLS connection
> smbldap_open_connection: connection opened
> ldap_connect_system: successful connection to the LDAP server
> init_sam_from_ldap: Entry found for user: yo.dog
> init_group_from_ldap: Entry found for group: 513
> Unix username: yo.dog
> NT username: yo.dog
> Account Flags: [UX ]
> User SID: S-1-5-21-1545272169-3882205488-3325164475-21006
> Primary Group SID: S-1-5-21-1545272169-3882205488-3325164475-513
> Full Name: Yo Dog
> Home Directory: \\SAMBA1\yo.dog
> HomeDir Drive: H:
> Logon Script:
> Profile Path: \\samba1\profiles\yo.dog
> Domain: NEVSD
> Account desc:
> Workstations:
> Munged dial:
> Logon time: 0
> Logoff time: never
> Kickoff time: Mon, 31 Dec 2029 19:00:00 EST
> Password last set: Wed, 06 Jun 2012 15:19:40 EDT
> Password can change: Wed, 06 Jun 2012 15:19:40 EDT
> Password must change: Mon, 18 Jan 2038 22:14:07 EST
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
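
Added example, not part of the original thread: a small Python helper that diffs the policy-related fields of two `pdbedit -Lv` listings, so the differences between an account created with smbldap-useradd and one created in LAM stand out. The function names and the choice of which fields count as "policy" are assumptions of this example; the sample input is trimmed from the two listings quoted above.

```python
import re

# Fields that describe account policy rather than identity (assumption of this
# example); two accounts in the same domain would normally agree on these.
POLICY_FIELDS = ("Account Flags", "Primary Group SID", "Logon Script",
                 "Workstations", "Logoff time", "Kickoff time",
                 "Password must change", "Logon hours")

def parse_pdbedit(text):
    """Return {field: value} from `pdbedit -Lv` output; debug lines are ignored."""
    fields = {}
    for line in text.splitlines():
        line = re.sub(r"^\s*(>\s?)*", "", line)   # drop mail quote markers
        key, sep, value = line.partition(":")     # values may contain ':' (times)
        key = key.strip()
        if sep and key in POLICY_FIELDS:
            # Collapse padding so "[U      ]" and "[U ]" compare equal.
            fields[key] = re.sub(r"\s+", " ", value).strip()
    return fields

def policy_diff(good, bad):
    """List (field, good_value, bad_value) for policy fields that differ."""
    g, b = parse_pdbedit(good), parse_pdbedit(bad)
    return [(f, g.get(f, ""), b.get(f, "")) for f in POLICY_FIELDS
            if g.get(f, "") != b.get(f, "")]

# Trimmed copies of the two listings quoted in the thread.
GOOD = """\
> smbldap_open_connection: connection opened
> Account Flags: [U ]
> Primary Group SID: S-1-5-21-1545272169-3882205488-3325164475-513
> Logon Script: logon.bat
> Logoff time: Mon, 18 Jan 2038 22:14:07 EST
> Kickoff time: Mon, 18 Jan 2038 22:14:07 EST
> Password must change: never
"""
BAD = """\
> Account Flags: [UX ]
> Primary Group SID: S-1-5-21-1545272169-3882205488-3325164475-513
> Logon Script:
> Logoff time: never
> Kickoff time: Mon, 31 Dec 2029 19:00:00 EST
> Password must change: Mon, 18 Jan 2038 22:14:07 EST
"""

if __name__ == "__main__":
    for field, good, bad in policy_diff(GOOD, BAD):
        print(f"{field:22} good={good!r:34} bad={bad!r}")
```

The same functions accept unquoted output captured directly from `pdbedit -Lv <user>`.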