[Samba] Logon at domain after upgrade

Monika Strack monika.strack at fli.bund.de
Thu May 3 02:15:18 MDT 2012

Hello all,

last weekend we installed a new server with Debian squeeze and Samba
3.6.5. This server replaces the old Samba PDC and BDC (Samba 3.2.5). We also
installed a new server for LDAP and Kerberos with a new LDAP structure and
moved the config from slapd.conf to slapd.d/. The LDAP database was restored,
with the necessary changes, from a dump of the old database. Also the Kerberos
database. We only use Kerberos for user authentication.

Now I have a strange problem. Some users can log in to our Windows domain
without problems, some users can log in sometimes, and other users can log in
only in the morning or evening, when most users are at home. It soever the same user that
can login or not to the windows domain.

The error that the users see after authentication is access denied, can not
At the Windows server (Windows Server 2003), I found the following log entries:
Login rejected for DOMAIN\user Unable to obtain Terminal server User
Configuration. Access denied. In the Debug-Windows I can see the event ID 1219
and the program winlogon.exe.
The security event log shows that the user can log in.

I have set the logs for Samba to 10, but I can't see any error.

My smb.conf:
[global]
    workgroup = DOMAIN
    server string = samba
    netbios name = fileserver
    wins support = yes
    name resolve order = wins host lmhosts bcast
    dns proxy = no
    interfaces = eth0
    bind interfaces only = yes
    security = user
    encrypt passwords = true
    lanman auth = yes
    passdb backend = ldapsam:"ldap://ldap.mynet.local"
    obey pam restrictions = no
    guest account = nobody
    invalid users = root
    unix password sync = no
    ldap passwd sync = yes
    ldap admin dn = cn=admin,dc=mynet

    ldap ssl = off
    ldap delete dn = no
    ldap suffix = dc=fli
    ldapsam:trusted = no
    ldap timeout = 30
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g" 
    delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

    domain logons = yes
    domain master = yes
    os level = 200
    preferred master = yes
    local master = yes
    logon path = \\fs1\profiles\%U
    logon drive = H:

    # The script must be stored in the [netlogon] share
    # NOTE: Must be stored in 'DOS' file format convention
    logon script = logon.bat

    load printers = yes
    printing = cups
    printcap name = cups
    socket options = TCP_NODELAY

    log file = /var/log/samba/log.%m
    log level = 10
    max log size = 500
    syslog = 0

[netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    guest ok = yes
    writable = no
    share modes = no

[profiles]
    comment = Users profiles
    path = /home/samba/profiles
    guest ok = no
    browseable = no
    writable = yes
    share modes = no
    ; Hide system files (16.11.07 - most)
    hide files = /?esktop.ini/ntuser.ini/NTUSER.*/?humbs.db/

I hope someone can help me. It is necessary for our work here.

Thanks in advance.

Monika Strack
Institut fuer Nutztiergenetik 

31535 Neustadt               e-mail: monika.strack at fli.bund.de
Germany                      Tel: +49 5034 /871 154
                             Fax: +49 5034 /871 239
