[Samba] (Samba4) Normal users unable to login

Michael Trausch mbt at naunetcorp.com
Sat Nov 24 16:35:29 MST 2012

This is a freshly provisioned Samba 4.0.0-rc5 installation.

I provisioned the domain and created shares in the configuration file to 
match an existing Samba 3.5.x installation that we're moving away from 
(or at least, that's the plan...) for various reasons.

I then moved all the contents of the shares over from the old server to 
the new server via rsync, including home directories and user profiles.

I then changed the permissions on the profiles and home directories to 
match the POSIX IDs which were created by Samba 4 when I created the 
users using the Active Directory Users and Computers management tool 
from a workstation that I bound to the domain.

I then created a Group Policy, which applied itself successfully to the 

So far, so good.

However, I can only log in as DOMAIN\Administrator or DOMAIN\{$USER} 
where $USER is a user account that has membership in the Domain Admins 
group.  I am completely unable to log in as any user that is not in 
Domain Admins.  When I attempt to do so, the workstation returns the 
error message "The Group Policy Client service failed the logon.  Access 
is denied."

There is nothing in the Windows Event Log indicating an access denied 
message, and there is nothing in the Windows Event Log indicating any 
other problems at the time that the error message is displayed or within 
the time that the login process is pending.

There are no messages in the Samba 4 log, either, with the debug level 
set to 9.

The best that I can come up with is that this is a permissions problem 
of _some_ sort, but I cannot determine what it is.  The system running 
Samba has no MAC security systems in the way (e.g., no SELinux or 
anything like that, just simple UNIX DAC).  The permissions on SYSVOL 
and NETLOGON are completely unmodified by me.

Can someone give me an idea of where to start looking?  I tried to 
figure out perhaps what the ID numbers in the ACLs are for the SYSVOL 
share, but wbinfo doesn't seem to know anything about ID numbers 
3000000-3000003, which are the IDs on the share itself.  The lowest ID 
number that I have which appears in user or group lists as returned by 
wbinfo is 3000004.

Any help would be appreciated, as I have been banging my head against 
this brick wall for hours now, to no avail.
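
The check described in the message above (which IDs in the SYSVOL ACLs `wbinfo` cannot resolve), as an added example that is not part of the original post: it extracts every numeric owner from `getfacl -n` output and asks `wbinfo` about each one. The sample ACL, `fake_resolver` and the `RESOLVER` override are constructed for illustration; only the ID values 3000000-3000004 come from the post.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Reports numeric uid/gid values used in POSIX ACLs that cannot be mapped to a SID.

# acl_ids: read `getfacl -n` output on stdin; print "u ID" / "g ID" for the
# file owner, owning group and every named user/group entry, de-duplicated.
acl_ids() {
    awk '
        { sub(/^default:/, "") }               # default ACL entries count too
        /^# owner: [0-9]+$/ { print "u " $3; next }
        /^# group: [0-9]+$/ { print "g " $3; next }
        /^user:[0-9]+:/     { split($0, f, ":"); print "u " f[2]; next }
        /^group:[0-9]+:/    { split($0, f, ":"); print "g " f[2]; next }
    ' | LC_ALL=C sort -u
}

# resolve_id: succeed only if winbind can map the uid/gid to a SID.
resolve_id() {
    case "$1" in
        u) wbinfo --uid-to-sid="$2" ;;
        g) wbinfo --gid-to-sid="$2" ;;
    esac >/dev/null 2>&1
}

# unmapped_ids: read "u ID" / "g ID" lines, print those the resolver rejects.
# RESOLVER is a hypothetical hook so the logic can be exercised without winbind.
unmapped_ids() {
    while read -r kind id; do
        "${RESOLVER:-resolve_id}" "$kind" "$id" || echo "$kind $id"
    done
}

# Constructed sample of `getfacl -n` output (not taken from a real server).
sample_acl() {
    printf '%s\n' '# file: sysvol' '# owner: 0' '# group: 3000000' \
        'user::rwx' 'user:3000001:rwx' 'group::rwx' 'group:3000000:rwx' \
        'group:3000002:r-x' 'group:3000004:rwx' 'mask::rwx' 'other::---' \
        'default:user:3000001:rwx' 'default:group:3000003:r-x'
}

# Constructed stand-in for wbinfo: knows only ID 0 and IDs from 3000004 up.
fake_resolver() { [ "$2" -eq 0 ] || [ "$2" -ge 3000004 ]; }

# Real use: pass the directory to audit, e.g. the sysvol path, as $1.
if [ $# -gt 0 ]; then
    getfacl -R -n "$1" 2>/dev/null | acl_ids | unmapped_ids
fi
```
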


