[Samba] (Samba4) Normal users unable to login
Michael Trausch
mbt at naunetcorp.com
Sat Nov 24 16:35:29 MST 2012
This is a freshly provisioned Samba 4.0.0-rc5 installation.
I provisioned the domain and created shares in the configuration file to
match an existing Samba 3.5.x installation that we're moving away from
(or at least, that's the plan...) for various reasons.
I then moved all the contents of the shares over from the old server to
the new server via rsync, including home directories and user profiles.
I then changed the permissions on the profiles and home directories to
match the POSIX IDs which were created by Samba 4 when I created the
users using the Active Directory Users and Computers management tool
from a workstation that I bound to the domain.
I then created a Group Policy, which applied itself successfully to the
workstation.
So far, so good.
However, I can only login as DOMAIN\Administrator or DOMAIN\{$USER}
where $USER is a user account that has membership in the Domain Admins
group. I am completely unable to login as any user that is not in
Domain Admins. When I attempt to do so, the workstation returns the
error message "The Group Policy Client service failed the logon. Access
is denied."
There is nothing in the Windows Event Log indicating an access denied
message, and there is nothing in the Windows Event Log indicating any
other problems at the time that the error message is displayed or within
the time that the login process is pending.
There are no messages in the Samba 4 log, either, with the debug level
set to 9.
The best that I can come up with is that this is a permissions problem
of _some_ sort, but I cannot determine what it is. The system running
Samba has no MAC security systems in the way (e.g., no SELinux or
anything like that, just simple UNIX DAC). The permissions on SYSVOL
and NETLOGON are completely unmodified by me.
Can someone give me an idea of where to start looking? I tried to
figure out perhaps what the ID numbers in the ACLs are for the SYSVOL
share, but wbinfo doesn't seem to know anything about ID numbers
3000000-3000003, which are the IDs on the share itself. The lowest ID
number that I have which appears in user or group lists as returned by
wbinfo is 3000004.
Any help would be appreciated, as I have been banging my head against
this brick wall for hours now, to no avail.
Thanks,
Mike
More information about the samba
mailing list