[Samba] (Samba4) Normal users unable to login

Matthieu Patou mat at samba.org
Sat Nov 24 17:35:31 MST 2012


On 11/24/2012 03:35 PM, Michael Trausch wrote:
> This is a freshly provisioned Samba 4.0.0-rc5 installation.
>
> I provisioned the domain and created shares in the configuration file 
> to match an existing Samba 3.5.x installation that we're moving away 
> from (or at least, that's the plan...) for various reasons.
>
> I then moved all the contents of the shares over from the old server 
> to the new server via rsync, including home directories and user 
> profiles.
>
> I then changed the permissions on the profiles and home directories to 
> match the POSIX IDs which were created by Samba 4 when I created the 
> users using the Active Directory Users and Computers management tool 
> from a workstation that I bound to the domain.
>
> I then created a Group Policy, which applied itself successfully to 
> the workstation.
>
> So far, so good.
>
> However, I can only log in as DOMAIN\Administrator or DOMAIN\{$USER} 
> where $USER is a user account that has membership in the Domain Admins 
> group.  I am completely unable to log in as any user that is not in 
> Domain Admins.  When I attempt to do so, the workstation returns the 
> error message "The Group Policy Client service failed the logon.  
> Access is denied."
>
> There is nothing in the Windows Event Log indicating an access denied 
> message, and there is nothing in the Windows Event Log indicating any 
> other problems at the time that the error message is displayed or 
> within the time that the login process is pending.
>
> There are no messages in the Samba 4 log, either, with the debug level 
> set to 9.
>
> The best that I can come up with is that this is a permissions problem 
> of _some_ sort, but I cannot determine what it is.  The system running 
> Samba has no MAC security systems in the way (e.g., no SELinux or 
> anything like that, just simple UNIX DAC).  The permissions on SYSVOL 
> and NETLOGON are completely unmodified by me.
>
> Can someone give me an idea of where to start looking?  I tried to 
> figure out perhaps what the ID numbers in the ACLs are for the SYSVOL 
> share, but wbinfo doesn't seem to know anything about ID numbers 
> 3000000-3000003, which are the IDs on the share itself. The lowest ID 
> number that I have which appears in user or group lists as returned by 
> wbinfo is 3000004.
>
Try to do kinit simple_user@MYDOMAIN.TLD; also try to disable the GPO.

Try to trace and see if there is any kind of denied message (in 
netlogon, smb, smb2 messages).


-- 
Matthieu Patou
Samba Team
http://samba.org


