[Samba] (Samba4) Normal users unable to login

Matthieu Patou mat at samba.org
Sat Nov 24 17:35:31 MST 2012

On 11/24/2012 03:35 PM, Michael Trausch wrote:
> This is a freshly provisioned Samba 4.0.0-rc5 installation.
> I provisioned the domain and created shares in the configuration file 
> to match an existing Samba 3.5.x installation that we're moving away 
> from (or at least, that's the plan...) for various reasons.
> I then moved all the contents of the shares over from the old server 
> to the new server via rsync, including home directories and user 
> profiles.
> I then changed the permissions on the profiles and home directories to 
> match the POSIX IDs which were created by Samba 4 when I created the 
> users using the Active Directory Users and Computers management tool 
> from a workstation that I bound to the domain.
> I then created a Group Policy, which applied itself successfully to 
> the workstation.
> So far, so good.
> However, I can only login as DOMAIN\Administrator or DOMAIN\{$USER} 
> where $USER is a user account that has membership in the Domain Admins 
> group.  I am completely unable to login as any user that is not in 
> Domain Admins.  When I attempt to do so, the workstation returns the 
> error message "The Group Policy Client service failed the logon.  
> Access is denied."
> There is nothing in the Windows Event Log indicating an access denied 
> message, and there is nothing in the Windows Event Log indicating any 
> other problems at the time that the error message is displayed or 
> within the time that the login process is pending.
> There are no messages in the Samba 4 log, either, with the debug level 
> set to 9.
> The best that I can come up with is that this is a permissions problem 
> of _some_ sort, but I cannot determine what it is.  The system running 
> Samba has no MAC security systems in the way (e.g., no SELinux or 
> anything like that, just simple UNIX DAC).  The permissions on SYSVOL 
> and NETLOGON are completely unmodified by me.
> Can someone give me an idea of where to start looking?  I tried to 
> figure out perhaps what the ID numbers in the ACLs are for the SYSVOL 
> share, but wbinfo doesn't seem to know anything about ID numbers 
> 3000000-3000003, which are the IDs on the share itself. The lowest ID 
> number that I have which appears in user or group lists as returned by 
> wbinfo is 3000004.
Try to do kinit simple_user at MYDOMAIN.TLD try also to disable the GPO.

Try to trace and see if there is any kind of denied message (in 
netlogon, smb, smb2 messages).

Matthieu Patou
Samba Team

More information about the samba mailing list