[Samba] (Samba4) Normal users unable to login
Matthieu Patou
mat at samba.org
Sat Nov 24 17:35:31 MST 2012
On 11/24/2012 03:35 PM, Michael Trausch wrote:
> This is a freshly provisioned Samba 4.0.0-rc5 installation.
>
> I provisioned the domain and created shares in the configuration file
> to match an existing Samba 3.5.x installation that we're moving away
> from (or at least, that's the plan...) for various reasons.
>
> I then moved all the contents of the shares over from the old server
> to the new server via rsync, including home directories and user
> profiles.
>
> I then changed the permissions on the profiles and home directories to
> match the POSIX IDs which were created by Samba 4 when I created the
> users using the Active Directory Users and Computers management tool
> from a workstation that I bound to the domain.
>
> I then created a Group Policy, which applied itself successfully to
> the workstation.
>
> So far, so good.
>
> However, I can only login as DOMAIN\Administrator or DOMAIN\{$USER}
> where $USER is a user account that has membership in the Domain Admins
> group. I am completely unable to login as any user that is not in
> Domain Admins. When I attempt to do so, the workstation returns the
> error message "The Group Policy Client service failed the logon.
> Access is denied."
>
> There is nothing in the Windows Event Log indicating an access denied
> message, and there is nothing in the Windows Event Log indicating any
> other problems at the time that the error message is displayed or
> within the time that the login process is pending.
>
> There are no messages in the Samba 4 log, either, with the debug level
> set to 9.
>
> The best that I can come up with is that this is a permissions problem
> of _some_ sort, but I cannot determine what it is. The system running
> Samba has no MAC security systems in the way (e.g., no SELinux or
> anything like that, just simple UNIX DAC). The permissions on SYSVOL
> and NETLOGON are completely unmodified by me.
>
> Can someone give me an idea of where to start looking? I tried to
> figure out perhaps what the ID numbers in the ACLs are for the SYSVOL
> share, but wbinfo doesn't seem to know anything about ID numbers
> 3000000-3000003, which are the IDs on the share itself. The lowest ID
> number that I have which appears in user or group lists as returned by
> wbinfo is 3000004.
>
Try to do kinit simple_user@MYDOMAIN.TLD; try also to disable the GPO.
Try to trace and see if there is any kind of denied message (in
netlogon, smb, smb2 messages).
--
Matthieu Patou
Samba Team
http://samba.org