[Samba] NT4-Style Auth & Roaming Profiles Only?

Dale Schroeder dale at BriannasSaladDressing.com
Wed Jul 27 18:30:46 UTC 2016 

On 07/27/2016 11:18 AM, Jim Seymour wrote:
> On Tue, 26 Jul 2016 13:40:59 -0500
> Dale Schroeder <dale at BriannasSaladDressing.com> wrote:
>
> [snip]
>> Sorry Rowland, but the break happened before the badlock patches when
>> Debian jumped from 4.1.x to 4.3.x, skipping 4.2.x altogether.
> [snip]
>> Jim, currently at Debian 4.4.5.  If you search this list, you will
>> find others who have had the same thing happen.  To my knowledge,
>> none have come back to say that their NT4 domain is working again
>> post-4.2.x.
> [snip]
>
> What was the nature/symtoms of the failure(s), Dale?
Jim,

My domain errors were different than yours.  That's why I used the 
phrase "may be your problem" in my initial response.  I was not dealing 
with profiles, just ordinary share access attempts returning 
"NT_STATUS_NO_LOGON_SERVERS.  Win7 users can access shares on a Mint 
member system with 4.2.x post-badlock.  Systems with any version above 
4.2 failed, pre- and post-.  So, it seemed to me that if basic domain 
shares in an NT4 domain >= 4.3.0 failed, then other domain features 
(e.g. roaming profiles) could be broken, too.  I think you get my reasoning.

To avoid hijacking your thread, if you wish, you can view the details of 
my very short thread at: 
https://lists.samba.org/archive/samba/2016-March/198582.html    It has 
the relevant log snippets, etc.  (Note that this time period is before 
the badlock patches were issued.)

I did read the Release Notes and applied the parameter changes for NT4 
members and controllers listed in the 4.2.0 notes 
(https://www.samba.org/samba/history/samba-4.2.0.html).

Like I mentioned previously, no one has yet supplied a working smb.conf 
for a Samba >= 4.3.0 NT4 + LDAP domain.  I'm not currently aware that 
it's possible.

As before, I wish you better luck than I've had.

Dale

>
> What I'm seeing is that network authentication works, but login takes
> an inordinate amount of time: About 40 seconds until I see "Preparing
> your desktop" and another 20 seconds until "You have been logged on
> with a temporary profile."
>
> It doesn't appear to be a network auth problem.  If I put in an invalid
> username or password, I get "The user name or password is incorrect"
> *instantly*.
>
> It's not permissions. Once logged-in, I can access the Profiles share,
> the user's network home directory, and anything else to which the user
> should have access.  And I can write to those places to which I should
> be able.
>
> At least I don't *think* it's permissions.  In perusing the logs, with
> debug turned up, I see things like
>
>      smbd_check_access_rights: file username.V2 requesting 0x20080
>        returning 0x20000 (NT_STATUS_OK)
>      smbd_check_access_rights: file username3.V2 requesting 0x80
>        returning 0x0 (NT_STATUS_OK)
>
> which makes me wonder if the code's not broken.  (The thing's lying.
> The user's id is "Domain User", the directory is group "Domain User"
> and the permissions were "rwxrwxrwt".)
>
> I find more than a little disquieting is that nobody seems able to
> actually *troubleshoot* issues like this. Somebody ought to be able to
> look at logfiles and say "Oh, well, *this* is what's you're doing
> wrong" or "Ah! The code's broken because of <this>", or whatever.
>
> Regards,
> Jim

More information about the samba mailing list