[Samba] Samba 3.6 to 4.x: User Profile Service Failed the Login

Ian T yoitsmeremember at gmail.com
Sun Aug 13 00:48:16 UTC 2017

I posted this a while ago on the FreeBSD forums but received no response so
I thought I'd ask here.  If things are out of date, it's simply due to the
length of time between my original post and now.  A few updates I've noted
since the saga began.

I'm trying to do a long overdue upgrade from samba 3.6 to 4.x (I've tried
all available 4.x releases from ports, 4.2, 4.3, and 4.4 [edit: the issue
still appears when testing with 4.6]), and I've run into the very strange
error message in the title of this post.

I'm still trying to, for the time being, keep the NT4 style domain, and make
as few changes as necessary to perform the upgrade. Everything is
working swimmingly with 3.6 (aside from its age and lack of support), and
I'm hoping for the same with samba 4. To upgrade, I took the following
steps, more or less in order:

1. Stop and remove samba36 from ports
2. Install samba4x (I've tried all the current samba 4.x releases in ports)
3. Copy /usr/local/etc/smb.conf to /usr/local/etc/smb4.conf
4. Rename samba_enable to samba_server_enable in rc.conf
5. Moved the smbpasswd file into where samba 4 looks for it,
6. Added acl allow execute always = true to my smb4.conf file, in case it
was needed.
7. Started samba4_server

Now here's where it gets a little weird. Almost everything was working at
this point. I could (and did on a test machine) leave and rejoin the domain
on our Win7 desktops. Files could be downloaded/uploaded and I could open
shares when I logged in on a local account on these desktops. But, if I try
to log in on any user account, I get the cryptic error "User Profile
Service Failed the Login."

At first I thought this was an issue with profile synchronization, but
after investigating, I don't believe it is. Why? I cleared all the cached
profiles off the Windows box with delprof, and then tried to log the user
in, paying careful attention to log.smbd. And, sure enough, I could see it
download the entire profile via samba, and it was only *after* it
downloaded the profile that I got the error.

So what gives? I looked a little deeper at higher verbosity levels of
logging, and I did see one curious error relating to SPNEGO, and found a
few other users had issues with a change to the defaults from 3.x to 4.x,
so I tried adding client use spnego = no to my smb4.conf in the global
section, but this hasn't changed anything. I also tried renaming the user's
existing profile, so it would create a new one upon logging in, but this
hasn't helped things either.

If you have any ideas or suggestions on where to start, I'm all ears, as
I'm stumped at how to proceed. Things appear to basically be functioning
correctly on samba's end, but Windows refuses to let accounts log in.

P.S. - I've since been looking at packet traces, and increasingly verbose
levels of logging, but my knowledge of the SMB protocol is limited.

- Ian
