[Samba] Samba 3.6 to 4.x: User Profile Service Failed the Login
Rowland Penny
rpenny at samba.org
Sun Aug 13 13:40:19 UTC 2017
On Sun, 13 Aug 2017 07:37:54 -0500
Ian via samba <samba at lists.samba.org> wrote:
> On 8/13/2017 2:06 AM, Rowland Penny via samba wrote:
> > Can you start by posting your smb4.conf, without this we are
> > guessing what type of server you have.
> >
> > Rowland
>
> Sure thing. As I stated earlier, except for the two added options
> (client use spnego and acl allow execute always) it's identical to my
> Samba 3 config. Also, I've trimmed down things to just an example
> user as the actual config is over 1K lines.
>
> # Samba 4 config
> [global]
> workgroup = BLKG
> server string = PDC
> encrypt passwords = Yes
> null passwords = true
> log level = 2
> max log size = 5000
> socket options = TCP_NODELAY SO_RCVBUF=64240 SO_SNDBUF=64240
> use sendfile = yes
> load printers = no
> wins support = yes
> security = user
> domain master = yes
> local master = yes
> preferred master = yes
> domain logons = yes
> username map = /usr/local/etc/smbusers
> passdb backend = smbpasswd
> hide dot files = yes
> dns proxy = no
> client use spnego = no
> os level = 65
> printing = BSD
> interfaces = 192.168.192.5 127.0.0.0/8
> hosts allow = 192.168.0.0/16
> time server = yes
> logon script = LOGON.bat
> unix password sync = true
> pam password change = no
> passwd chat = *New*Password* %n\n *Retype*Password* %n\n *Changed*
> passwd program = /usr/bin/passwd %u
> acl allow execute always = true
> # Try Aio
> aio read size = 16384
> aio write size = 16384
> aio write behind = true
> # Weird bug
> client signing = false
> # Cut old smbd
> deadtime = 15
>
> [netlogon]
> comment=Netlogon Share
> path=/home/netlogon
> read only =yes
> write list =@wheel
>
> # A typical user looks like this:
> [testuser]
> comment = Test User
> path = /home/testuser
> create mask = 770
> force directory mode = 0770
> force group = testuser
> valid users = testuser, @test
> vfs object = shadow_copy2
> shadow:sort = desc
> shadow:snapdir = .zfs/snapshot
> shadow:format = %Y%m%d%H%M
> shadow:localtime = yes
> writeable = Yes
> csc policy = disable
>
>
Nothing really wrong with the [global] portion of your smb.conf (there
are a few lines I would remove) but I do not see a profiles share. I
would expect to see something like this:

[profiles]
comment = User Profiles
path = /path/to/where/you/want/store/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = no
csc policy = disable

What I do see is something that looks like a user's home directory
'[testuser]'.

It has been quite some time since I used an NT4-style domain, but what
I have noticed is that it is getting harder and harder to keep them
working, not from the Samba side, but from the Windows side.

One thing I did notice, you are still using the deprecated smbpasswd
passdb backend.

Finally, it could be down to Windows updates, try adding this to your
smb.conf:

server max protocol = NT1

Rowland
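
Added example, not part of the original message or of Samba's own tooling: a small Python audit that reads the [global] section of an smb.conf and lists the authentication, signing and protocol settings seen in this thread that weaken the server. The rule list, the wording of each finding and the sample text (a few lines constructed from the configs quoted above) are assumptions made for illustration.

```python
# Constructed sample: a few lines taken from the configs quoted in this thread.
SAMPLE_CONF = """\
[global]
workgroup = BLKG
null passwords = true
passdb backend = smbpasswd
client use spnego = no
  # Weird bug
client signing = false
server max protocol = NT1

[netlogon]
path=/home/netlogon
read only =yes
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}. Samba ignores case and spaces in
    parameter names, so 'Read Only' and 'readonly' map to the same key."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            name, value = line.split("=", 1)
            conf[section]["".join(name.split()).lower()] = value.strip()
    return conf

TRUE = {"yes", "true", "1", "on"}
FALSE = {"no", "false", "0", "off", "disabled"}
OLD_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}

# (normalised parameter, test on lower-cased value, finding) - illustrative rules
CHECKS = [
    ("nullpasswords", lambda v: v in TRUE, "accounts with an empty password are accepted"),
    ("clientsigning", lambda v: v in FALSE, "SMB signing is off for client connections"),
    ("clientusespnego", lambda v: v in FALSE, "SPNEGO negotiation (needed for Kerberos) is off"),
    ("passdbbackend", lambda v: v.startswith("smbpasswd"), "deprecated smbpasswd backend"),
    ("servermaxprotocol", lambda v: v in OLD_DIALECTS, "server is capped at SMB1 or older"),
]

def audit_global(text):
    """Return [(param, value, finding)] for every rule that matches [global]."""
    g = parse_smb_conf(text).get("global", {})
    return [(p, g[p], why) for p, test, why in CHECKS if p in g and test(g[p].lower())]

if __name__ == "__main__":
    for param, value, why in audit_global(SAMPLE_CONF):
        print(f"{param} = {value}: {why}")
```

Against a live server, the output of `testparm -s` can be passed to `audit_global()` in place of the sample text.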