[Samba] Samba 3.6 to 4.x: User Profile Service Failed the Login

Rowland Penny rpenny at samba.org
Sun Aug 13 13:40:19 UTC 2017 

On Sun, 13 Aug 2017 07:37:54 -0500
Ian via samba <samba at lists.samba.org> wrote:

> On 8/13/2017 2:06 AM, Rowland Penny via samba wrote:
> > Can you start by posting your smb4.conf, without this we are
> > guessing what type of server you have.
> >
> > Rowland
> 
> Sure thing.  As I stated earlier, except for the two added options 
> (client use spnego and acl allow execute always) it's identical to my 
> Samba 3 config.  Also, I've trimmed down things to just an example
> user as the actual config is over 1K lines.
> 
> # Samba 4 config
> [global]
>       workgroup = BLKG
>       server string = PDC
>       encrypt passwords = Yes
>       null passwords = true
>       log level = 2
>       max log size = 5000
>       socket options = TCP_NODELAY SO_RCVBUF=64240 SO_SNDBUF=64240
>       use sendfile = yes
>       load printers = no
>       wins support = yes
>       security = user
>       domain master = yes
>       local master = yes
>       preferred master = yes
>       domain logons = yes
>       username map = /usr/local/etc/smbusers
>       passdb backend = smbpasswd
>       hide dot files = yes
>       dns proxy = no
>       client use spnego = no
>       os level = 65
>       printing = BSD
>       interfaces = 192.168.192.5 127.0.0.0/8
>       hosts allow = 192.168.0.0/16
>       time server = yes
>       logon script = LOGON.bat
>       unix password sync = true
>       pam password change = no
>       passwd chat = *New*Password* %n\n *Retype*Password* %n\n
> *Changed* passwd program = /usr/bin/passwd %u
>       acl allow execute always = true
> # Try Aio
>       aio read size = 16384
>       aio write size = 16384
>       aio write behind = true
> # Weird bug
>       client signing = false
> # Cut old smbd
>       deadtime = 15
> 
> [netlogon]
>       comment=Netlogon Share
>       path=/home/netlogon
>       read only  =yes
>       write list =@wheel
> 
> # A typical user looks like this:
> [testuser]
>       comment = Test User
>       path = /home/testuser
>       create mask = 770
>       force directory mode = 0770
>       force group = testuser
>       valid users = testuser, at test
>       vfs object = shadow_copy2
>       shadow:sort = desc
>       shadow:snapdir = .zfs/snapshot
>       shadow:format = %Y%m%d%H%M
>       shadow:localtime = yes
>       writeable = Yes
>       csc policy = disable
> 
> 

Nothing really wrong with the [global] portion of your smb.conf (there
are a few lines I would remove) but I do not see a profiles share. I
would expect to see something like this:

[profiles]
    comment = User Profiles
    path = /path/to/where/you/want/store/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = no
    csc policy = disable

What I do see is something that looks like a users home directory
'[testuser]'

It has been quite some time since I used an NT4-style domain, but what
I have noticed is that it is getting harder and harder to keep them
working, not from the Samba side, but from the windows side.

One thing I did notice, you are still using the deprecated smbpasswd
passdb backend.

Finally, it could be down to windows updates, try adding this to your
smb.conf:

server max protocol = NT1

Rowland

More information about the samba mailing list