[Samba] Samba 3.6 to 4.x: User Profile Service Failed the Login

Ian T yoitsmeremember at gmail.com
Mon Aug 14 03:54:38 UTC 2017

On Sun, Aug 13, 2017 at 9:03 AM, Ian <yoitsmeremember at gmail.com> wrote:

> Finally, it could be down to windows updates, try adding this to your
>> smb.conf:
>> server max protocol = NT1
> Thanks, I'll give this a try shortly.

So when I went to test this I rebuilt samba46 (enough dependencies had
changed since I last built it) and the issue no longer appears, even
without that configuration option.  I suspect that the issue may have been
with an older dependency and not with Samba itself.  However, I ran into a
new issue when trying to join machines: invalid NTLMSSP_MIC / SPNEGO login
failed: NT_STATUS_INVALID_PARAMETER.  After reading through that thread
from October of last year, it appears that NT4 style domains have not
worked in Samba 4 since somewhere between 4.2.12 to 4.2.14 (inclusive),
contrary to the claim that these are still supported in 4.x.  So, I finally
just decided to convert to tdbsam and ultimately upgrade to an AD domain.

To make a very long story short, I have things somewhat working under AD,
though with 4.5 instead of 4.6 due to bugs with provisioning in 4.6.  I
still have a few problems remaining, the most pressing of which I'll list:

- I've set the new realm to AD.BLKG.LOCAL, and the workgroup to BLKG (what
was previously used as our NT4 domain).  However, hosts appear to only be
able to join the domain when using ad.blkg.local and not just blkg (as I
was hoping to not have to rejoin all of our machines!). According to the
wiki: "You can enter the NetBIOS name of the domain, if your client is able
to resolve it."  This leads me to two questions; why the netbios name
instead of the workgroup, as I think of that as the host name of the
server, and more importantly, is there any way to work around this that
doesn't involve rejoining every PC by tomorrow morning?  I noticed there
are no SRV records for any domains ending in .BLKG.

- Despite having logon path = \\%N\%U\profile, it is not using the profiles
that are stored in their home directory.  I assume I need to set this
somewhere within active directory itself via rsat, but where?  I'm not even
sure where (if anywhere on the PDC) the profiles are being stored right now.

- Logon scripts are no longer running despite logon script being defined
and relocating the script to the new netlogon share.  I assume again this
is something I have to mess with over rsat?

- Passwordless accounts don't seem to be permitted despite null passwords =

Thanks again for all the help so far,
- Ian

