[Samba] Samba 3.6 to 4.x: User Profile Service Failed the Login
rpenny at samba.org
Mon Aug 14 07:43:07 UTC 2017
On Sun, 13 Aug 2017 22:54:38 -0500
Ian T via samba <samba at lists.samba.org> wrote:
> On Sun, Aug 13, 2017 at 9:03 AM, Ian <yoitsmeremember at gmail.com>
> >> Finally, it could be down to windows updates, try adding this to your
> >> smb.conf:
> >> server max protocol = NT1
> > Thanks, I'll give this a try shortly.
> So when I went to test this I rebuilt samba46 (enough dependencies had
> changed since I last built it) and the issue no longer appears, even
> without that configuration option. I suspect that the issue may have
> been with an older dependency and not with Samba itself. However, I
> ran into a new issue when trying to join machines: invalid
> NTLMSSP_MIC / SPNEGO login failed: NT_STATUS_INVALID_PARAMETER.
> After reading through that thread from October of last year, it
> appears that NT4 style domains have not worked in Samba 4 since
> somewhere between 4.2.12 and 4.2.14 (inclusive), contrary to the claim
> that these are still supported in 4.x. So, I finally just decided to
> convert to tdbsam and ultimately upgrade to an AD domain.
> To make a very long story short, I have things somewhat working under
> AD, though with 4.5 instead of 4.6 due to bugs with provisioning in
> 4.6. I still have a few problems remaining, the most pressing of
> which I'll list here:
> - I've set the new realm to AD.BLKG.LOCAL,
I take it you have missed that it is a 'BAD' idea to use '.local' for
> and the workgroup to BLKG
> (what was previously used as our NT4 domain). However, hosts appear
> to only be able to join the domain when using ad.blkg.local and not
> just blkg (as I was hoping to not have to rejoin all of our
Not surprising really, a new domain would have a different SID, so you
will have to join all your computers to the 'new' domain even if you
have used the same workgroup name.
> According to the wiki: "You can enter the NetBIOS name of
> the domain, if your client is able to resolve it." This leads me to
> two questions; why the netbios name instead of the workgroup, as I
> think of that as the host name of the server, and more importantly,
> is there any way to work around this that doesn't involve rejoining
> every PC by tomorrow morning? I noticed there are no SRV records for
> any domains ending in .BLKG.
There won't be, all your dns records will end in 'ad.blkg.local'
> - Despite having logon path = \\%N\%U\profile, it is not using the
> profiles that are stored in their home directory. I assume I need to
> set this somewhere within active directory itself via rsat, but
> where? I'm not even sure where (if anywhere on the PDC) the profiles
> are being stored right now.
AD doesn't work like an NT4-style PDC, there are numerous attributes in
AD for storing things like profile paths, I suggest you read the Samba
wiki, especially this page:
> - Logon scripts are no longer running despite logon script being
> defined and relocating the script to the new netlogon share. I
> assume again this is something I have to mess with over rsat?
Probably, I don't use them, but I am fairly sure Louis does (hint, hint)
> - Passwordless accounts don't seem to be permitted despite null
> passwords = true?
No, that will not work, also why do you want blank passwords, they are a