[Samba] Samba 3.6 to 4.x: User Profile Service Failed the Login

Rowland Penny rpenny at samba.org
Mon Aug 14 07:43:07 UTC 2017


On Sun, 13 Aug 2017 22:54:38 -0500
Ian T via samba <samba at lists.samba.org> wrote:

> On Sun, Aug 13, 2017 at 9:03 AM, Ian <yoitsmeremember at gmail.com>
> wrote:
> 
> >
> > Finally, it could be down to windows updates, try adding this to
> > your
> >> smb.conf:
> >>
> >> server max protocol = NT1
> >>
> >
> > Thanks, I'll give this a try shortly.
> >
> 
> So when I went to test this I rebuilt samba46 (enough dependencies had
> changed since I last built it) and the issue no longer appears, even
> without that configuration option.  I suspect that the issue may have
> been with an older dependency and not with Samba itself.  However, I
> ran into a new issue when trying to join machines: invalid
> NTLMSSP_MIC / SPNEGO login failed: NT_STATUS_INVALID_PARAMETER.
> After reading through that thread from October of last year, it
> appears that NT4 style domains have not worked in Samba 4 since
> somewhere between 4.2.12 to 4.2.14 (inclusive), contrary to the claim
> that these are still supported in 4.x.  So, I finally just decided to
> convert to tdbsam and ultimately upgrade to an AD domain.
> 
> To make a very long story short, I have things somewhat working under
> AD, though with 4.5 instead of 4.6 due to bugs with provisioning in
> 4.6.  I still have a few problems remaining, the most pressing of
> which I'll list here:
> 
> - I've set the new realm to AD.BLKG.LOCAL,

I take it you have missed that it is a 'BAD' idea to use '.local' for
your TLD.

> and the workgroup to BLKG
> (what was previously used as our NT4 domain).  However, hosts appear
> to only be able to join the domain when using ad.blkg.local and not
> just blkg (as I was hoping to not have to rejoin all of our
> machines!).

Not surprising really, a new domain would have a different SID, so you
will have to join all your computers to the 'new' domain even if you
have used the same workgroup name.

> According to the wiki: "You can enter the NetBIOS name of
> the domain, if your client is able to resolve it."  This leads me to
> two questions; why the netbios name instead of the workgroup, as I
> think of that as the host name of the server, and more importantly,
> is there any way to work around this that doesn't involve rejoining
> every PC by tomorrow morning?  I noticed there are no SRV records for
> any domains ending in .BLKG.

There won't be, all your DNS records will end in 'ad.blkg.local'.

> 
> - Despite having logon path = \\%N\%U\profile, it is not using the
> profiles that are stored in their home directory.  I assume I need to
> set this somewhere within active directory itself via rsat, but
> where?  I'm not even sure where (if anywhere on the PDC) the profiles
> are being stored right now.

AD doesn't work like an NT4-style PDC; there are numerous attributes in
AD for storing things like profile paths. I suggest you read the Samba
wiki, especially this page:

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

> 
> - Logon scripts are no longer running despite logon script being
> defined and relocating the script to the new netlogon share.  I
> assume again this is something I have to mess with over rsat?

Probably, I don't use them, but I am fairly sure Louis does (hint, hint)

> 
> - Passwordless accounts don't seem to be permitted despite null
> passwords = true?

No, that will not work. Also, why do you want blank passwords? They are a
bad idea.

Rowland
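As an added example (not from this thread or the Samba project), a small Python check that parses an smb.conf and flags the [global] settings the reply above objects to: a realm under '.local', 'null passwords', forcing 'server max protocol = NT1', and relying on 'logon path' on an AD DC. The sample config is constructed, and the finding texts are this example's own wording, not Samba's messages.

```python
import configparser
import io

# Constructed sample smb.conf combining the settings discussed in the thread;
# it is not the poster's actual configuration.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = BLKG
    realm = AD.BLKG.LOCAL
    server role = active directory domain controller
    null passwords = yes
    server max protocol = NT1
    logon path = \\\\%N\\%U\\profile
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.
    Keys are lower-cased with internal whitespace collapsed, since Samba
    treats 'Server Max  Protocol' and 'server max protocol' alike."""
    cp = configparser.RawConfigParser(strict=False, interpolation=None,
                                      comment_prefixes=('#', ';'))
    cp.optionxform = lambda key: ' '.join(key.lower().split())
    cp.read_file(io.StringIO(text))
    return {section: dict(cp.items(section)) for section in cp.sections()}

def audit_global(conf):
    """Return a list of (setting, finding) pairs for the [global] section."""
    g = conf.get('global', {})
    findings = []
    if g.get('realm', '').lower().endswith('.local'):
        findings.append(('realm',
            ".local is reserved for mDNS; name resolution for the realm can clash"))
    if g.get('null passwords', 'no').lower() in ('yes', 'true', '1'):
        findings.append(('null passwords',
            "blank passwords are not honoured by an AD DC and are unsafe anyway"))
    if g.get('server max protocol', '').upper() == 'NT1':
        findings.append(('server max protocol',
            "capped at SMB1/NT1, which forgoes SMB2+ signing and encryption"))
    is_dc = g.get('server role', '').lower().startswith('active directory')
    if is_dc and g.get('logon path'):
        findings.append(('logon path',
            "not used by an AD DC; set the profile path on the AD user object"))
    return findings

if __name__ == '__main__':
    for setting, finding in audit_global(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"{setting}: {finding}")
```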
