[Samba] Samba 3.6 to 4.x: User Profile Service Failed the Login

Ian T yoitsmeremember at gmail.com
Wed Aug 16 02:46:21 UTC 2017

On Mon, Aug 14, 2017 at 2:43 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Sun, 13 Aug 2017 22:54:38 -0500
> Ian T via samba <samba at lists.samba.org> wrote:
> > On Sun, Aug 13, 2017 at 9:03 AM, Ian <yoitsmeremember at gmail.com>
> > wrote:
> > - I've set the new realm to AD.BLKG.LOCAL,
> I take it you have missed that it is a 'BAD' idea to use '.local' for
> your TLD.

Actually, I did read the wiki on this.  Breaking Bonjour is practically a
bonus, and I don't need anything beyond self-signed certs for the AD domain
anyway, so I should be okay.

> > and the workgroup to BLKG
> > (what was previously used as our NT4 domain).  However, hosts appear
> > to only be able to join the domain when using ad.blkg.local and not
> > just blkg (as I was hoping to not have to rejoin all of our
> > machines!).
> Not surprising really, a new domain would have a different SID, so you
> will have to join all your computers to the 'new' domain even if you
> have used the same workgroup name.

I've now done this on basically all of our currently in-use machines, but
it's tedious even when scripted.  Oh well.

> AD doesn't work like an NT4-style PDC, there are numerous attributes in
> AD for storing things like profile paths, I suggest you read the Samba
> wiki, especially this page:
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Yes, I've gone through this now and finally figured out the correct string
to set to get it back to the old behavior: \\PDC\%USERNAME%\profile

However, I now have a new problem.  Profiles will synchronize (even after a
delprof), but for most of our users, Windows will barf the error: "The
Group Policy Client service failed the logon.  Access is denied."  This is
almost identical to the problem I had before, except that was the "User
Profile Service."

Digging into it more I've found this is some issue in their profile
itself.  I verified this by simply renaming their current profile
(profile.V2) to something else, delprof their machine, and having them log
in again.  Windows of course creates a new profile.V2 folder the first
time, and after logging in and out a second time a full working profile is
present (this behavior is identical to what happened in Samba 3.x when
creating new profiles).  However, if I delete this new (working) profile,
rename their old (non-working) profile back to profile.V2, delprof the
machine, and have them log in again... well, you guessed it: "The Group
Policy Client service failed the logon.  Access is denied."

So clearly it's something buried in their original profile.  A SID
somewhere that wasn't updated perhaps?  Is there anything I can change or
simply delete from their old profiles to get it working with the new AD
domain, without recreating all their profiles from scratch?

> > - Passwordless accounts don't seem to be permitted despite null
> > passwords = true?
> No, that will not work, also why do want blank passwords, they are a
> bad idea.

This is just for guest accounts with mandatory profiles.  I'm guessing this
is buried in a GPO somewhere so I'll just hunt around to find out.

Thanks again,
- Ian
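The message above suspects a SID from the old NT4 domain buried somewhere in the failing profile.V2 folders. One place such a SID can survive a domain migration is the file-system ACLs (and owners) of the profile files on the share. The PowerShell script below is an added example and is not part of the original thread or of Samba; it walks one profile folder over SMB and reports every ACE or owner whose SID either belongs to a given old domain SID or no longer resolves. The profile UNC path and the old domain SID are assumed inputs (the page gives neither); if the old domain SID is not supplied, only unresolvable SIDs are reported.

```powershell
# Added example, not code from the thread. Scan a roaming profile folder for
# ACL entries that reference the old NT4 domain SID or that no longer resolve
# against the new AD domain.
#
# Assumptions (not from the page):
#   $ProfilePath  - UNC path of one user's profile, e.g. \\PDC\jdoe\profile.V2
#   $OldDomainSid - SID of the old NT4 domain (S-1-5-21-xxx-yyy-zzz). Optional;
#                   when empty, only SIDs that fail to resolve are reported.
param(
    [Parameter(Mandatory = $true)][string]$ProfilePath,
    [string]$OldDomainSid = ''
)

function Test-StaleSid {
    param([System.Security.Principal.IdentityReference]$Identity)
    # Get-Acl hands back an NTAccount for principals it could resolve and a raw
    # SecurityIdentifier for ones it could not; normalise to a SID first.
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        return $true   # cannot even be translated: treat as stale
    }
    if ($OldDomainSid -and $sid.Value.StartsWith("$OldDomainSid-")) {
        return $true   # RID under the old domain SID: definitely left over
    }
    try {
        [void]$sid.Translate([System.Security.Principal.NTAccount])
        return $false  # resolves in the domain this client is joined to
    } catch {
        return $true   # orphaned SID from a domain that no longer exists
    }
}

# Include the profile root itself; -Force picks up hidden files like NTUSER.DAT.
$items = @(Get-Item -LiteralPath $ProfilePath -Force) +
         @(Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force -ErrorAction SilentlyContinue)

$stale = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }

    # The owner is checked separately: ownership is not part of the DACL, and an
    # owner from the old domain is a common leftover after a migration.
    $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
    if (Test-StaleSid $owner) {
        [pscustomobject]@{ Path = $item.FullName; Kind = 'Owner'; Identity = $owner.Value; Rights = '' }
    }

    foreach ($ace in $acl.Access) {
        if (Test-StaleSid $ace.IdentityReference) {
            [pscustomobject]@{
                Path     = $item.FullName
                Kind     = "ACE/$($ace.AccessControlType)"
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

if ($stale) {
    $stale | Format-Table -AutoSize
    Write-Host ("{0} stale ACL references found under {1}" -f @($stale).Count, $ProfilePath)
} else {
    Write-Host "No stale SIDs found in the ACLs under $ProfilePath"
}
```

Run it from a client already joined to the new AD domain (so that resolution reflects that domain) with `.\Find-StaleProfileSids.ps1 -ProfilePath '\\PDC\jdoe\profile.V2' -OldDomainSid 'S-1-5-21-...'`. The script only reports; it changes nothing. It also covers only the share-side ACLs: a SID can equally sit inside the NTUSER.DAT hive, and whether either is what triggers the "Group Policy Client service failed the logon" message is not established by the thread. Comparing the output of a working (freshly created) profile.V2 against the failing one is the quickest way to tell whether this particular hypothesis holds.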
