[Samba] Samba 3.6 to 4.x: User Profile Service Failed the Login
yoitsmeremember at gmail.com
Wed Aug 16 02:46:21 UTC 2017
On Mon, Aug 14, 2017 at 2:43 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Sun, 13 Aug 2017 22:54:38 -0500
> Ian T via samba <samba at lists.samba.org> wrote:
> > On Sun, Aug 13, 2017 at 9:03 AM, Ian <yoitsmeremember at gmail.com>
> > wrote:
> > - I've set the new realm to AD.BLKG.LOCAL,
> I take it you have missed that it is a 'BAD' idea to use '.local' for
> your TLD.
Actually, I did read the wiki on this. Breaking Bonjour is practically a
bonus, and I don't need anything beyond self-signed certs for the AD domain
anyway, so I should be okay.
> > and the workgroup to BLKG
> > (what was previously used as our NT4 domain). However, hosts appear
> > to only be able to join the domain when using ad.blkg.local and not
> > just blkg (as I was hoping to not have to rejoin all of our
> > machines!).
> Not surprising really, a new domain would have a different SID, so you
> will have to join all your computers to the 'new' domain even if you
> have used the same workgroup name.
I've now done this on basically all of our currently in-use machines, but
it's tedious even when scripted. Oh well.
> AD doesn't work like an NT4-style PDC, there are numerous attributes in
> AD for storing things like profile paths, I suggest you read the Samba
> wiki, especially this page:
Yes, I've gone through this now and finally figured out the correct string
to set to get it back to the old behavior: \\PDC\%USERNAME%\profile
However, I now have a new problem. Profiles will synchronize (even after a
delprof), but for most of our users, Windows will barf the error: "The
Group Policy Client service failed the logon. Access is denied." This is
almost identical to the problem I had before, except that was the "User
Digging into it more I've found this is some issue in their profile
itself. I verified this by simply renaming their current profile
(profile.V2) to something else, delprof their machine, and having them log
in again. Windows of course creates a new profile.V2 folder the first
time, and after logging in and out a second time a full working profile is
present (this behavior is identical to what happened in Samba 3.x when
creating new profiles). However, if I delete this new (working) profile,
rename their old (non-working) profile back to profile.V2, delprof the
machine, and have them log in again... well, you guessed it: "The Group
Policy Client service failed the logon. Access is denied."
So clearly it's something buried in their original profile. A SID
somewhere that wasn't updated perhaps? Is there anything I can change or
simply delete from their old profiles to get it working with the new AD
domain, without recreating all their profiles from scratch?
> - Passwordless accounts don't seem to be permitted despite null
> > passwords = true?
> No, that will not work, also why do want blank passwords, they are a
> bad idea.
This is just for guest accounts with mandatory profiles. I'm guessing this
is buried in a GPO somewhere so I'll just hunt around to find out.
More information about the samba