
[Samba] group policy client service failed the logon

 
Shawn Dakin
Posted: Mon Jun 04, 2012 4:10 pm    Post subject: [Samba] group policy client service failed the logon
Archived from groups: linux>samba


I am in the process of implementing a new SAMBA install, version
3.6.3-34.12.1-2797-SUSE-SL12.1-x86_64, on OpenSuse 12.1.
I am using LDAP as my backend and LAM to manage my LDAP accounts. Things
were going well until recently. Suddenly any newly created user cannot
log on (win7). Any accounts that I created prior to last week can still
log on to the workstation.

The only changes I recall making involve the add machine script. I moved from
using useradd to using smbldap-useradd so machine accounts would only be
created in LDAP and not locally. Also, in yast, I changed the LDAP client
Naming Context from ou=users,dc=nctschools,dc=org to
dc=nctschools,dc=org to allow the local LDAP client to find machine
accounts, as they are not created in the user context.

However, I don't believe any of these changes could be causing the "group
policy client service failed the logon. Access denied" error I am
receiving. I could be wrong though. Any help would be GREAT.
Thanks

Here is my smb.conf

[global]
workgroup = NEVSD
map to guest = Bad User
passdb backend = ldapsam:ldap://SAMBA1.nctschools.org
log level = 3
log file = /var/log/samba/log.%m
printcap name = cups
add machine script = /usr/sbin/smbldap-useradd -t 1 -w -c Machine -d /var/lib/nobody -s /bin/false %m$
logon path = \\%L\profiles\%U
logon drive = P:
logon home = \\%L\%U\.9xprofile
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Administrator,dc=nctschools,dc=org
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = yes
ldap suffix = dc=nctschools,dc=org
ldap user suffix = ou=Users
idmap config * : backend = ldap:ldap://SAMBA1.nctschools.org
cups options = raw

[homes]
comment = Home Directories
valid users = %S, %D%w%S
read only = No
inherit acls = Yes
browseable = No


[profiles]
comment = Network Profiles Service
path = %H
read only = No
create mask = 0600
directory mask = 0700
store dos attributes = Yes


--
Shawn Dakin (CNE)
Director of Technology
Newcomerstown Schools
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Gaiseric Vandal
Posted: Mon Jun 04, 2012 10:10 pm    Post subject: Re: [Samba] group policy client service failed the logon

Maybe the group membership or primary group is getting messed up for the new
users?

Can you compare the unix, ldap and windows group properties for a new and an
older user?

# pdbedit -Lv username

# net rpc user info username -U administrator

# groups username


Shawn Dakin
Posted: Tue Jun 05, 2012 10:10 am    Post subject: Re: [Samba] group policy client service failed the logon

Here we go: tstudent is a working user, yo.dog is a non-working user.
I am not seeing any difference between the two.

SAMBA1:/etc/samba # net rpc user info tstudent -U administrator
Enter administrator's password:
None
Default Staff User Group
SAMBA1:/etc/samba # net rpc user info yo.dog -U administrator
Enter administrator's password:
None
Default Staff User Group

SAMBA1:/etc/samba # groups tstudent
tstudent : All_Staff
SAMBA1:/etc/samba # groups yo.dog
yo.dog : All_Staff


StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: tstudent
init_group_from_ldap: Entry found for group: 10000
init_group_from_ldap: Entry found for group: 10000
Primary group S-1-5-21-1545272169-3882205488-3325164475-21001 for user tstudent is a User and not a domain group
Forcing Primary Group to 'Domain Users' for tstudent
Unix username: tstudent
NT username: tstudent
Account Flags: [UX ]
User SID: S-1-5-21-1545272169-3882205488-3325164475-21002
Primary Group SID: S-1-5-21-1545272169-3882205488-3325164475-513
Full Name: test Student
Home Directory: \\SAMBA1\tstudent
HomeDir Drive: H:
Logon Script:
Profile Path: \\samba1\profiles\tstudent
Domain: NEVSD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Wed, 09 May 2012 14:32:12 EDT
Password can change: Wed, 09 May 2012 14:32:12 EDT
Password must change: Mon, 18 Jan 2038 22:14:07 EST
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: yo.dog
init_group_from_ldap: Entry found for group: 10000
init_group_from_ldap: Entry found for group: 10000
Primary group S-1-5-21-1545272169-3882205488-3325164475-21001 for user yo.dog is a User and not a domain group
Forcing Primary Group to 'Domain Users' for yo.dog
Unix username: yo.dog
NT username: yo.dog
Account Flags: [UX ]
User SID: S-1-5-21-1545272169-3882205488-3325164475-21006
Primary Group SID: S-1-5-21-1545272169-3882205488-3325164475-513
Full Name: Yo Dog
Home Directory: \\SAMBA1\yo.dog
HomeDir Drive: H:
Logon Script:
Profile Path: \\samba1\profiles\yo.dog
Domain: NEVSD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: Mon, 31 Dec 2029 19:00:00 EST
Password last set: Mon, 04 Jun 2012 14:34:26 EDT
Password can change: Mon, 04 Jun 2012 14:34:26 EDT
Password must change: Mon, 18 Jan 2038 22:14:07 EST
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF






--
Shawn Dakin (CNE)
Director of Technology
Newcomerstown Schools

659 S. Beaver St.
Newcomerstown Oh, 43832
Office 740-498-4999
Cell 740-227-0339

Shawn Dakin
Posted: Wed Jun 06, 2012 4:10 pm    Post subject: Re: [Samba] group policy client service failed the logon

So after another day of investigation I have discovered it may be a LAM issue.
If I create a new user using smbldap-useradd the new user can login to
my win7 workstations. However, if I create the new user in LAM the new
user receives the error "group policy client service failed the logon.
Access denied".

Anyone have an idea what LAM is doing to the user accounts?

Here is a quick comparison.

yo.littledog (GOOD ACCOUNT)
I know the home dir and profile path are wrong.
SAMBA1:/var/log/samba # pdbedit -Lv yo.littledog
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=NEVSD))]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: yo.littledog
init_group_from_ldap: Entry found for group: 513
Unix username: yo.littledog
NT username: yo.littledog
Account Flags: [U ]
User SID: S-1-5-21-1545272169-3882205488-3325164475-1328
Primary Group SID: S-1-5-21-1545272169-3882205488-3325164475-513
Full Name: yo.littledog
Home Directory: \\PDC-SRV\yo.littledog
HomeDir Drive: H:
Logon Script: logon.bat
Profile Path: \\PDC-SRV\profiles\yo.littledog
Domain: NEVSD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Mon, 18 Jan 2038 22:14:07 EST
Kickoff time: Mon, 18 Jan 2038 22:14:07 EST
Password last set: Wed, 06 Jun 2012 14:52:39 EDT
Password can change: Wed, 06 Jun 2012 14:52:39 EDT
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF



yo.dog (BAD ACCOUNT)
SAMBA1:/var/log/samba # pdbedit -Lv yo.dog
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=NEVSD))]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: yo.dog
init_group_from_ldap: Entry found for group: 513
Unix username: yo.dog
NT username: yo.dog
Account Flags: [UX ]
User SID: S-1-5-21-1545272169-3882205488-3325164475-21006
Primary Group SID: S-1-5-21-1545272169-3882205488-3325164475-513
Full Name: Yo Dog
Home Directory: \\SAMBA1\yo.dog
HomeDir Drive: H:
Logon Script:
Profile Path: \\samba1\profiles\yo.dog
Domain: NEVSD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: Mon, 31 Dec 2029 19:00:00 EST
Password last set: Wed, 06 Jun 2012 15:19:40 EDT
Password can change: Wed, 06 Jun 2012 15:19:40 EDT
Password must change: Mon, 18 Jan 2038 22:14:07 EST
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Gaiseric Vandal
Posted: Wed Jun 06, 2012 7:10 pm    Post subject: Re: [Samba] group policy client service failed the logon

Can you look at the LDAP entries for each user?

Can you disable the "password must change" date entry? I don't know if
you can do that via pdbedit. You may be able to clear it out in LDAP.
I think samba calculates that field based on the password policy and
when the user last changed his or her password. I found password
expiration in LDAP tripped me up once because pdbedit did not reset
stuff the way I thought it should.



Shawn Dakin
Posted: Thu Jun 07, 2012 2:10 pm    Post subject: Re: [Samba] group policy client service failed the logon

Finally, I have settled on the cause of the problem.
The SambaSID is causing problems when created through LAM.
I am not sure why it was working but now has a problem, but the issue
appears to be the SambaSID range that the new users are created in.
However older users in the same range have no issues. I am continuing
to investigate. Any help would be appreciated.

Shawn Dakin
Posted: Thu Jun 07, 2012 4:10 pm    Post subject: Re: [Samba] group policy client service failed the logon

OK, the problem is that I have a specific sambasid that will not allow
a user to log in.
The problem is not with LAM specifically.
Conclusion: the "group policy client service failed the logon" error
occurs only when a user has a specific sambasid. I will close this
thread and start a new one.




--
Shawn Dakin (CNE)
Director of Technology
Newcomerstown Schools

659 S. Beaver St.
Newcomerstown Oh, 43832
Office 740-498-4999
Cell 740-227-0339
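
The good/bad account comparison posted earlier in the thread can be done mechanically rather than by eye. The following is an added example, not code from the thread or from Samba: it parses two `pdbedit -Lv` dumps, skips the log-level-3 debug lines, ignores fields that always differ per user, and splits the user SID into domain SID and RID. The sample input is constructed from the values shown in the thread; the function names and the `PER_USER` field list are assumptions of this example.

```python
# Constructed sample input: trimmed `pdbedit -Lv` output using the values the
# thread shows for both accounts, with log-level-3 debug lines left in place.
GOOD = """\
smbldap_open_connection: connection opened
init_sam_from_ldap: Entry found for user: yo.littledog
Unix username:        yo.littledog
Account Flags:        [U          ]
User SID:             S-1-5-21-1545272169-3882205488-3325164475-1328
Primary Group SID:    S-1-5-21-1545272169-3882205488-3325164475-513
Logon Script:         logon.bat
Kickoff time:         Mon, 18 Jan 2038 22:14:07 EST
Password must change: never
"""
BAD = """\
smbldap_open_connection: connection opened
init_sam_from_ldap: Entry found for user: yo.dog
Unix username:        yo.dog
Account Flags:        [UX         ]
User SID:             S-1-5-21-1545272169-3882205488-3325164475-21006
Primary Group SID:    S-1-5-21-1545272169-3882205488-3325164475-513
Logon Script:
Kickoff time:         Mon, 31 Dec 2029 19:00:00 EST
Password must change: Mon, 18 Jan 2038 22:14:07 EST
"""

# Assumption: fields that always differ between two users and say nothing
# about why one of them fails to log on.
PER_USER = {"Unix username", "NT username", "Full Name", "Home Directory",
            "Profile Path", "Password last set", "Password can change"}


def parse_pdbedit(text):
    """Return {field: value} for one `pdbedit -Lv` record."""
    fields, in_record = {}, False
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if key == "Unix username":
            in_record = True  # everything before this line is debug output
        if in_record and sep:
            fields[key] = " ".join(value.split())  # collapse column padding
    return fields


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID as int)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def compare(good_text, bad_text):
    """Return {field: (good, bad)} for every field that differs."""
    good, bad = parse_pdbedit(good_text), parse_pdbedit(bad_text)
    diffs = {}
    for key in sorted((set(good) | set(bad)) - PER_USER - {"User SID"}):
        if good.get(key, "") != bad.get(key, ""):
            diffs[key] = (good.get(key, ""), bad.get(key, ""))
    # Compare the user SIDs by part: same domain SID, different RID is normal.
    (g_dom, g_rid), (b_dom, b_rid) = split_sid(good["User SID"]), split_sid(bad["User SID"])
    if g_dom != b_dom:
        diffs["Domain SID"] = (g_dom, b_dom)
    diffs["User RID"] = (g_rid, b_rid)
    return diffs


if __name__ == "__main__":
    for field, (g, b) in compare(GOOD, BAD).items():
        print(f"{field:22} good={g!r:40} bad={b!r}")
```

On a live server the two strings would be the captured output of `pdbedit -Lv` for each account.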