Hi,

I'm running Samba 3.5.6 with OpenLDAP 2.4.23 (from Debian Squeeze) as PDC. Everything is working fine (Joining Domains, Log on Users) but I'm not able to Log in as Domain Admin. If I try to, the message "Unable to log on: The User Profile Service service failed the logon. User profile cannot be loaded." (in German: "Fehler bei der Anmeldung mit dem Benutzerprofildienst. Das Benutzerprofil kann nicht geladen werden.") appears.

The Samba Log looks fine. If I change the user to be a normal Domain Users he can log in without problems.

I've changed the following Registry-Settings in order to join the domain:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"NtlmMinServerSec"=dword:00000000
"NtlmMinClientSec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"LDAPServerIntegrity"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"RestrictNTLMInDomain"=dword:00000000
"RequireSignOrSeal"=dword:000000001
"RequireStrongKey"=dword:000000001
"DisablePasswordChange"=dword:00000001
"RefusePasswordChange"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAP\Parameters]
"LDAPClientIntegrity"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"LocalProfile"=dword:00000001

This is my smb.conf:

[global]
   workgroup = CATDOM
   server string = %h
   netbios name = PDC
   smb ports = 445 139
   passdb backend = ldapsam:ldap://localhost
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   passwd program = /usr/sbin/smbldap-passwd %u
   log level = 5
   log file = /var/log/samba/samba.log
   max log size = 1000
   time server = Yes
   add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
   logon script = scripts/logon.bat
   logon path
   logon drive
   domain logons = Yes
   domain master = Yes
   os level = 210
   preferred master = Yes
   ldap admin dn = cn=admin,dc=ldap,dc=local
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Machines
   ldap user suffix = ou=People
   ldap suffix = dc=ldap,dc=local
   ldap passwd sync = yes
   ldap ssl = no
   panic action = /usr/share/samba/panic-action %d
   create mask = 0775
   force create mode = 0775
   directory mask = 0775
   force directory mode = 0775
   veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/
   delete veto files = yes
   server signing = disabled
   encrypt passwords = true
   password server = *
   wins support = true
   local master = yes
   guest account = nobody
   map to guest = Bad User
   dns proxy = no
   panic action = /usr/share/samba/panic-action %d
   socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=65536 SO_RCVBUF=65536
   lanman auth = yes
   client ntlmv2 auth = yes

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   valid users = %U
   admin users = root
   browseable = No

Any ideas?

Regards,
Denis Witt

Miguel Medalha
2011-Sep-15 21:36 UTC
[Samba] Samba/LDAP/Win7 Domain Admins could not log in
The Samba wiki page related to the use of Windows 7 with Samba contains the following statements:

"There are currently two registry settings required to be added on the Windows 7 client prior to joining a Samba Domain. These are:

HKLM\System\CCS\Services\LanmanWorkstation\Parameters
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0"

AND:

"Do *not* edit any other registry parameters (NETLOGON) that have been seen in the wild. If you have already modified your Windows 7 registry, please make sure to reset the keys to their default values. If you have changed the NETLOGON Parameters, make sure and turn them back to '1' as shown below:"

The quoted page resides here: http://wiki.samba.org/index.php/Windows7
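
The check below is an added example, not part of the thread or of the Samba wiki. It parses a .reg fragment and separates the two values the quoted wiki text requires from every other value, which the wiki says should be reset to its default. The sample is constructed from some of the values posted in the question; the function names are hypothetical.

```python
import re

LMW = r"hkey_local_machine\system\currentcontrolset\services\lanmanworkstation\parameters"
# The only client-side values the quoted wiki text asks for (compared case-insensitively).
WIKI_REQUIRED = {
    (LMW, "domaincompatibilitymode"): 1,
    (LMW, "dnsnameresolutionrequired"): 0,
}

# Constructed sample: a subset of the registry fragment posted in the question.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"RequireSignOrSeal"=dword:000000001
"DisablePasswordChange"=dword:00000001
'''

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]+)$')

def parse_reg(text):
    """Yield (key_path, value_name, int_value) for each dword line under a key."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            key = m.group(1)
        elif key and (m := VALUE.match(line)):
            yield key, m.group(1), int(m.group(2), 16)

def audit(text):
    """Sort values into wiki-required (ok / wrong data) and extras to revert."""
    report = {"ok": [], "wrong": [], "extra": []}
    for key, name, val in parse_reg(text):
        want = WIKI_REQUIRED.get((key.lower(), name.lower()))
        if want is None:            # not one of the two documented values
            report["extra"].append(f"{key}\\{name}")
        else:
            report["ok" if val == want else "wrong"].append(name)
    return report

if __name__ == "__main__":
    for bucket, items in audit(SAMPLE_REG).items():
        print(bucket, items)
```

Everything reported under "extra" is a candidate for resetting to the Windows default before testing the logon again.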