Patrick Camilleri
2008-Nov-25 22:17 UTC
[Samba] Logon privilege denied using Samba PDC with terminal services
Hello everybody,

I have a Windows Server 2008 with terminal services enabled joined to a Samba domain (SuSe server) and I'm able to login as 'domain\user' when I'm physically sitting at the Windows Server 2008 box. The problem arises when I try to logon via RDP using 'domain\user' onto the Windows Server machine. I get an error message telling me that 'Your interactive logon privilege has been disabled. Please contact your administrator.'

I also tried this with a Windows Server 2003 machine with a similar outcome. The error message this time was 'You have been denied permissions to log on to terminal servers. To resolve this problem, your administrator must clear the Deny this user permissions to log on to any terminal server check box in the Terminal Server Profile settings tab.' Of course when checking in the 'Group Policy Object Editor' I don't find any restrictions. I'm checking at this particular location: Local Computer Policy->Computer Configuration->Windows Settings->Security Settings->Local Policies->User Rights Assignment->Deny log on through Terminal Services.

I did add the Samba LDAP group (of the users that I want to give RDP access) to the 'Remote Desktop Users' group on the Windows Server (2008 as well as 2003) machine, i.e. the domain users DO have permission to access the Windows Server over RDP but to no avail. The only user I was able to get to logon via RDP was the user 'domain\root'.

Could this problem be related to the default groups that need to be defined in the Samba PDC, mainly Domain Admins, Domain Users and Domain Guests? Or maybe because I'm not setting up any policies in the netlogon Samba folder?

Any help greatly appreciated!

Thanks,
Patrick
Patrick Camilleri
2008-Nov-27 00:00 UTC
[Samba] Re: Logon privilege denied using Samba PDC with terminalservices
Finally managed to figure out what the problem was! Somehow in my LDAP database I had a corrupted SambaMungedDial entry which was the cause of all my troubles. I remember vaguely that it was generated by same ldap tool and I (foolishly) not knowing what it was just copied (in a wrong format) to all the other users.

Actually could anybody point me to some documentation about the purpose of the SambaMungedDial entry in the LDAP database? I wasn't able to find any useful information in the Samba documentation other than that it's an attribute in the samba schema. Is it necessary for joining Windows machines to a Samba PDC?

Thanks,
Patrick