samba - Jan 2012 - The Group Policy Client service failed the logon. Access is denied.

Hello all,

          Let give the background.  We replaced our PDC with a new
machine.  Both old and new machines are running Debian 6.0 Squeeze and
Samba 3.5.6.  moved all data and user accounts to new server.  New
server has the exact same configuration files as the old server.  All
machines have been rejoined to the domain both WinXP and Win7.  The
WinXP machines work perfectly all domain users can login with their
roaming profiles and all is good.  However on the Win7 machines none
of the network users can log in to the machine.  Upon attempting you
get the this error "The Group Policy Client service failed the logon.
Access is denied."  After Googling around for a solution I have
attempted the following solutions:

1) Delete the roaming profile
       Machine recreates the roaming profile but denies login
2) Delete registry key from
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>Current
Version>Profilelist>[USERSKEY]
       Machine recreates the key but denies login
3) Both 1&2 at the same time
       Machine recreates the roaming profile and the key but denies login

Any pointers would be greatly appreciated see smb.conf file below.


[global]
	smb passwd file = /etc/samba/passdb.tdb
	enable privileges = yes
	logon drive = H:
	domain master = yes
	encrypt passwords = true
	logon home = \\%L\%U
	netbios name = ARDVARC
	server string = Gaudior's PDC
	logon script = logon.bat
	local master = yes
	workgroup = GAUACA
	logon path = \\%L\%U\profile
	os level = 99
	security = user
	add machine script = /usr/sbin/useradd -s /bin/false \-d /dev/null %u
	preferred master = yes
	domain logons = yes
	hide files = /desktop.ini/$RECYCLE.BIN/profile/profile.V2/
	guest account = nobody
	map to guest = bad user
	wins support = yes

[staff]
	comment = staff share drive
	path = /home/staff/share
	read only = no
	;valid users 
[student]
	comment = student share by level
	path = /home/student/share
	read only = no

[netlogon]
	comment = Net Logon Service
	path = /home/netlogon
	read only = yes
	write list = root
	public = yes
	guest ok = yes
	browsable = no

[homes]
	comment = Home
	valid users = %S
	read only = no
	browsable = no


-- 
Mathew E. Enders

"Where once Samba and Apache sold Linux to the world they are now just
part of the plumbing. ?But that's OK, plumbers make good money."
--Jeremy Allison

From: Mat Enders <mat.enders at gmail.com>
Date: Wed, 4 Jan 2012 02:38:57 -0500
>           Let give the background.  We replaced our PDC with a new
> machine.  Both old and new machines are running Debian 6.0 Squeeze and
> Samba 3.5.6.  moved all data and user accounts to new server.
(snip)
> However on the Win7 machines none
> of the network users can log in to the machine.  Upon attempting you
> get the this error "The Group Policy Client service failed the logon.
> Access is denied."  After Googling around for a solution I have
> attempted the following solutions:
You re-created all Samba users?
I met same issue when I re-used passdb.tdb from old machine, because
old machine's SID and new machine's SID was not same.

Or to edit all users' SID manually, the issue will be solved, I think.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>

Hey There Mat,

Have You Changed The Windows 7 Laman Compatilibility and that stuff on 
Windows 7?

Best Regards,
Vasco Le?nidas Pinto Leal
IT Director
JUZO - Inform?tica e Servi?os, Lda

Mozilla Thunderbird, The Mail Rebirth!

Still Stucked With Windows? Give Linux a Try And Enhance Your Work!


Em 04-01-2012 07:38, Mat Enders escreveu:
> Hello all,
>
>            Let give the background.  We replaced our PDC with a new
> machine.  Both old and new machines are running Debian 6.0 Squeeze and
> Samba 3.5.6.  moved all data and user accounts to new server.  New
> server has the exact same configuration files as the old server.  All
> machines have been rejoined to the domain both WinXP and Win7.  The
> WinXP machines work perfectly all domain users can login with their
> roaming profiles and all is good.  However on the Win7 machines none
> of the network users can log in to the machine.  Upon attempting you
> get the this error "The Group Policy Client service failed the logon.
> Access is denied."  After Googling around for a solution I have
> attempted the following solutions:
>
> 1) Delete the roaming profile
>         Machine recreates the roaming profile but denies login
> 2) Delete registry key from
> HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>Current
> Version>Profilelist>[USERSKEY]
>         Machine recreates the key but denies login
> 3) Both 1&2 at the same time
>         Machine recreates the roaming profile and the key but denies login
>
> Any pointers would be greatly appreciated see smb.conf file below.
>
>
> [global]
> 	smb passwd file = /etc/samba/passdb.tdb
> 	enable privileges = yes
> 	logon drive = H:
> 	domain master = yes
> 	encrypt passwords = true
> 	logon home = \\%L\%U
> 	netbios name = ARDVARC
> 	server string = Gaudior's PDC
> 	logon script = logon.bat
> 	local master = yes
> 	workgroup = GAUACA
> 	logon path = \\%L\%U\profile
> 	os level = 99
> 	security = user
> 	add machine script = /usr/sbin/useradd -s /bin/false \-d /dev/null %u
> 	preferred master = yes
> 	domain logons = yes
> 	hide files = /desktop.ini/$RECYCLE.BIN/profile/profile.V2/
> 	guest account = nobody
> 	map to guest = bad user
> 	wins support = yes
>
> [staff]
> 	comment = staff share drive
> 	path = /home/staff/share
> 	read only = no
> 	;valid users >
> [student]
> 	comment = student share by level
> 	path = /home/student/share
> 	read only = no
>
> [netlogon]
> 	comment = Net Logon Service
> 	path = /home/netlogon
> 	read only = yes
> 	write list = root
> 	public = yes
> 	guest ok = yes
> 	browsable = no
>
> [homes]
> 	comment = Home
> 	valid users = %S
> 	read only = no
> 	browsable = no
>
>

I did not ruse the old tdb I recreated all of the users from scratch and moved
their home directory data then chown their home directories to give correct
owner and group of files. I do not create the  Samba users I have it set so when
I create a new Linux user the Samba user is created. If it where the tdb
wouldn't their be problems when logging in to an XP machine.
------Original Message------
From: TAKAHASHI Motonobu
To: Menders
Cc: samba at lists.samba.org
Subject: Re: [Samba] The Group Policy Client service failed the logon. Access is
denied.
Sent: Jan 4, 2012 04:20

From: Mat Enders <mat.enders at gmail.com>
Date: Wed, 4 Jan 2012 02:38:57 -0500
>           Let give the background.  We replaced our PDC with a new
> machine.  Both old and new machines are running Debian 6.0 Squeeze and
> Samba 3.5.6.  moved all data and user accounts to new server.
(snip)
> However on the Win7 machines none
> of the network users can log in to the machine.  Upon attempting you
> get the this error "The Group Policy Client service failed the logon.
> Access is denied."  After Googling around for a solution I have
> attempted the following solutions:
You re-created all Samba users?
I met same issue when I re-used passdb.tdb from old machine, because
old machine's SID and new machine's SID was not same.

Or to edit all users' SID manually, the issue will be solved, I think.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>

Mat Enders from my BlackBerry?