I am in the process of implementing a new SAMBA install Version
3.6.3-34.12.1-2797-SUSE-SL12.1-x86_64 on OpenSuse 12.1.
I am using LDAP as my backend and LAM to manage my LDAP accounts. Things
were going well until recently. Suddenly any newly created user can not
logon (win7). Any accounts that I created prior to last week can still
logon to the workstation.
The only changes I recall making involve add machine script. I moved from
using useradd to using smbldap-useradd so machine accounts would only be
created in LDAP and not locally. Also, in yast, I changed the LDAP client
Naming Context from ou=users,dc=nctschools,dc=org to
dc=nctschools,dc=org to allow the local LDAP client to find machine
accounts, as they are not created in the user context.
However, I don't believe any of these changes could be causing the
"group policy client service failed the logon. Access denied" error I am
receiving. I could be wrong though. Any help would be GREAT.
Thanks
Here is my smb.conf
[global]
workgroup = NEVSD
map to guest = Bad User
passdb backend = ldapsam:ldap://SAMBA1.nctschools.org
log level = 3
log file = /var/log/samba/log.%m
printcap name = cups
add machine script = /usr/sbin/smbldap-useradd -t 1 -w -c Machine -d /var/lib/nobody -s /bin/false %m$
logon path = \\%L\profiles\%U
logon drive = P:
logon home = \\%L\%U\.9xprofile
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Administrator,dc=nctschools,dc=org
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = yes
ldap suffix = dc=nctschools,dc=org
ldap user suffix = ou=Users
idmap config * : backend = ldap:ldap://SAMBA1.nctschools.org
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
read only = No
inherit acls = Yes
browseable = No
[profiles]
comment = Network Profiles Service
path = %H
read only = No
create mask = 0600
directory mask = 0700
store dos attributes = Yes
--
Shawn Dakin (CNE)
Director of Technology
Newcomerstown Schools
Gaiseric Vandal
2012-Jun-05 00:47 UTC
[Samba] group policy client service failed the logon
Maybe the group membership or primary group is getting messed up for the new
users?
Can you compare the unix, ldap and windows group properties for a new and an
older user?
# pdbedit -Lv username
# net rpc user info username -U administrator
# groups username
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Shawn Dakin
Sent: Monday, June 04, 2012 3:07 PM
To: samba at lists.samba.org
Subject: [Samba] group policy client service failed the logon
I am in the process of implementing a new SAMBA install Version
3.6.3-34.12.1-2797-SUSE-SL12.1-x86_64 on OpenSuse 12.1. I am using LDAP as my
backend and LAM to manage my LDAP accounts. Things were going well until
recently. Suddenly any newly created user can not logon (win7). Any accounts
that I created prior to last week can still logon to the workstation.
The only changes I recall making involve add machine script. I moved from
using useradd to using smbldap-useradd so machine accounts would only be
created in LDAP and not locally. Also, in yast, I changed the LDAP client
Naming Context from ou=users,dc=nctschools,dc=org to
dc=nctschools,dc=org to allow the local LDAP client to find machine
accounts, as they are not created in the user context.
However, I don't believe any of these changes could be causing the
"group policy client service failed the logon. Access denied" error I am
receiving. I could be wrong though. Any help would be GREAT.
Thanks
Here is my smb.conf
[global]
workgroup = NEVSD
map to guest = Bad User
passdb backend = ldapsam:ldap://SAMBA1.nctschools.org
log level = 3
log file = /var/log/samba/log.%m
printcap name = cups
add machine script = /usr/sbin/smbldap-useradd -t 1 -w -c Machine -d /var/lib/nobody -s /bin/false %m$
logon path = \\%L\profiles\%U
logon drive = P:
logon home = \\%L\%U\.9xprofile
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Administrator,dc=nctschools,dc=org
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = yes
ldap suffix = dc=nctschools,dc=org
ldap user suffix = ou=Users
idmap config * : backend = ldap:ldap://SAMBA1.nctschools.org
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
read only = No
inherit acls = Yes
browseable = No
[profiles]
comment = Network Profiles Service
path = %H
read only = No
create mask = 0600
directory mask = 0700
store dos attributes = Yes
--
Shawn Dakin (CNE)
Director of Technology
Newcomerstown Schools
Finally, I have settled on the cause of the problem. The SambaSID is causing problems when created through LAM. I am not sure why it was working but now has a problem, but the issue appears to be the SambaSID range that the new users are created in. However older users in the same range have no issues. I am continuing to investigate. Any help would be appreciated.
Ok, the problem is that I have a specific sambasid that will not allow a user to login. The problem is not with LAM specifically. Conclusion, the "group policy client service failed the logon" error occurs only when a user has a specific sambasid. I will close this thread and start a new one.
On Thu, Jun 7, 2012 at 1:24 PM, Shawn Dakin <dakinsh00 at staff.nctschools.org> wrote:
> Finally, I have settled on the cause of the problem.
> The SambaSID is causing problems when created through LAM.
> I am not sure why it was working but now has a problem, but the issue
> appears to be the SambaSID range that the new users are created in.
> However older users in the same range have no issues. I am continuing
> to investigate. Any help would be appreciated.
--
Shawn Dakin (CNE)
Director of Technology
Newcomerstown Schools
659 S. Beaver St.
Newcomerstown Oh, 43832
Office 740-498-4999
Cell 740-227-0339
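Added example, not part of the thread: one way to carry out the comparison suggested above, by diffing `pdbedit -Lv` output for an account that can log on against one that cannot, with attention to the SID fields the thread ends on. The two excerpts, user names and SIDs are constructed placeholders, and the difference planted in them is for illustration only; it is not the cause found in this thread.

```python
import re

# Constructed `pdbedit -Lv` excerpts; user names and SIDs are placeholders.
OLD_USER = """
Unix username:        olduser
Account Flags:        [U          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-3004
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-513
Domain:               NEVSD
"""
NEW_USER = """
Unix username:        newuser
Account Flags:        [U          ]
User SID:             S-1-5-21-1111111111-2222222222-4444444444-3010
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-513
Domain:               NEVSD
"""

SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")

def parse_pdbedit(text):
    """Turn 'Key:   value' lines into a dict (split on the first colon only)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def split_sid(sid):
    """Return (domain_sid, rid) for a domain account SID, else (None, None)."""
    m = SID_RE.match(sid or "")
    return (m.group(1), int(m.group(2))) if m else (None, None)

def compare_accounts(good_text, bad_text):
    """List account properties that differ between a working and a failing user."""
    good, bad = parse_pdbedit(good_text), parse_pdbedit(bad_text)
    findings = [f"{k} differs: {good.get(k)!r} vs {bad.get(k)!r}"
                for k in ("Account Flags", "Primary Group SID", "Domain")
                if good.get(k) != bad.get(k)]
    g_dom, g_rid = split_sid(good.get("User SID"))
    b_dom, b_rid = split_sid(bad.get("User SID"))
    if b_dom is None:
        findings.append(f"User SID is not a domain SID: {bad.get('User SID')!r}")
    elif b_dom != g_dom:
        findings.append(f"User SID domain part differs: {b_dom} vs {g_dom}")
    pg_dom, _ = split_sid(bad.get("Primary Group SID"))
    if b_dom and pg_dom and pg_dom != b_dom:
        findings.append("Primary Group SID and User SID have different domain parts")
    return {"findings": findings, "rids": (g_rid, b_rid)}

if __name__ == "__main__":
    print(compare_accounts(OLD_USER, NEW_USER))
```

The returned RIDs are reported rather than judged, so they can be checked by hand against the RID range the account tool is configured to allocate from.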