This is a freshly provisioned Samba 4.0.0-rc5 installation.

I provisioned the domain and created shares in the configuration file to match an existing Samba 3.5.x installation that we're moving away from (or at least, that's the plan...) for various reasons.

I then moved all the contents of the shares over from the old server to the new server via rsync, including home directories and user profiles.

I then changed the permissions on the profiles and home directories to match the POSIX IDs which were created by Samba 4 when I created the users using the Active Directory Users and Computers management tool from a workstation that I bound to the domain.

I then created a Group Policy, which applied itself successfully to the workstation.

So far, so good.

However, I can only login as DOMAIN\Administrator or DOMAIN\{$USER} where $USER is a user account that has membership in the Domain Admins group. I am completely unable to login as any user that is not in Domain Admins. When I attempt to do so, the workstation returns the error message "The Group Policy Client service failed the logon. Access is denied."

There is nothing in the Windows Event Log indicating an access denied message, and there is nothing in the Windows Event Log indicating any other problems at the time that the error message is displayed or within the time that the login process is pending.

There are no messages in the Samba 4 log, either, with the debug level set to 9.

The best that I can come up with is that this is a permissions problem of _some_ sort, but I cannot determine what it is. The system running Samba has no MAC security systems in the way (e.g., no SELinux or anything like that, just simple UNIX DAC). The permissions on SYSVOL and NETLOGON are completely unmodified by me.

Can someone give me an idea of where to start looking? I tried to figure out perhaps what the ID numbers in the ACLs are for the SYSVOL share, but wbinfo doesn't seem to know anything about ID numbers 3000000-3000003, which are the IDs on the share itself. The lowest ID number that I have which appears in user or group lists as returned by wbinfo is 3000004.

Any help would be appreciated, as I have been banging my head against this brick wall for hours now, to no avail.

Thanks,
Mike
On 11/24/2012 03:35 PM, Michael Trausch wrote:
> This is a freshly provisioned Samba 4.0.0-rc5 installation.
>
> I provisioned the domain and created shares in the configuration file
> to match an existing Samba 3.5.x installation that we're moving away
> from (or at least, that's the plan...) for various reasons.
>
> I then moved all the contents of the shares over from the old server
> to the new server via rsync, including home directories and user
> profiles.
>
> I then changed the permissions on the profiles and home directories to
> match the POSIX IDs which were created by Samba 4 when I created the
> users using the Active Directory Users and Computers management tool
> from a workstation that I bound to the domain.
>
> I then created a Group Policy, which applied itself successfully to
> the workstation.
>
> So far, so good.
>
> However, I can only login as DOMAIN\Administrator or DOMAIN\{$USER}
> where $USER is a user account that has membership in the Domain Admins
> group. I am completely unable to login as any user that is not in
> Domain Admins. When I attempt to do so, the workstation returns the
> error message "The Group Policy Client service failed the logon.
> Access is denied."
>
> There is nothing in the Windows Event Log indicating an access denied
> message, and there is nothing in the Windows Event Log indicating any
> other problems at the time that the error message is displayed or
> within the time that the login process is pending.
>
> There are no messages in the Samba 4 log, either, with the debug level
> set to 9.
>
> The best that I can come up with is that this is a permissions problem
> of _some_ sort, but I cannot determine what it is. The system running
> Samba has no MAC security systems in the way (e.g., no SELinux or
> anything like that, just simple UNIX DAC). The permissions on SYSVOL
> and NETLOGON are completely unmodified by me.
>
> Can someone give me an idea of where to start looking? I tried to
> figure out perhaps what the ID numbers in the ACLs are for the SYSVOL
> share, but wbinfo doesn't seem to know anything about ID numbers
> 3000000-3000003, which are the IDs on the share itself. The lowest ID
> number that I have which appears in user or group lists as returned by
> wbinfo is 3000004.

Try to do kinit simple_user@MYDOMAIN.TLD; try also to disable the GPO.

Try to trace and see if there is any kind of denied message (in netlogon, smb, smb2 messages).

--
Matthieu Patou
Samba Team
http://samba.org
On 11/24/2012 07:35 PM, Matthieu Patou wrote:
> Try to do kinit simple_user@MYDOMAIN.TLD; try also to disable the GPO.

When I attempt login as a normal user, there are success messages for Kerberos login.

On the Samba 4 server itself, kinit works just fine.

When I login to the joined workstation as Administrator and then attempt to run kinit, I am told that the command does not exist.

> Try to trace and see if there is any kind of denied message (in
> netlogon, smb, smb2 messages).

I assume that you mean to run "samba -i -M single -d 99 --debug-stderr"? I did so and redirected the output to a file. I then attempted to login as a normal user, which of course failed with the Group Policy Client error message. I found no occurrences of the words "access", "denied", "fail", or "deny". I found several lines saying "error: 0", but when I then eliminated those lines there were no remaining lines with the word "error".

---
Mike
On 11/24/2012 07:35 PM, Matthieu Patou wrote:
> Try to do kinit simple_user@MYDOMAIN.TLD; try also to disable the GPO.
>
> Try to trace and see if there is any kind of denied message (in
> netlogon, smb, smb2 messages).

I tried again under "strace" and got no EACCES error messages of any sort.

---
Mike
On 11/24/2012 07:35 PM, Matthieu Patou wrote:
> Try to do kinit simple_user@MYDOMAIN.TLD; try also to disable the GPO.

Disabling the GPO also had no effect.

---
Mike
On 11/24/2012 04:47 PM, Michael Trausch wrote:
> On 11/24/2012 07:35 PM, Matthieu Patou wrote:
>> Try to do kinit simple_user@MYDOMAIN.TLD; try also to disable the GPO.
>
> When I attempt login as a normal user, there are success messages for
> Kerberos login.
>
> On the Samba 4 server itself, kinit works just fine.
>
> When I login to the joined workstation as Administrator and then
> attempt to run kinit, I am told that the command does not exist.
>
>> Try to trace and see if there is any kind of denied message (in
>> netlogon, smb, smb2 messages).
>
> I assume that you mean to run "samba -i -M single -d 99
> --debug-stderr"? I did so and redirected the output to a file. I
> then attempted to login as a normal user, which of course failed with
> the Group Policy Client error message.

No, I meant use Wireshark to do a trace (https://wiki.samba.org/index.php/Capture_Packets).

Matthieu.

--
Matthieu Patou
Samba Team
http://samba.org
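The checks suggested in the thread (kinit as a plain user, then read the policy files as that user, then capture the logon for Wireshark), plus a lookup of the 3000000-3000003 ids that wbinfo could not resolve, collected into one script as an added example. This is not code from the thread or from the Samba project. The DC host name, the realm, the install prefix /usr/local/samba, the sysvol path and the capture interface are placeholders; that the DC's own idmap.ldb is the place to look up those ids is my assumption, not something either poster states.

```shell
#!/bin/sh
# Added example (not from the thread): walk through the checks suggested for
# the "Group Policy Client service failed the logon. Access is denied." symptom.
# Every value marked "assumed" is a placeholder for the real site.
set -u

DC=${DC:-dc1.mydomain.tld}                                  # assumed DC host name
REALM=${REALM:-MYDOMAIN.TLD}                                # assumed Kerberos realm
SAMBA_PRIVATE=${SAMBA_PRIVATE:-/usr/local/samba/private}    # assumed install prefix
SYSVOL=${SYSVOL:-/usr/local/samba/var/locks/sysvol}         # assumed sysvol path

# Classify a transcript from smbclient (or any Samba tool) by the NT_STATUS
# code it contains. Prints one of: ok, denied, logon_failure, other.
smb_status() {
    out=$(cat)
    case "$out" in
        *NT_STATUS_ACCESS_DENIED*) echo denied ;;
        *NT_STATUS_LOGON_FAILURE*) echo logon_failure ;;
        *NT_STATUS_*)              echo other ;;
        *)                         echo ok ;;
    esac
}

# Pull the numeric uids/gids out of `getfacl -n` output (owner line, group
# line and named user:/group: entries), one per line, sorted, de-duplicated.
acl_numeric_ids() {
    sed -n \
        -e 's/^# owner: \([0-9][0-9]*\)$/\1/p' \
        -e 's/^# group: \([0-9][0-9]*\)$/\1/p' \
        -e 's/^\(default:\)\{0,1\}user:\([0-9][0-9]*\):.*/\2/p' \
        -e 's/^\(default:\)\{0,1\}group:\([0-9][0-9]*\):.*/\2/p' |
    sort -n -u
}

# Step 1: get a ticket as a plain (non-Domain Admins) user in a private
# credential cache, so the later checks never run with Administrator's ticket.
check_kinit() {   # usage: check_kinit simple_user
    KRB5CCNAME="FILE:/tmp/krb5cc_gpo_test.$$"
    export KRB5CCNAME
    kinit "$1@$REALM" && klist
}

# Step 2: as that user, read what the Group Policy client reads at logon:
# the Policies directory under the domain folder on the sysvol share.
check_sysvol() {
    smbclient -k "//$DC/sysvol" -c 'ls; cd domain\Policies; ls' 2>&1 |
        tee "/tmp/sysvol_test.$$" | smb_status
}

# Step 3 (assumption, not from the thread): the DC keeps its own xid->SID
# mapping in idmap.ldb, so look ids wbinfo does not know up there.
resolve_xids() {  # usage: resolve_xids 3000000 3000001 ...
    for id in "$@"; do
        ldbsearch -H "$SAMBA_PRIVATE/idmap.ldb" "(xidNumber=$id)" objectSid type
    done
}

# Step 4: capture the logon on the DC for Wireshark (SMB, Kerberos, LDAP).
capture_logon() {  # usage: capture_logon eth0 /tmp/logon.pcap
    tcpdump -i "$1" -s 0 -w "$2" 'port 445 or port 139 or port 88 or port 389'
}

if [ "${1:-}" = "--run" ]; then
    user=${2:?usage: $0 --run simple_user}
    check_kinit "$user"
    echo "sysvol read as $user: $(check_sysvol)"
    echo "numeric ids found on sysvol ACLs, resolved from idmap.ldb:"
    resolve_xids $(getfacl -n -R "$SYSVOL" | acl_numeric_ids)
fi
```

Run it on the DC as `sh gpo_check.sh --run simple_user` (run `capture_logon` separately, in another terminal, while the workstation logon is attempted). The two pure functions, smb_status and acl_numeric_ids, are what the rest of the script hangs on: a "denied" result from check_sysvol under the plain user's ticket, with "ok" under Administrator's, would put the problem in the sysvol permissions rather than in Kerberos.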