Ian T
2017-Aug-13 00:48 UTC
[Samba] Samba 3.6 to 4.x: User Profile Service Failed the Login
I posted this a while ago on the FreeBSD forums but received no response so I thought I'd ask here. If things are out of date, it's simply due to the length of time between my original post and now. A few updates I've noted since the saga began.

I'm trying to do a long overdue upgrade from samba 3.6 to 4.x (I've tried all available 4.x releases from ports, 4.2, 4.3, and 4.4 [edit: the issue still appears when testing with 4.6]), and I've run into the very strange error message in the title of this post.

I'm still trying to, for the time being, keep the NT4 style domain, and do as minimal changes as necessary to perform the upgrade. Everything is working swimmingly with 3.6 (aside from its age and lack of support), and I'm hoping for the same with samba 4. To upgrade, I took the following steps, more or less in order:

1. Stop and remove samba36 from ports
2. Install samba4x (I've tried all the current samba 4.x releases in ports)
3. Copy /usr/local/etc/smb.conf to /usr/local/etc/smb4.conf
4. Rename samba_enable to samba_server_enable in rc.conf
5. Moved the smbpasswd file into where samba 4 looks for it, /var/db/samba4/private/
6. Added acl allow execute always = true to my smb4.conf file, in case it was needed.
7. Started samba4_server

Now here's where it gets a little weird. Almost everything was working at this point. I could (and did on a test machine) leave and rejoin the domain on our Win7 desktops. Files could be downloaded/uploaded and I could open shares when I logged in on a local account on these desktops. But, if I try to log in on any user account, I get the cryptic error "User Profile Service Failed the Login."

At first I thought this was an issue with profile synchronization, but after investigating, I don't believe it is. Why? I cleared all the cached profiles off the Windows box with delprof, and then tried to log the user in, paying careful attention to log.smbd. And, sure enough, I could see it download the entire profile via samba, and it was only *after* it downloaded the profile did I get the error. So what gives?

I looked a little deeper at higher verbosity levels of logging, and I did see one curious error relating to SPNEGO, and found a few other users had issues with a change to the defaults from 3.x to 4.x, so I tried adding client use spnego = no to my smb4.conf in the global section, but this hasn't changed anything. I also tried renaming the user's existing profile, so it would create a new one upon logging in, but this hasn't helped things either.

If you have any ideas or suggestions on where to start, I'm all ears, as I'm stumped at how to proceed. Things appear to basically be functioning correctly on samba's end, but Windows refuses to let accounts log in.

P.S. - I've since been looking at packet traces, and increasingly verbose levels of logging, but my knowledge of the SMB protocol is limited.

Thanks,
- Ian
Rowland Penny
2017-Aug-13 07:06 UTC
[Samba] Samba 3.6 to 4.x: User Profile Service Failed the Login
On Sat, 12 Aug 2017 19:48:16 -0500 Ian T via samba <samba at lists.samba.org> wrote:

> I posted this a while ago on the FreeBSD forums but received no
> response so I thought I'd ask here. If things are out of date, it's
> simply due to the length of time between my original post and now. A
> few updates I've noted since the saga began.
>
> I'm trying to do a long overdue upgrade from samba 3.6 to 4.x (I've
> tried all available 4.x releases from ports, 4.2, 4.3, and 4.4 [edit:
> the issue still appears when testing with 4.6]), and I've run into
> the very strange error message in the title of this post.
>
> I'm still trying to, for the time being, keep the NT4 style domain,
> and do as minimal changes as necessary to perform the upgrade.
> Everything is working swimmingly with 3.6 (aside from its age and
> lack of support), and I'm hoping for the same with samba 4. To
> upgrade, I took the following steps, more or less in order:
>
> 1. Stop and remove samba36 from ports
> 2. Install samba4x (I've tried all the current samba 4.x releases in
> ports)
> 3. Copy /usr/local/etc/smb.conf to /usr/local/etc/smb4.conf

Can you start by posting your smb4.conf, without this we are guessing what type of server you have.

Rowland
On 8/13/2017 2:06 AM, Rowland Penny via samba wrote:

> Can you start by posting your smb4.conf, without this we are guessing
> what type of server you have.
>
> Rowland

Sure thing. As I stated earlier, except for the two added options (client use spnego and acl allow execute always) it's identical to my Samba 3 config. Also, I've trimmed down things to just an example user as the actual config is over 1K lines.

# Samba 4 config
[global]
    workgroup = BLKG
    server string = PDC
    encrypt passwords = Yes
    null passwords = true
    log level = 2
    max log size = 5000
    socket options = TCP_NODELAY SO_RCVBUF=64240 SO_SNDBUF=64240
    use sendfile = yes
    load printers = no
    wins support = yes
    security = user
    domain master = yes
    local master = yes
    preferred master = yes
    domain logons = yes
    username map = /usr/local/etc/smbusers
    passdb backend = smbpasswd
    hide dot files = yes
    dns proxy = no
    client use spnego = no
    os level = 65
    printing = BSD
    interfaces = 192.168.192.5 127.0.0.0/8
    hosts allow = 192.168.0.0/16
    time server = yes
    logon script = LOGON.bat
    unix password sync = true
    pam password change = no
    passwd chat = *New*Password* %n\n *Retype*Password* %n\n *Changed*
    passwd program = /usr/bin/passwd %u
    acl allow execute always = true
    # Try Aio
    aio read size = 16384
    aio write size = 16384
    aio write behind = true
    # Weird bug
    client signing = false
    # Cut old smbd
    deadtime = 15

[netlogon]
    comment=Netlogon Share
    path=/home/netlogon
    read only =yes
    write list =@wheel

# A typical user looks like this:
[testuser]
    comment = Test User
    path = /home/testuser
    create mask = 770
    force directory mode = 0770
    force group = testuser
    valid users = testuser, at test
    vfs object = shadow_copy2
    shadow:sort = desc
    shadow:snapdir = .zfs/snapshot
    shadow:format = %Y%m%d%H%M
    shadow:localtime = yes
    writeable = Yes
    csc policy = disable