On 8/13/2017 2:06 AM, Rowland Penny via samba wrote:
> Can you start by posting your smb4.conf, without this we are guessing
> what type of server you have.
>
> Rowland

Sure thing. As I stated earlier, except for the two added options (client use spnego and acl allow execute always) it's identical to my Samba 3 config. Also, I've trimmed down things to just an example user as the actual config is over 1K lines.

    # Samba 4 config
    [global]
    workgroup = BLKG
    server string = PDC
    encrypt passwords = Yes
    null passwords = true
    log level = 2
    max log size = 5000
    socket options = TCP_NODELAY SO_RCVBUF=64240 SO_SNDBUF=64240
    use sendfile = yes
    load printers = no
    wins support = yes
    security = user
    domain master = yes
    local master = yes
    preferred master = yes
    domain logons = yes
    username map = /usr/local/etc/smbusers
    passdb backend = smbpasswd
    hide dot files = yes
    dns proxy = no
    client use spnego = no
    os level = 65
    printing = BSD
    interfaces = 192.168.192.5 127.0.0.0/8
    hosts allow = 192.168.0.0/16
    time server = yes
    logon script = LOGON.bat
    unix password sync = true
    pam password change = no
    passwd chat = *New*Password* %n\n *Retype*Password* %n\n *Changed*
    passwd program = /usr/bin/passwd %u
    acl allow execute always = true
    # Try Aio
    aio read size = 16384
    aio write size = 16384
    aio write behind = true
    # Weird bug
    client signing = false
    # Cut old smbd
    deadtime = 15

    [netlogon]
    comment=Netlogon Share
    path=/home/netlogon
    read only =yes
    write list =@wheel

    # A typical user looks like this:
    [testuser]
    comment = Test User
    path = /home/testuser
    create mask = 770
    force directory mode = 0770
    force group = testuser
    valid users = testuser, at test
    vfs object = shadow_copy2
    shadow:sort = desc
    shadow:snapdir = .zfs/snapshot
    shadow:format = %Y%m%d%H%M
    shadow:localtime = yes
    writeable = Yes
    csc policy = disable

Rowland Penny
2017-Aug-13 13:40 UTC
[Samba] Samba 3.6 to 4.x: User Profile Service Failed the Login
On Sun, 13 Aug 2017 07:37:54 -0500 Ian via samba <samba at lists.samba.org> wrote:
> On 8/13/2017 2:06 AM, Rowland Penny via samba wrote:
> > Can you start by posting your smb4.conf, without this we are
> > guessing what type of server you have.
> >
> > Rowland
>
> Sure thing. As I stated earlier, except for the two added options
> (client use spnego and acl allow execute always) it's identical to my
> Samba 3 config. Also, I've trimmed down things to just an example
> user as the actual config is over 1K lines.
>
> # Samba 4 config
> [global]
> workgroup = BLKG
> server string = PDC
> encrypt passwords = Yes
> null passwords = true
> log level = 2
> max log size = 5000
> socket options = TCP_NODELAY SO_RCVBUF=64240 SO_SNDBUF=64240
> use sendfile = yes
> load printers = no
> wins support = yes
> security = user
> domain master = yes
> local master = yes
> preferred master = yes
> domain logons = yes
> username map = /usr/local/etc/smbusers
> passdb backend = smbpasswd
> hide dot files = yes
> dns proxy = no
> client use spnego = no
> os level = 65
> printing = BSD
> interfaces = 192.168.192.5 127.0.0.0/8
> hosts allow = 192.168.0.0/16
> time server = yes
> logon script = LOGON.bat
> unix password sync = true
> pam password change = no
> passwd chat = *New*Password* %n\n *Retype*Password* %n\n *Changed*
> passwd program = /usr/bin/passwd %u
> acl allow execute always = true
> # Try Aio
> aio read size = 16384
> aio write size = 16384
> aio write behind = true
> # Weird bug
> client signing = false
> # Cut old smbd
> deadtime = 15
>
> [netlogon]
> comment=Netlogon Share
> path=/home/netlogon
> read only =yes
> write list =@wheel
>
> # A typical user looks like this:
> [testuser]
> comment = Test User
> path = /home/testuser
> create mask = 770
> force directory mode = 0770
> force group = testuser
> valid users = testuser, at test
> vfs object = shadow_copy2
> shadow:sort = desc
> shadow:snapdir = .zfs/snapshot
> shadow:format = %Y%m%d%H%M
> shadow:localtime = yes
> writeable = Yes
> csc policy = disable

Nothing really wrong with the [global] portion of your smb.conf (there are a few lines I would remove) but I do not see a profiles share. I would expect to see something like this:

    [profiles]
    comment = User Profiles
    path = /path/to/where/you/want/store/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = no
    csc policy = disable

What I do see is something that looks like a users home directory '[testuser]'

It has been quite some time since I used an NT4-style domain, but what I have noticed is that it is getting harder and harder to keep them working, not from the Samba side, but from the windows side.

One thing I did notice, you are still using the deprecated smbpasswd passdb backend.

Finally, it could be down to windows updates, try adding this to your smb.conf:

    server max protocol = NT1

Rowland

On 8/13/2017 8:40 AM, Rowland Penny via samba wrote:
> Nothing really wrong with the [global] portion of your smb.conf (there
> are a few lines I would remove) but I do not see a profiles share. I
> would expect to see something like this:
>
> ... snip ...
>
> What I do see is something that looks like a users home directory
> '[testuser]'

That's correct. Right now the profiles are being stored in the user's home directory. I realize that's probably unusual, but it does simplify some things, and I've never had an issue with it in Samba 3. When a user logs in when running Samba 4, I can see their profile being downloaded (via smbstatus or logs), and it's only after the profile is synchronized that the error appears. If you think that's the cause of the problem, however, I'll attempt to move them all to a common share.

> It has been quite some time since I used an NT4-style domain, but what
> I have noticed is that it is getting harder and harder to keep them
> working, not from the Samba side, but from the windows side.
>
> One thing I did notice, you are still using the deprecated smbpasswd
> passdb backend.

I agree, I'd love to move to an AD domain, but I'm trying to do small steps in order to make troubleshooting as simple as possible by doing as few changes as possible. My plan was first to go from 3 to 4, then to move from passdb to tdbsam, and then to move from NT4 to AD.

> Finally, it could be down to windows updates, try adding this to your
> smb.conf:
>
> server max protocol = NT1

Thanks, I'll give this a try shortly.

- Ian
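
Added example, not part of any message in this thread: a small Python check that parses an smb.conf and flags the [global] settings discussed above that relax authentication or protocol protections, so they can be revisited once the migration works. The checklist, function names and sample text are assumptions of this example, and parameter synonyms are not resolved; `testparm` remains the authoritative parser.

```python
import re

# Constructed sample: options quoted in the thread plus the NT1 suggestion.
SAMPLE_CONF = """\
[global]
    passdb backend = smbpasswd
    Null Passwords = true
    client use spnego = no
    # Weird bug
    client signing = false
    server max protocol = NT1
[testuser]
    path = /home/testuser
"""

OFF, ON = {"no", "false", "0", "off", "disabled"}, {"yes", "true", "1", "on"}
# Reviewer's checklist (an assumption of this example); keys are normalised names.
CHECKS = {
    "nullpasswords": (lambda v: v in ON, "accounts with empty passwords can log on"),
    "clientsigning": (lambda v: v in OFF, "SMB signing off for client connections"),
    "clientusespnego": (lambda v: v in OFF, "SPNEGO off for client connections"),
    "servermaxprotocol": (lambda v: v == "nt1", "server limited to SMB1"),
    "passdbbackend": (lambda v: v.startswith("smbpasswd"), "deprecated backend"),
}

def norm(name):  # smb.conf ignores case and whitespace in names
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {param: value}} with normalised section/param names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)  # only the first '=' counts
            conf[section][norm(key)] = value.strip()
    return conf

def audit_global(text):
    """Return sorted (param, value, reason) for flagged [global] settings."""
    settings = parse_smb_conf(text).get("global", {})
    return sorted((k, settings[k], why) for k, (bad, why) in CHECKS.items()
                  if k in settings and bad(settings[k].lower()))
```

Calling `audit_global(SAMPLE_CONF)` returns one tuple per flagged parameter; a config using `client signing = mandatory`, `passdb backend = tdbsam` and an SMB2 or SMB3 maximum returns an empty list.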