On 8/13/2017 8:40 AM, Rowland Penny via samba wrote:
> Nothing really wrong with the [global] portion of your smb.conf (there
> are a few lines I would remove) but I do not see a profiles share. I
> would expect to see something like this:
>
> ... snip ...
>
> What I do see is something that looks like a user's home directory
> '[testuser]'

That's correct. Right now the profiles are being stored in the user's home directory. I realize that's probably unusual, but it does simplify some things, and I've never had an issue with it in Samba 3. When a user logs in when running Samba 4, I can see their profile being downloaded (via smbstatus or logs), and it's only after the profile is synchronized that the error appears. If you think that's the cause of the problem, however, I'll attempt to move them all to a common share.

> It has been quite some time since I used an NT4-style domain, but what
> I have noticed is that it is getting harder and harder to keep them
> working, not from the Samba side, but from the windows side.
>
> One thing I did notice, you are still using the deprecated smbpasswd
> passdb backend.

I agree, I'd love to move to an AD domain, but I'm trying to do small steps in order to make troubleshooting as simple as possible by doing as few changes as possible. My plan was first to go from 3 to 4, then to move from passdb to tdbsam, and then to move from NT4 to AD.

> Finally, it could be down to windows updates, try adding this to your
> smb.conf:
>
> server max protocol = NT1

Thanks, I'll give this a try shortly.

- Ian
Ian T
2017-Aug-14 03:54 UTC
[Samba] Samba 3.6 to 4.x: User Profile Service Failed the Login
On Sun, Aug 13, 2017 at 9:03 AM, Ian <yoitsmeremember at gmail.com> wrote:
>> Finally, it could be down to windows updates, try adding this to your
>> smb.conf:
>>
>> server max protocol = NT1
>
> Thanks, I'll give this a try shortly.

So when I went to test this I rebuilt samba46 (enough dependencies had changed since I last built it) and the issue no longer appears, even without that configuration option. I suspect that the issue may have been with an older dependency and not with Samba itself. However, I ran into a new issue when trying to join machines: invalid NTLMSSP_MIC / SPNEGO login failed: NT_STATUS_INVALID_PARAMETER. After reading through that thread from October of last year, it appears that NT4 style domains have not worked in Samba 4 since somewhere between 4.2.12 to 4.2.14 (inclusive), contrary to the claim that these are still supported in 4.x. So, I finally just decided to convert to tdbsam and ultimately upgrade to an AD domain.

To make a very long story short, I have things somewhat working under AD, though with 4.5 instead of 4.6 due to bugs with provisioning in 4.6. I still have a few problems remaining, the most pressing of which I'll list here:

- I've set the new realm to AD.BLKG.LOCAL, and the workgroup to BLKG (what was previously used as our NT4 domain). However, hosts appear to only be able to join the domain when using ad.blkg.local and not just blkg (as I was hoping to not have to rejoin all of our machines!). According to the wiki: "You can enter the NetBIOS name of the domain, if your client is able to resolve it." This leads me to two questions; why the netbios name instead of the workgroup, as I think of that as the host name of the server, and more importantly, is there any way to work around this that doesn't involve rejoining every PC by tomorrow morning? I noticed there are no SRV records for any domains ending in .BLKG.

- Despite having logon path = \\%N\%U\profile, it is not using the profiles that are stored in their home directory. I assume I need to set this somewhere within active directory itself via rsat, but where? I'm not even sure where (if anywhere on the PDC) the profiles are being stored right now.

- Logon scripts are no longer running despite logon script being defined and relocating the script to the new netlogon share. I assume again this is something I have to mess with over rsat?

- Passwordless accounts don't seem to be permitted despite null passwords = true?

Thanks again for all the help so far,

- Ian
Rowland Penny
2017-Aug-14 07:43 UTC
[Samba] Samba 3.6 to 4.x: User Profile Service Failed the Login
On Sun, 13 Aug 2017 22:54:38 -0500 Ian T via samba <samba at lists.samba.org> wrote:
> On Sun, Aug 13, 2017 at 9:03 AM, Ian <yoitsmeremember at gmail.com>
> wrote:
>
> >> Finally, it could be down to windows updates, try adding this to
> >> your smb.conf:
> >>
> >> server max protocol = NT1
> >
> > Thanks, I'll give this a try shortly.
>
> So when I went to test this I rebuilt samba46 (enough dependencies had
> changed since I last built it) and the issue no longer appears, even
> without that configuration option. I suspect that the issue may have
> been with an older dependency and not with Samba itself. However, I
> ran into a new issue when trying to join machines: invalid
> NTLMSSP_MIC / SPNEGO login failed: NT_STATUS_INVALID_PARAMETER.
> After reading through that thread from October of last year, it
> appears that NT4 style domains have not worked in Samba 4 since
> somewhere between 4.2.12 to 4.2.14 (inclusive), contrary to the claim
> that these are still supported in 4.x. So, I finally just decided to
> convert to tdbsam and ultimately upgrade to an AD domain.
>
> To make a very long story short, I have things somewhat working under
> AD, though with 4.5 instead of 4.6 due to bugs with provisioning in
> 4.6. I still have a few problems remaining, the most pressing of
> which I'll list here:
>
> - I've set the new realm to AD.BLKG.LOCAL,

I take it you have missed that it is a 'BAD' idea to use '.local' for your TLD.

> and the workgroup to BLKG
> (what was previously used as our NT4 domain). However, hosts appear
> to only be able to join the domain when using ad.blkg.local and not
> just blkg (as I was hoping to not have to rejoin all of our
> machines!).

Not surprising really, a new domain would have a different SID, so you will have to join all your computers to the 'new' domain even if you have used the same workgroup name.

> According to the wiki: "You can enter the NetBIOS name of
> the domain, if your client is able to resolve it." This leads me to
> two questions; why the netbios name instead of the workgroup, as I
> think of that as the host name of the server, and more importantly,
> is there any way to work around this that doesn't involve rejoining
> every PC by tomorrow morning? I noticed there are no SRV records for
> any domains ending in .BLKG.

There won't be, all your dns records will end in 'ad.blkg.local'

> - Despite having logon path = \\%N\%U\profile, it is not using the
> profiles that are stored in their home directory. I assume I need to
> set this somewhere within active directory itself via rsat, but
> where? I'm not even sure where (if anywhere on the PDC) the profiles
> are being stored right now.

AD doesn't work like an NT4-style PDC, there are numerous attributes in AD for storing things like profile paths, I suggest you read the Samba wiki, especially this page:

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

> - Logon scripts are no longer running despite logon script being
> defined and relocating the script to the new netlogon share. I
> assume again this is something I have to mess with over rsat?

Probably, I don't use them, but I am fairly sure Louis does (hint, hint)

> - Passwordless accounts don't seem to be permitted despite null
> passwords = true?

No, that will not work, also why do you want blank passwords, they are a bad idea.

Rowland