[Samba] Problems with several accounts after Samba 2.x to 3.5.8 migration

2011-05-27 Thread Marc Richter 
Hi everyone,

my last question was some kind of bumpy and hard to understand. So I
will try a better explanation of the issue this time.

I was running a Samba 3.0.26a and tdbsam based PDC with roaming profiles
for several years. Now the need came up to serve Windows Vista and up
with roaming profiles, too.

I patched all Vista, 7 and Server 2008 R2 nodes with the .reg provided
in $SOURCE/docs-xml/registry/Win7_Samba3DomainMember.reg .

On the PDC side, I copied all *.tdb Databases from the old node to the
new one and saved them in /etc/samba/private .
When I restarted the new samba, I could see all the old users,
successfully by issuing pdbedit -L .

I joined the new domain with all clients successfully, too.

Since the logon-errors seem to be identically in Windows Vista, 7 and
Server 2008 R2, I'll refer these machines as new profile in common
from now on.

Now I have the following issue:
We do have round about 50 users using this PDC for login to their
computers and roaming. When 10 of them try to login on a new profile
machine, they usually get one of two errors. Either, they do logoff
after Windows has tried to logon them after round about one minute
without even displaying the Desktop once or displaying an errormessage,
or they get the error displayed, that they do not have permission to
connect to the group policy service.

I have traced this for two weeks now, but cannot find any hint. Neither
in the logfiles, nor by using google, nor by trail  error. I have to
admit that I cannot really understand what is happening when I have a
look at the logfiles, since they seem to be very cryptic and do not
offer their meaning to not-developers; at least not to me.

What I have tried so far:

1)
It has to be some issue with the accounts, since the users, having this
problems do have them on any machine running a new profile OS, while
others can logon to these machines seamless.

2)
Those users, having these issues at new profile machines can logon in 2K
and XP machines without a problem.

3)
I had the suspicion that it has something to do with the profiles
already saved either in the client or the PDC. So I have done the following:
First, I logged into a new profile machine as local administrator and
deleted all the user's subfolders in Documents and Settings (for
example: when the user's login is ab I delete ab, ab.domain,
ab.domain0, ...). After that, I removed all the directories in the
folder on the PDC, which contains the user's roaming profiles. Then I
set the user's (empty) roaming profile directory on the PDC to
permission 777 to be completely sure that every right exists which the
logon process might need.
Then I logged in with the user's account on a new profile machine and
got the same error behavior of the client.

4)
I deleted the user from the samba tdb database using smbpasswd -x
username and validated the success with pdbedit -Lv username, which
displayed not found then.
After that, I recreated the user by issuing smbpasswd -a username and
giving his password. I validated the success by issuing pdbedit -Lv
username again and get:

Unix username:Username
NT username:
Account Flags:[U  ]
User SID: S-1-5-21-3657164528-3206697869-1154195925-1172
Primary Group SID:S-1-5-21-3657164528-3206697869-1154195925-513
Full Name:Name Surname
Home Directory:   \\thalos\%u
HomeDir Drive:Z:
Logon Script: netlogon.cmd
Profile Path: \\thalos\profiles\username\UNKNOWN.msprofile
Domain:   MFC2
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  Wed, 06 Feb 2036 16:06:39 CET
Kickoff time: Wed, 06 Feb 2036 16:06:39 CET
Password last set:Thu, 26 May 2011 14:31:36 CEST
Password can change:  Thu, 26 May 2011 14:31:36 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours : FF

Everything is right with this; this is truely my domain's name and SID.
What makes me wonder a little bit is, that strange time in 2036 for
Kickoff time and Logoff time, but cannot tell if this is right or not.
The error when logging on to a new profile machine stays the same.

5)
Please find my PDC configuration here: http://pastebin.com/3KU5ruHt

For 6) I repeated the steps 2) and 3) for a better comparison:

6)
Since the generated output is way too big to have it copied to pastebin
or even into this mail, please find a log of a _failing_ logon (user:
mr) from a Windows 7 machine (named MFCDOMTEST7) at
http://www.marc-richter.info/20110527_mr_fail.log
This ends up with an empty folder created in the nt profile dir of that
user on the PDC, named Vista.msprofile.V2 and the message, that the
user has been loged on with a temporary profile only.

Since this mail is already long enough, I'd like to focus on this single
failing logon first, instead of describing all the failures.

Thank you for your help!

Best regards,
Marc

Re: [Samba] Strange problem with my new PDC

2011-05-20 Thread Marc Richter 
Hi Helmut,

the logs are 2,6 MB uncompressed, each. So inline would make ~5MB ,
multiplied by the number of recipients ;) So I thought a ~400 KB great
attachment would be the better way ...

Am 20.05.2011 07:22, schrieb Helmut Hullen:
 Hallo, Marc,
 
 Du meintest am 19.05.11:
 
 You can find two Logfiles in the attached archive. One's named
 Success.log and the other one Failing.log.
 
 No - this mailing list doesn't support such attachments. Try inline  
 copies.
 
 Viele Gruesse!
 Helmut
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Strange problem with my new PDC

2011-05-19 Thread Marc Richter 
Hi everyone ,

I have setup a new Server, based on Ubuntu Linux. Since the Samba
version from it's repository was too old for my purposes, I downloaded
and installed Samba from source (version 3.5.8). Everything went fine so
far.

We currently run an older version (3.0.26a) of samba as PDC . I copied
the tdbsam databases from the current PDC over to the new one. This
seems to have worked very well, since all users and computeraccounts
were accessible by pdbedit. I could also logon with my old credentials,
too! My password was accepted, my roaming profile was read and written
correctly, etc. All seems very good.

Now to the problem:
I asked two collegues of mine to try their logins with a Windows Server
2008 R2 and an Windows 7 system. They can login, but become immediately
logged off again. They not even see the Desktop for a short time. This
was tested on several Windows 7 and Server 2008 Systems now and it
happens everywhere. I can logon with my user without a problem on any
system.

I cannot find anything relevant in the logs, but that doesn't have to
mean much, since this seems very cryptic to me. I tried and googled for
three days now! Could please anyone assist me with this issue?

I tried to send a gziped Logfile as attachment to the list already, but
it was blocked, because the resulting mail was too big. I cannot put the
logs to pastebin, since this ist too big, too. So I copied the logs to
my webspace:

The log with the successful login attempt:
http://www.marc-richter.info/Success.log

The log with the unsuccessful login attempt:
http://www.marc-richter.info/Failing.log

The PDC is named thalos. The Windows 2008 R2 machine from which the
two logins are done is named gollum. The Domain is named MFC2. The
user who succeedes is named mr and the one which is failing is named ab.

I could really need help here ...

Best regards,
Marc
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Strange problem with my new PDC

2011-05-19 Thread Marc Richter 
Hi everyone ,

I have setup a new Server, based on Ubuntu Linux.
Since the Samba version from it's repository was too old for my purposes, I 
downloaded and installed Samba from source (version 3.5.8). Everything went 
fine so far.

We currently run an older version (3.0.26a) of samba as PDC .

I copied the tdbsam databases from the current PDC over to the new one. This 
seems to have worked very well, since all users and computeraccounts were 
accessible by pdbedit. I could also logon with my old credentials, too! My 
password was accepted, my roaming profile was read and written correctly, etc. 
All seems very good.

Now to the problem:
I asked two collegues of mine to try their logins with a Windows Server 2008 
R2 and an Windows 7 system. They can login, but become immediately logged off 
again. They not even see the Desktop for a short time. This was tested on 
several Windows 7 and Server 2008 Systems now and it happens everywhere. I can 
logon with my user without a problem on any system.

I cannot find anything relevant in the logs, but that doesn't have to mean 
much, since this seems very cryptic to me. I tried and googled for three days 
now! Could please anyone assist me with this issue?

You can find two Logfiles in the attached archive. One's named Success.log and 
the other one Failing.log.
The PDC is named thalos. The Windows 2008 R2 machine from which the two 
logins are done is named gollum. The Domain is named MFC2.
The user who succeedes is named mr and the one which is failing is named 
ab.

I could really need help here ...

Best regards,
Marc
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba