Re: [Samba] group policy client service failed the logon
Finally, I have settled on the cause of the problem. The SambaSID is causing problems when created through LAM. I am not sure why it was working but now has a problem, but the issue appears to be the SambaSID range that the new users are created in. However older users in the same range have no issues. I am continuing to investigate.

Any help would be appreciated.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] group policy client service failed the logon
Ok, the problem is that I have a specific sambasid that will not allow a user to login. The problem is not with LAM specifically.

Conclusion, the "group policy client service failed the logon" error occurs only when a user has a specific sambasid.

I will close this thread and start a new one.

On Thu, Jun 7, 2012 at 1:24 PM, Shawn Dakin dakins...@staff.nctschools.org wrote:

> Finally, I have settled on the cause of the problem. The SambaSID is causing problems when created through LAM. I am not sure why it was working but now has a problem, but the issue appears to be the SambaSID range that the new users are created in. However older users in the same range have no issues. I am continuing to investigate.
>
> Any help would be appreciated.

--
Shawn Dakin (CNE)
Director of Technology
Newcomerstown Schools
659 S. Beaver St.
Newcomerstown Oh, 43832
Office 740-498-4999
Cell 740-227-0339
[Samba] user with specific sambasid can not login
For some odd reason a user with the specific sambasid S-1-5-21-1545272169-3882205488-3325164475-21006 can not login on our PDC. The user gets the error "group policy client service failed the logon".

If I increment the user's RID to 21007 they can login. I can not find any other users with the RID 21006 in my LDAP so no conflict is apparent.

Does anyone have an idea as to what the problem is with this RID? I assume some type of conflict with a previously existing user, but do not know how to check apart from LDAP. Are RIDs stored in another location?

--
Shawn Dakin (CNE)
Director of Technology
Newcomerstown Schools
Re: [Samba] group policy client service failed the logon
So after another day of investigation I have discovered it may be a LAM issue. If I create a new user using smbldap-useradd the new user can login to my win7 workstations. However, if I create the new user in LAM the new user receives the error "group policy client service failed the logon. Access denied".

Anyone have an idea what LAM is doing to the user accounts? Here is a quick comparison.

yo.littledog (GOOD ACCOUNT) I know the home dir and profile path are wrong.

SAMBA1:/var/log/samba # pdbedit -Lv yo.littledog
smbldap_search_domain_info: Searching for:[((objectClass=sambaDomain)(sambaDomainName=NEVSD))]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: yo.littledog
init_group_from_ldap: Entry found for group: 513
Unix username:yo.littledog
NT username: yo.littledog
Account Flags:[U ]
User SID: S-1-5-21-1545272169-3882205488-3325164475-1328
Primary Group SID:S-1-5-21-1545272169-3882205488-3325164475-513
Full Name:yo.littledog
Home Directory: \\PDC-SRV\yo.littledog
HomeDir Drive:H:
Logon Script: logon.bat
Profile Path: \\PDC-SRV\profiles\yo.littledog
Domain: NEVSD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Mon, 18 Jan 2038 22:14:07 EST
Kickoff time: Mon, 18 Jan 2038 22:14:07 EST
Password last set:Wed, 06 Jun 2012 14:52:39 EDT
Password can change: Wed, 06 Jun 2012 14:52:39 EDT
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FF

yo.dog (BAD ACCOUNT)

SAMBA1:/var/log/samba # pdbedit -Lv yo.dog
smbldap_search_domain_info: Searching for:[((objectClass=sambaDomain)(sambaDomainName=NEVSD))]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: yo.dog
init_group_from_ldap: Entry found for group: 513
Unix username:yo.dog
NT username: yo.dog
Account Flags:[UX ]
User SID: S-1-5-21-1545272169-3882205488-3325164475-21006
Primary Group SID:S-1-5-21-1545272169-3882205488-3325164475-513
Full Name:Yo Dog
Home Directory: \\SAMBA1\yo.dog
HomeDir Drive:H:
Logon Script:
Profile Path: \\samba1\profiles\yo.dog
Domain: NEVSD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: Mon, 31 Dec 2029 19:00:00 EST
Password last set:Wed, 06 Jun 2012 15:19:40 EDT
Password can change: Wed, 06 Jun 2012 15:19:40 EDT
Password must change: Mon, 18 Jan 2038 22:14:07 EST
Last bad password : 0
Bad password count : 0
Logon hours : FF
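The field-by-field comparison that the message above does by eye, as an added example (not code from the thread or from Samba): it parses two pdbedit -Lv listings, masks each account's own user name, and returns the fields that still differ. The two listings are abridged from the output quoted above; the function names and the choice of fields are assumptions made for this example.

```python
import re
# pdbedit -Lv labels to compare; log lines such as "StartTLS issued: ..." are ignored.
FIELDS = ("Unix username", "Account Flags", "User SID", "Primary Group SID",
          "Home Directory", "Logon Script", "Profile Path", "Logoff time",
          "Kickoff time", "Password must change")
PER_USER = {"Unix username", "User SID"}  # always differ between two accounts

def parse(text):
    """Return {label: value} for the known pdbedit -Lv fields found in text."""
    rec = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")  # split at the first colon only
        if sep and label.strip() in FIELDS:
            rec[label.strip()] = value.strip()
    return rec

def diff(good, bad):
    """Fields that still differ once each account's own user name is masked."""
    def norm(rec):
        mask = re.compile(re.escape(rec["Unix username"]), re.I)
        return {k: mask.sub("<user>", rec.get(k, "")) for k in FIELDS if k not in PER_USER}
    g, b = norm(good), norm(bad)
    return {k: (g[k], b[k]) for k in g if g[k] != b[k]}

# Abridged from the two pdbedit -Lv listings quoted in the message above.
GOOD = r"""smbldap_open_connection: connection opened
Unix username:yo.littledog
Account Flags:[U ]
User SID: S-1-5-21-1545272169-3882205488-3325164475-1328
Primary Group SID:S-1-5-21-1545272169-3882205488-3325164475-513
Home Directory: \\PDC-SRV\yo.littledog
Logon Script: logon.bat
Profile Path: \\PDC-SRV\profiles\yo.littledog
Logoff time: Mon, 18 Jan 2038 22:14:07 EST
Kickoff time: Mon, 18 Jan 2038 22:14:07 EST
Password must change: never"""
BAD = r"""Unix username:yo.dog
Account Flags:[UX ]
User SID: S-1-5-21-1545272169-3882205488-3325164475-21006
Primary Group SID:S-1-5-21-1545272169-3882205488-3325164475-513
Home Directory: \\SAMBA1\yo.dog
Logon Script:
Profile Path: \\samba1\profiles\yo.dog
Logoff time: never
Kickoff time: Mon, 31 Dec 2029 19:00:00 EST
Password must change: Mon, 18 Jan 2038 22:14:07 EST"""

if __name__ == "__main__":
    for field, (g, b) in diff(parse(GOOD), parse(BAD)).items():
        print(f"{field:22} good={g!r:40} bad={b!r}")
```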
Re: [Samba] group policy client service failed the logon
Here we go, tstudent is a working user - yo.dog is a non working user. I am not seeing any difference between the two.

SAMBA1:/etc/samba # net rpc user info tstudent -U administrator
Enter administrator's password:
None Default Staff User Group

SAMBA1:/etc/samba # net rpc user info yo.dog -U administrator
Enter administrator's password:
None Default Staff User Group

SAMBA1:/etc/samba # groups tstudent
tstudent : All_Staff

SAMBA1:/etc/samba # groups yo.dog
yo.dog : All_Staff

StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: tstudent
init_group_from_ldap: Entry found for group: 1
init_group_from_ldap: Entry found for group: 1
Primary group S-1-5-21-1545272169-3882205488-3325164475-21001 for user tstudent is a User and not a domain group
Forcing Primary Group to 'Domain Users' for tstudent
Unix username:tstudent
NT username: tstudent
Account Flags:[UX ]
User SID: S-1-5-21-1545272169-3882205488-3325164475-21002
Primary Group SID:S-1-5-21-1545272169-3882205488-3325164475-513
Full Name:test Student
Home Directory: \\SAMBA1\tstudent
HomeDir Drive:H:
Logon Script:
Profile Path: \\samba1\profiles\tstudent
Domain: NEVSD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set:Wed, 09 May 2012 14:32:12 EDT
Password can change: Wed, 09 May 2012 14:32:12 EDT
Password must change: Mon, 18 Jan 2038 22:14:07 EST
Last bad password : 0
Bad password count : 0
Logon hours : FF

StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: yo.dog
init_group_from_ldap: Entry found for group: 1
init_group_from_ldap: Entry found for group: 1
Primary group S-1-5-21-1545272169-3882205488-3325164475-21001 for user yo.dog is a User and not a domain group
Forcing Primary Group to 'Domain Users' for yo.dog
Unix username:yo.dog
NT username: yo.dog
Account Flags:[UX ]
User SID: S-1-5-21-1545272169-3882205488-3325164475-21006
Primary Group SID:S-1-5-21-1545272169-3882205488-3325164475-513
Full Name:Yo Dog
Home Directory: \\SAMBA1\yo.dog
HomeDir Drive:H:
Logon Script:
Profile Path: \\samba1\profiles\yo.dog
Domain: NEVSD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: Mon, 31 Dec 2029 19:00:00 EST
Password last set:Mon, 04 Jun 2012 14:34:26 EDT
Password can change: Mon, 04 Jun 2012 14:34:26 EDT
Password must change: Mon, 18 Jan 2038 22:14:07 EST
Last bad password : 0
Bad password count : 0
Logon hours : FF

On Mon, Jun 4, 2012 at 8:47 PM, Gaiseric Vandal gaiseric.van...@gmail.com wrote:

> Maybe the group membership or primary group is getting messed up for the new users? Can you compare the unix, ldap and windows group properties for a new and an older user
>
> # pdbedit -Lv username
> # net rpc user info username -U administrator
> # groups username
>
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Shawn Dakin
> Sent: Monday, June 04, 2012 3:07 PM
> To: samba@lists.samba.org
> Subject: [Samba] group policy client service failed the logon
>
> I am in the process of implementing a new SAMBA install Version 3.6.3-34.12.1-2797-SUSE-SL12.1-x86_64 on OpenSuse 12.1
>
> I am using LDAP as my backend and LAM to manage my LDAP accounts. Things were going well until recently. Suddenly any newly created user can not logon (win7). Any accounts that I created prior to last week can still logon to the workstation.
>
> The only changes I recall making involve add machine script. I moved from using useradd to using smbldap-useradd so machine accounts would only be created in LDAP and not locally.
>
> Also, in yast, I changed the LDAP client Naming Context from ou=users,dc=nctschools,dc=org to dc=nctschools,dc=org to allow the local LDAP client to find machine accounts, as they are not created in the user context.
>
> However, I don't believe any of these changes could be causing the "group policy client service failed the logon. Access denied" error I am receiving. I could be wrong though.
>
> Any help would be GREAT. Thanks
>
> Here is my smb.conf
>
> [global]
>     workgroup = NEVSD
>     map to guest = Bad User
>     passdb backend = ldapsam:ldap://SAMBA1.nctschools.org
>     log level = 3
>     log file = /var/log/samba/log.%m
>     printcap name = cups
>     add machine script = /usr/sbin/smbldap-useradd -t 1 -w -c Machine -d /var/lib/nobody -s
[Samba] group policy client service failed the logon
I am in the process of implementing a new SAMBA install Version 3.6.3-34.12.1-2797-SUSE-SL12.1-x86_64 on OpenSuse 12.1

I am using LDAP as my backend and LAM to manage my LDAP accounts. Things were going well until recently. Suddenly any newly created user can not logon (win7). Any accounts that I created prior to last week can still logon to the workstation.

The only changes I recall making involve add machine script. I moved from using useradd to using smbldap-useradd so machine accounts would only be created in LDAP and not locally.

Also, in yast, I changed the LDAP client Naming Context from ou=users,dc=nctschools,dc=org to dc=nctschools,dc=org to allow the local LDAP client to find machine accounts, as they are not created in the user context.

However, I don't believe any of these changes could be causing the "group policy client service failed the logon. Access denied" error I am receiving. I could be wrong though.

Any help would be GREAT. Thanks

Here is my smb.conf

[global]
    workgroup = NEVSD
    map to guest = Bad User
    passdb backend = ldapsam:ldap://SAMBA1.nctschools.org
    log level = 3
    log file = /var/log/samba/log.%m
    printcap name = cups
    add machine script = /usr/sbin/smbldap-useradd -t 1 -w -c Machine -d /var/lib/nobody -s /bin/false %m$
    logon path = \\%L\profiles\%U
    logon drive = P:
    logon home = \\%L\%U\.9xprofile
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    ldap admin dn = cn=Administrator,dc=nctschools,dc=org
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=Machines
    ldap passwd sync = yes
    ldap suffix = dc=nctschools,dc=org
    ldap user suffix = ou=Users
    idmap config * : backend = ldap:ldap://SAMBA1.nctschools.org
    cups options = raw

[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    read only = No
    inherit acls = Yes
    browseable = No

[profiles]
    comment = Network Profiles Service
    path = %H
    read only = No
    create mask = 0600
    directory mask = 0700
    store dos attributes = Yes

--
Shawn Dakin (CNE)
Director of Technology
Newcomerstown Schools