Samba 3.6 to 4.x: User Profile Service Failed the Login

Samba 3.6 to 4.x: User Profile Service Failed the Login

Samba - General mailing list
I posted this a while ago on the FreeBSD forums but received no response so
I thought I'd ask here.  If things are out of date, it's simply due to the
length of time between my original post and now.  A few updates I've noted
since the saga began.

I'm trying to do a long overdue upgrade from samba 3.6 to 4.x (I've tried
all available 4.x releases from ports, 4.2, 4.3, and 4.4 [edit: the issue
still appears when testing with 4.6]), and I've run into the very strange
error message in the title of this post.

I'm still trying to, for the time being, keep the NT4 style domain, and
make as few changes as necessary to perform the upgrade. Everything is
working swimmingly with 3.6 (aside from its age and lack of support), and
I'm hoping for the same with samba 4. To upgrade, I took the following
steps, more or less in order:

1. Stop and remove samba36 from ports
2. Install samba4x (I've tried all the current samba 4.x releases in ports)
3. Copy /usr/local/etc/smb.conf to /usr/local/etc/smb4.conf
4. Rename samba_enable to samba_server_enable in rc.conf
5. Moved the smbpasswd file into where samba 4 looks for it,
/var/db/samba4/private/
6. Added acl allow execute always = true to my smb4.conf file, in case it
was needed.
7. Started samba4_server

Now here's where it gets a little weird. Almost everything was working at
this point. I could (and did on a test machine) leave and rejoin the domain
on our Win7 desktops. Files could be downloaded/uploaded and I could open
shares when I logged in on a local account on these desktops. But, if I try
to log in on any user account, I get the cryptic error "User Profile
Service Failed the Login."

At first I thought this was an issue with profile synchronization, but
after investigating, I don't believe it is. Why? I cleared all the cached
profiles off the Windows box with delprof, and then tried to log the user
in, paying careful attention to log.smbd. And, sure enough, I could see it
download the entire profile via samba, and it was only *after* it
downloaded the profile did I get the error.

So what gives? I looked a little deeper at higher verbosity levels of
logging, and I did see one curious error relating to SPNEGO, and found a
few other users had issues with a change to the defaults from 3.x to 4.x,
so I tried adding client use spnego = no to my smb4.conf in the global
section, but this hasn't changed anything. I also tried renaming the user's
existing profile, so it would create a new one upon logging in, but this
hasn't helped things either.

If you have any ideas or suggestions on where to start, I'm all ears, as
I'm stumped at how to proceed. Things appear to basically be functioning
correctly on samba's end, but Windows refuses to let accounts log in.

P.S. - I've since been looking at packet traces, and increasingly verbose
levels of logging, but my knowledge of the SMB protocol is limited.

Thanks,
- Ian
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba 3.6 to 4.x: User Profile Service Failed the Login

Samba - General mailing list
On Sat, 12 Aug 2017 19:48:16 -0500
Ian T via samba <[hidden email]> wrote:

> I posted this a while ago on the FreeBSD forums but received no
> response so I thought I'd ask here.  If things are out of date, it's
> simply due to the length of time between my original post and now.  A
> few updates I've noted since the saga began.
>
> I'm trying to do a long overdue upgrade from samba 3.6 to 4.x (I've
> tried all available 4.x releases from ports, 4.2, 4.3, and 4.4 [edit:
> the issue still appears when testing with 4.6]), and I've run into
> the very strange error message in the title of this post.
>
> I'm still trying to, for the time being, keep the NT4 style domain,
> and do as minimal changes as necessary to perform the upgrade.
> Everything is working swimmingly with 3.6 (aside from its age and
> lack of support), and I'm hoping for the same with samba 4. To
> upgrade, I took the following steps, more or less in order:
>
> 1. Stop and remove samba36 from ports
> 2. Install samba4x (I've tried all the current samba 4.x releases in
> ports)
> 3. Copy /usr/local/etc/smb.conf to /usr/local/etc/smb4.conf

Can you start by posting your smb4.conf, without this we are guessing
what type of server you have.

Rowland



Re: Samba 3.6 to 4.x: User Profile Service Failed the Login

Samba - General mailing list
On 8/13/2017 2:06 AM, Rowland Penny via samba wrote:
> Can you start by posting your smb4.conf, without this we are guessing
> what type of server you have.
>
> Rowland

Sure thing.  As I stated earlier, except for the two added options
(client use spnego and acl allow execute always) it's identical to my
Samba 3 config.  Also, I've trimmed down things to just an example user
as the actual config is over 1K lines.

# Samba 4 config
[global]
      workgroup = BLKG
      server string = PDC
      encrypt passwords = Yes
      null passwords = true
      log level = 2
      max log size = 5000
      socket options = TCP_NODELAY SO_RCVBUF=64240 SO_SNDBUF=64240
      use sendfile = yes
      load printers = no
      wins support = yes
      security = user
      domain master = yes
      local master = yes
      preferred master = yes
      domain logons = yes
      username map = /usr/local/etc/smbusers
      passdb backend = smbpasswd
      hide dot files = yes
      dns proxy = no
      client use spnego = no
      os level = 65
      printing = BSD
      interfaces = 192.168.192.5 127.0.0.0/8
      hosts allow = 192.168.0.0/16
      time server = yes
      logon script = LOGON.bat
      unix password sync = true
      pam password change = no
      passwd chat = *New*Password* %n\n *Retype*Password* %n\n *Changed*
      passwd program = /usr/bin/passwd %u
      acl allow execute always = true
# Try Aio
      aio read size = 16384
      aio write size = 16384
      aio write behind = true
# Weird bug
      client signing = false
# Cut old smbd
      deadtime = 15

[netlogon]
      comment=Netlogon Share
      path=/home/netlogon
      read only  =yes
      write list =@wheel

# A typical user looks like this:
[testuser]
      comment = Test User
      path = /home/testuser
      create mask = 770
      force directory mode = 0770
      force group = testuser
      valid users = testuser,@test
      vfs object = shadow_copy2
      shadow:sort = desc
      shadow:snapdir = .zfs/snapshot
      shadow:format = %Y%m%d%H%M
      shadow:localtime = yes
      writeable = Yes
      csc policy = disable



Re: Samba 3.6 to 4.x: User Profile Service Failed the Login

Samba - General mailing list
On Sun, 13 Aug 2017 07:37:54 -0500
Ian via samba <[hidden email]> wrote:

> On 8/13/2017 2:06 AM, Rowland Penny via samba wrote:
> > Can you start by posting your smb4.conf, without this we are
> > guessing what type of server you have.
> >
> > Rowland
>
> Sure thing.  As I stated earlier, except for the two added options
> (client use spnego and acl allow execute always) it's identical to my
> Samba 3 config.  Also, I've trimmed down things to just an example
> user as the actual config is over 1K lines.
>
> # Samba 4 config
> [global]
>       workgroup = BLKG
>       server string = PDC
>       encrypt passwords = Yes
>       null passwords = true
>       log level = 2
>       max log size = 5000
>       socket options = TCP_NODELAY SO_RCVBUF=64240 SO_SNDBUF=64240
>       use sendfile = yes
>       load printers = no
>       wins support = yes
>       security = user
>       domain master = yes
>       local master = yes
>       preferred master = yes
>       domain logons = yes
>       username map = /usr/local/etc/smbusers
>       passdb backend = smbpasswd
>       hide dot files = yes
>       dns proxy = no
>       client use spnego = no
>       os level = 65
>       printing = BSD
>       interfaces = 192.168.192.5 127.0.0.0/8
>       hosts allow = 192.168.0.0/16
>       time server = yes
>       logon script = LOGON.bat
>       unix password sync = true
>       pam password change = no
>       passwd chat = *New*Password* %n\n *Retype*Password* %n\n *Changed*
>       passwd program = /usr/bin/passwd %u
>       acl allow execute always = true
> # Try Aio
>       aio read size = 16384
>       aio write size = 16384
>       aio write behind = true
> # Weird bug
>       client signing = false
> # Cut old smbd
>       deadtime = 15
>
> [netlogon]
>       comment=Netlogon Share
>       path=/home/netlogon
>       read only  =yes
>       write list =@wheel
>
> # A typical user looks like this:
> [testuser]
>       comment = Test User
>       path = /home/testuser
>       create mask = 770
>       force directory mode = 0770
>       force group = testuser
>       valid users = testuser,@test
>       vfs object = shadow_copy2
>       shadow:sort = desc
>       shadow:snapdir = .zfs/snapshot
>       shadow:format = %Y%m%d%H%M
>       shadow:localtime = yes
>       writeable = Yes
>       csc policy = disable
>
>

Nothing really wrong with the [global] portion of your smb.conf (there
are a few lines I would remove) but I do not see a profiles share. I
would expect to see something like this:

[profiles]
    comment = User Profiles
    path = /path/to/where/you/want/store/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = no
    csc policy = disable

What I do see is something that looks like a users home directory
'[testuser]'

It has been quite some time since I used an NT4-style domain, but what
I have noticed is that it is getting harder and harder to keep them
working, not from the Samba side, but from the windows side.

One thing I did notice, you are still using the deprecated smbpasswd
passdb backend.

Finally, it could be down to windows updates, try adding this to your
smb.conf:

server max protocol = NT1

Rowland

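The [global] section posted above, together with the advice in this reply (the deprecated smbpasswd backend, the NT1 cap suggested as a workaround) and the two "Weird bug"/null-password lines already in the config, is a good target for a quick configuration check. The following linter is an added example and is not Samba code or anything from the thread: it parses an smb.conf in Samba's own key/value form, then flags the weak [global] parameters with a one-line risk and the corrective setting. The sample config embedded in it is constructed from the posted config, trimmed, with the `server max protocol = NT1` line added; the parameter names it checks (`client signing`, `server signing`, `null passwords`, `server max protocol`, `passdb backend`, `encrypt passwords`) are real smb.conf parameters, but the linter only knows those exact spellings, not Samba's synonyms, and it reads [global] only.

```python
"""Added example: flag weak settings in an smb.conf [global] section.

Hypothetical linter (not part of Samba).  SAMPLE_SMB_CONF is constructed
from the config posted in the thread, trimmed, plus the
'server max protocol = NT1' line suggested later as a workaround.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

SAMPLE_SMB_CONF = """\
# Samba 4 config (constructed sample, trimmed from the thread)
[global]
      workgroup = BLKG
      server string = PDC
      encrypt passwords = Yes
      null passwords = true
      security = user
      domain logons = yes
      passdb backend = smbpasswd
      hosts allow = 192.168.0.0/16
# Weird bug
      client signing = false
      server max protocol = NT1

[netlogon]
      comment=Netlogon Share
      path=/home/netlogon
      read only  =yes
"""

TRUE_WORDS = {"yes", "true", "1"}
FALSE_WORDS = {"no", "false", "0"}
# Dialects accepted by 'server max protocol' that are all SMB1 variants.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {key: value}}.

    Section names and keys are lower-cased with internal whitespace
    collapsed, since Samba treats 'Null Passwords' and 'null passwords'
    alike.  Comment lines (# or ;) and blank lines are skipped.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = " ".join(header.group(1).split()).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section, or not 'key = value'
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def as_bool(value: str) -> Optional[bool]:
    """Map Samba's yes/true/1 and no/false/0 spellings to a bool, else None."""
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    return None


# (parameter, predicate that is True when the value is weak, risk, fix)
Check = Tuple[str, Callable[[str], bool], str, str]
CHECKS: List[Check] = [
    ("client signing", lambda v: as_bool(v) is False,
     "SMB signing disabled on this host's outbound SMB connections",
     "drop the line; Samba negotiates signing by default"),
    ("server signing", lambda v: as_bool(v) is False,
     "SMB signing disabled for clients of this server",
     "drop the line or set 'server signing = mandatory'"),
    ("null passwords", lambda v: as_bool(v) is True,
     "accounts with empty passwords may authenticate",
     "set 'null passwords = no' and give guest-style accounts a password"),
    ("server max protocol", lambda v: v.strip().upper() in SMB1_DIALECTS,
     "server capped at SMB1 dialects (no SMB2/3 signing or encryption)",
     "remove the cap once the client issue is understood; treat as temporary"),
    ("passdb backend", lambda v: v.strip().lower().startswith("smbpasswd"),
     "deprecated flat-file smbpasswd backend",
     "migrate to tdbsam (pdbedit -i smbpasswd:<file> -e tdbsam)"),
    ("encrypt passwords", lambda v: as_bool(v) is False,
     "plaintext password authentication",
     "remove the line; encrypted passwords are the default"),
]


def lint(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (parameter, value, risk, fix) for each weak [global] setting."""
    global_section = parse_smb_conf(text).get("global", {})
    findings = []
    for param, is_weak, risk, fix in CHECKS:
        if param in global_section and is_weak(global_section[param]):
            findings.append((param, global_section[param], risk, fix))
    return findings


if __name__ == "__main__":
    for param, value, risk, fix in lint(SAMPLE_SMB_CONF):
        print(f"[global] {param} = {value}\n    risk: {risk}\n    fix:  {fix}")
```

Run against the sample it reports four findings: `client signing = false`, `null passwords = true`, `server max protocol = NT1` and `passdb backend = smbpasswd`. Running the same script over the full 1K-line config would be a cheap way to see what the 3.6-era settings carry forward before the AD migration, and the `server max protocol` check makes the NT1 workaround visible so it does not silently outlive the problem it was added for.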

Re: Samba 3.6 to 4.x: User Profile Service Failed the Login

Samba - General mailing list
On 8/13/2017 8:40 AM, Rowland Penny via samba wrote:
> Nothing really wrong with the [global] portion of your smb.conf (there
> are a few lines I would remove) but I do not see a profiles share. I
> would expect to see something like this:
>
> ... snip ...
>
> What I do see is something that looks like a users home directory
> '[testuser]'

That's correct.  Right now the profiles are being stored in the user's
home directory.  I realize that's probably unusual, but it does simplify
some things, and I've never had an issue with it in Samba 3.  When a
user logs in when running Samba 4, I can see their profile being
downloaded (via smbstatus or logs), and it's only after the profile is
synchronized that the error appears.

If you think that's the cause of the problem, however, I'll attempt to
move them all to a common share.

> It has been quite some time since I used an NT4-style domain, but what
> I have noticed is that it is getting harder and harder to keep them
> working, not from the Samba side, but from the windows side.
>
> One thing I did notice, you are still using the deprecated smbpasswd
> passdb backend.

I agree, I'd love to move to an AD domain, but I'm trying to do small
steps in order to make troubleshooting as simple as possible by doing as
few changes as possible.  My plan was first to go from 3 to 4, then to
move from passdb to tdbsam, and then to move from NT4 to AD.

> Finally, it could be down to windows updates, try adding this to your
> smb.conf:
>
> server max protocol = NT1

Thanks, I'll give this a try shortly.

- Ian



Re: Samba 3.6 to 4.x: User Profile Service Failed the Login

Samba - General mailing list
On Sun, Aug 13, 2017 at 9:03 AM, Ian <[hidden email]> wrote:

>
> Finally, it could be down to windows updates, try adding this to your
>> smb.conf:
>>
>> server max protocol = NT1
>>
>
> Thanks, I'll give this a try shortly.
>

So when I went to test this I rebuilt samba46 (enough dependencies had
changed since I last built it) and the issue no longer appears, even
without that configuration option.  I suspect that the issue may have been
with an older dependency and not with Samba itself.  However, I ran into a
new issue when trying to join machines: invalid NTLMSSP_MIC / SPNEGO login
failed: NT_STATUS_INVALID_PARAMETER.  After reading through that thread
from October of last year, it appears that NT4 style domains have not
worked in Samba 4 since somewhere between 4.2.12 and 4.2.14 (inclusive),
contrary to the claim that these are still supported in 4.x.  So, I finally
just decided to convert to tdbsam and ultimately upgrade to an AD domain.

To make a very long story short, I have things somewhat working under AD,
though with 4.5 instead of 4.6 due to bugs with provisioning in 4.6.  I
still have a few problems remaining, the most pressing of which I'll list
here:

- I've set the new realm to AD.BLKG.LOCAL, and the workgroup to BLKG (what
was previously used as our NT4 domain).  However, hosts appear to only be
able to join the domain when using ad.blkg.local and not just blkg (as I
was hoping to not have to rejoin all of our machines!). According to the
wiki: "You can enter the NetBIOS name of the domain, if your client is able
to resolve it."  This leads me to two questions; why the netbios name
instead of the workgroup, as I think of that as the host name of the
server, and more importantly, is there any way to work around this that
doesn't involve rejoining every PC by tomorrow morning?  I noticed there
are no SRV records for any domains ending in .BLKG.

- Despite having logon path = \\%N\%U\profile, it is not using the profiles
that are stored in their home directory.  I assume I need to set this
somewhere within active directory itself via rsat, but where?  I'm not even
sure where (if anywhere on the PDC) the profiles are being stored right now.

- Logon scripts are no longer running despite logon script being defined
and relocating the script to the new netlogon share.  I assume again this
is something I have to mess with over rsat?

- Passwordless accounts don't seem to be permitted despite null passwords =
true?

Thanks again for all the help so far,
- Ian

Re: Samba 3.6 to 4.x: User Profile Service Failed the Login

Samba - General mailing list
On Sun, 13 Aug 2017 22:54:38 -0500
Ian T via samba <[hidden email]> wrote:

> On Sun, Aug 13, 2017 at 9:03 AM, Ian <[hidden email]>
> wrote:
>
> >
> > Finally, it could be down to windows updates, try adding this to
> > your
> >> smb.conf:
> >>
> >> server max protocol = NT1
> >>
> >
> > Thanks, I'll give this a try shortly.
> >
>
> So when I went to test this I rebuilt samba46 (enough dependencies had
> changed since I last built it) and the issue no longer appears, even
> without that configuration option.  I suspect that the issue may have
> been with an older dependency and not with Samba itself.  However, I
> ran into a new issue when trying to join machines: invalid
> NTLMSSP_MIC / SPNEGO login failed: NT_STATUS_INVALID_PARAMETER.
> After reading through that thread from October of last year, it
> appears that NT4 style domains have not worked in Samba 4 since
> somewhere between 4.2.12 and 4.2.14 (inclusive), contrary to the claim
> that these are still supported in 4.x.  So, I finally just decided to
> convert to tdbsam and ultimately upgrade to an AD domain.
>
> To make a very long story short, I have things somewhat working under
> AD, though with 4.5 instead of 4.6 due to bugs with provisioning in
> 4.6.  I still have a few problems remaining, the most pressing of
> which I'll list here:
>
> - I've set the new realm to AD.BLKG.LOCAL,

I take it you have missed that it is a 'BAD' idea to use '.local' for
your TLD.

> and the workgroup to BLKG
> (what was previously used as our NT4 domain).  However, hosts appear
> to only be able to join the domain when using ad.blkg.local and not
> just blkg (as I was hoping to not have to rejoin all of our
> machines!).

Not surprising really, a new domain would have a different SID, so you
will have to join all your computers to the 'new' domain even if you
have used the same workgroup name.

> According to the wiki: "You can enter the NetBIOS name of
> the domain, if your client is able to resolve it."  This leads me to
> two questions; why the netbios name instead of the workgroup, as I
> think of that as the host name of the server, and more importantly,
> is there any way to work around this that doesn't involve rejoining
> every PC by tomorrow morning?  I noticed there are no SRV records for
> any domains ending in .BLKG.

There won't be, all your dns records will end in 'ad.blkg.local'

>
> - Despite having logon path = \\%N\%U\profile, it is not using the
> profiles that are stored in their home directory.  I assume I need to
> set this somewhere within active directory itself via rsat, but
> where?  I'm not even sure where (if anywhere on the PDC) the profiles
> are being stored right now.

AD doesn't work like an NT4-style PDC, there are numerous attributes in
AD for storing things like profile paths, I suggest you read the Samba
wiki, especially this page:

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

>
> - Logon scripts are no longer running despite logon script being
> defined and relocating the script to the new netlogon share.  I
> assume again this is something I have to mess with over rsat?

Probably, I don't use them, but I am fairly sure Louis does (hint, hint)

>
> - Passwordless accounts don't seem to be permitted despite null
> passwords = true?

No, that will not work, also why do you want blank passwords, they are a
bad idea.

Rowland



Re: Samba 3.6 to 4.x: User Profile Service Failed the Login

Samba - General mailing list
On Mon, Aug 14, 2017 at 2:43 AM, Rowland Penny via samba <
[hidden email]> wrote:

> On Sun, 13 Aug 2017 22:54:38 -0500
> Ian T via samba <[hidden email]> wrote:
>
> > On Sun, Aug 13, 2017 at 9:03 AM, Ian <[hidden email]>
> > wrote:
> > - I've set the new realm to AD.BLKG.LOCAL,
>
> I take it you have missed that it is a 'BAD' idea to use '.local' for
> your TLD.
>

Actually, I did read the wiki on this.  Breaking Bonjour is practically a
bonus, and I don't need anything beyond self-signed certs for the AD domain
anyway, so I should be okay.


> > and the workgroup to BLKG
> > (what was previously used as our NT4 domain).  However, hosts appear
> > to only be able to join the domain when using ad.blkg.local and not
> > just blkg (as I was hoping to not have to rejoin all of our
> > machines!).
>
> Not surprising really, a new domain would have a different SID, so you
> will have to join all your computers to the 'new' domain even if you
> have used the same workgroup name.
>

I've now done this on basically all of our currently in-use machines, but
it's tedious even when scripted.  Oh well.


> AD doesn't work like an NT4-style PDC, there are numerous attributes in
> AD for storing things like profile paths, I suggest you read the Samba
> wiki, especially this page:
>
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>

Yes, I've gone through this now and finally figured out the correct string
to set to get it back to the old behavior: \\PDC\%USERNAME%\profile

However, I now have a new problem.  Profiles will synchronize (even after a
delprof), but for most of our users, Windows will barf the error: "The
Group Policy Client service failed the logon.  Access is denied."  This is
almost identical to the problem I had before, except that was the "User
Profile Service."

Digging into it more I've found this is some issue in their profile
itself.  I verified this by simply renaming their current profile
(profile.V2) to something else, delprof their machine, and having them log
in again.  Windows of course creates a new profile.V2 folder the first
time, and after logging in and out a second time a full working profile is
present (this behavior is identical to what happened in Samba 3.x when
creating new profiles).  However, if I delete this new (working) profile,
rename their old (non-working) profile back to profile.V2, delprof the
machine, and have them log in again... well, you guessed it: "The Group
Policy Client service failed the logon.  Access is denied."

So clearly it's something buried in their original profile.  A SID
somewhere that wasn't updated perhaps?  Is there anything I can change or
simply delete from their old profiles to get it working with the new AD
domain, without recreating all their profiles from scratch?

> - Passwordless accounts don't seem to be permitted despite null
> > passwords = true?
>
> No, that will not work, also why do you want blank passwords, they are a
> bad idea.
>

This is just for guest accounts with mandatory profiles.  I'm guessing this
is buried in a GPO somewhere so I'll just hunt around to find out.

Thanks again,
- Ian