Force Active Directory Users to Log Into a Shared Local Profile.
I've searched long and hard for an answer to this but I've found very little info on it so I'm starting to wonder if it's at all possible.
On some of our "Presenter PC's" at work it has been deemed that the creation of a new account from the Default profile takes too long when logging into Active Directory and slows presenting down too much. Our Default profile is probably around 120Mb due to
the contents of the image after deployment and how every application is tailored for use hence the AppData folder takes the bulk of the size up and it's not an option to remove it.
These PC's are (for now at least but hopefully not for much longer) locked down by Deep Freeze which resets all changes to all files when the PC is rebooted so a shared profile is not a problem at this point in time.
What I want to know is whether there is ANY way to make it so that a user authenticating to Active Directory can ALWAYS be forced into a pre-configured, local profile running on Win 7 32/64 Pro?
I've been looking at credential providers and replacing USERINIT.exe. I'm just not 100% sure which part of the process actually tells the PC which profile to use. I know that the registry is checked for the user GUID and if not present creates a new entry and
copies the Default profile but I don't know quite where this is called and how to modify it.
My programming knowledge limited to a bit of CMD and AutoIt but I do know a few coders so if we really have to get our hands dirty on this it isn't the end of the world.
I should also add I've recently been toying with taking the AppData folder outside of the Default profile and creating a SymLink to it but upon copying the Default profile to a new profile (much quicker and more acceptable) the SymLink is lost and replaced
with a relatively empty set of folders which can't be deleted and replaced with a SymLink because the LSASS.exe process is using it and obviously you can't stop that process...
Making the PC log into a local profile on startup is also not an option because a user MUST log into AD to not be in breach of our AUP and all network drives must be availalbe (mapped by GPo and login script).
Any help is more than welcome at this point in time as I've pretty much exhausted all avenues that I know of and have turned to you helpful folk. Cheers
Hi,
For mandatory profile, I suggest you refer to the following articles:
Customize the default local user profile when preparing an image of Windows
http://support.microsoft.com/kb/973289
mandatory profiles
http://social.technet.microsoft.com/Forums/en/w7itproinstall/thread/d2406a55-e053-45c5-b064-bf009c4bfafc
Hope this helps.
Vincent Wang
TechNet Community Support
Similar Messages
-
Window Active Directory users cannot see home drive when logon to Macs
This problem just occurred, so that tells me either 10.4.9 has done it or a security update to Windows 2003 Server.
Looking for any tech saavy network guru to help.
Windows 2003 Server houses active directory. Users in the past were able to log on to a Macintosh computer and their home drive would appear on the desktop.
Now 'all of a sudden' any user that logs onto a Macintosh computer with an AD account does not see their home drive on the desktop.
Has anyone else had this problem? Any suggestions on how to resolve it? I haven't unbound the Mac from AD yet will try that tomorrow.
JTSFixed this...a corrupted keychain item that contained the users prior used network password was the culprit.
Once I delted the corrupted keychain, active directory users can log on a Mac and see their home directory on the desktop.
JTS -
Cannot log into DTR with Active Directory User
Greetings,
I have set up and installed JDI correctly. I can log into /devinf, the cbs, cms and sld systems with no problem using both Administrator and my JDI.Administrator that I assigned to an Active Directory user. I can log into the DTR using a user from the database (i.e. Administrator), however, when trying to access the DTR with an Active Directory user, I get the following message:
500 Internal Server Error
SAP J2EE Engine/6.40
Application error occurred during the request procession.
Details: Error [javax.servlet.ServletException: Group found, but unique name "businessUnit.all.guests" is not unique!], with root cause [com.tssap.dtr.server.deltav.InternalServerException: Group found, but unique name "businessUnit.all.guests" is not unique!]. The ID of this error is
Exception id: [0012798F81680042000000090000165C0003FE9AA3C0B86B].
This group exists in multiple domainshowever, this has not caused us any issues to date with our portal and other pieces of SAP WASit's only this DTR error.
Any help is greatly appreciated.
Thanks,
MartyHi Marty,
In the document available at the link enclosed below, there is a part that explains how to configure DTR so that it always uses "Unique-IDs".
http://help.sap.com/saphelp_nw04/helpdata/en/20/f4a94076b63713e10000000a155106/frameset.htm
It is mentioned that this is valid for LDAP, but the information is applicable for Active Directory as well.
Regards,
Manohar -
Logging into weblogic console using Active directory users?
Hi,
We developed a portal application using BEA 8.1 by getting users from embidded LDAP provided with the weblogic server.Now we need to access the users accounts stored in active directory.we configured new active directory authenticator and able to see the user and group names in the weblogic console. when we try to login to the console using one of the active directory user names, we are unable to login.
I would be thankful if any one can help on this.
Thanks & Regards
Surendranath ReddyHi Surendranath,
I am trying to attempt the same task, but have been unsuccessful so far. If you have had any luck with this, please let me know.
I can get MS AD to work just fine in the Security Provider and it works via the developers application, but I cannot login using the Active Directory users from the Admin Console.
Thanks,
Kevin. -
I am new to Orchestrator. I am using Orchestrator 2012 R2 on a Hyper-V running Server 2008. I have been trying to set up a Runbook to sweep AD for user accounts that have not logged in for 90 days and have those accounts automatically disabled
and moved to another OU. However, I would be happy just to have the account just be disabled. If you need any more info or I have posted in the wrong forum, please let me know.
ThanksHi,
there is no SCO Activity to do this.
Problem with this is, the LastLogedOn Times are not synced between DomainControllers.
Best will be you take a look at this PowerShell Script
http://gallery.technet.microsoft.com/scriptcenter/Get-Active-Directory-User-bbcdd771
and change it to your needs
Seidl Michael | http://www.techguy.at |
twitter.com/techguyat | facebook.com/techguyat -
Issue with Active Directory User Target Recon
Hi ,
I am facing an issue with Active Directory User Target Recon
My environment is OIM 11g R2 with BP03 patch applied
AD Connector is activedirectory-11.1.1.5 with bundle patch 14190610 applied
In my Target there are around 28000 users out of which 14000 have AD account (includes Provisioned,Revoked,Disabled accounts)
When i am running Active Directory User Target Recon i am not putting any filter cleared the batch start and batch size parameters and ran the recon job .Job ran successfully but it stopped after processing around 3000 users only.
Retried the job two three times but every time it is stopping after processing some users but not processing all the users.
Checked the log file oimdiagnostic logs and Connector server logs cannot see any errors in it.
Checked the user profile of users processed can see AD account provisioned for users
My query is why this job is not processing allthe users.Please point if i am missing some thing .
thanks in advanceCheck the connector server load when you are running the recon. Last time I checked the connector, the way it was written is that it loads all the users from AD into the connector server memory and then sends them to OIM. So if the number was huge, then the connector server errored out and did not send data to OIM. We then did recon based on OUs to load/link all the users into OIM. Check the connector server system logs and check for memory usage etc.
-Bikash -
Hi My self Arun in my current project i have a task on that active directory user need to automatically populate in share point list drop down please help me. is that any out of box feature in share point 2010 ?
Thanking You
ArunArun,
If you plan to implement the "Querying the Active Directory" based on my code snippet,
and if you do not have permission [your account must be the part of domain admin] to do so,
Then still you can do it in least effort through code,
string usersInXml = SPContext.Current.Web.AllUsers.Xml;your xml string look like this.
<Users><User ID="2" Sid="" Name="Administrator"
LoginName="i:0#.w|murugesan\administrator" Email="" Notes="" IsSiteAdmin="True" IsDomainGroup="False" Flags="0" /><User ID="1" Sid="" Name="Murugesa Pandian" LoginName="i:0#.w|murugesan\murugesan" Email="" Notes="" IsSiteAdmin="True" IsDomainGroup="False" Flags="0" /><User ID="1073741823" Sid="S-1-0-0" Name="System Account" LoginName="SHAREPOINT\system" Email="" Notes="" IsSiteAdmin="False" IsDomainGroup="False" Flags="0" /></Users>
You can user Linq to XML to filter the "LoginName,Name and Email and then populate your drop down list.
* User must be logged into the site at least once.
Murugesa Pandian.,MCTS|App.Devleopment|Configure -
How to import your MS Active Directory users in an Oracle table
Hello,
I first tried to get a Heterogenous Connection to my MS Active Directory to get information on my Active Directory users.
This doesn't work so I used an alternative solution:
How to import your MS Active Directory users in an Oracle table
- a Visual Basic script for export from Active Directory
- a table in my database
- a SQL*Loader Control-file
- a command-file to start the SQL*Loader
Now I can schedule the vsb-script and the command-file to get my information in an Oracle table. This works fine for me.
Just to share my scripts:
I made a Visual Basic script to make an export from my Active Directory to a CSV-file.
'Export_ActiveDir_users.vbs 26-10-2006
'Script to export info from MS Active Directory to a CSV-file
' Accountname, employeeid, Name, Function, Department etc.
' Richard de Boer - Wetterskip Fryslan, the Nethterlands
' samaccountname Logon Name / Account
' employeeid Employee ID
' name name
' displayname Display Name / Full Name
' sn Last Name
' description Description / Function
' department Department / Organisation
' physicaldeliveryofficename Office Location Wetterskip Fryslan
' streetaddress Street Address Harlingerstraatweg 113
' l City / Location Leeuwarden
' mail E-mail adress
' wwwhomepage Web Page Address
' distinguishedName Full unique name with cn, ou's, dc's
'Global variables
Dim oContainer
Dim OutPutFile
Dim FileSystem
'Initialize global variables
Set FileSystem = WScript.CreateObject("Scripting.FileSystemObject")
Set OutPutFile = FileSystem.CreateTextFile("ActiveDir_users.csv", True)
Set oContainer=GetObject("LDAP://OU=WFgebruikers,DC=Wetterskip,DC=Fryslan,DC=Local")
'Enumerate Container
EnumerateUsers oContainer
'Clean up
OutPutFile.Close
Set FileSystem = Nothing
Set oContainer = Nothing
WScript.Echo "Finished"
WScript.Quit(0)
Sub EnumerateUsers(oCont)
Dim oUser
For Each oUser In oCont
Select Case LCase(oUser.Class)
Case "user"
If Not IsEmpty(oUser.distinguishedName) Then
OutPutFile.WriteLine _
oUser.samaccountname & ";" & _
oUser.employeeid & ";" & _
oUser.Get ("name") & ";" & _
oUser.displayname & ";" & _
oUser.sn & ";" & _
oUser.description & ";" & _
oUser.department & ";" & _
oUser.physicaldeliveryofficename & ";" & _
oUser.streetaddress & ";" & _
oUser.l & ";" & _
oUser.mail & ";" & _
oUser.wwwhomepage & ";" & _
oUser.distinguishedName & ";"
End If
Case "organizationalunit", "container"
EnumerateUsers oUser
End Select
Next
End SubThis give's output like this:
rdeboer;2988;Richard de Boer;Richard de Boer;de Boer;Database Administrator;Informatie- en Communicatie Technologie;;Harlingerstraatweg 113;Leeuwarden;[email protected];;CN=Richard de Boer,OU=Informatie- en Communicatie Technologie,OU=Afdelingen,OU=WFGebruikers,DC=wetterskip,DC=fryslan,DC=local;
tbronkhorst;201;Tjitske Bronkhorst;Tjitske Bronkhorst;Bronkhorst;Configuratiebeheerder;Informatie- en Communicatie Technologie;;Harlingerstraatweg 113;Leeuwarden;[email protected];;CN=Tjitske Bronkhorst,OU=Informatie- en Communicatie Technologie,OU=Afdelingen,OU=WFGebruikers,DC=wetterskip,DC=fryslan,DC=local;I made a table in my Oracle database:
CREATE TABLE PG4WF.ACTD_USERS
samaccountname VARCHAR2(64)
, employeeid VARCHAR2(16)
, name VARCHAR2(64)
, displayname VARCHAR2(64)
, sn VARCHAR2(64)
, description VARCHAR2(100)
, department VARCHAR2(64)
, physicaldeliveryofficename VARCHAR2(64)
, streetaddress VARCHAR2(128)
, l VARCHAR2(64)
, mail VARCHAR2(100)
, wwwhomepage VARCHAR2(128)
, distinguishedName VARCHAR2(256)
)I made SQL*Loader Control-file:
LOAD DATA
INFILE 'ActiveDir_users.csv'
BADFILE 'ActiveDir_users.bad'
DISCARDFILE 'ActiveDir_users.dsc'
TRUNCATE
INTO TABLE PG4WF.ACTD_USERS
FIELDS TERMINATED BY ';'
( samaccountname
, employeeid
, name
, displayname
, sn
, description
, department
, physicaldeliveryofficename
, streetaddress
, l
, mail
, wwwhomepage
, distinguishedName
)I made a cmd-file to start SQL*Loader
: Import the Active Directory users in Oracle by SQL*Loader
D:\Oracle\ora92\bin\sqlldr userid=pg4wf/<password>@<database> control=sqlldr_ActiveDir_users.ctl log=sqlldr_ActiveDir_users.logI used this for a good list of active directory fields:
http://www.kouti.com/tables/userattributes.htm
Greetings,
Richard de BoerI have a table with about 50,000 records in my Oracle database and there is a date column which shows the date that each record get inserted to the table, for example 04-Aug-13.
Is there any way that I can find out what time each record has been inserted?
For example: 04-Aug-13 4:20:00 PM. (For my existing records not future ones)
First you need to clarify what you mean by 'the date that each record get inserted'. A row is not permanent and visible to other sessions until it has been COMMITTED and that commit may happen seconds, minutes, hours or even days AFTER a user actually creates the row and puts a date in your 'date column'.
Second - your date column, and ALL date columns, includes a time component. So just query your date column for the time.
The only way that time value will be incorrect is if you did something silly like TRUNC(myDate) when you inserted the value. That would use a time component of 00:00:00 and destroy the actual time. -
I need a script that will find the computer a user last logged into.
I am still learning scripting, I need a script that will allow me to pull in usernames from a csv file. Find what computer they last logged into and output that to an csv file.
I have looked all over and can't find exactly what I need.
I found the following script but I need to add the resuitsize unlimited but can not figure out where to put it we have a large environment. Also I need to be able to grab username from a csv file. Any assistance you can provide is appreciated.
## Find out what computers a user is logged into on your domain by running the script
## and entering in the requested logon id for the user.
## This script requires the free Quest ActiveRoles Management Shell for Active Directory
## snapin http://www.quest.com/powershell/activeroles-server.aspx
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
$ErrorActionPreference = "SilentlyContinue"
# Retrieve Username to search for, error checks to make sure the username
# is not blank and that it exists in Active Directory
Function Get-Username {
$Global:Username = Read-Host "Enter username you want to search for"
if ($Username -eq $null){
Write-Host "Username cannot be blank, please re-enter username!!!!!"
Get-Username}
$UserCheck = Get-QADUser -SamAccountName $Username
if ($UserCheck -eq $null){
Write-Host "Invalid username, please verify this is the logon id for the account"
Get-Username}
get-username resultsize unlimited
$computers = Get-QADComputer | where {$_.accountisdisabled -eq $false}
foreach ($comp in $computers)
$Computer = $comp.Name
$ping = new-object System.Net.NetworkInformation.Ping
$Reply = $null
$Reply = $ping.send($Computer)
if($Reply.status -like 'Success'){
#Get explorer.exe processes
$proc = gwmi win32_process -computer $Computer -Filter "Name = 'explorer.exe'"
#Search collection of processes for username
ForEach ($p in $proc) {
$temp = ($p.GetOwner()).User
if ($temp -eq $Username){
write-host "$Username is logged on $Computer"If you are querying by user "resultset size" will be of no use.
You also have functions that are never used and the body code doe snot look for users.
Here is what you scrip looks like if printed well. It is just a jumble of pasted together and unrelated items.
## Find out what computers a user is logged into on your domain by running the script
## and entering in the requested logon id for the user.
## This script requires the free Quest ActiveRoles Management Shell for Active Directory
## snapin http://www.quest.com/powershell/activeroles-server.aspx
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
$ErrorActionPreference = "SilentlyContinue"
# Retrieve Username to search for, error checks to make sure the username
# is not blank and that it exists in Active Directory
Function Get-Username {
$Global:Username = Read-Host "Enter username you want to search for"
if ($Username -eq $null) {
Write-Host "Username cannot be blank, please re-enter username!!!!!"
Get-Username
$UserCheck = Get-QADUser -SamAccountName $Username
if ($UserCheck -eq $null) {
Write-Host "Invalid username, please verify this is the logon id for the account"
Get-Username
get-username resultsize unlimited
$computers = Get-QADComputer | where { $_.accountisdisabled -eq $false }
foreach ($comp in $computers) {
$Computer = $comp.Name
$ping = new-object System.Net.NetworkInformation.Ping
$Reply = $null
$Reply = $ping.send($Computer)
if ($Reply.status -like 'Success') {
#Get explorer.exe processes
$proc = gwmi win32_process -computer $Computer -Filter "Name = 'explorer.exe'"
#Search collection of processes for username
ForEach ($p in $proc) {
$temp = ($p.GetOwner()).User
if ($temp -eq $Username) {
write-host "$Username is logged on $Computer"
I suggest finding the original code then use the learning link at the top of this page to help you understand how it works in Powershell.
¯\_(ツ)_/¯ -
11gr2 Active Directory User Target Delete Recon Search Root
Hi All,
latest AD conector with the patch.
Have a situation where I need to change the root or base search for the delete recon. by default it seams to want to search at the domain level but that won't work for us. Checked the doc and can't seem to find anyway to change this for the delete recon.
Thanx in advance
FredHi,
The issue is still pending. I am specifying the following parameters for the scheduled job :
Batch Size : 100
Object Type : User
Batch Start : 1
Resource Object Name : AD User
Filter : startsWith('samAccountName','c')
Scheduled Task Name : Active Directory User Target Recon
Incremental Recon Attribute : uSNChanged
Search Base : <blank>
IT Resource Name : Active Directory
Search Scope : subtree
Latest Token : <blank>
Sort By : samAccountName
Number of Batches : All
Sort Direction : asc
The job runs successfully but no records are reconciled into UD_ADUSER table and the job reports the following error in the logs :
[2012-10-25T02:32:04.785-07:00] [oim_server1] [ERROR] [] [org.quartz.impl.jdbcjobstore.JobStoreCMT] [tid: QuartzScheduler_OIMQuartzScheduler-iamoimdev-v1.capgroup.com1351057898397_MisfireHandler] [userId: oiminternal] [ecid: 80eeb34d89d5ed80:-343bffe9:13a9150ba30:-8000-0000000000000005,1:24567] [APP: oim#11.1.2.0.0] MisfireHandler: Error handling misfires: Unexpected runtime exception: null[[
org.quartz.JobPersistenceException: Unexpected runtime exception: null [See nested exception: java.lang.NullPointerException]
at org.quartz.impl.jdbcjobstore.JobStoreSupport.doRecoverMisfires(JobStoreSupport.java:3042)
at org.quartz.impl.jdbcjobstore.JobStoreSupport$MisfireHandler.manage(JobStoreSupport.java:3789)
at org.quartz.impl.jdbcjobstore.JobStoreSupport$MisfireHandler.run(JobStoreSupport.java:3809)
Caused by: java.lang.NullPointerException
at org.quartz.SimpleTrigger.computeNumTimesFiredBetween(SimpleTrigger.java:800)
at org.quartz.SimpleTrigger.updateAfterMisfire(SimpleTrigger.java:514)
at org.quartz.impl.jdbcjobstore.JobStoreSupport.doUpdateOfMisfiredTrigger(JobStoreSupport.java:944)
at org.quartz.impl.jdbcjobstore.JobStoreSupport.recoverMisfiredJobs(JobStoreSupport.java:898)
at org.quartz.impl.jdbcjobstore.JobStoreSupport.doRecoverMisfires(JobStoreSupport.java:3029)
Edited by: IDM_newbie on Oct 25, 2012 2:38 AM -
Is it possible to get the active directory user name of the person
Is it possible to get the active directory user name of the person who is logged onto a windows computer, when they are using your coldfusion site, the same way asp pages can do that?
SECOND TRY TO POST THIS REPLY
You have to turn on "Windows Integrated Security" and turn off anonymous login in the IIS web server, once that condition is met the cgi.AUTH_USER variable will be popluated with the domain/username of the user logged into the cient computer.
If the user is using a windows browser on a windows client computer this will be done silently in the background. Otherwise they will normally be presented with a login dialog box by the browser. -
We recently upgraded from 10.6 server to 10.8 server and are having trouble with AFP shares and Active Directory. We have shares on each of our OS X servers that should be mountable by any Active Directory user at the site the server resides. In 10.6, this worked beautifully. Simply adding the appropriate AD groups with appropriate permissions to the ACL of the folder(s) being shared worked without a hitch. In 10.8 server, this is not working. Permissions are defined correctly (as far as I can tell), the server is bound to AD, but yet no AD user who should have access can mount the share. When attempting to mount the share on a 10.6 client, the user gets the short and simple "You entered an invalid username or password. Please try again." On a 10.7 client, the window shakes.
What confuses me even more is that no local users can mount the share as well. I try as our admin account, I receive the following error message on our 10.6 clients:
Actually, as I was forumulating this post, logging in as the server administrator account is now working...???!!!
This was the error message we were receiving on 10.7 clients before it magically started working:
In any case, authenticating as an AD user is still no go. Any ideas?I had something similar to this. In the name field put in DOMAIN\username rather than just the name.
-
Best practice for Active Directory User Templates regarding Distribution Lists
Hello All
I am looking to implement Active Directory User templates for each department in the company to make the process of creating user accounts for new employees easier. Currently when a user is created a current user's Active directory account is copied, but
this has led to problems with new employees being added to groups which they should not be a part of.
I have attempted to implement this in the past but ran into an issue regarding Distribution Lists. I would like to set up template users with all group memberships that are needed for the department, including distribution lists. Previously I set this up
but received complaints from users who would send e-mail to distribution lists the template accounts were members of.
When sending an e-mail to the distribution list with a member template user, users received an error because the template account does not have an e-mail address.
What is the best practice regarding template user accounts as it pertains to distribution lists? It seems like I will have to create a mailbox for each template user but I can't help but feel there is a better way to avoid this problem. If a mailbox is created
for each template user, it will prevent the error messages users were receiving, but messages will simply build up in these mailboxes. I could set a rule for each one that deletes messages, but again I feel like there is a better way which I haven't thought
of.
Has anyone come up with a better method of doing this?
Thank youYou can just add arbitrary email (not a mailbox) to all your templates and it should solve the problem with errors when sending emails to distribution lists.
If you want to further simplify your user creation process you can have a look at Adaxes (consider it's a third-party app). If you want to use templates, it gives you a slightly better way to do that (http://www.adaxes.com/tutorials_WebInterfaceCustomization_AllowUsingTemplatesForUserCreation.htm)
and it also can automatically perform tasks such as mailbox creation for newly created users (http://www.adaxes.com/tutorials_AutomatingDailyTasks_AutomateExchangeMailboxesCreationForNewUsers.htm).
Alternatively you can abandon templates at all and use customizable condition-based rules to automatically perform all the needed tasks on user creation such as OU allocation, group membership assignment, mailbox creation, home folder creation, etc. based on
the factors you predefine for them. -
Not able to open active directory user and computer in windows server 2008r2
Hi All techies,
i would like to know one issue which i am facing mostly, i have created 5 virtual machine all with window server2008r2 and one windows 7 on vm-ware now when ever i start my virtual machines everything going rite but when i try to open active directory user/
computer or domain and trust i get a following error "data from active directory user and computers is not available from dc(null) bcoz unspecified error" even when i chk in events log its give me no help, and after 15-30 min everything works good
Please let me know the cause of it and really appreciate it .
Thanks
AtulYou need to ensure that
1. group policy that says "wait for network before logon" is applied to all computers including servers and workstations is applied
2. DNS record exists for all DCs in DNS
3. If there are multiple Domain Controllers in Forests, then they point them as secondary DNS server. This way they will be able to resolve IPs if local DNS server service takes time to start.
As Chris mentioned, you need to start all DCs first, give a time of 5 minutes and then start member servers and workstations for successful logon.
- Sarvesh Goel - Enterprise Messaging Administrator -
SMB access for Active Directory users
Hi there,
My server is an OD Master bound to AD for authentication and my institution's Kerberos realm.
When I try to share files from the server via SMB and connect as an Active Directory user I get the following error in the logs:
[2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
adsverifyticket: smbkrb5_parse_name(myserver$) failed (Configuration file does not specify default realm)
[2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
I've read something vague about having to Kerberize the SMB service seperately so I'm not sure if that's the problem.
My smb.conf file is as follows:
; Configuration file for the Samba software suite.
; ============================================================================
; For the format of this file and comprehensive descriptions of all the
; configuration option, please refer to the man page for smb.conf(5).
; The following configuration should suit most systems for basic usage and
; initial testing. It gives all clients access to their home directories and
; allows access to all printers specified in /etc/printcap.
; BEGIN required configuration
; Parameters inside the required configuration block should not be altered.
; They may be changed at any time by upgrades or other automated processes.
; Site-specific customizations will only be preserved if they are done
; outside this block. If you choose to make customizations, it is your
; own responsibility to verify that they work correctly with the supported
; configuration tools.
[global]
debug pid = yes
log level = 1
server string = Mac OS X
printcap name = cups
printing = cups
encrypt passwords = yes
use spnego = yes
passdb backend = odsam
idmap domains = default
idmap config default: default = yes
idmap config default: backend = odsam
idmap alloc backend = odsam
idmap negative cache time = 5
map to guest = Bad User
guest account = nobody
unix charset = UTF-8-MAC
display charset = UTF-8-MAC
dos charset = 437
vfs objects = darwinacl,darwin_streams
; Don't become a master browser unless absolutely necessary.
os level = 2
domain master = no
; For performance reasons, set the transmit buffer size
; to the maximum and enable sendfile support.
max xmit = 131072
use sendfile = yes
; The darwin_streams module gives us named streams support.
stream support = yes
ea support = yes
; Enable locking coherency with AFP.
darwin_streams:brlm = yes
; Core files are invariably disabled system-wide, but attempting to
; dump core will trigger a crash report, so we still want to try.
enable core files = yes
; Configure usershares for use by the synchronize-shares tool.
usershare max shares = 1000
usershare path = /var/samba/shares
usershare owner only = no
usershare allow guests = yes
usershare allow full config = yes
; Filter inaccessible shares from the browse list.
com.apple:filter shares by access = yes
; Check in with PAM to enforce SACL access policy.
obey pam restrictions = yes
; Don't be trying to enforce ACLs in userspace.
acl check permissions = no
; Make sure that we resolve unqualified names as NetBIOS before DNS.
name resolve order = lmhosts wins bcast host
; Pull in system-wide preference settings. These are managed by
; synchronize-preferences tool.
include = /var/db/smb.conf
[printers]
comment = All Printers
path = /tmp
printable = yes
guest ok = no
create mode = 0700
writeable = no
browseable = no
; Site-specific parameters can be added below this comment.
; END required configuration.
Any help would be much appreciated!!
Thanks.I am now having the same problem - a Windows server trying to access a file share on the Mac Server is presented with the same error message in the log files:
[2009/06/29 21:34:56, 2, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:setupnew_vcsession(1260)
setupnew_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
[2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
adsverifyticket: smbkrb5_parsename(vifile$) failed (Configuration file does not specify default realm)
[2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
Workgroup manager can read from Active Directory - seems to be jiving correctly - my server (SMB) is in Domain Member mode...
When I try to access system from \\UNC command, I am presented with username/password prompt and nothing works.
Not feeling the Mac OS X love tonight.
Bill
System is bound to active directory - green light in Directory Utility
Maybe you are looking for
-
Restrict filter values that are shown in the selection screen
Hi Experts 1) Is it possible to restrict the filter values that are shown in the selection screen in BEx web? When a user are asked to enter a material number and uses the selection button in BEx web, he should only see material numbers for one speci
-
Exchange 2013, multiple IIS OWA sites with different authentication
Hi I have an exchange 2013 server with Client Access and Mailbox server installed. The server has an second ip address which I have bound an additional IIS site to. The additional IIS site is named ExchangeExternalFBA. The default web site is configu
-
Translating a report which is using excel template
Hello, We are working on a BI report using excel template. I've checked the report designer's user guide and it says template translation is a feature only supporting RTF and BI publisher layout template. I am wondering what is the best practice for
-
Dreamweaver Flash Video Player
Hi, I am a newbie to Flash and DreamWeaver. I thought I posted this yesterday but cannot find Posting. Can someone please help? Flash player and video work fine in Dreamweaver CS3 but do not work at all on Windows Vista PC with IE 7. I have all the f
-
How can you watch videos without flash player?
Is there any way to watch videos on ipad that say you need flash player. I know Apple does not support Flash Player. It's really annoying.