Upon logon, Windows requests the group memberships of a user to determine what rights to assign. I am not assigned any of the rights and cannot log in using terminal server. However:

net user %username% /domain <- works
net group "Domain Admins" /domain <- works

According to Wireshark, the SAMR GetGroupsforUser call gives a malformed answer. Response is packet 20458 at 10.1837s.
Created attachment 6979 [details] Logon process
Created attachment 6983 [details] The capture of the network traffic between 2008R2 and Samba 3.6.0

Created another attachment, as the start of the TCP session was missing in the other capture. For some reason, Wireshark on my laptop parses the packet fine (not the Wireshark I made the capture with), suggesting the bug is not in the getgroupsforuser call.
Created attachment 6984 [details] The related log.smbd at level 10
No samlogon in that log, please reboot client and retry.
Created attachment 6985 [details] Log file at level 10

New log file, see line 14851
Okay, the groups rid array in the Netr_LogonSamLogon response is empty. This does work via Samr_GetGroupsForUser (net user .. /domain on Windows).
It appears to fail in samu_to_SamInfo3, the resulting rids are not stored. It appears that pdb_enum_group_memberships works as expected, but the compiler seems to optimize out the return values for some reason.

441 status = pdb_enum_group_memberships(mem_ctx, samu,
(gdb)
444 if (!NT_STATUS_IS_OK(status)) {
(gdb) print group_sids
$40 = <optimized out>
(gdb) print gids
$41 = <optimized out>
(gdb) next
450 if (num_group_sids) {
(gdb)
451 status = group_sids_to_info3(info3, group_sids, num_group_sids);
(gdb) step
group_sids_to_info3 (num_sids=<optimized out>, sids=<optimized out>, info3=<optimized out>) at auth/server_info.c:267
267 groups->rids = talloc_array(info3,
(gdb) next
samu_to_SamInfo3 (mem_ctx=<optimized out>, samu=0x7ffff8282210, login_server=<optimized out>, _info3=<optimized out>, extra=0x7ffff828abb0) at auth/server_info.c:451
451 status = group_sids_to_info3(info3, group_sids, num_group_sids);
(gdb) step
group_sids_to_info3 (num_sids=<optimized out>, sids=<optimized out>, info3=<optimized out>) at auth/server_info.c:264
264 domain_sid = info3->base.domain_sid;
(gdb) next
267 groups->rids = talloc_array(info3,
(gdb) next
269 if (!groups->rids) {
(gdb) print groups
$42 = <optimized out>
The problem is that group_sids_to_info3 can't verify the group because the domain sid is unavailable. Volker fixed this in commit 3dcec44f3edbc9c4f1946ead3480f6d01cd53e7a.

This bug is apparently a duplicate of bug 8455.
*** This bug has been marked as a duplicate of bug 8455 ***
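
A simplified model of the failure diagnosed in this report, added here as an illustration and not taken from Samba's source: it assumes group RIDs are obtained by checking each group SID against the domain SID, so an unset domain SID yields an empty RID array. The struct, the function names and all SID values are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified SID for illustration; not Samba's struct dom_sid. */
struct sid { uint8_t num_auths; uint32_t authority; uint32_t sub_auths[15]; };

/* Return 1 and store the RID only if sid is exactly domain plus one RID. */
static int peek_check_rid(const struct sid *domain, const struct sid *sid, uint32_t *rid)
{
    if (domain == NULL || domain->num_auths == 0)
        return 0; /* domain SID unavailable: nothing can be verified */
    if (sid->num_auths != domain->num_auths + 1 || sid->authority != domain->authority)
        return 0;
    if (memcmp(sid->sub_auths, domain->sub_auths, domain->num_auths * sizeof(uint32_t)) != 0)
        return 0;
    *rid = sid->sub_auths[sid->num_auths - 1];
    return 1;
}

/* Collect the RIDs of the group SIDs that belong to domain; returns the count. */
static size_t group_sids_to_rids(const struct sid *domain, const struct sid *sids,
                                 size_t n, uint32_t *rids)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t rid;
        if (peek_check_rid(domain, &sids[i], &rid))
            rids[count++] = rid;
    }
    return count;
}

/* Constructed sample data: a made-up domain SID and three group SIDs. */
static const struct sid DOMAIN = { 4, 5, { 21, 1111, 2222, 3333 } };
static const struct sid UNSET_DOMAIN = { 0, 0, { 0 } };
static const struct sid GROUPS[] = {
    { 5, 5, { 21, 1111, 2222, 3333, 512 } }, /* Domain Admins */
    { 5, 5, { 21, 1111, 2222, 3333, 513 } }, /* Domain Users */
    { 2, 5, { 32, 544 } },                   /* BUILTIN group, outside the domain */
};

static size_t demo(const struct sid *domain, uint32_t *rids)
{
    return group_sids_to_rids(domain, GROUPS, sizeof(GROUPS) / sizeof(GROUPS[0]), rids);
}

int main(void)
{
    uint32_t rids[3];
    printf("domain SID set:   %zu group RIDs\n", demo(&DOMAIN, rids));
    printf("domain SID unset: %zu group RIDs\n", demo(&UNSET_DOMAIN, rids));
    return 0;
}
```

In this model the membership lookup succeeds in both runs; only the conversion to RIDs comes back empty, which matches the symptom of a logon that carries no group rights while the direct group queries still work.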