Comment 14 for bug 2024377

Hey,

Unfortunately with Samba logs there's a lot of noise to filter out. I compared one of your runs with my (successful) run and I noticed something interesting.

We do a LDAP search to get the list of GPOs using the domain controller exposed by SSSD via D-Bus. For you the DC is autoselected as "n060adkhdc121". The list of GPOs is a list of URLs reported as "smb://domain.com/SysVol/domain.com/Policies..." which doesn't contain the DC name, only the domain name.

When we download the GPOs, libsmbclient will try to resolve a DC from the domain, in your case it appears there are a lot of DCs advertised (looking at the "Connecting to ... at port ..." prints). For some reason, the DC selected by libsmbclient is "N060ADKAZ103" instead of the DC reported by SSSD. Hence we end up with this error:

SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.

I've pushed another build to the PPA mentioned above, where the GPO URLs are rewritten to contain the hostname of the DC in addition to the domain which will bypass the autoselect/discovery logic of libsmbclient and reuse the server exposed by SSSD when downloading the GPO data. You can install the package using the same steps from my previous comment. Please let me know if it works for you.