Samba 3.6 to 4.x: User Profile Service Failed the Login?

I'm trying to do a long overdue upgrade from samba 3.6 to 4.x (I've tried all available 4.x releases from ports, 4.2, 4.3, and 4.4), and I've run into the very strange error message in the title of this post. Why is it so strange? Well, let me start at the beginning.

I'm still trying to, for the time being, keep the NT4-style domain, and make as few changes as necessary to perform the upgrade. Everything is working swimmingly with 3.6 (aside from its age and lack of support), and I'm hoping for the same with samba 4. To upgrade, I took the following steps, more or less in order:

1. Stop and remove samba36 from ports
2. Install samba4x (I've tried all the current samba 4.x releases in ports)
3. Copy /usr/local/etc/smb.conf to /usr/local/etc/smb4.conf
4. Rename samba_enable to samba_server_enable in rc.conf
5. Moved the smbpasswd file into where samba 4 looks for it, /var/db/samba4/private/
6. Added acl allow execute always = true to my smb4.conf file, in case it was needed.
7. Started samba4_server

Now here's where it gets a little weird. Almost everything was working at this point. I could (and did on a test machine) leave and rejoin the domain on our Win7 desktops. Files could be downloaded/uploaded and I could open shares when I logged in on a local account on these desktops. But, if I try to log in on any user account, I get the cryptic error "User Profile Service Failed the Login."

At first I thought this was an issue with profile synchronization, but after investigating, I don't believe it is. Why? I cleared all the cached profiles off the Windows box with delprof (an MS utility that deletes all cached domain profiles, and their respective registry entries), and then tried to log the user in, paying careful attention to log.smbd. And, sure enough, I could see it download the entire profile via samba, and it was only *after* it downloaded the profile that I got the error.

So what gives? I looked a little deeper at higher verbosity levels of logging, and I did see one curious error relating to SPNEGO, and found a few other users had issues with a change to the defaults from 3.x to 4.x, so I tried adding client use spnego = no to my smb4.conf in the global section, but this hasn't changed anything. I also tried renaming the user's existing profile, so it would create a new one upon logging in, but this hasn't helped things either.

If you have any ideas or suggestions on where to start, I'm all ears, as I'm stumped at how to proceed. Things appear to basically be functioning correctly on samba's end, but Windows refuses to let accounts log in.
Going to bump this as it's been over a year and things are becoming increasingly inconvenient now that samba36 is gone from ports. I'll also ask on the samba mailing list.