4.6 Common Errors

4.6.2 Joining Domain Fails Because of Existing Machine Account

" I get told, 'You already have a connection to the Domain...' or 'Cannot join domain, the credentials supplied conflict with an existing set...' when creating a Machine Trust Account ."

This happens if you try to create a Machine Trust Account from the machine itself and already have a connection (e.g., mapped drive) to a share (or IPC$) on the Samba PDC. The following command will remove all network drive connections:

C:\> net use * /d

Further, if the machine is already a " member of a workgroup " that is the same name as the domain you are joining (bad idea) you will get this message. Change the workgroup name to something else, it does not matter what, reboot, and try again.

4.6.3 The System Cannot Log You On (C000019B)

" I joined the domain successfully but after upgrading to a newer version of the Samba code I get the message, 'The system cannot log you on (C000019B), Please try again or consult your system administrator when attempting to logon ."

This occurs when the domain SID stored in the secrets.tdb database is changed. The most common cause of a change in domain SID is when the domain name and/or the server name (NetBIOS name) is changed. The only way to correct the problem is to restore the original domain SID or remove the domain client from the domain and rejoin. The domain SID may be reset using either the net or rpcclient utilities.

To reset or change the domain SID you can use the net command as follows :

root# net getlocalsid 'OLDNAME' root# net setlocalsid 'SID'

Workstation Machine Trust Accounts work only with the Domain (or network) SID. If this SID changes Domain Members (workstations) will not be able to log onto the domain. The original Domain SID can be recovered from the secrets.tdb file. The alternative is to visit each workstation to re-join it to the domain.

4.6.4 The Machine Trust Account Is Not Accessible

" When I try to join the domain I get the message, 'The machine account for this computer either does not exist or is not accessible'. What's wrong ?"

This problem is caused by the PDC not having a suitable Machine Trust Account. If you are using the add machine script method to create accounts then this would indicate that it has not worked. Ensure the domain admin user system is working.

Alternately, if you are creating account entries manually then they have not been created correctly. Make sure that you have the entry correct for the Machine Trust Account in smbpasswd file on the Samba PDC. If you added the account using an editor rather than using the smbpasswd utility, make sure that the account name is the machine NetBIOS name with a "$" appended to it (i.e., computer_name$). There must be an entry in both /etc/passwd and the smbpasswd file.

Some people have also reported that inconsistent subnet masks between the Samba server and the NT client can cause this problem. Make sure that these are consistent for both client and server.

4.6.5 Account Disabled

" When I attempt to login to a Samba Domain from a NT4/W200x workstation, I get a message about my account being disabled ."

Enable the user accounts with smbpasswd -e username . This is normally done as an account is created.

4.6.6 Domain Controller Unavailable

" Until a few minutes after Samba has started, clients get the error 'Domain Controller Unavailable "'

A Domain Controller has to announce its role on the network. This usually takes a while. Be patient for up to fifteen minutes, then try again.

4.6.7 Cannot Log onto Domain Member Workstation After Joining Domain

After successfully joining the domain, user logons fail with one of two messages: one to the effect that the Domain Controller cannot be found; the other claims that the account does not exist in the domain or that the password is incorrect. This may be due to incompatible settings between the Windows client and the Samba-3 server for schannel (secure channel) settings or smb signing settings. Check your Samba settings for client schannel, server schannel, client signing, server signing by executing:

testparm

-v  more and looking for the value of these parameters.

Also use the Microsoft Management Console ” Local Security Settings. This tool is available from the Control Panel. The Policy settings are found in the Local Policies/Securty Options area and are prefixed by Secure Channel: ..., and Digitally sign ....

It is important that these be set consistently with the Samba-3 server settings.