4.6 Common Errors
" Cannot Be Included in Machine
The machine account must have the exact name that the workstation has.
The UNIX tool vipw is a common tool for directly editing the /etc/passwd file.
"I get told, 'You already have a connection to the Domain...' or 'Cannot join domain, the credentials supplied conflict with an existing set...' when creating a Machine Trust Account."
This happens if you try to create a Machine Trust Account from the machine itself and already have a connection (e.g., mapped drive) to a share (or IPC$) on the Samba PDC. The following command will remove all network drive connections:
C:\> net use * /d
Further, if the machine is already a "member of a workgroup" that has the same name as the domain you are joining (bad idea), you will get this message. Change the workgroup name to something else (it does not matter what), reboot, and try again.
I joined the domain successfully but after upgrading to a
This occurs when the domain SID stored in the secrets.tdb database is changed. The most common cause of a change in domain SID is when the domain name and/or the server name (NetBIOS name) is changed. The only way to correct the problem is to restore the original domain SID or remove the domain client from the domain and rejoin. The domain SID may be reset using either the net or rpcclient utilities.
To reset or change the domain SID you can use the net command as
root# net getlocalsid 'OLDNAME'
root# net setlocalsid 'SID'
Workstation Machine Trust Accounts work only with the Domain (or network) SID. If this SID changes, Domain Members (workstations) will not be able to log onto the domain. The original Domain SID can be recovered from the secrets.tdb file. The alternative is to visit each workstation to re-join it to the domain.
"When I try to join the domain I get the message, 'The machine account for this computer either does not exist or is not accessible'. What's wrong?"
This problem is caused by the PDC not having a suitable Machine Trust Account. If you are using the add machine script method to create accounts then this would
Alternately, if you are creating account entries manually then they have not been created correctly. Make sure that the entry for the Machine Trust Account in the smbpasswd file on the Samba PDC is correct. If you added the account using an editor rather than using the smbpasswd utility, make sure that the account name is the machine NetBIOS name with a "$" appended to it (i.e., computer_name$). There must be an entry in both /etc/passwd and the smbpasswd file.
Some people have also
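The manual-entry check described above (an entry in both files, account name ending in "$"), as an added example that is not part of the original page. The function names and sample hosts are hypothetical; it assumes the smbpasswd(5) text format, in which the flag letter W marks a workstation trust account, D marks a disabled account, and the uid field must match the UNIX uid.

```shell
#!/bin/sh
# Added example: read-only check of a Machine Trust Account on a Samba PDC
# that uses the smbpasswd backend. Names are compared case-insensitively
# (assumption: NetBIOS names are not case-sensitive).

# check_machine_account NETBIOS_NAME PASSWD_FILE SMBPASSWD_FILE
# Prints one finding per line; returns 0 only when nothing is wrong.
check_machine_account() {
    acct="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')\$"
    rc=0
    # passwd fields: name:password:uid:gid:gecos:home:shell
    unix_uid=$(awk -F: -v a="$acct" 'tolower($1) == a { print $3; exit }' "$2")
    [ -n "$unix_uid" ] || { echo "MISSING_UNIX: no $acct in $2"; rc=1; }
    # smbpasswd fields: name:uid:LM hash:NT hash:[flags]:LCT-time:
    smb=$(awk -F: -v a="$acct" 'tolower($1) == a { print $2 ":" $5; exit }' "$3")
    if [ -z "$smb" ]; then
        echo "MISSING_SMB: no $acct in $3"
        return 1
    fi
    smb_uid=${smb%%:*}
    flags=${smb#*:}
    # W marks a workstation trust account, D a disabled account.
    case $flags in *W*) ;; *) echo "NOT_TRUST: $acct flags $flags lack W"; rc=1 ;; esac
    case $flags in *D*) echo "DISABLED: $acct flags $flags contain D"; rc=1 ;; esac
    if [ -n "$unix_uid" ] && [ "$unix_uid" != "$smb_uid" ]; then
        echo "UID_MISMATCH: $acct passwd uid $unix_uid, smbpasswd uid $smb_uid"
        rc=1
    fi
    [ "$rc" -ne 0 ] || echo "OK: $acct present in both files"
    return "$rc"
}

# Constructed sample files (hash fields are the all-X placeholder, no real data).
write_sample_files() {
    x=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    printf '%s\n' 'ws01$:x:1001:200::/dev/null:/bin/false' \
        'ws04:x:1004:200::/dev/null:/bin/false' > "$1/passwd"
    printf '%s\n' "ws01\$:1001:$x:$x:[W          ]:LCT-00000000:" \
        "ws02\$:1002:$x:$x:[DW         ]:LCT-00000000:" \
        "ws04:1004:$x:$x:[W          ]:LCT-00000000:" > "$1/smbpasswd"
}

tmp=$(mktemp -d) && write_sample_files "$tmp"
for host in WS01 ws02 ws04; do
    check_machine_account "$host" "$tmp/passwd" "$tmp/smbpasswd" || true
done
rm -rf "$tmp"
```

In the sample data, ws04 was entered without the trailing "$", so it is reported as missing from both files even though a line for it exists in each.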
"When I attempt to log in to a Samba Domain from a NT4/W200x workstation, I get a message about my account being disabled."
Enable the user accounts with smbpasswd -e username. This is normally done as an account is created.
Until a few minutes after Samba has started,
A Domain Controller has to announce its role on the network. This usually takes a while. Be patient for up to fifteen minutes, then try again.
After successfully joining the domain, user
testparm -v | more and looking for the value of these parameters.
Also use the Microsoft Management Console - Local Security Settings. This tool is available from the Control Panel. The Policy settings are found in the Local Policies/Security Options area and are prefixed by Secure Channel: ..., and Digitally sign ....
It is important that these be set consistently with the Samba-3 server settings.