Re: Suse 10 ldap and samba error when saving user profiles

From: Claudia Neumann
Date: Tue Nov 29 2005 - 22:34:56 CET


On Thursday, 24 November 2005 at 10:37, wrote
> I have a big problem.
> I probably promised a friend too much and wanted to help him
> save considerable costs; Gates should not get any richer. I approached the
> solution too naively. Partial solutions are already finished.
[ ... ]
Too many problems at once. I don't know ldap. SuSe 10.0 I also
Samba-doc (Debian package) says the following:

The System Cannot Log You On (C000019B)

“I joined the domain successfully but after upgrading to a newer version of
the Samba code I get the message, `The system cannot log you on (C000019B),
Please try again or consult your system administrator when attempting to

This occurs when the domain SID stored in the secrets.tdb database is changed.
The most common cause of a change in domain SID is when the domain name
and/or the server name (NetBIOS name) is changed. The only way to correct the
problem is to restore the original domain SID or remove the domain client
from the domain and rejoin. The domain SID may be reset using either the net
or rpcclient utilities.

To reset or change the domain SID you can use the net command as follows:

root# net getlocalsid 'OLDNAME'
root# net setlocalsid 'SID'

Workstation Machine Trust Accounts work only with the Domain (or network) SID.
If this SID changes Domain Members (workstations) will not be able to log
onto the domain. The original Domain SID can be recovered from the
secrets.tdb file. The alternative is to visit each workstation to re-join it
to the domain.

The Machine Trust Account Is Not Accessible

“When I try to join the domain I get the message, `The machine account for
this computer either does not exist or is not accessible'. What's wrong?”

This problem is caused by the PDC not having a suitable Machine Trust Account.
If you are using the add machine script method to create accounts then this
would indicate that it has not worked. Ensure the domain admin user system is

Alternately, if you are creating account entries manually then they have not
been created correctly. Make sure that you have the entry correct for the
Machine Trust Account in smbpasswd file on the Samba PDC. If you added the
account using an editor rather than using the smbpasswd utility, make sure
that the account name is the machine NetBIOS name with a “$” appended to it
(i.e., computer_name$). There must be an entry in both /etc/passwd and the
smbpasswd file.

Some people have also reported that inconsistent subnet masks between the
Samba server and the NT client can cause this problem. Make sure that these
are consistent for both client and server.

Account Disabled

“When I attempt to login to a Samba Domain from a NT4/W200x workstation, I get
a message about my account being disabled.”

Enable the user accounts with smbpasswd -e username. This is normally done as
an account is created.

Domain Controller Unavailable

“Until a few minutes after Samba has started, clients get the error `Domain
Controller Unavailable'”

A Domain Controller has to announce its role on the network. This usually
takes a while. Be patient for up to fifteen minutes, then try again.

Cannot Log onto Domain Member Workstation After Joining Domain

After successfully joining the domain, user logons fail with one of two
messages: one to the effect that the Domain Controller cannot be found; the
other claims that the account does not exist in the domain or that the
password is incorrect. This may be due to incompatible settings between the
Windows client and the Samba-3 server for schannel (secure channel) settings
or smb signing settings. Check your Samba settings for client schannel,
server schannel, client signing, server signing by executing:

testparm -v | more

and looking for the value of these parameters.

Also use the Microsoft Management Console Local Security Settings. This tool
is available from the Control Panel. The Policy settings are found in the
Local Policies/Security Options area and are prefixed by Secure Channel: ...,
and Digitally sign .....

It is important that these be set consistently with the Samba-3 server


See Samba-doc and especially the section "Chapter 27. Integrating MS
Windows Networks with Samba".



Best regards

Claudia Neumann

When the flu sweeps through the land, my whole clan is filled with dread.
Received on Tue, 29 Nov 2005 22:34:56 +0100
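
The schannel and signing check that the quoted Samba documentation describes, as an added shell example that is not part of the original message or of Samba-doc: it pulls the four named parameters out of `testparm -v` output and classifies each one, so that the values can be compared with the Windows client's Secure Channel and Digitally sign policies. The function names, the class labels and the sample output are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Samba documentation quoted above).
# Constructed sample of the relevant lines of `testparm -v` output.
sample_testparm_output() {
cat <<'EOF'
[global]
	workgroup = EXAMPLE
	client schannel = Auto
	server schannel = Yes
	client signing = auto
	server signing = Mandatory
EOF
}

# Reads testparm output on stdin; prints "parameter|value|class" for the
# four parameters the text names. The class names are this example's own:
#   enforced   = yes / mandatory (the peer must support it)
#   disabled   = no / disabled   (fails if the peer insists on it)
#   negotiated = auto
#   unset      = parameter missing from the input
check_channel_settings() {
  awk -F'=' '
    BEGIN {
      n = split("client schannel,server schannel,client signing,server signing", want, ",")
      for (i = 1; i <= n; i++) val[want[i]] = ""
    }
    {
      key = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", key)
      if (key in val) {
        v = tolower($2); gsub(/^[ \t]+|[ \t]+$/, "", v)
        val[key] = v
      }
    }
    END {
      for (i = 1; i <= n; i++) {
        v = val[want[i]]
        if (v == "") c = "unset"
        else if (v == "yes" || v == "mandatory") c = "enforced"
        else if (v == "no" || v == "disabled") c = "disabled"
        else if (v == "auto") c = "negotiated"
        else c = "other"
        printf "%s|%s|%s\n", want[i], v, c
      }
    }'
}

# Offline demo on the sample; on a real server: testparm -s -v | check_channel_settings
sample_testparm_output | check_channel_settings
```

A parameter classed as enforced on the server needs the matching client policy enabled, and one classed as disabled needs the client's "always" variant of that policy turned off.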