[Samba] Problems after changing operating system and versions

Marian Mlcoch, Ing mm at tsmp.sk
Fri Jun 27 07:55:21 GMT 2003


"The system can not log you on (C000019B)...."
I joined the domain successfully but after upgrading to a newer version of
the Samba code I get the message, "The system can not log you on (C000019B),
Please try again or consult your system administrator" when attempting to
logon.

This occurs when the domain SID stored in private/WORKGROUP.SID is changed.
For example, you remove the file and smbd automatically creates a new one.
Or you are swapping back and forth between versions 2.0.7, TNG and the HEAD
branch code (not recommended). The only way to correct the problem is to
restore the original domain SID or remove the domain client from the domain
and rejoin.

This is text from the FAQ...

I don't know whether the SID is stored in LDAP, but I think not. In that case
you must restore it from the file on the old Samba system.

Bye.

----- Original Message ----- 
From: "Christoph Witzig" <christoph.witzig at opit.ch>
To: <samba at lists.samba.org>
Sent: Friday, June 27, 2003 8:20 AM
Subject: [Samba] Problems after changing operating system and versions


>
> Dear all,
>
> we have been using samba as PDC with ldap for over a year without any
> problems. Now we are trying to switch to another operating system
> version and another samba version and have big problems with
> our windows clients (NT, 2000 and XP). Some have problems logging on
> to the domain (error C000019B), others give the net helpmsg 3678
> (problems saving profile) and/or the netlogon script and profile is not
> properly executed. Strangely a few seem to work just fine!
>
> Old version:
> SuSE 8.0
> samba 2.2.4
> openldap 2.0.23
>
> New version:
> United Linux with SP 1+2 (and SP2 hotfix)
> samba 2.2.5-178
> openldap 2.2.14-86
>
>
> As I could nowhere find more information about how to properly
> make such a migration, I did naively the following:
>
> 1. profiles and user data are in an external RAID array (and weren't
> moved)
>
> 2. install new operating system on the same host giving him the
> same name and ip address.
>
> 3. export ldap from old host using slapcat and import it with ldapadd
> (after manually taking into account the modified samba schema between
> openldap 2.0 and 2.2). ldapadd did not report any problems while
> checking the schema so I assume that was done right.
>
> I should add, that at the same time the different ldap entries
> that used to be all together at the top of the ldap tree
> (uid=YYY,dc=samba,dc=org) were put into ou=groups,dc=samba,dc=org,
> ou=people,dc=samba,dc=org and ou=computer,dc=samba,dc=org to have
> them separated while browsing the ldap tree.
>
> In addition the computer account used to have an entry in the
> /etc/passwd and ldap (ldap had only sambaAccount no posixAccount).
> I changed this and added a posixAccount into the ldap entry for machines
> and removed all machine entries in the /etc/passwd.
> (The users and groups were already entirely in ldap).
>
> I was extra careful not to change any uid's, rid's etc in ldap
> between the old and new setup. No passwords were changed (the same ones
> were taken as before).
>
> 4. To setup pams and nss I configured the ldap client with yast2
> and verified the settings of nsswitch and /etc/security/pam_unix2.conf
>
> 5. Then I take the same smb.conf file as before. (domain name and all
> that were not changed).
>
> 6. The windows clients were not touched at all. In particular I did
> not take them out of the domain and add them again. I would like to
> avoid this at any cost because of the time involved. I tried this with
> a few machines and joining the domain seemed to work. However that
> did not fix the problems with the users logging into the PCs after that.
>
> 7. I tested the entire setup with a separate, smaller installation
> consisting of three PCs with one being the linux server (same
> software, same ldap info etc as the big server) and two windows PCs
> (2000 and NT). For this test setup I had no problems but of course I
> had to newly add the machines into the domain during the setup as they
> didn't exist in the original ldap setting.
>
>
> Now my questions:
> -----------------
> 1. Is the general approach correct or should be done different?
> 2. If 1 is ok, what have I done wrong and forgotten to do?
> 3. Among other things I read somewhere that the domain sid should also
> be the same, so this could be part of my problem. How can I do this? I
> couldn't figure it out using rpcclient. Is that the only thing that could
> be wrong?
>
> Unfortunately with many users using the real system my access
> is very limited and I don't have a lot of opportunities to just
> keep trying things out!
>
> Many thanks in advance
>
> Christoph
>
>
> -- 
>
>
>     Christoph Witzig
>     christoph.witzig at opit.ch
>
>     OPIT Solutions AG
>     Täfernstr. 11
>     CH-5405 Baden-Dättwil
>
>     Tel: +41 56 484-8000 / Fax: +41 56 484-8001 / Web: www.opit.ch
>
>
>