Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: twijtzes on November 28, 2008, 10:11:26 AM
-
Hello all,
Finally we have decided to move from SME server as a workgroup controller to SME server as a domain controller. In the past years the SME server worked flawlessly. Therefore I think I must be doing something wrong. Having struggled through more than a few posts here, I give up and play the dumb blonde.
In short, the windows machine (Win2k sp4) claims that my admin account is disabled/switched off when I try to log on to the domain for the first time after switching from workgroup (dutch: werkgroep) to domain. After entering the admin/password combination, I get an error message.
The exact message that I get from the windows machine is:
De volgende fout is opgetreden tijdens het lid worden van domein FOODSAFE:
Aanmeldingsfout: account is momenteel uitgeschakeld
I think that translates to
The following error has occurred while trying to join the domain FOODSAFE:
Login error: account is currently disabled (or switched off)
However:
I can log in on the server manager using my admin account, see emails etc etc. It all seems to work properly.
As I said, probably I am missing something, forgetting something. Please help.
Thanks for helping
Taco
The samba log says
[2008/11/28 10:27:40, 1] auth/auth_sam.c:sam_account_ok(142)
sam_account_ok: Account for user 'admin' was disabled.
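A small parser for the two-line Samba log records quoted above, added here as an example (it is not from the original post or from SME Server). It pulls out every logon that Samba refused because the account was disabled; the second record in the sample log is constructed.

```python
import re

# Samba 3 log header line: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<src>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
# Message written by sam_account_ok() when the account's "disabled" flag is set.
DISABLED_RE = re.compile(
    r"sam_account_ok: Account for user '(?P<user>[^']+)' was disabled\."
)

def parse_records(text):
    """Yield (header_fields, message) pairs. A record is one header line followed
    by one or more message lines (Samba indents them; the indent is optional here)."""
    header, msg_lines = None, []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            if header is not None:
                yield header, " ".join(msg_lines).strip()
            header, msg_lines = m.groupdict(), []
        elif header is not None:
            msg_lines.append(raw.strip())
    if header is not None:
        yield header, " ".join(msg_lines).strip()

def disabled_logons(text):
    """Return [(timestamp, user)] for each logon refused as 'account disabled'."""
    found = []
    for hdr, msg in parse_records(text):
        if hdr["func"] == "sam_account_ok":
            m = DISABLED_RE.search(msg)
            if m:
                found.append((hdr["ts"], m.group("user")))
    return found

# Constructed sample: the record from the post plus an unrelated, made-up record.
SAMPLE_LOG = """\
[2008/11/28 10:27:40, 1] auth/auth_sam.c:sam_account_ok(142)
  sam_account_ok: Account for user 'admin' was disabled.
[2008/11/28 10:28:02, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [taco] -> [taco] succeeded
"""

if __name__ == "__main__":
    for ts, user in disabled_logons(SAMPLE_LOG):
        print(f"{ts}: domain logon refused, account '{user}' is disabled")
```

Point it at /var/log/samba/smbd.log (or the per-client log) instead of SAMPLE_LOG to see which accounts are being refused during a join.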
-
Have you installed the registry patch from http://yourserver/server-resources/ ?
-
Great....
That seemed to do the trick TXS
BUT
Now it is complaining that the group policies are different... Any ideas?
Thanks
Taco
-
Not really, but check out your server's NETLOGON share to see whether there are any ntconfig.pol or ntconfig.man files present.
SME uses NT4 style policies.
-
Hi David,
I guess the netlogon is not a regular share, as it does not show up when I try to connect to it using my network places
Using PUTTY and MC I went to /home/e-smith/files/samba and found three directories
/netlogon
/printers
/profiles
The /netlogon directory only contains a file netlogon.bat which is obviously intended to set drive mappings and so forth. For the rest it is empty.
/printers has several directories for different printer types. (useful for later.....)
/profiles has user directories such as my own. All directories are empty.
I cannot find the files that you mention (ntconfig.pol or ntconfig.man). Furthermore I did a search across the server (find file in MC) and found no such files.
What to do ?
thanks in advance,
Taco
-
Well if there are no policies being set at the server level, you have come across a Win2K workstation issue, which, unfortunately, this forum is not really designed to address.
-
In short, the windows machine (Win2k sp4) claims that my admin account is disabled/switched off when I try to log on to the domain for the first time after switching from workgroup (dutch: werkgroep) to domain. After entering the admin/password combination, I get an error message.
It's a little unclear if you are having problems with your windows client administrator accounts or the SME admin account.
Speaking in general terms, when you switched from a peer-to-peer (workgroup) network to domain network, you introduced another authentication layer to your setup. With a windows domain network, you have machine (or local) authentication and domain (or network) authentication. Whereas, with a peer-to-peer (workgroup) network, you are only dealing with the machine (local) authentication.
When you log into a windows domain you are granted certain network privileges and certain machine (local) privileges, based on the domain group(s) which you are a member of. The standard domain group Domain Admins is the group that is granted both domain administrator privileges and local machine administrator privileges.
Out-of-the-box, SME is configured so that the only SME user who is a member of the Domain Admins group is the SME "admin" user. You can change this by accessing the SME Groups server-manager panel and defining a group called something like "da" with the description "Domain Admins" This will map the SME group "da" to the domain group Domain Admins. Any SME users you add to the group "da" will be granted Domain Admin privileges when they log into the domain.
My guess is that you need to re-tool your thinking. With a domain network, you don't need local machine accounts. All authentication is done by SME. In fact, having local machine accounts can result in authentication conflicts if the same username is both a local username and a domain username (perhaps this is part of the issue you are having). Try removing all of the local machine accounts you had defined in your previous setup, create the user accounts in SME, then try logging in.
-
Hi Guys,
Thank you for your help so far. I will try a complete fresh install of win2k and see if that works. It should, as there are hundreds of people using the SME as domain controller. When it works, I know what to do ...... Only 35 machines to go.
Thank you very much for now, I'll be back......
Taco
-
Hi Guys,
Thank you for your help so far. I will try a complete fresh install of win2k and see if that works. It should, as there are hundreds of people using the SME as domain controller. When it works, I know what to do ...... Only 35 machines to go.
Taco
That is an incredible waste of time. It is very rarely necessary to reinstall windows due to network login issues.
-
Before changing your windows workstation from workgroup "FOODSAFE" to domain "FOODSAFE", change them to temporary workgroup "TEMP", then restart windows. After restart join domain "FOODSAFE" using user admin and your-sme-admin-password.
-
Before changing your windows workstation from workgroup "FOODSAFE" to domain "FOODSAFE", change them to temporary workgroup "TEMP", then restart windows. After restart join domain "FOODSAFE" using user admin and your-sme-admin-password.
Very good point Boris.
Windows is funny that way. Typically you are forced to drop to a temp workgroup any time you change the machine name or go from a domain->workgroup or vice versa, as you've pointed out.
-
Windows is funny that way.
In this case it's not Windows, but samba's behavior. It doesn't like multiple connections with different credentials to the server. Changing to a temporary workgroup name assures that no cached connections are automatically established upon restart.
-
In this case it's not Windows, but samba's behavior. It doesn't like multiple connections with different credentials to the server. Changing to a temporary workgroup name assures that no cached connections are automatically established upon restart.
No, the problem is with Windows. I can change any configuration parameter in samba and make it active by restarting the nmbd, smbd, and possibly winbindd daemons. No reboot required.
This has nothing to do with cached information.
-
Greg,
I am not sure if Linux vs Windows discussion is really needed. As a professional I happily use whatever is appropriate for the job, just considering the strength and limitations of different systems.
-
I am not sure if Linux vs Windows discussion is really needed.
I don't see any such discussion.
-
I don't see any such discussion.
Would you like to? :P Just kidding :P
It was stopped just before it turned into such a discussion, which was not necessary.
The topic's matter is solved and it can rest in peace (in the archive) unless there are new findings.
-
Yippie !!!!
Thanks a lot Boris and Greg! Need to write up some sort of Howto. When you know what to do it's fairly easy.
Would that be useful ?
Taco
-
What exactly worked for you in the end?
-
The situation was the following
My network consists of (only) win2K workstations, and a SME 7 latest update server.
In the old situation all users authenticated against the win2k machines. On each win2k machine individual user mappings were made to connect to the relevant shares on the network. As the organisation is rapidly growing it became too much work to set up individual user accounts on each win2k machine, therefore I wanted to use domain authentication, whereas in the past we were using workgroups.
To change from workgroups to domains I used the solution provided by Boris and Greg
1. Create a group in SME server manager with the name ntadmins and the description Domain Admins
2. Assign a user to this group (username)
3. Go to the Win2k machines and change the workgroup of each machine to TEMP.
(configuration screen -> system -> network tab)
4. Restart the win2k computer
5. Log in as Administrator on the win2k machine
6. Change from workgroup to domain providing the domain name of the SME-server
7. The Win2k machine asks for a username/password: enter the username and password from step 2
8. If all went well, the win2k computer wants to reboot.
I also switched on roaming profiles (SME server manager), so users get their own desktop after logging in (very cool!)
If you want to make mappings to specific i-bays this can be done in the NETLOGON.BAT file. My NETLOGON.bat file has a time setting and a mapping to a few internal directories on the SME-server. Another option (if roaming profiles are on) is to make the mapping on the desktop (extremely ugly), however I need mappings that are just for me....
I need a few more readthroughs before this is a recipe to change from workgroup to domain in windows
-
I need a few more readthroughs before this is a recipe to change from workgroup to domain in windows
Do we really? IMHO this is very basic windows networking stuff that has been published on the net multiple times.
-
Perhaps you're right, but I couldn't find it, and looking at the number of views of this topic I guess there are more people with similar questions.