Penguin

Incorrect Parameter

When logging into a Samba 2.2 or 3.0 PDC from a windows desktop, you can sometimes get the error message "Incorrect Parameter". We've found two reasons for this:

Samba 2.2, affects all users. This error message can occur if the permissions on your login script are incorrect.

Samba 3.0alpha, affects one machine only. Not really a Samba issue, as much as that type of problem classifed as PEBKAC. Check that your "domain" field in the login prompt is actually correct and doesn't, for example, contain extra spaces after the domain name. "Foo" is slightly different to "Foo ".

Cannot change password - "Permission denied" error

smbd/chgpasswd.c:findpty(73): findpty: Unable to create master/slave pty pair

Make sure that /dev/pts is mounted properly. This will vary depending on your server distribution

Password has expired

This normally means your password has expired. However, it may not always be obvious why..

I have a Samba 3.0a PDC setup, authenticating out of LDAP. My LDAP entities have posixAccount, shadowAccount, and sambaAccount objetclasses, amongst others. If you have 'obey pam restrictions = yes' in your smb.conf (version 3.x and later 2.2 only) then if pam thinks your shadow passwords have expired, samba will insist you need to change your password - even if your samba password expiry is correct.

suggested solutions:

  1. Tell Samba to not obey pam restrictions
  2. Reset your UNIX password at the same time you reset your Samba password
  3. Disable forced password changes in pam(7).

Another password has expired problem

I have a Samba 3.0.1 PDC setup, authenticating with tdbsam. When I exported to XML, erased the database, and imported from the database, suddenly all my passwords had expired, with a kick date at the beginning of Unix time - somewhere in 1970. I had to recreate all of the accounts. So beware of using the XML format as a backup of your password database until this bug is corrected.

Check the user account status

Use the command pdbedit username -c "[X ]" to set password expiry off for the user.

Account disabled

If an account is locked after too many failed login attempts, use pdbedit username -z to unlock the account.

smbclient -L host says 'protocol negotiation failed'

Check that the host you are trying to connect to has its loopback interface (lo) correctly configured and up

make_server_info_info3: pdb_init_sam failed!

According to Google this is a very common error, usually overlooked on the Samba mailing list. I gather, from reading the few posts that do have replies, that this error could be due to various things; the reason I was getting it was that I hadn't included the following in /etc/nsswitch.conf:

 passwd:         compat winbind
 group:          compat winbind

This post helped a bit.

EwenMcNeill: From what I can tell the underlying cause of this error is that the authentication of the user worked, but it wasn't possible to load in their account information. Not having set up nsswitch.conf properly is one cause of that; having set up nsswitch.conf but not having restarted nscd (the caching daemon) is another cause. (The most obvious symptom for "not having restarted nscd" is that "getent passwd | grep USER" finds the user, but "getent passwd USER" doesn't, because the former doesn't seem to go through nscd, but the latter does -- and the latter is the same sort of call as Samba is making. If you see those symptoms check for nscd even if you didn't think you had it installed.)

If both invocations of gentent work, make sure you've restarted samba since adding winbind to /etc/nsswitch.conf

Another thing to check (esp on Solaris) is that the libnss_winbind.so is in /lib and there are a bunch of symbolic links to it in /lib
libnss_winbind.so.1 libnss_winbind.so.2 nss_winbind.so.1 nss_winbind.so.2

getent tends not to work if it can't find one of these (I don't know which specifically) (libnss_winbind.so is in the samba/source/nsswitch subfolder. See the Samba winbind manual chapter 23 for other details. http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html)

error code was NT_STATUS_PIPE_NOT_AVAILABLE (0xc00000ac)

If you get this error running wbinfo -t, try setting client schannel = no in your smb.conf.

When using wbinfo to test operability Error looking up domain users is returned plus only the builtin groups returned on test

I had a lot of trouble finding a solution to this problem and found that once the time was set on the system (ntpd) and the winbind / samba databases were recreated that all worked (this problem first occoured on a VM, hence why the time issue may have triggered the situation).

The databases can be recreated by:

  • Stopping the samba and winbind services
  • Backing up the samba database (just in case of course)
  • Rejoining the domain
  • Restart the samba and winbind services
  • Reset the Samba authentication (wbinfo --set-auth-user user%password)

At this point all started working again. However, please note,
A) Time is very important to Active Directory (hence ntpdate or ntpd is important)
B) VM's dont work so well with time, hence, not so well with directories (install the vm tools - a service is added to ensure that time is taken from the host system more correctly)

"get_domain_master_name_node_status_fail" and "Cannot get workgroup name" in log.nmbd

You have cached some IP addresses you no longer have, so Samba can't participate in browser elections on those domains. Stop Samba and remove the entries from /var/lib/samba/wins.dat and /var/lib/samba/namelist.debug. Thanks to Zeros Subs for the answer.

"protocol negotiation failed"

RafalStanilewicz: I had problem with Samba 3.0.22. Clients could not connect, both remote and from the same machine:

#smbclient -L localhost
protocol negotiation failed.

I tried to restart samba, even the whole machine. Interfaces were up and running fine. Testparm didn't detected anything suspicious. Ports were listening. After some debugging, I revealed the cause: it was hanged up cupsd, because of some malformed print job. It got 100% of processor time (visible in 'top'), however the rest of the system was running fine, even the Xwindow. After cleaning of queue and restart cupsys, everything worked as expected.

(I know this sounds like primitive and trivial case, but I couldn't find a clue for hours, maybe someone will take advantage of this simple advice. Please edit as you wish, but don't delete.)

Failed to set servicePrincipalNames. Please ensure that the DNS domain of this server matches the AD domain

Using short domain name -- EXAMPLE
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'MACHINE' in realm 'EXAMPLE.COM'

Does hostname --fqdn read machine.example.com? If not, edit /etc/hosts and start again. You should have a line like:

10.11.12.13     machine.example.com machine