When logging into a Samba 2.2 or 3.0 PDC from a windows desktop, you can sometimes get the error message "Incorrect Parameter". We've found two reasons for this:
Samba 2.2, affects all users. This error message can occur if the permissions on your login script are incorrect.
Samba 3.0alpha, affects one machine only. Not really a Samba issue, as much as that type of problem classifed as PEBKAC. Check that your "domain" field in the login prompt is actually correct and doesn't, for example, contain extra spaces after the domain name. "Foo" is slightly different to "Foo ".
Make sure that /dev/pts is mounted properly. This will vary depending on your server distribution
This normally means your password has expired. However, it may not always be obvious why..
I have a Samba 3.0a PDC setup, authenticating out of LDAP. My LDAP entities have posixAccount, shadowAccount, and sambaAccount objetclasses, amongst others. If you have 'obey pam restrictions = yes' in your smb.conf (version 3.x and later 2.2 only) then if pam thinks your shadow passwords have expired, samba will insist you need to change your password - even if your samba password expiry is correct.
I have a Samba 3.0.1 PDC setup, authenticating with tdbsam. When I exported to XML, erased the database, and imported from the database, suddenly all my passwords had expired, with a kick date at the beginning of Unix time - somewhere in 1970. I had to recreate all of the accounts. So beware of using the XML format as a backup of your password database until this bug is corrected.
Use the command pdbedit username -c "[X ]" to set password expiry off for the user.
If an account is locked after too many failed login attempts, use pdbedit username -z to unlock the account.
Check that the host you are trying to connect to has its loopback interface (lo) correctly configured and up
According to Google this is a very common error, usually overlooked on the Samba mailing list. I gather, from reading the few posts that do have replies, that this error could be due to various things; the reason I was getting it was that I hadn't included the following in /etc/nsswitch.conf:
passwd: compat winbind group: compat winbind
This post helped a bit.
EwenMcNeill: From what I can tell the underlying cause of this error is that the authentication of the user worked, but it wasn't possible to load in their account information. Not having set up nsswitch.conf properly is one cause of that; having set up nsswitch.conf but not having restarted nscd (the caching daemon) is another cause. (The most obvious symptom for "not having restarted nscd" is that "getent passwd | grep USER" finds the user, but "getent passwd USER" doesn't, because the former doesn't seem to go through nscd, but the latter does -- and the latter is the same sort of call as Samba is making. If you see those symptoms check for nscd even if you didn't think you had it installed.)
If both invocations of gentent work, make sure you've restarted samba since adding winbind to /etc/nsswitch.conf
getent tends not to work if it can't find one of these (I don't know which specifically) (libnss_winbind.so is in the samba/source/nsswitch subfolder. See the Samba winbind manual chapter 23 for other details. http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html)
If you get this error running wbinfo -t, try setting client schannel = no in your smb.conf.
I had a lot of trouble finding a solution to this problem and found that once the time was set on the system (ntpd) and the winbind / samba databases were recreated that all worked (this problem first occoured on a VM, hence why the time issue may have triggered the situation).
At this point all started working again. However, please note,
A) Time is very important to Active Directory (hence ntpdate or ntpd is important)
B) VM's dont work so well with time, hence, not so well with directories (install the vm tools - a service is added to ensure that time is taken from the host system more correctly)
You have cached some IP addresses you no longer have, so Samba can't participate in browser elections on those domains. Stop Samba and remove the entries from /var/lib/samba/wins.dat and /var/lib/samba/namelist.debug. Thanks to Zeros Subs for the answer.
#smbclient -L localhost protocol negotiation failed.
I tried to restart samba, even the whole machine. Interfaces were up and running fine. Testparm didn't detected anything suspicious. Ports were listening. After some debugging, I revealed the cause: it was hanged up cupsd, because of some malformed print job. It got 100% of processor time (visible in 'top'), however the rest of the system was running fine, even the Xwindow. After cleaning of queue and restart cupsys, everything worked as expected.
(I know this sounds like primitive and trivial case, but I couldn't find a clue for hours, maybe someone will take advantage of this simple advice. Please edit as you wish, but don't delete.)
Using short domain name -- EXAMPLE Failed to set servicePrincipalNames. Please ensure that the DNS domain of this server matches the AD domain, Or rejoin with using Domain Admin credentials. Disabled account for 'MACHINE' in realm 'EXAMPLE.COM'
Does hostname --fqdn read machine.example.com? If not, edit /etc/hosts and start again. You should have a line like:
10.11.12.13 machine.example.com machine