Hi there!
Situation:
Company’s network with ~50 computers (workstations and Linux servers).
Domain and authorization - using 11.3 Samba and OpenLDAP packages. Authorization works fine on the external Zimbra e-mail server as well.
Worked fine - could join all workstations (even Win7) and servers to the domain, configure shares etc. But right now, mysteriously, I can’t join new or reinstalled machines to the domain any more; I get an “access denied” error message. I would like to mention that the admin username and password have not been changed, for sure.
From another Linux box I tried to do
net rpc join KASTE -U root
Enter root's password:
could not open domain: NT_STATUS_ACCESS_DENIED
Unable to join domain KASTE.
Any ideas of what could cause such a problem and where to look for an answer? Could any updates even cause this problem? (I did a system update a couple of weeks ago.)
Check that the clock is the same on all computers; if there is a time difference between the logon server and the clients, you will get the access denied error.
The problem with time in networks exists even on Windows machines. It comes from the basic idea of network communication. It is as if you are talking to a web camera and there is latency in the voice and image… Imagine a situation where you are speaking with one another and, due to the fact that your voice/image is sent a long time after the image/voice, things get funny!
If you can’t understand that, then a simpler example is when you are late at the train station! You go there but miss the train, so you can’t leave and go in circles…
The computer thinkie now.
The network cards have protocols (some kind of language) to speak to each other. The network cards send what they need to send in packages (just as in the human mailing system). These packages contain the time and date sent so that they can be put in some order of execution and processing. If the time of the server (domain controller) differs by more than an expected amount of time (most of the time it is too low, say 2 min if I remember), then the server thinks (and it should) that the package cannot be processed because the time hasn’t come yet! And this continues to happen because the client PC always sets a different time. What must be done then is either to change the hour of the client (casual), or of the server (difficult scenario). On the server the time does not need to be fixed IF you have deployed the time server process correctly. That daemon tries to keep the timings in place. It can be either a machine or the domain controller itself. Then you just set the clients to get the time from that server and everything is synchronized again.
I hope I helped a little, although I am not a network expert (my profession is programming), but my job has made me a bit of that too!
As for your previous question:
there may be some problem with the time, as the previous people say
also check whether the user you are logging in with exists, is unlocked and so on in the LDAP
also check the IPs of the new PCs for any IP collisions
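
One way to run the clock check suggested in the replies above, as an added example that is not part of the original thread: a small SNTP client that measures how far a time server's clock is from the local one. It assumes the domain's time server answers NTP on UDP port 123; the 120-second default tolerance only mirrors the "2 min" recalled in the reply and should be set to whatever your domain actually enforces.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)

def build_request(t1):
    """48-byte SNTP client request: LI=0, VN=3, Mode=3, transmit timestamp = t1."""
    secs = int(t1) + NTP_EPOCH_DELTA
    frac = int((t1 % 1) * 2**32)
    return struct.pack("!B39xII", 0x1B, secs, frac)

def ts_at(data, pos):
    """Decode the 64-bit NTP timestamp at byte position pos into Unix seconds."""
    secs, frac = struct.unpack_from("!II", data, pos)
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def clock_offset(reply, t1, t4):
    """Server clock minus local clock in seconds: ((t2 - t1) + (t3 - t4)) / 2."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    if reply[0] & 0x07 != 4 or reply[1] == 0:
        # Mode must be 4 (server); stratum 0 means the server refused to answer.
        raise ValueError("not a usable server reply")
    t2 = ts_at(reply, 32)  # time the server received our request
    t3 = ts_at(reply, 40)  # time the server sent its reply
    return ((t2 - t1) + (t3 - t4)) / 2

def query(server, timeout=3.0):
    """Ask one server and return its offset; raises socket.timeout if it is silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (server, 123))
        reply, _ = s.recvfrom(512)
        t4 = time.time()
    return clock_offset(reply, t1, t4)

def skew_verdict(offset, tolerance=120.0):
    """tolerance is an assumption (the '2 min' from the thread), not a Samba constant."""
    return "OK" if abs(offset) <= tolerance else "SKEWED"

if __name__ == "__main__":
    import sys
    off = query(sys.argv[1])  # hostname or IP of the time server / domain controller
    print(f"offset {off:+.3f}s -> {skew_verdict(off)}")
```

Run it on the machine that fails to join and on one that is already joined, both against the same server, and compare the two offsets.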