<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Troubleshoot the logon server</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>

<a name="logon_trouble"></a>
<h2 id="logon_trouble">Troubleshoot the logon server</h2>
<p><span class="bold">Cannot find the Logon Server?</span></p>
<p>Most likely, the PC messages you see are similar to one of the
following: </p>
<ul>
<li>No domain server was available to validate your password.</li>
<li>The system could not log you on now because the domain X is not available.</li></ul>
<p>This can occur for a number of reasons: </p>
<ul>
<li>The client cannot resolve the Logon Server. This is the most common
reason and there can be a variety of causes, depending on how the network is
configured. The client PC must be able to get the IP address of the Logon
Server based on the domain name. If the client and Logon Server are located
on different TCP/IP subnets, then broadcast queries are typically not sent
across. There are three solution strategies:
<ol type="1">
<li>It may just work using the domain discovery support of the
Microsoft Browsing protocol support. The iSeries Browsing support is discussed
in a previous section, but the basic idea is that if at least one browser
server for the domain exists in the subnet that the PC will log on from, and
that LMB (Local Master Browser) has knowledge of the DMB (Domain Master Browser), then the client
can ask it for the name of the Logon Server, after which normal name resolution
can proceed (DNS, etc.). However, there is not always an LMB available to
service these requests, and in that case, one of the following backup solutions
should be put in place.</li>
<li>WINS. Windows Internet Name Service is the general solution and is recommended
for complex TCP/IP networks because computers and the services they render
are matched with IP addresses. It requires at least one WINS server running on a computer
with that capability somewhere on the network. Then, each computer needing
the service should be configured with the IP address of the WINS server.
This configuration is not explained here.</li>
<li>Static LMHOSTS configuration file on the PC. Host lines can be appended
with #PRE and #DOM:domain directives to preload domain controllers into the
name cache. See the sample files shipped with Windows for more information.
Note that LMHOSTS files can include files on servers so that this solution
can still be centrally administered.
<a name="wq99"></a>
<div class="notetitle" id="wq99">Note:</div>
<div class="notebody"> The Logon
support provided by iSeries NetServer™ is for clients in the same TCP/IP network segment
as the server. If your client is in a different segment or subnet, then these
resolution strategies are not guaranteed to work. However, a trick that often
works for Windows 2000 or Windows XP clients is to change the workgroup of
the client machine to one that is <span class="bold">different</span> from the
domain name assigned to iSeries NetServer.</div></li></ol></li>
<li>iSeries NetServer is not started or it didn't start as a Logon Server for the domain
in question. Check that it is configured as a Logon Server and that there
are no conflict messages in QSYSOPR. If you see message CPIB687, read the detailed
description for more information on the exact nature of the conflict.</li></ul>
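<p>Added example, not part of the original IBM documentation: a Python sketch that audits an LMHOSTS file of the kind described in strategy 3 above, listing which hosts are tagged as controllers for a domain, whether each is preloaded with #PRE, and which files are pulled in with #INCLUDE. The function name <tt class="xph">audit_lmhosts</tt>, the sample addresses, host names and include path are constructed for illustration, and quoted host names are assumed not to occur.</p>

```python
import ipaddress

# Constructed sample LMHOSTS text: every address, host name, the domain X
# and the UNC include path are made up for this example.
SAMPLE_LMHOSTS = r"""
# site LMHOSTS file
10.1.20.5    NETSRV01    #PRE #DOM:X    # iSeries NetServer logon server
10.1.20.9    FILESRV02   #PRE
10.1.20.7    NETSRV03    #DOM:X
300.1.1.1    BADHOST     #PRE #DOM:X
#INCLUDE \\ADMINSRV\PUBLIC\LMHOSTS
"""

def audit_lmhosts(text, domain):
    """Report entries tagged #DOM:domain (assumes unquoted host names)."""
    report = {"preloaded": [], "not_preloaded": [], "includes": [], "errors": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "#INCLUDE":
            # An included file on a server is part of this PC's name data:
            # whoever can write it decides which hosts count as controllers.
            report["includes"].extend(tokens[1:2])
            continue
        if tokens[0].startswith("#"):
            continue  # comment, or a keyword this audit does not inspect
        try:
            ipaddress.IPv4Address(tokens[0])
        except ValueError:
            report["errors"].append((lineno, "bad IPv4 address " + tokens[0]))
            continue
        if len(tokens) == 1:
            report["errors"].append((lineno, "address without a host name"))
            continue
        flags = []
        for tok in tokens[2:]:
            if tok == "#PRE" or tok.startswith("#DOM:"):
                flags.append(tok)
            elif tok.startswith("#"):
                break  # the rest of the line is a comment
        if not any(f[5:].upper() == domain.upper() for f in flags if f != "#PRE"):
            continue  # entry is not tagged for the domain being audited
        key = "preloaded" if "#PRE" in flags else "not_preloaded"
        report[key].append((tokens[1], tokens[0]))
    return report
```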
<p><span class="bold">User name could not be found</span></p>
<p>This message normally indicates that the user attempting to log on does
not have a user profile on the iSeries Logon Server. A guest user may not sign
on to an iSeries domain. In extreme cases where the Logon Server is very busy
or slow, the user may not be making it into iSeries NetServer's cache quickly enough to
respond. If this is the case, attempting the logon again should succeed.</p>
<p><span class="bold">Password incorrect</span></p>
<p>You are likely to see the following messages when attempting to log on
in this situation: </p>
<ul>
<li>The domain password you supplied is incorrect or access to the Logon Server
has been denied.</li>
<li>The Logon attempt was unsuccessful. Select Help for possible causes and
suggested actions.</li></ul>
<p>Here are the possible causes for these messages and their resolutions:</p>
<ul>
<li>The password you sign on to the domain with does not match the password
in your iSeries user profile. Use your iSeries password and try again.</li>
<li>The password in your iSeries profile has expired. Unfortunately, you cannot
change your iSeries password through Windows, so this must be done directly on
your profile.</li>
<li>Your iSeries user profile is disabled. The administrator must enable it.</li>
<li>You are disabled for iSeries NetServer access. The iSeries NetServer administrator can check
this condition and reenable you from iSeries Navigator.</li>
<li>Although you are typing the correct password, Windows 98 is
using an old cached password. Scan the boot drive on the client PC
for a user.pwl file and remove this file.</li>
<li>For Windows 2000 and Windows XP, it is possible that the client is
resolving to the wrong machine. Try prefacing the user name with the domain
name in the logon prompt like this: domain\user, where user is the user name
and domain is the domain name.</li></ul>
<p>For Windows 2000 and Windows XP, your password also has to match
the password stored in the local profile if you have a local profile. If
these do not match, then you will see a message like: <tt class="xph">The system could not
log you on. Your network account and password are correct, but your local
account password is out of sync. Contact your administrator.</tt></p>
<p><span class="bold">Cannot find the iSeries NetServer domain through My Network
Places.</span></p>
<p>You have configured iSeries NetServer as a Logon Server for domain X, but X does not
show up in the Microsoft Windows Network of domains. Some possibilities are:
</p>
<ul>
<li>iSeries NetServer failed to come up as the DMB because of a conflict with another
computer. Check for message CPIB687 (RC=2) in QSYSOPR.</li>
<li>iSeries NetServer is not configured for WINS if WINS is in use.</li>
<li>The client PC is not properly configured for WINS.</li>
<li>There is no Browser in the local subnet of the PC that is a member of
domain X.</li></ul>
<p><span class="bold">Can log on but do not see my home drive mapped
for Windows 2000 or Windows XP clients even though the share name exists</span></p>
<p>The typical problem here is that although the share was created successfully
from the client, the path name does not actually exist on the server. When
you create a user profile on the iSeries, a default home directory path is put
in the profile (/home/user); however, the actual user directory in /home is
not created automatically. You need to do this manually. For example: <tt class="xph">===>
CRTDIR '/home/USER1'</tt></p>
<p><span class="bold">I want to use a roaming profile from Windows
2000 or Windows XP, but the option to change it from 'Local' to 'Roaming'
is disabled</span></p>
<p>Remember that you must be logged on to the target domain with an administrative
profile (not the profile you want to change to roaming) in order for the option
to be available. In V5R1, iSeries NetServer is able to map longer Windows user names
to truncated iSeries profile names. So, you can do the following: </p>
<ol type="1">
<li>Create the user profile ADMINISTRA on the iSeries.</li>
<li>Give ADMINISTRA a password that matches the password for Administrator
on the client.</li>
<li>Now log on to the iSeries domain with the Administrator profile.</li>
<li>Open Control Panel, and then open System.</li>
<li>Click on the <span class="bold">User Profiles</span> tab and make the appropriate
changes.</li></ol>
<p><span class="bold">My profile is listed as 'Roaming', but changes to my settings
(or desktop, etc.) do not get saved</span></p>
<p>The settings get saved to the locally cached copy of your profile, but
they are not being updated on the server. This is readily apparent if you
try to log on from a different workstation and you don't see the updates.
This problem can occur when the Windows client cannot access the user profile
directory where the user profile is to be stored. The following are some
things to check: </p>
<ul>
<li>Make sure the appropriate access rights are set on each part of the path
on the Logon Server.</li>
<li>Make sure the path is spelled correctly if it is being specified in the
User Profile settings on the workstation.</li>
<li>Also check that unsupported environment variables are not being used.
Some environment variables are not active or usable until after logon. For
example, if you specify %logonserver%\profiles\%username% as the Profile path
in User Manager on a Windows NT workstation with a service pack earlier than 3, then
the client will be unable to resolve the %logonserver% environment variable.
Try using \\servername\profiles\username instead.</li>
<li>It's always a good idea to start with a locally cached profile that is
copied to the Logon Server.</li></ul>
<p><span class="bold">Locally stored profile is newer than that on the server</span></p>
<p>This dialog box appears when you log on and asks you if you want to use
your local copy instead. Normally, this is a valid message that you can respond
Yes to, so that network traffic is reduced. However, this message may also be received repeatedly
after just logging off from the same workstation. In that case, looking at the time stamps
on the two profiles, the remote one is 2 seconds older (for example) than
the locally cached one, which indicates that Windows did a final update to
the local profile after it copied it out to the Logon Server. Ensure that
the client's time is synchronized with the server's time.</p>
<p><span class="bold">Incorrect authentication method used</span></p>
<p>The following message is generally received when a user attempts to log
in using a different authentication method than the one the server is currently
configured to use.</p>
<p><tt class="xph">There are currently no logon servers available to service the logon
request.</tt></p>
<p>iSeries NetServer cannot be a Logon Server and have Kerberos authentication enabled
as well. This message is typically received when a user attempts to sign on to
an iSeries server using a traditional password when iSeries NetServer has Kerberos
authentication enabled.</p>
<p>Refer to <a href="rzahlkrbv5auth.htm#krbv5auth">iSeries NetServer support for Kerberos v5 authentication</a> for information on how to
enable Kerberos v5 authentication and traditional password support.</p>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>