<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Troubleshoot the logon server</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="logon_trouble"></a>
<h2 id="logon_trouble">Troubleshoot the logon server</h2>
<p><span class="bold">Cannot find the Logon Server?</span></p>
<p>Most likely, the PC messages you see are similar to one of the
following: </p>
<ul>
<li>No domain server was available to validate your password.</li>
<li>The system could not log you on now because the domain X is not available.</li></ul>
<p>This can occur for a number of reasons: </p>
<ul>
<li>The client cannot resolve to the Logon Server. This is the most common
reason and there can be a variety of causes, depending on how the network is
configured. The client PC must be able to get the IP address of the Logon
Server based on the domain name. If the client and Logon Server are located
on different TCP/IP subnets, then typically broadcast queries are not sent
across. There are three solution strategies:
<ol type="1">
<li>It may just work using the domain discovery support of the
Microsoft Browsing protocol. The iSeries Browsing support is discussed
in a previous section, but the basic idea is that if at least one browser
server (LMB, Local Master Browser) for the domain exists in the subnet that
the PC will log on from, and
that LMB has knowledge of the DMB (Domain Master Browser), then the client
can ask it for the name of the Logon Server, after which normal name resolution
can proceed (DNS, etc.). However, there is not always an LMB available to
service these requests, and in that case, one of the following backup solutions
should be put in place.</li>
<li>WINS. Windows Internet Name Service is the general solution and recommended
for complex TCP/IP networks because computers AND the services they render
are matched with IP addresses. It requires at least one WINS server running on a computer
with that capability somewhere on the network. Then, each computer needing
the service should be configured with the IP address of the WINS server.
This configuration is not explained here.</li>
<li>Static LMHOSTS configuration file on the PC. Host lines can be appended
with #PRE and #DOM:domain directives to preload domain controllers into the
name cache. See the sample files shipped with Windows for more information.
Note that LMHOSTS files can include files on servers so that this solution
can still be centrally administered.
<a name="wq99"></a>
<div class="notetitle" id="wq99">Note:</div>
<div class="notebody"> The Logon
support provided by iSeries NetServer&trade; is for clients in the same TCP/IP network segment
as the server. If your client is in a different segment or subnet, then these
resolution strategies are not guaranteed to work. However, a trick that often
works for Windows 2000 or Windows XP clients is to change the workgroup of
the client machine to one that is <span class="bold">different</span> than the
domain name assigned to iSeries NetServer.</div></li></ol></li>
<li>iSeries NetServer is not started or it didn't start as a Logon Server for the domain
in question. Check that it is configured as a Logon Server and that there
are no conflict messages in QSYSOPR. If you see a CPIB687, read the detailed
description for more information on the exact nature of the conflict.</li></ul>
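<p>The static LMHOSTS strategy above only helps if the Logon Server's host line carries both
#PRE and #DOM:domain. The following Python checker is an added example, not part of the original
page or of any IBM or Microsoft tooling; the host names, addresses, the domain DOMAINX and the
function names are constructed for illustration, and it assumes tags are written in upper case
and precede any trailing comment.</p>

```python
import ipaddress

# Constructed sample: host names, addresses and DOMAINX are placeholders.
SAMPLE_LMHOSTS = """\
# constructed LMHOSTS fragment for illustration
10.1.5.20   QNETSRV1   #PRE #DOM:DOMAINX   # logon server, preloaded
10.1.5.21   QNETSRV2   #DOM:DOMAINX        # tagged but never preloaded
10.1.5.300  QNETSRV3   #PRE #DOM:DOMAINX   # address is not valid IPv4
"""


def parse_lmhosts(text):
    """Parse host lines; return (entries, problems)."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank, comment, or block directive such as #INCLUDE
        addr, name, pre, dom = fields[0], fields[1], False, None
        for tok in fields[2:]:  # tags first; any other token starts a comment
            if tok == "#PRE":
                pre = True
            elif tok.startswith("#DOM:"):
                dom = tok[5:]
            else:
                break
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            problems.append((lineno, f"{addr}: not a valid IPv4 address"))
            continue
        if dom and not pre:
            problems.append((lineno, f"{name}: #DOM:{dom} lacks #PRE, not preloaded"))
        entries.append({"addr": addr, "name": name, "pre": pre, "dom": dom})
    return entries, problems


def preloaded_logon_servers(text, domain):
    """Hosts preloaded into the name cache as controllers for `domain`."""
    entries, _ = parse_lmhosts(text)
    return [e["name"] for e in entries
            if e["pre"] and e["dom"] and e["dom"].upper() == domain.upper()]


if __name__ == "__main__":
    for lineno, msg in parse_lmhosts(SAMPLE_LMHOSTS)[1]:
        print(f"line {lineno}: {msg}")
    print("preloaded:", preloaded_logon_servers(SAMPLE_LMHOSTS, "DOMAINX"))
```

<p>An empty result from <tt class="xph">preloaded_logon_servers</tt> for the logon domain means the file does
not give the client a preloaded path to the Logon Server.</p>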
<p><span class="bold">User name could not be found</span></p>
<p>This message normally indicates that the user attempting to log on does
not have a user profile on the iSeries Logon Server. A guest user may not sign
on to an iSeries domain. In extreme cases where the Logon Server is very busy
or slow, the user may not be making it into iSeries NetServer's cache quickly enough to
respond. If this is the case, attempting the logon again should succeed.</p>
<p><span class="bold">Password incorrect</span></p>
<p>You are likely to see the following messages when attempting to log on
in this situation: </p>
<ul>
<li>The domain password you supplied is incorrect or access to the Logon Server
has been denied.</li>
<li>The Logon attempt was unsuccessful. Select Help for possible causes and
suggested actions.</li></ul>
<p>Here are the possible causes for these messages and resolutions:</p>
<ul>
<li>The password you sign on to the domain with does not match the password
in your iSeries user profile. Use your iSeries password and try again.</li>
<li>The password in your iSeries profile has expired. Unfortunately, you cannot
change your iSeries password through Windows, so this must be done directly on
your profile.</li>
<li>Your iSeries user profile is disabled. The administrator must enable it.</li>
<li>You are disabled for iSeries NetServer access. The iSeries NetServer administrator can check
this condition and reenable you from iSeries Navigator.</li>
<li>Although you are typing the correct password, Windows 98 is
using an old cached password. Scan the boot drive on the client PC for a
user.pwl file and then remove this file.</li>
<li>For Windows 2000 and Windows XP, it is possible that the name is
resolving to the wrong machine. Try prefacing the user name with the domain
name in the logon prompt like this: domain\user, where user is the user name
and domain is the domain name.</li></ul>
<p>For Windows 2000 and Windows XP, your password also has to match
the password stored in the local profile if you have a local profile. If
these do not match, then you will see a message like:
<tt class="xph">The system could not
log you on. Your network account and password are correct, but your local
account password is out of sync. Contact your administrator.</tt></p>
<p><span class="bold">Cannot find the iSeries NetServer domain through My Network
Places. </span></p>
<p>You have configured iSeries NetServer as a Logon Server for domain X, but X does not
show up in the Microsoft Windows Network of domains. Some possibilities are:
</p>
<ul>
<li>iSeries NetServer failed to come up as the DMB because of a conflict with another
computer. Check for message CPIB687 (RC=2) in QSYSOPR.</li>
<li>iSeries NetServer is not configured for WINS if WINS is in use.</li>
<li>The client PC is not properly configured for WINS.</li>
<li>There is no Browser in the local subnet of the PC that is a member of
domain X.</li></ul>
<p><span class="bold">Can log on but do not see my home drive mapped
for Windows 2000 or Windows XP clients even though the share name exists </span></p>
<p>The typical problem here is that although the share was created successfully
from the client, the path name does not actually exist on the server. When
you create a user profile on the iSeries, a default home directory path is put
in the profile (/home/user). However, the actual user directory in home is
not created automatically; you need to create it manually. For example:
<tt class="xph">===> CRTDIR '/home/USER1'</tt></p>
<p><span class="bold">I want to use a roaming profile from Windows
2000 or Windows XP, but the option to change it from 'Local' to 'Roaming'
is disabled</span></p>
<p>Remember that you must be logged on to the target domain with an administrative
profile (not the profile you want to change to roaming) in order for the option
to be available. In V5R1, iSeries NetServer is able to map longer Windows user names
to truncated iSeries profile names. So, you can do the following: </p>
<ol type="1">
<li>Create the user profile ADMINISTRA on the iSeries.</li>
<li>Give ADMINISTRA a password that matches the password for Administrator
on the client.</li>
<li>Now log on to the iSeries domain with the Administrator profile.</li>
<li>Open Control Panel, and then open System.</li>
<li>Click on the <span class="bold">User Profiles</span> tab and make the appropriate
changes.</li></ol>
<p><span class="bold">My profile is listed as 'Roaming', but changes to my settings
(or desktop, etc.) do not get saved </span></p>
<p> The settings get saved to the locally cached copy of your profile, but
they are not being updated on the server. This is readily apparent if you
try to log on from a different workstation and you don't see the updates.
This problem can occur when the Windows client cannot access the user profile
directory where the user profile is to be stored. The following are some
things to check: </p>
<ul>
<li>Make sure the appropriate access rights are set on each part of the path
on the Logon Server.</li>
<li>Make sure the path is spelled correctly if it is being specified in the
User Profile settings on the workstation.</li>
<li>Also check that unsupported environment variables are not being used.
Some environment variables are not active/usable until after logon. For
example, if you specify %logonserver%\profiles\%username% as the Profile path
in User Manager on a Win NT workstation with a service pack less than 3, then
the client will be unable to resolve the %logonserver% environment variable.
Try using \\servername\profiles\username instead.</li>
<li>It's always a good idea to start with a locally cached profile that is
copied to the Logon Server.</li></ul>
<p><span class="bold">Locally stored profile is newer than that on the server</span></p>
<p>This dialog box appears when you log on and asks you if you want to use
your local copy instead. Normally, this is a valid message that you can respond
Yes to, so that network traffic is reduced. However, the message may also be
received repeatedly after just logging off from the same workstation. In that case,
looking at the time stamps
on the two profiles, the remote one is 2 seconds older (for example) than
the locally cached one, which indicates that Windows did a final update to
the local profile after it copied it out to the Logon Server. Ensure that
the client's time is synchronized with the server's time.</p>
<p><span class="bold">Incorrect authentication method used</span></p>
<p>The following message is generally received when a user attempts to log
in using a different authentication method than what the server is currently
configured to use.</p>
<p><tt class="xph">There are currently no logon servers available to service the logon
request.</tt></p>
<p>iSeries NetServer cannot be a Logon Server and have Kerberos authentication enabled
as well. This message is typically received when a user attempts to sign onto
an iSeries server using a traditional password, when the iSeries NetServer has Kerberos
authentication enabled.</p>
<p>Refer to <a href="rzahlkrbv5auth.htm#krbv5auth">iSeries NetServer support for Kerberos v5 authentication</a> for information on how to
enable Kerberos v5 authentication and traditional password support.</p>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>