I cannot for the life of me get this XP client to logon to my Samba domain. The error is:
"Windows cannot connect to the domain, either because the domain controller is down or otherwise unreachable, or because your computer account was not found....."
The machine joins the domain with no problems at all, and is able to access shares just fine when logged on with a local account.
Most of what I find on the web is along these lines:
---------------------------------------------------------------------------------
Cannot Log onto Domain Member Workstation After Joining Domain
After successfully joining the domain, user logons fail with one of two messages: one to the effect that the Domain Controller cannot be found; the other claims that the account does not exist in the domain or that the password is incorrect. This may be due to incompatible settings between the Windows client and the Samba-3 server for schannel (secure channel) settings or smb signing settings. Check your Samba settings for client schannel, server schannel, client signing, server signing by executing:
testparm -v | more
and looking for the value of these parameters.
Also use the Microsoft Management Console Local Security Settings. This tool is available from the Control Panel. The Policy settings are found in the Local Policies/Security Options area and are prefixed by Secure Channel: ..., and Digitally sign .....
It is important that these be set consistently with the Samba-3 server settings.
---------------------------------------------------------------------------------
I have tried many combinations of these settings on both client and server and still no luck, anyone have a known working set of settings for this OR anything else it could be? Client is XP Pro SP2 and Server is Samba 3.0.10-2 configured as a PDC running on Fedora Core 3. Here is my smb.conf file:
[global]
workgroup = AZ
server string = Fedora3 Linux Samba Server
update encrypted = Yes
min password length = 7
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
username map = /etc/samba/smbusers
unix password sync = Yes
restrict anonymous = 2
log file = /var/log/samba/%m.log
max log size = 50
server signing = auto
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/adduser -n -g machines -c 'Windows Machine Domain Account' -d /dev/null -s /bin/false %m$
logon script = %U.bat
logon path = \\%L\%U\profile
logon drive = Y:
logon home = \\%L\%U\profile9x
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
dns proxy = No
wins server = 192.168.2.101
ldap ssl = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
admin users = rob, root
hosts allow = 192.168.1., 192.168.2., 127.
cups options = raw
case sensitive = No
[homes]
comment = Home Directories
read only = No
browseable = No
[netlogon]
comment = Network Logon Service
path = /home/netlogon
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
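The check described in the quoted Samba documentation, as an added example that is not part of the original post: it pulls the server's schannel and signing parameters out of `testparm -v` style output and compares `server schannel` with the client's secure-channel requirement. The sample output is constructed, the function names are hypothetical, and the client requirement is passed as the `RequireSignOrSeal` registry value, where 1 means the client insists on a signed or sealed secure channel.

```shell
#!/bin/sh
# Added example. SAMPLE is constructed testparm -v style output,
# not captured from the poster's server.
SAMPLE='[global]
	workgroup = AZ
	client schannel = Auto
	server schannel = No
	client signing = auto
	server signing = auto
	domain logons = Yes'

# Print the lower-cased value of one parameter from testparm output on stdin.
get_param() {
    awk -v key="$1" '
        /=/ {
            name = substr($0, 1, index($0, "=") - 1)
            val  = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", name)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (tolower(name) == key) { print tolower(val); exit }
        }'
}

# $1 = testparm -v output, $2 = client RequireSignOrSeal value (0 or 1).
# Prints one result line; returns non-zero when the two sides cannot agree.
check_schannel() {
    server_schannel=$(printf '%s\n' "$1" | get_param "server schannel")
    server_signing=$(printf '%s\n' "$1" | get_param "server signing")
    case "$server_schannel" in
        no|false|0)
            # The server never offers schannel, so a client that requires
            # a signed or sealed secure channel cannot complete a logon.
            if [ "$2" = "1" ]; then
                echo "mismatch: client requires sign-or-seal, server schannel = $server_schannel"
                return 1
            fi ;;
    esac
    echo "ok: server schannel = ${server_schannel:-unset}, server signing = ${server_signing:-unset}"
}

# On a real server: check_schannel "$(testparm -sv 2>/dev/null)" 1
check_schannel "$SAMPLE" 1 || true
```

A mismatch can be resolved from either side; setting `server schannel = auto` on the server keeps the secure channel protected, while lowering the client requirement does not.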
Are you using smbpasswd and if so, did you export the passwd file to smbpasswd? Did you happen to create machine accounts on the server in passwd and smbpasswd?
Also... The above won't work anymore. You have to use the net groupmap command.
You can view your current settings with: net groupmap list.
To use Domain Users use: net groupmap modify ntgroup="Domain Users" unixgroup=<unixgroup>.
To use Domain Admins use: net groupmap modify ntgroup="Domain Admins" unixgroup=<unixgroup>.
Obviously the groups must match the users. Ex: rob would be a part of group admins.
I tried the admin users but when I would logon to the Windows workstation I still didn't have admin rights.
Also, when I had Samba 2.2.5 as a PDC I had to make a registry change. Go to the registry. Go to HKLM\System\CurrentControlSet\Services\netlogon\parameters. Look for "RequireSignOrSeal"=dword:00000000. Change the value from "0" to "1". Reboot. And you should be able to logon to your domain.
Also... The above won't work anymore. You have to use the net groupmap command.
You can view your current settings with: net groupmap list.
To use Domain Users use: net groupmap modify ntgroup="Domain Users" unixgroup=<unixgroup>.
To use Domain Admins use: net groupmap modify ntgroup="Domain Admins" unixgroup=<unixgroup>.
Obviously the groups must match the users. Ex: rob would be a part of group admins.
I tried the admin users but when I would logon to the Windows workstation I still didn't have admin rights.
Forgive me, but I would like to know, in the above, what are the values for <unixgroup>
Hey, I'm not sure if you tried this yet, but if you're running Fedora Core 3, sometimes iptables gets in the way. I've got a Samba domain controller and rather than work out what was going wrong with it I just shut down iptables ... give that a go, maybe it'll work.
Hey, if that helps and you feel like helping me out, I'm trying to get my Samba domain controller to apply NT4 policies to an XP machine. I've called them NTconfig.pol and placed them in my netlogon drive, but it's not working and I can't figure out why.