On Wed, Oct 19, 2011 at 11:15 PM, Lachlan Musicman <datakid at gmail.com> wrote:
> Hi
>
> I'm on ubuntu 10.04 LTS fully up to date.
>
> Am running a samba-ldap server but for some reason I can't connect a
> new fully updated XP machine to the domain.
>
> I've added other machines (6 months ago now, none since) successfully.
>
> I see a file /var/log/samba/log.machinename, but
> /var/log/samba/log.nmbd and /var/log/samba/log.smbd don't have
> anything of note.
>
> Using 'net rpc rights list' I have confirmed that my user can add
> users/machines to the domain.
>
> There is no firewall problem - there is no firewall between these
> machines, as they are on a local LAN together and the XP's firewall is
> disabled.
>
> I can successfully map a shared drive on the XP machine using the same
> credentials. (and, in fact, if I don't disconnect that share, I get a
> different error about not being able to have more than one connection
> at the same time)
>
> Samba conf is here: http://paste.ubuntu.com/713761/
>
> I've tried changing security from user to domain and back, without
> success.
>
> The error I get after entering the same credentials as above is
> "Access is denied".
>
> Any ideas? Even any pointers on how I might trace the network traffic
> to see where the issues are, since there's no data in the logs of
> note?
>
> I'm not excellent at the smb/ldap, and while I did set this server up,
> I didn't configure the smbldap part of the set up, so I'm not 100%
> sure or certain about what is happening there - am I doing something
> wrong in that regard?
>
> Other machines and users are happily connected to the server over
> smb/ldap, and when I look at their computer->properties, it says they
> are on the domain SBLS, which is what I expected and what I am trying
> to connect the current machine to.
>
> Any help appreciated.
>
> cheers
> L.
>
This may no longer be official Samba policy, so someone please correct
me if I am wrong, but have you tried setting the registry/gpedit fixes
before joining?

Here is what I do on our XP machines:

Start->Run, run gpedit.msc

Change the following:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options branch.
Make sure to disable the following policies:
  Domain Member: Digitally encrypt or sign secure channel data (always)
  Domain Member: Digitally sign secure channel data (when possible)

Computer Configuration\Administrative Templates\System\User Profiles
Make sure to enable the following policy:
  Do not check for user ownership of Roaming Profile Folders

After you make the changes, reboot (not sure if it is required, but
always a good policy with Windows), then try to join the domain again.
Join the domain first before mapping any drives or anything like
that.

Anyway, just a thought. Hope it helps.

Preston