samba - Apr 2002 - Problems with Samba 2.2.3a in a Windows 2000 Domain

Help!

I have been trying to get a samba server running on a sun host to join a NT
2000 domain without much luck.
I am running:

	o - W2K in Native mode with two domain controllers (TOPAZ and TZI)
both at 5.00.2195, service pack 2
	o - Sun Host ZIRCON running Solaris 8; path level 108528-06
	o - Newly compiled (accepted all configure defaults) samba 2.2.3a

I have been able to get the samba server to successfully join the domain by
stopping smbd and nmbd daemons and issuing the command:

smbpasswd -j TRANSZAP -r TOPAZ -u administrator
password:
Joined domain TRANSZAP.

I then set the following parameters in the smb.conf to:

   netbios name = ZIRCON
   workgroup = TRANSZAP
   security = domain
   password server = TOPAZ TZI
   encrypt passwords = yes

I can successfully list the shares while on the sun host, ZIRCON

zircon> smbclient -L zircon
added interface ip=192.168.2.25 bcast=192.168.2.255 nmask=255.255.255.0
Password: 
Anonymous login successful
Domain=[TRANSZAP] OS=[Unix] Server=[Samba 2.2.3a]

        Sharename      Type      Comment
        ---------      ----      -------
        source         Disk      Local source tree
        home$          Disk      Home directories
        IPC$           IPC       IPC Service (zircon Samba Server)
        ADMIN$         Disk      IPC Service (zircon Samba Server)

        Server               Comment
        ---------            -------
        ZIRCON               zircon Samba Server

        Workgroup            Master
        ---------            -------
        TRANSZAP             TZI

but I am unable to get to the shares on any windows 2000 server or
workstation. I have turned on debug (level 4) to smbd and the relevant
errors in the log file when I connect from a windows workstation are:

[2002/04/09 21:19:16, 3] libsmb/namequery.c:resolve_hosts(792)
  resolve_hosts: Attempting host lookup for name TOPAZ<0x20>
[2002/04/09 21:19:16, 3] lib/util_sock.c:open_socket_out(830)
  Connecting to 192.168.2.36 at port 445
[2002/04/09 21:19:16, 4] rpc_client/cli_netlogon.c:cli_net_req_chal(220)
  cli_net_req_chal: LSA Request Challenge from TOPAZ to ZIRCON:
1209F02679D7B948
[2002/04/09 21:19:16, 4] libsmb/credentials.c:cred_session_key(60)
  cred_session_key
[2002/04/09 21:19:16, 4] libsmb/credentials.c:cred_create(91)
  cred_create
[2002/04/09 21:19:16, 4] rpc_client/cli_netlogon.c:cli_net_auth2(130)
  cli_net_auth2: srv:\\TOPAZ acct:ZIRCON$ sc:2 mc: ZIRCON chal
E74DD66BEA134E78 neg: 1ff
[2002/04/09 21:19:16, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2002/04/09 21:19:16, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
  cli_nt_setup_creds: auth2 challenge failed
[2002/04/09 21:19:16, 0]
smbd/password.c:connect_to_domain_password_server(1335)
  connect_to_domain_password_server: unable to setup the PDC credentials to
machine TOPAZ. Error was : NT_STATUS_OK.

Just after this, it attempts the same thing to the other domain controller
and I get the same results.

Even more confusing is this:

If I then change the smb.conf to

  security = server

everything works fine.

I have searched the archives and the documentation extensively and have
found nothing to help me resolve this issue.

Does anybody have any ideas? I also have output from two sniffer sessions
between ZIRCON and TOPAZ, one with ZIRCON configured 'security = domain'
and
the other with 'security = server' (generated with etheral) if someone
thinks this would help.

Thanks,

..billg