Petry Roman, ITS-IT
2002-Apr-29 15:06 UTC
[Samba] strange access problems with SAMBA 2.2.3a/Winbindd and Security = DOMAIN
Hello.. I have some strange behavior with my Samba 2.2.3a with WINBIND (Linux 2.4.17, acl enabled) and an NT4.0 SP6 domain with nearly 2000 users... Here comes some more info for you...

We want to migrate from one of our fileservers (NT4.0) to a new Samba server.. nearly 400 users use this new machine for normal file service... Everything looks good, but some of my users can't log in... and they change from day to day... they get the message "password wrong" every time.... I turned the debug level to 5 and I saw some strange things.. they are listed at the bottom of this mail..

First my config...

    [global]
        workgroup = DH-COM
        netbios name = NRZ90
        server string = Samba Server
        security = DOMAIN
        encrypt passwords = Yes
        ### tried also password server = nt07 no luck !!!
        password server = *
        log file = /usr/local/samba/var/log.%m
        wins server = 172.31.1.151
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind separator = +
        winbind cache time = 10
        log level = 5
        nt acl support = yes

    [info]
        nt acl support = yes
        comment = INFO-Server
        path = /webserver/htdocs/infoserver
        browseable = no
        public = no
        writeable = yes

I successfully joined our domain with (NT07 is our PDC)

    smbpasswd -j DH-COM -r NT07 -U Administrator%xxxxxx

and I got.. "joined domain DH-COM".... 8-) I also did it the other way with Server Manager, no changes in the behavior.. I made all changes to the pam configs and I can do all things with wbinfo..

    nrz90:/usr/local/samba/bin # ./wbinfo -t
    Secret is good
    nrz90:/usr/local/samba/bin # ./wbinfo -u
    DH-COM+test-user1
    DH-COM+test-user2
    nrz90:/usr/local/samba/bin # ./wbinfo -u
    DH-COM+SWG-Test
    DH-COM+SWG-Time
    nrz90:/usr/local/samba/bin # ./wbinfo -n DH-COM+test
    S-1-5-21-1558126179-1158248748-102967255-5977 2
    nrz90:/usr/local/samba/bin # ./wbinfo -a DH-COM+test%test
    plaintext password authentication succeeded
    challenge/response password authentication failed
    Could not authenticate user DH-COM+test%test with challenge/response
    nrz90:/usr/local/samba/bin #

Everything looks good...

But here comes a log from a user who is unable to log in to the server.. he always gets (bad password) if he tries to log in..

-- cut --- from a log.workstation
[2002/04/27 12:57:58, 5] rpc_parse/parse_prs.c:prs_ntstatus(588)
  0024 status: NT_STATUS_ACCESS_DENIED
[2002/04/27 12:57:58, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2002/04/27 12:57:58, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
  cli_nt_setup_creds: auth2 challenge failed
[2002/04/27 12:57:58, 0] smbd/password.c:connect_to_domain_password_server(1336)
  connect_to_domain_password_server: unable to setup the PDC credentials to machine NT51. Error was : NT_STATUS_OK.
[2002/04/27 12:57:58, 5] lib/util.c:show_msg(275)
[2002/04/27 12:57:59, 0] smbd/password.c:domain_client_validate(1554)
  domain_client_validate: Domain password server not available.
[2002/04/27 12:57:59, 2] passdb/pdb_smbpasswd.c:startsmbfilepwent(170)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd . Error was No such file or directory
[2002/04/27 12:57:59, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1367)
  unable to open passdb database.
[2002/04/27 12:57:59, 1] smbd/password.c:pass_check_smb(555)
  Couldn't find user 'dh-com+di12822' in passdb.
[2002/04/27 12:57:59, 2] smbd/reply.c:reply_sesssetup_and_X(962)
  NT Password did not match for user 'dh-com+di12822'!
[2002/04/27 12:57:59, 2] smbd/reply.c:reply_sesssetup_and_X(972)
  Defaulting to Lanman password for dh-com+di12822
[2002/04/27 12:57:59, 2] passdb/pdb_smbpasswd.c:startsmbfilepwent(170)
---- cut ----

No luck with this user.. For debugging I run wbinfo -t in a cron job every minute, and it works every time... The only thing I see on the NT side is in the event log on the PDC or BDC... the message is like this..

-- cut ---
NETLOGON Failure ID 5722
The session setup from the computer NRZ90 failed to authenticate. The name of the account referenced in the security database is NRZ90$.
The following error occurred. ACCESS DENIED
--- cut ---

I checked everything, deleted the computer account 3-4 times.. changed the name.. first made the computer account in Server Manager and then joined the domain, and so on.. every time the same problem... Some of my users can't log in, others can.. nearly 450 of my users can work, and 50 not... but the users change every day..

Any help is welcome. If you need more debug output I can mail it.. I have winbind.. smb.log, nmbd.log and so on... It looks like the Samba machine could sometimes not validate its account in the NT domain, but most of the time it works... I also checked the secure channels between the PDC and BDC and they are OK and synced.. I have no idea what goes wrong.. some tips, hints would be great.. thanks a lot..

roman

Kind regards
Roman Petry
Microsoft Certified System Engineer (MCSE)
ITS-IT AG der Dillinger Huettenwerke
Tel.: 0049-6831-474670
Fax.: 0049-6831-473505
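An added example, not part of Roman's post or of Samba itself: a small Python triage script over smbd debug-log entries of the kind quoted above, which separates the machine-account (secure channel) failure in cli_net_auth2 from the later "bad password" symptom that follows when smbd falls back to the local smbpasswd file. SAMPLE_LOG is constructed from the post's excerpt, re-split into Samba's header/message line pairs; the function names are my own.

```python
import re
from typing import Dict, List

# Samba 2.2 debug-log header line, e.g.
# "[2002/04/27 12:57:58, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+?):(\w+)\((\d+)\)$")

# Constructed sample: the smbd excerpt from the post, one header + one indented message per entry.
SAMPLE_LOG = """\
[2002/04/27 12:57:58, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2002/04/27 12:57:58, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
  cli_nt_setup_creds: auth2 challenge failed
[2002/04/27 12:57:58, 0] smbd/password.c:connect_to_domain_password_server(1336)
  connect_to_domain_password_server: unable to setup the PDC credentials to machine NT51. Error was : NT_STATUS_OK.
[2002/04/27 12:57:59, 0] smbd/password.c:domain_client_validate(1554)
  domain_client_validate: Domain password server not available.
[2002/04/27 12:57:59, 1] smbd/password.c:pass_check_smb(555)
  Couldn't find user 'dh-com+di12822' in passdb.
[2002/04/27 12:57:59, 2] smbd/reply.c:reply_sesssetup_and_X(962)
  NT Password did not match for user 'dh-com+di12822'!
"""

def parse_entries(text: str) -> List[Dict[str, object]]:
    """Group each header line with the indented message line(s) that follow it."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, level, src, func, _lineno = m.groups()
            entries.append({"ts": ts, "level": int(level), "src": src, "func": func, "msg": ""})
        elif entries:  # continuation / message line belongs to the last header
            entries[-1]["msg"] = str(entries[-1]["msg"]) + line.strip() + " "
    return entries

def triage_domain_auth(text: str) -> Dict[str, object]:
    """Classify a failed logon: secure-channel (machine account) problem vs. user credentials.

    Chain to look for: cli_net_auth2 -> NT_STATUS_ACCESS_DENIED, then the domain password
    server is reported unavailable, then smbd falls back to the local passdb, where domain
    users never exist, so every such logon is reported as a bad password.
    """
    entries = parse_entries(text)
    by_func = {str(e["func"]): e for e in entries}
    auth2 = by_func.get("cli_net_auth2")
    channel_failed = auth2 is not None and "NT_STATUS_ACCESS_DENIED" in str(auth2["msg"])
    fell_back = "pass_check_smb" in by_func and "in passdb" in str(by_func["pass_check_smb"]["msg"])
    users = sorted({u for e in entries for u in re.findall(r"user '([^']+)'", str(e["msg"]))})
    verdict = "machine account / secure channel" if channel_failed and fell_back else "user credentials or other"
    return {"secure_channel_failed": channel_failed, "local_passdb_fallback": fell_back,
            "affected_users": users, "verdict": verdict}
```

A verdict of "machine account / secure channel" means the user's password was never checked against the domain, which is the case to correlate with NETLOGON event 5722 on the PDC rather than with the user.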