Jonathan C. Detert
2006-Jan-20 21:59 UTC
[Samba] can't map drive to WinXP client from v3.0.21 w. security=ads
New installation of samba v3.0.21 on debian. Joined the samba box to an ActiveDirectory domain.

Can enumerate users/groups with wbinfo run locally on the samba box.
Can connect remotely to samba box via smbclient Version 3.0.10-Ubuntu linux.
Can create new files via 'put' cmd within smbclient.
Can login remotely to samba box with ssh client on linux box.

Can _NOT_ map a drive to samba box from WinXP SP2 box that is joined to the same A.D. domain: I run 'net use \\sambabox\username' and about 10 seconds later I get this output:

  'System error 1240 has occurred. The account is not authorized to log in from this station.'

Does anyone have an idea what's wrong, and/or a suggestion of what to try to find out why it's not working?

AtDhVaAnNkCsE

The rest of this email is supporting data that may or may not be relevant or interesting.

pam config
----------
I'm wondering if the problem could be the pam config. The ssh and samba pam configs are almost the same - the ssh config has 4 things that the samba config doesn't:

  session optional pam_motd.so
  session optional pam_mail.so standard noenv
  session required pam_limits.so
  @include common-password

which makes me think, if anything, that the pam requirements for ssh are more stringent than for samba. Yet samba isn't working, and ssh does.

Here's the auth pam stuff done for samba (and ssh):

  auth requisite pam_nologin.so debug
  auth [success=1 default=ignore] pam_localuser.so debug
  auth [success=done auth_err=bad] pam_winbind.so debug
  auth required pam_unix.so nullok_secure debug

Here's the account pam stuff done for samba & ssh:

  account sufficient pam_winbind.so debug
  account required pam_unix.so debug

and the session pam stuff:

  session required pam_unix.so

samba logs (debuglevel = 2) for successful connect via smbclient:
----------------------------------------------------------------
[2006/01/20 15:54:39, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password: authentication for user [detertj] -> [detertj] -> [MSOE+detertj] succeeded
[2006/01/20 15:54:39, 1] smbd/service.c:make_connection_snum(666)
  carlisle (155.92.193.21) connect to service detertj initially as user MSOE+detertj (uid=10008, gid=10000) (pid 7892)

samba logs (debuglevel=3) for failed 'net use' on winxp sp2 box:
----------------------------------------------------------------
[2006/01/20 15:22:27, 3] smbd/oplock.c:init_oplocks(711)
  open_oplock_ipc: opening loopback UDP socket.
[2006/01/20 15:22:27, 3] smbd/process.c:process_smb(1194)
  Transaction 0 of length 137
[2006/01/20 15:22:27, 3] smbd/process.c:switch_message(993)
  switch message SMBnegprot (pid 5028) conn 0x0
[2006/01/20 15:22:27, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/01/20 15:22:27, 3] smbd/negprot.c:reply_negprot(475)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2006/01/20 15:22:27, 3] smbd/negprot.c:reply_negprot(475)
  Requested protocol [LANMAN1.0]
[2006/01/20 15:22:27, 3] smbd/negprot.c:reply_negprot(475)
  Requested protocol [Windows for Workgroups 3.1a]
[2006/01/20 15:22:27, 3] smbd/negprot.c:reply_negprot(475)
  Requested protocol [LM1.2X002]
[2006/01/20 15:22:27, 3] smbd/negprot.c:reply_negprot(475)
  Requested protocol [LANMAN2.1]
[2006/01/20 15:22:27, 3] smbd/negprot.c:reply_negprot(475)
  Requested protocol [NT LM 0.12]
[2006/01/20 15:22:27, 3] smbd/negprot.c:reply_nt1(346)
  using SPNEGO
[2006/01/20 15:22:27, 3] smbd/negprot.c:reply_negprot(568)
  Selected protocol NT LM 0.12
[2006/01/20 15:22:29, 3] smbd/process.c:timeout_processing(1447)
  timeout_processing: End of file from client (client has disconnected).

--
Happy Landings,

Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.