samba - Jun 2006 - samba rejecting machine accounts

Hi!

I use Debian Sarge + Samba 3.0.22 + OpenLDAP 2.2.23 Server for a 
domain controller. Once a month i have to rejoin windows XP clients to 
the domain, because samba thinks they're not in the domain(users 
cannot log in).
The error message found in each machine log:


_net_auth2: creds_server_check failed. Rejecting auth request from 
client T2906 machine account T2906$

What's wrong? 

Thanks!


Ferenc Ulrich
IT Manager


Here's a copy of my smb.conf:

[global]
        workgroup = DOMAIN
        netbios name = SZERVER
        enable privileges = yes
        interfaces = 10.0.****
        server string = Szerver
        security = user
        unix password sync = yes
        passwd program = /usr/sbin/smbldap-passwd -u "%u"
        passwd chat = "Changing password for*\nNew password*" %
n\n "*Retype new password*" %n\n"
        ldap passwd sync = Yes
        log level = 3
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 100000
        time server = Yes
        Dos charset = 852
        Unix charset = ISO8859-2

        logon script = startup.bat
        logon drive = J:
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        passdb backend = ldapsam:ldap://127.0.0.1/
        ldap admin dn = cn=Manager,dc=CSETE,dc=SULINET,dc=HU
        ldap suffix = dc=CSETE,dc=SULINET,dc=HU
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap ssl = no
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        ldap delete dn = Yes
        add machine script = /usr/sbin/smbldap-useradd -w -i "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%
u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%
u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g"
"%
u"


[homes]
        comment = repertoire de %U, %u
        read only = No
        create mask = 700
        directory mask = 0700
        browseable = No

[netlogon]
        path = /etc/samba/netlogon/%a/
        browseable = No
        read only = yes

[profiles]
        path = /etc/samba/profiles
        read only = no
        create mask = 0600
        directory mask = 0700
        browseable = No
        guest ok = Yes
        profile acls = yes
        csc policy = disable
        # next line is a great way to secure the profiles
        force user = %U
        # next line allows administrator to access all profiles
        valid users = %U @"Domain Admins"
        hide files = /desktop.ini/


[vb]
        path = /vb
        browseable = Yes
        guest ok = Yes
        read only = No
        directory mask = 0775
        create mask = 0775

[tanarok]
        path = /tanarok
        browseable = No
        guest ok = No
        read only = No
        directory mask = 0770
        create mask = 0770
        valid users = %U @"Domain Admins"
        invalid users = virusbuster


[feladat]
        path = /feladat
        browseable = Yes
        guest ok = Yes
        read only = No
        directory mask = 0775
        create mask = 0775
        read list = virusbuster


[vizsga]
        path = /vizsga
        browseable = Yes
        directory mask = 755
        create mask = 755
        write list = root

_________________________________________________________________
711 ?ll?saj?nlat k?z?tt biztosan tal?lsz olyat, ami Neked is megfelel!
http://ad.adverticum.net/b/cl,1,6022,105302,170442/click.prm