Hi!

I use Debian Sarge + Samba 3.0.22 + OpenLDAP 2.2.23 Server for a domain controller. Once a month I have to rejoin Windows XP clients to the domain, because Samba thinks they're not in the domain (users cannot log in).

The error message found in each machine log:

  _net_auth2: creds_server_check failed. Rejecting auth request from client T2906 machine account T2906$

What's wrong?

Thanks!

Ferenc Ulrich
IT Manager

Here's a copy of my smb.conf:

[global]
  workgroup = DOMAIN
  netbios name = SZERVER
  enable privileges = yes
  interfaces = 10.0.****
  server string = Szerver
  security = user
  unix password sync = yes
  passwd program = /usr/sbin/smbldap-passwd -u "%u"
  passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
  ldap passwd sync = Yes
  log level = 3
  syslog = 0
  log file = /var/log/samba/log.%m
  max log size = 100000
  time server = Yes
  Dos charset = 852
  Unix charset = ISO8859-2
  logon script = startup.bat
  logon drive = J:
  domain logons = Yes
  os level = 65
  preferred master = Yes
  domain master = Yes
  wins support = Yes
  passdb backend = ldapsam:ldap://127.0.0.1/
  ldap admin dn = cn=Manager,dc=CSETE,dc=SULINET,dc=HU
  ldap suffix = dc=CSETE,dc=SULINET,dc=HU
  ldap group suffix = ou=Groups
  ldap user suffix = ou=Users
  ldap machine suffix = ou=Computers
  ldap ssl = no
  add user script = /usr/sbin/smbldap-useradd -m "%u"
  ldap delete dn = Yes
  add machine script = /usr/sbin/smbldap-useradd -w -i "%u"
  add group script = /usr/sbin/smbldap-groupadd -p "%g"
  add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
  delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
  set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

[homes]
  comment = repertoire de %U, %u
  read only = No
  create mask = 700
  directory mask = 0700
  browseable = No

[netlogon]
  path = /etc/samba/netlogon/%a/
  browseable = No
  read only = yes

[profiles]
  path = /etc/samba/profiles
  read only = no
  create mask = 0600
  directory mask = 0700
  browseable = No
  guest ok = Yes
  profile acls = yes
  csc policy = disable
  # next line is a great way to secure the profiles
  force user = %U
  # next line allows administrator to access all profiles
  valid users = %U @"Domain Admins"
  hide files = /desktop.ini/

[vb]
  path = /vb
  browseable = Yes
  guest ok = Yes
  read only = No
  directory mask = 0775
  create mask = 0775

[tanarok]
  path = /tanarok
  browseable = No
  guest ok = No
  read only = No
  directory mask = 0770
  create mask = 0770
  valid users = %U @"Domain Admins"
  invalid users = virusbuster

[feladat]
  path = /feladat
  browseable = Yes
  guest ok = Yes
  read only = No
  directory mask = 0775
  create mask = 0775
  read list = virusbuster

[vizsga]
  path = /vizsga
  browseable = Yes
  directory mask = 755
  create mask = 755
  write list = root