samba - Mar 2007 - Could not peek rid out of sid

New samba deployment; samba 3.0.24 w/ldapsam, em64t (Dell 2900), CentOS 
4.4, using nss_ldap with LDAP master and two slaves (OpenLDAP 2.3.32), one 
Samba PDC (on LDAP master) and two Samba BDC's (on each of the LDAP 
slaves); no Windows servers; one Linux domain member server (first of 
several). All four Samba servers use the same LDAP parameters. testparm 
checks out. All accounts are in LDAP; no other source except for the stock 
/etc/passwd entries. LDAP is fully functional; nss_ldap is properly 
configured (I believe). Everything seems to work properly in the Unix 
space, and in the Windows space with the exception of roaming profiles; I 
can join Windows machines to the domain, log in, map shares, etc, with no 
issues. In the DIT I have, for each user, the following:

   sambaHomePath: \\<server.domain.org>\<username>
   sambaProfilePath: \\<server.domain.org>\profiles\<username>

where "server.domain.org" is the fully-qualified hostname of the DMS
box
(which resolves to two IP's from DNS, forwards and backwards, as do the 
PDC and BDC's). When logging in to a Windows XP box, I get the complaint 
that the roaming profile cannot be downloaded because it is not owned by 
the user that is logging in (it is, and all permissions are correct), and 
in the samba log file there is a successful connection to the profiles 
share followed by:

   Could not peek rid out of sid <correct-SID-value> (twice)
   User <username> with invalid SID <same-SID-value> in passdb (3
times)

followed by a successful connection to the home directory share, which is 
fully useable from the Windows client at this point.

If I replace the "server.domain.org" in LDAP's sambaProfilePath
with the
FQDN of the PDC (not changing sambaHomePath), the roaming profile can be 
successfully downloaded (which is how it was initially created).

Rather than including all my configuration files, I'd just appreciate it 
if someone can give me a clue as to where to look next. It's evidently a 
problem with the DMS setup, although the DMS works well for everything 
else Samba-related (only roaming profiles do not work).

Steve

OK, replying to my own post.
>Could not peek rid out of sid <correct-SID-value> (twice)
It appears that when the domain member server starts, it creates an entry 
in the LDAP database with the following dn:

 	sambaDomainName=<dms_netbios_name>,<ldap_suffix>

which has an incorrect sambaSID in it. If I correct the value of SambaSID 
in this entry, everything works. If I delete this entry entirely, and 
restart Samba, the entry comes back with an incorrect SID (it's the value 
of 'getlocalsid' on the DMS).

However, why is the sambaDomainName record being created at all when Samba 
starts on the domain member?

After all, <dms_netbios_name> is not the correct domain name, and
"net rpc
info -S <dms_netbios_name> -U%" does show it as a member of the
correct
domain.

Steve
----------------------------------------------------------------------------
Steve Thompson                 E-mail:      smt AT vgersoft DOT com
Voyager Software LLC           Web:         http://www DOT vgersoft DOT com
39 Smugglers Path              VSW Support: support AT vgersoft DOT com
Ithaca, NY 14850
   "186,300 miles per second: it's not just a good idea, it's the
law"
----------------------------------------------------------------------------