Creating machine trust account for NT

werner maes werner.maes at cc.kuleuven.ac.be
Thu Nov 15 08:38:06 GMT 2001


>OK, this is a basic rundown of how it works:
>
>When you select this option, the NT client logs in to the Samba server,
>and issues a 'create account' RPC command, then a 'set password' command
>to set a random smb password on the trust account.
>
>This works fine on the Samba side of things, but we have some legacy
>issues:  Unfortunately the way samba works internally it requires an
>/etc/passwd account before it can create it in smbpasswd.  By default
>the 'create user' call only makes the smbpasswd part, you have to do the
>unix stuff yourself.  This is what the 'add user script' (and the 'add
>machine script' in HEAD) are for, to allow samba to do both parts.
>
>Now, back to your question.  When you did the 'smbpasswd -am' yourself,
>you effectively did the same thing as the 'create user' checkbox on the
>NT client achieves, except that you set the password to a known value.
>In this case the NT client just changes that password when you join it,
>but in the meantime any other machine can use that account - not a good
>thing and why only the second method is supported under Win2k.
>
>Andrew Bartlett

Thanks for your reply,
I get the picture.

But now I've done some tests. Everything seems to work fine, even when you 
select the option "create a computer account in the domain". There's still 
one problem however.
If I try selecting this option on an NT 4.0 Server, the machine trust 
account is created on the Samba server but with wrong settings.
e.g.:
testnts$:507:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NDW        ]:LCT-00000000:

This is the entry I get after I added a NT server to a Samba domain with 
the option "create a computer account in the domain" enabled.
With these settings you cannot log in to the domain.

If you first create the machine account with "smbpasswd -a -m" and then add 
the NT server to the domain, then it works.
With NT Workstation 4.0 everything works fine (same for Win2000).

Am I correct?

Werner
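An audit check over an smbpasswd file for the two situations this thread describes: a machine trust account that ended up disabled with no password (the entry Werner posted), and an account pre-created with "smbpasswd -a -m" whose password has not yet been changed by a join, which Andrew notes any machine can use in the meantime. This is an added example, not code from the thread or from Samba; it assumes the documented smbpasswd field layout (name:uid:LM hash:NT hash:[flags]:LCT-hex:) and the flag letters U, W, D and N, and every sample line after the first is constructed.

```python
import re

# Constructed sample file. The first line reproduces the entry from the thread;
# the other three are made up (the hex hashes are not real password hashes).
SAMPLE_SMBPASSWD = """\
testnts$:507:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NDW        ]:LCT-00000000:
joinedws$:508:00112233445566778899AABBCCDDEEFF:FFEEDDCCBBAA99887766554433221100:[W          ]:LCT-3BF36F2A:
prestaged$:509:00112233445566778899AABBCCDDEEFF:FFEEDDCCBBAA99887766554433221100:[W          ]:LCT-00000000:
werner:1001:00112233445566778899AABBCCDDEEFF:FFEEDDCCBBAA99887766554433221100:[U          ]:LCT-3BF36F2A:
"""


def parse_smbpasswd_line(line):
    """Split one smbpasswd entry into its fields; flags become a set of letters."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 6:
        raise ValueError("not an smbpasswd entry: %r" % line)
    name, uid, lm_hash, nt_hash, flags, lct = fields[:6]
    flag_match = re.fullmatch(r"\[([A-Z ]*)\]", flags)
    if flag_match is None:
        raise ValueError("bad flags field %r in entry for %s" % (flags, name))
    lct_match = re.fullmatch(r"LCT-([0-9A-Fa-f]{8})", lct)  # last change time, hex epoch
    return {
        "name": name,
        "uid": int(uid),
        "lm": lm_hash,
        "nt": nt_hash,
        "flags": set(flag_match.group(1).replace(" ", "")),
        "lct": int(lct_match.group(1), 16) if lct_match else None,
    }


def audit_machine_accounts(text):
    """Return (account, [problems]) for machine trust accounts (names ending in $)."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_smbpasswd_line(line)
        if not entry["name"].endswith("$"):
            continue  # ordinary user accounts are out of scope for this check
        problems = []
        if "W" not in entry["flags"]:
            problems.append("missing W (workstation trust) flag")
        if "D" in entry["flags"]:
            problems.append("disabled")
        if "N" in entry["flags"] or entry["nt"].startswith("NO PASSWORD"):
            problems.append("no password set")
        # A usable trust account whose password was never changed since creation
        # is still on its admin-chosen value: any host that knows it can join.
        if not problems and entry["lct"] == 0:
            problems.append("password unchanged since creation")
        if problems:
            findings.append((entry["name"], problems))
    return findings
```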