Samba 2.2.1(a) and Windows XP Domain Logons

Spickenreither Florian spicki at
Sun Sep 9 11:55:02 GMT 2001

Hi!

I have read in many newsgroups that there seem to be problems with
domain logons using Samba 2.2.1(a) and Windows XP Final.

Windows XP clients can join Samba 2.2.1(a) domains without an error
message; Samba creates the Unix and Samba machine account for the new
client the way it is supposed to.

When you try to log on to the Samba domain, several error messages
occur, like "The trust relationship between the client and the primary
domain controller (PDC) could not be established" and others.

The solution for that problem is simple - the error is not caused by
Samba - it is caused by a new default setting in the local security
policy of Windows XP compared to Windows 2000:

Open the "Local Security Policies"-Editor (Control Panel->Administrative
Tools->Local Security Policies).
Go to "Local Policies->Security Options" and choose the option
"Secure channel: Digitally encrypt or sign secure channel (always)"
"Domain member: Digitally encrypt or sign secure channel (always)" (WXP)

With W2K this defaults to disabled; with WXP it is enabled. Since Samba
does not support this option, communication between Samba and WXP during
the logon process cannot work.

Set this option to disabled, reboot your Windows XP machine, and now you
should be able to log on successfully.

This worked for me; I hope it works for everybody else too! Comments
are welcome (samba at



--
+ BCOMS Bavaria Computer Service GmbH - Linux Netzwerkdienstleistungen +
| Florian Spickenreither (Managing Director)                           |
| Wettersteinstr. 2a, 82340 Feldafing, Tel:08157/901201 Fax:08157/1602 |
+ E-Mail: florian.spickenreither at, URL: ---+
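
An added example, not part of the original post: a small audit that reads `secedit /export` policy templates and lists the machines where the "Digitally encrypt or sign secure channel (always)" setting has been switched off, so they can be found again later. It assumes the policy is stored as the `RequireSignOrSeal` value under the Netlogon parameters key; the host names and export contents are constructed.

```python
import re

# Registry value behind the policy named in the post (assumption: the
# RequireSignOrSeal DWORD under Netlogon\Parameters, as listed in the
# [Registry Values] section of a `secedit /export` template).
KEY = r"MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal"

def parse_registry_values(inf_text):
    """Return {lowercased key: (type, value)} from the [Registry Values] section."""
    values, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        key, _, data = line.partition("=")
        reg_type, _, value = data.partition(",")
        if reg_type.strip().isdigit():
            values[key.strip().lower()] = (int(reg_type), value.strip().strip('"'))
    return values

def secure_channel_status(inf_text):
    """Classify one exported policy: enforced, disabled, or not-configured."""
    entry = parse_registry_values(inf_text).get(KEY.lower())
    if entry is None:
        return "not-configured"
    reg_type, value = entry
    if reg_type != 4 or not value.isdigit():  # 4 = REG_DWORD
        return "unexpected-format"
    return "enforced" if int(value) == 1 else "disabled"

def hosts_with_workaround(exports):
    """Names of hosts whose export shows the setting switched off."""
    return sorted(h for h, text in exports.items()
                  if secure_channel_status(text) == "disabled")

# Constructed sample exports (host names and contents are made up).
SAMPLE = {
    "xp-client-01": "[Unicode]\nUnicode=yes\n[Registry Values]\n" + KEY + "=4,0\n",
    "xp-client-02": "[Registry Values]\n" + KEY.upper() + "=4,1\n",
    "xp-client-03": "[System Access]\nMinimumPasswordLength = 0\n",
}

if __name__ == "__main__":
    print(hosts_with_workaround(SAMPLE))
```

Real `secedit` exports are usually UTF-16 encoded, so decode the file accordingly before passing its text to these functions.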
