[Samba] Samba 3.0.2 PDC Setup: cannot join W2k machine - SAMR_SET_USERINFO fails

[Erik Anderson]

Okay, this is near the end of a marathon day trying to get this linux machine up and running as a PDC.  At this point I am unable to get a Windows 2K machine to join the domain, it responds with "Logon failure: unknown user name or bad password".  Samba log shows the following:

rpc_server/srv_samr_nt.c: _samr_set_userinfo(2937)
 _samr_set_userinfo: 2937
rpc_server/src_lsa_hnd.c:find_policy_by_hnd_internal(162)
 Found policy hnd[0] [000] 00 00 00 00 08 00 00 00  00 00 00 00 32 FA F0 40
  [010] BF 22 00 00
rpc_server/srv_samr_nt.c:access_check_samr_function(106)
 _samr_set_userinfo: access check ((granted: 0x000000b0;  required:0x00000024)
rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_set_userinfo: ACCESS DENIED (granted: 0x000000b0;  required: 0x00000024)
rpc_parse/parse_prs.c:prs_debug(82)
  000000 samr_io_r_set_userinfo
rpc_parse/parse_prs.c:prs_ntstatus(665)
     0000 status: NT_STATUS_ACCESS_DENIED

The log appears to show that the machine account was established properly, but failed when the server was attempting to set a password?  Google pulls up only one hit: http://lists.samba.org/archive/samba/2003-December/076951.html

This is a Debian box ("testing" distribution), samba package is 3.0.2a-1 (modified to enable LDAP).

The user I am attempting to add the machine with is named Administrator, which is a normal user (uid=3011, rid=7000) that has a primary group of "Domain Admins" (gid=3011, sid=<SID>-512) and a secondary group of "Administrators" (gid=3002, sid="S-1-5-32-544")

FYI, As a strange side effect of my installation, I had to modify the samba.schema that came with the package, as the compiled output was demanding to use the "historical schema".  Don't know if it has anything to do with this issue, but I'm throwing it out there for additional information.