[Samba] Machine trust relationship failed
mrdemeanour at jackpot.uk.net
Mon Nov 20 14:42:11 GMT 2006
I am having trouble joining a Win2K machine to a Samba domain.
The Win2K machine is patched and up-to-date.
The Samba machine is running Debian Sarge and Samba 3.0.14a-Debian. The
passdb-backend is OpenLDAP, but I don't think this is relevant; I have
tried with tdbsam as well, and had exactly the same results.
I have been mainly following this guide:
The PDC appears to be working; testparm doesn't complain, and says:
Server role: ROLE_DOMAIN_PDC
I have defined Samba 3 Group Mappings using phpldapadmin for admins,
groups and guests. These are mapped to the well-known RIDs for the
respective Domain * Windows groups.
# getent group
I have defined a samba Administrator user, with a uidNumber of 0 and a
gidNumber of 2000.
From the Win2K system I can map a share to a service on the PDC, after
giving the Administrator userid and password. However, I cannot browse
I have an "add machine script" defined as follows in smb.conf:
add machine script = /usr/sbin/smbldap-useradd -w "%u"
This appears to work; after attempting to add the machine to the domain
using Network Identification/Properties (and giving the credentials for
the Administrator user), the new machine appears in the proper place in
the LDAP directory, with a sambaNTPassword (but no userPassword).
After rebooting the Win2K machine and logging in with local admin
credentials, I try to grant login privileges to a domain-user using the
"Users and Passwords" Control panel applet. This fails with the message
"The trust relationship between this workstation and the primary
The following lines appear in /var/log/samba/[machine-name].log:
[2006/11/20 13:50:15, 2] smbd/uid.c:change_to_user(202)
change_to_user: SMB user (unix user nobody, vuid 101) not
permitted access to share IPC$.
[2006/11/20 13:50:15, 0] smbd/service.c:make_connection_snum(577)
Can't become connected user!
I don't know what these messages mean.
The Win2K machine has Local Security Settings as follows:
Digitally sign server communication (always): Disabled
Digitally encrypt or sign secure channel data (always): Disabled
The PDC has these settings in smb.conf:
client schannel = Auto
server schannel = Auto
I suspect that the machine has not been *properly* joined to the domain.
I have read a few (old) threads in various archives that seem to relate
to this problem, but they all end in either the policy settings I've
just mentioned, or they tail away with no resolution.
Can anyone advise?
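An added triage example, not from the original post and not Samba's own tooling: the script below parses smbd log lines shaped like the ones quoted above and a constructed smb.conf [global] fragment (the fragment is hypothetical; only the "add machine script" and schannel lines are taken from the post). The point it makes visible is that a change_to_user denial naming "unix user nobody" means smbd was running that session as the guest account (Samba's default "guest account" is nobody), i.e. the SMB logon that preceded it was anonymous or a failed logon mapped by "map to guest", rather than a successful logon by the machine account. It also checks the [global] parameters a Samba 3 PDC needs before it can create machine accounts on the fly.

```python
"""Triage helper for Samba 3 smbd per-machine logs and smb.conf join settings.

Added example, not code from the original post or from the Samba project.
Assumes the default 'guest account = nobody'; the smb.conf fragment is constructed.
"""
import re
from dataclasses import dataclass

# Log lines as quoted in the post (smbd debug level 2; the message is wrapped over two lines).
SAMPLE_LOG = """\
[2006/11/20 13:50:15, 2] smbd/uid.c:change_to_user(202)
  change_to_user: SMB user (unix user nobody, vuid 101) not
  permitted access to share IPC$.
[2006/11/20 13:50:15, 0] smbd/service.c:make_connection_snum(577)
  Can't become connected user!
"""

# Constructed (hypothetical) [global] section; only the script and schannel lines come from the post.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   add machine script = /usr/sbin/smbldap-useradd -w "%u"
   client schannel = Auto
   server schannel = Auto
   map to guest = Bad User
"""

# "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] (?P<where>\S+)$"
)
# "change_to_user: SMB user (unix user X, vuid N) not permitted access to share S."
DENIED_RE = re.compile(
    r"change_to_user: SMB user \(unix user (?P<unix_user>[^,\s]+), vuid (?P<vuid>\d+)\) "
    r"not permitted access to share (?P<share>.+?)\.?$"
)


@dataclass
class DeniedAccess:
    timestamp: str
    unix_user: str
    vuid: int
    share: str
    guest_mapped: bool  # True when smbd ran the session as the guest Unix account


def _log_blocks(text):
    """Group a smbd log into (timestamp, message) pairs; indented continuation
    lines without a header belong to the preceding header line."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            blocks.append([header.group("ts"), []])
        elif blocks:
            blocks[-1][1].append(line)
    return [(ts, " ".join(parts)) for ts, parts in blocks]


def parse_smbd_log(text, guest_account="nobody"):
    """Return one DeniedAccess per change_to_user denial found in the log text."""
    found = []
    for ts, msg in _log_blocks(text):
        m = DENIED_RE.match(msg)
        if m:
            user = m.group("unix_user")
            found.append(DeniedAccess(ts, user, int(m.group("vuid")),
                                      m.group("share"), user == guest_account))
    return found


def parse_global_section(conf_text):
    """Minimal smb.conf reader: [global] parameters with names normalised the
    way Samba compares them (case-insensitive, embedded spaces ignored)."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip().lower().replace(" ", "")] = value.strip()
    return params


def check_join_settings(conf_text):
    """Findings about [global] settings a Samba 3 PDC needs to accept a domain
    join and create the machine account. An empty list means nothing to report."""
    g = parse_global_section(conf_text)
    findings = []
    if g.get("security", "user").lower() != "user":
        findings.append("security must be 'user' on a PDC (found %r)" % g["security"])
    if g.get("domainlogons", "no").lower() not in ("yes", "true", "1"):
        findings.append("domain logons is not enabled; workstations cannot join")
    script = g.get("addmachinescript")
    if not script:
        findings.append("no add machine script: the machine account must be pre-created")
    elif "%u" not in script:
        findings.append("add machine script lacks %u, so the machine name is never passed")
    return findings


def diagnose(log_text, conf_text):
    """Combine the log denials with the config findings for one workstation."""
    denials = parse_smbd_log(log_text)
    notes = check_join_settings(conf_text)
    g = parse_global_section(conf_text)
    if any(d.guest_mapped for d in denials):
        note = ("session ran as the guest account: the preceding SMB logon was anonymous "
                "or failed, not a successful logon by the machine account")
        if "maptoguest" in g:
            note += " (map to guest = %s turns failed logons into guest sessions)" % g["maptoguest"]
        notes.append(note)
    return denials, notes


if __name__ == "__main__":
    for d in parse_smbd_log(SAMPLE_LOG):
        print(d)
    for n in diagnose(SAMPLE_LOG, SAMPLE_SMB_CONF)[1]:
        print("-", n)
```

Run against a real box, feed it the per-machine log under /var/log/samba and the output of "testparm -s" instead of the constructed strings; a guest-mapped denial on IPC$ right after a join points at the machine account's logon failing, which is where to look before touching the signing and schannel policies.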