[Samba] XP-machines cannot join Samba PDC with tdbsam

Heinz Allerberger allerberger at em.uni-frankfurt.de
Sat Nov 7 05:59:43 MST 2009


Hi there ...

I cannot join my Samba PDC any longer with my XP machines, I mean I'm 
not able to create new machine accounts.
The existing machine accounts in the tdb database work properly; all 
the existing XP machines are joined without any problems. It just isn't 
possible to join the Samba PDC with new machines...

My first Samba PDC configuration with this tdbsam as the passdb 
backend, with the same smb.conf as today (please have a look below), I 
had run with an early version of Samba 3 on a 32bit server in 2005 with 
nearly 50 XP machines as domain members. In 2006 I did the first 
migration to newer 64bit hardware; this was uncomplicated, everything 
worked properly with meanwhile 150 XP machines. Two weeks ago I did 
another hardware migration to new 64bit server hardware and ran into 
some trouble.
I did the migration in the same way as before. I stopped the old server 
and copied /etc/samba/smb.conf with all the scripts and 
/var/lib/samba with the tdb database to the new server hardware.
The new server runs Debian version 5.0.3 (Lenny); before, the old 
hardware ran Debian version 4.0 (Etch).
The current Samba version is 3.2.5-4lenny7.

When I try to join the domain with an XP SP3 workstation, I get the 
prompt "Enter the name and password of an account with permission to 
join the domain". When I fill in the domain admin user and the 
password, I get the answer "The following error occurred attempting to 
join the domain "MYDOMAIN": the specified domain either does not exist or 
could not be contacted". But the domain exists, this is a fact; all the 
old XP machines, which are members of the domain MYDOMAIN, work properly.
The user domadmin and the password are really correct: when I try to log in 
on an XP workstation which is an old member of the domain, it works 
properly, I can log in without problems.

Have a look at my Domain Administrator rights:
===============================
/etc/passwd: domadmin:x:500:512:Domain Administrator MYDOMAIN:/srv/data1/home1/domadmin:/bin/bash
/etc/group:  domadmins:x:512:admin,domadmin

Unix username:        domadmin
NT username:         
Account Flags:        [U          ]
User SID:             S-1-5-21-1656000120-2433418590-619812953-500
lookup_global_sam_rid: looking up RID 512.
pdb_getsampwrid (TDB): error looking up RID 512 by key RID_00000200.
lookup_rids: Domain Admins:2
Primary Group SID:    S-1-5-21-1656000120-2433418590-619812953-512
Full Name:            Domain Administrator MYDOMAIN
Home Directory:       \\domainserver1\domadmin\win
HomeDir Drive:        U:
Logon Script:         logon.cmd
Profile Path:         \\domainserver1\profiles\domadmin
Domain:               MYDOMAIN
Account desc:        
Workstations:        
Munged dial:         
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Fr, 06 Nov 2009 12:41:16 CET
Password can change:  Fr, 06 Nov 2009 12:41:16 CET
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

----------------------------------------------------------------------------------------
domainserver1:~# net rpc rights list accounts -U domadmin -S 192.168.151.240
Enter domadmin's password:
MYDOMAIN\domadmin
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

Everyone
No privileges assigned

-------------------------------------------------------------------------------------------------------------------

Here are the globals of my smb.conf:
[global]
        unix charset = ISO8859-1
        workgroup = MYDOMAIN
        netbios aliases = Server2
        server string = %h
        update encrypted = Yes
        obey pam restrictions = Yes
        passdb backend = tdbsam
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        add user script = /usr/sbin/adduser.sh -p -u "%u" -n "%u"
        delete user script = /usr/sbin/userdel "%u"
        add group script = /usr/local/bin/smbgrpadd.sh "%g"
        delete group script = /usr/sbin/groupdel "%g"
        add user to group script = /usr/bin/gpasswd -a "%u" "%g"
        delete user from group script = /usr/bin/gpasswd -d "%u" "%g"
        set primary group script = /usr/sbin/usermod -g "%g" "%u"
        add machine script = /usr/sbin/addmachine.sh -u %u
        logon script = logon.cmd
        logon path = \\%N\profiles\%U
        logon drive = U:
        logon home = \\%N\%U\win
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        ldap ssl = no
        panic action = /usr/share/samba/panic-action %d
        invalid users = root
---------------------------------------------------------------------------------------

Here is some debug information from the Samba log:
[2009/11/06 14:34:59,  5] passdb/secrets.c:secrets_fetch_trusted_domain_password(644)
  secrets_fetch failed!
[2009/11/06 14:34:59,  5] passdb/pdb_tdb.c:tdbsam_getsampwnam(911)
  pdb_getsampwnam (TDB): error fetching database.
   Key: USER_root
-------------------------------------------------------------------------------------------

Please help, I'm really desperate.

Heinz Allerberger
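As an added example, not part of the original post: a small Python parser for the two outputs quoted above, which reports whether the account used for the join holds SeMachineAccountPrivilege and which RIDs the passdb could not resolve (here the primary group RID 512 that pdbedit complains about). The sample strings below are constructed from the post and stand in for the live command output.

```python
import re

# Constructed from the `net rpc rights list accounts` output in the post (trimmed).
RIGHTS_OUTPUT = """MYDOMAIN\\domadmin
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

BUILTIN\\Print Operators
No privileges assigned

BUILTIN\\Administrators
SeMachineAccountPrivilege
SeAddUsersPrivilege
"""

# Constructed from the pdbedit-style listing in the post (trimmed).
PDBEDIT_OUTPUT = """Unix username:        domadmin
User SID:             S-1-5-21-1656000120-2433418590-619812953-500
lookup_global_sam_rid: looking up RID 512.
pdb_getsampwrid (TDB): error looking up RID 512 by key RID_00000200.
Primary Group SID:    S-1-5-21-1656000120-2433418590-619812953-512
"""

def parse_rights(text):
    """Map each account name to the set of privileges listed under it."""
    rights, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:                       # blank line ends the current account block
            current = None
        elif current is None:              # first non-blank line of a block is the account
            current = line
            rights[current] = set()
        elif line != "No privileges assigned":
            rights[current].add(line)
    return rights

def can_join_machines(account, rights):
    """Samba checks SeMachineAccountPrivilege on the account used for the join."""
    return "SeMachineAccountPrivilege" in rights.get(account, set())

def unresolved_rids(text):
    """RIDs the passdb backend reported it could not look up."""
    return sorted({int(r) for r in re.findall(r"error looking up RID (\d+)", text)})

def primary_group_problem(text):
    """Return the primary-group RID if pdbedit could not resolve it, else None."""
    m = re.search(r"Primary Group SID:\s+(\S+)", text)
    rid = int(m.group(1).rsplit("-", 1)[1]) if m else None
    return rid if rid in unresolved_rids(text) else None
```

Run against real output by piping `net rpc rights list accounts` and `pdbedit -Lv domadmin` into these functions; an unresolved primary-group RID points at the group mapping for gid 512 rather than at the account's privileges.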
