ok. 1) i wasn't setting up the "global_member_sid" variable, so samba was reporting that it was a member of S-0-0 instead of S-1-5-21-xxx-yyy-zzz. 2) there was a bug in rpc_server/srv_netlogon.c with a true/false mistake returning a status error instead of no status error.