XP-machines cannot join Samba PDC with tdbsam

by Heinz Allerberger

Hi there ...

I cannot join my Samba PDC any longer with my XP-machines, I mean I'm
not able to create new machine accounts.
The existing machine-accounts in the tdb-database work properly, all
the existing XP-machines are joined without any problems. Only it isn't
possible to join the Samba PDC with new machines...

My first Samba PDC-Configuration with this tdbsam as the passwd
backend, with the same smb.conf as today (please have a look above) I
had run with an early version of Samba 3 on a 32bit Server in 2005 with
nearly 50 XP-machines as Domain-members. In 2006 I had the first
migration to newer 64bit hardware, this was uncomplicated, all things
worked properly with meanwhile 150 XP-machines. Now I had a new
hardware-migration to new 64bit-Server-hardware two weeks ago and I
ran into some troubles.
I did the migration in the same way as before. I stopped the old Server
and I copied the /etc/samba/smb.conf with all the scripts and the
/var/lib/samba with the tdb-database to the new Server-hardware.
The new Server runs with Debian_version 5.0.3 (Lenny), before, the old
hardware ran with Debian_version 4.0 (Etch).
The current Samba-Version is 3.2.5-4lenny7.

When I try to join the Domain with an XPSP3-Workstation and get the
demand "Enter the name and password of an account with permission to
join the domain" and fill in the user of the domainadmin and the
password, I get the answer "The following error occurred attempting to
join the domain "MYDOMAIN", the specified domain either does not exist or
could not be contacted". But the Domain exists, this is a fact, all the
old XP-Machines, which are members of the domain MYDOMAIN, work properly.
The user domadmin and the password are really correct, when I try to log
in on an XP-Workstation, which is an old member of the domain, then it
works properly, I can log in without problems.

Have a look at my Domain-Administrator rights:
===============================
/etc/passwd: domadmin:x:500:512:Domain Administrator MYDOMAIN:/srv/data1/home1/domadmin:/bin/bash
/etc/group: domadmins:x:512:admin,domadmin

Unix username:        domadmin
NT username:        
Account Flags:        [U          ]
User SID:             S-1-5-21-1656000120-2433418590-619812953-500
lookup_global_sam_rid: looking up RID 512.
pdb_getsampwrid (TDB): error looking up RID 512 by key RID_00000200.
lookup_rids: Domain Admins:2
Primary Group SID:    S-1-5-21-1656000120-2433418590-619812953-512
Full Name:            Domain Administrator MYDOMAIN
Home Directory:       \\domainserver1\domadmin\win
HomeDir Drive:        U:
Logon Script:         logon.cmd
Profile Path:         \\domainserver1\profiles\domadmin
Domain:               MYDOMAIN
Account desc:        
Workstations:        
Munged dial:        
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Fr, 06 Nov 2009 12:41:16 CET
Password can change:  Fr, 06 Nov 2009 12:41:16 CET
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

----------------------------------------------------------------------------------------
domainserver1:~# net rpc rights list accounts -U domadmin -S 192.168.151.240
Enter domadmin's password:
MYDOMAIN\domadmin
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

Everyone
No privileges assigned

-------------------------------------------------------------------------------------------------------------------

Here are the globals of my smb.conf:
[global]
        unix charset = ISO8859-1
        workgroup = MYDOMAIN
        netbios aliases = Server2
        server string = %h
        update encrypted = Yes
        obey pam restrictions = Yes
        passdb backend = tdbsam
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        add user script = /usr/sbin/adduser.sh -p -u "%u" -n "%u"
        delete user script = /usr/sbin/userdel "%u"
        add group script = /usr/local/bin/smbgrpadd.sh "%g"
        delete group script = /usr/sbin/groupdel "%g"
        add user to group script = /usr/bin/gpasswd -a "%u" "%g"
        delete user from group script = /usr/bin/gpasswd -d "%u" "%g"
        set primary group script = /usr/sbin/usermod -g "%g" "%u"
        add machine script = /usr/sbin/addmachine.sh -u %u
        logon script = logon.cmd
        logon path = \\%N\profiles\%U
        logon drive = U:
        logon home = \\%N\%U\win
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        ldap ssl = no
        panic action = /usr/share/samba/panic-action %d
        invalid users = root
---------------------------------------------------------------------------------------

Here are some debug-information from the samba-log:
[2009/11/06 14:34:59,  5] passdb/secrets.c:secrets_fetch_trusted_domain_password(644)
  secrets_fetch failed!
[2009/11/06 14:34:59,  5] passdb/pdb_tdb.c:tdbsam_getsampwnam(911)
  pdb_getsampwnam (TDB): error fetching database.
   Key: USER_root
-------------------------------------------------------------------------------------------

Please help, I'm really desperate.

Heinz Allerberger


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
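
Added example, not part of the original post and not Samba project code: a small triage script for the two diagnostics quoted above. It lists which accounts hold SeMachineAccountPrivilege in `net rpc rights list accounts` output and extracts the tdbsam lookups the log reports as failed. The sample inputs are constructed in the post's format, and the function names are hypothetical.

```python
import re

# Constructed samples, shaped like the outputs quoted in the post above.
RIGHTS = """MYDOMAIN\\domadmin
SeMachineAccountPrivilege
SeDiskOperatorPrivilege

BUILTIN\\Print Operators
No privileges assigned

BUILTIN\\Administrators
SeMachineAccountPrivilege
SeBackupPrivilege

Everyone
No privileges assigned
"""
LOG = """pdb_getsampwrid (TDB): error looking up RID 512 by key RID_00000200.
[2009/11/06 14:34:59,  5] passdb/pdb_tdb.c:tdbsam_getsampwnam(911)
  pdb_getsampwnam (TDB): error fetching database.
   Key: USER_root
"""

def parse_rights(text):
    """Map account -> set of privileges; blocks are separated by blank lines."""
    rights = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        # Assumption: privilege names start with "Se", as in the quoted output.
        rights[lines[0]] = {ln for ln in lines[1:] if ln.startswith("Se")}
    return rights

def holders(rights, privilege="SeMachineAccountPrivilege"):
    """Accounts that hold the given privilege, sorted for stable review."""
    return sorted(acct for acct, privs in rights.items() if privilege in privs)

def failed_lookups(log):
    """List passdb lookups the log reports as failed, as (kind, value) pairs."""
    misses = []
    # In the quoted log the key is the RID as 8 hex digits (512 -> 00000200).
    for rid, _key in re.findall(r"looking up RID (\d+) by key RID_([0-9A-Fa-f]{8})", log):
        misses.append(("rid", int(rid)))
    for user in re.findall(r"error fetching database\.\s+Key: USER_(\S+)", log):
        misses.append(("user", user))
    return misses

if __name__ == "__main__":
    print("can add machines:", holders(parse_rights(RIGHTS)))
    print("failed passdb lookups:", failed_lookups(LOG))
```

Run against real output, the first list shows every account that can create machine accounts, and the second shows which RIDs and user names the passdb backend could not resolve after the migration.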