winxp logon to samba domain

Name: baddoggwes
Date: March 15, 2003 at 08:34:22 Pacific
OS: redhat 8
CPU/Ram: p3 450
Comment:

Greetings all!

I am testing a setup I hope to farm out to a number of high school off campus sites each with a small number of workstations. Presently, they are essentially wide open in terms of security as there is no domain controller to authenticate and run logon scripts.

As a cost effective solution, I am setting up a redhat 8 pdc in each of these sites for the above reasons.

I have the test server up and running and with a win98 client authenticating, running scripts, mapping drives and essentially doing all I want it to.

My problem is this, with a winxppro client, I can join the workgroup, cruise the entire network, map drives, see all clients and shares, see the server, everything but join the domain. When I attempt to, it comes back with either bad password, user, or domain controller does not exist.

I have done the "seal" reg patch that's widely touted, as I have also done the "digital encrypt channel" and "win2000 require strong" changes in the security policy.

I have followed the smb.conf instructions to a "T" and have the encryption and update password set.

The only thing I really have a question about in terms of the smb.conf setup is the os level, I have seen it set in various example sets from a value of 22 to 255. Is it possible this is my problem? I currently have it set to 64.

I am hopeful someone can point out what I am missing.

Thanks in advance for any clues! :)



Response Number 1
Name: M. van Luttikhuizen
Date: March 16, 2003 at 06:43:00 Pacific
Reply:

The company I work for had the same problem to solve. I found a lot of people with the same problem and got to this solution:

In the samba.conf I added the following lines:

add user script = /usr/sbin/useradd -g machines -c NTMachine -d /dev/null -s /bin/false %m$

domain admin group = @adm

domain master = yes

Furthermore I added root to the smbpasswd file like this

smbpasswd -a root
smbpasswd root
smbpasswd -e root

(the last line did it for me)

And I added the group "machines" like this:

groupadd -g 600 machines

Now check if root is mentioned in the smbpasswd file and that the entry is NOT followed by a bunch of x's but by a numerical code.

Also check in the /etc/group file if root is member of the adm group (there should be a line similar to adm:x:5:root,adm) and that the group machines exists.

On the Windows XP machine you have to set the following entries to disabled. All the entries are found under: Control panel--> administrative tools --> local security policies --> security options.

Domain member: Digitally encrypt or sign secure channel data (Always)

Domain member: Digitally encrypt secure channel data (when possible)

Domain member: Digitally sign secure channel data (when possible)

Domain member: Require strong (windows 2000 or later) session key

In the group policy editor (gpedit.msc) I enabled the following entries:

Computer configuration\administrative templates\system\user profiles\do not check for user ownership of roaming profiles folders

(As I use cleartext passwords, also the following)
computer configuration\security settings\local policies\security options\Microsoft network client: Send unencrypted passwords to third party smb-clients.

Using regedit I changed the following registry entries to 1:
Hkey_local_Machine\software\policies\microsoft\windows\system\compatibleRUPSecurity

Now I can add machines to domain and log on just like onto a Windows 2000 server.

There are a few quirks I encountered:

I had to use the root account (another account of the adm group wouldn't work)

The samba password of the root account had to be the same as the root password for linux

First I had to place the workstation into a workgroup with a dissimilar name to the domain.

As for the OS level. I understood this is only important when working with multiple servers in a single domain, but I am not sure. My level is set to 99.

I hope this will help you.

With kind regards

Maxim van Luttikhuizen
CSL-HSI bv
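
The checks described in this reply (root present in smbpasswd with a real hash rather than X's, the machines group present, root listed in adm), as an added shell example that is not part of the original post. The function names and sample data are constructed, and the smbpasswd layout assumed is name:uid:LANMAN hash:NT hash:[flags]:LCT; the script also reports an account carrying the D (disabled) flag, which is what `smbpasswd -e` clears.

```shell
#!/bin/sh
# Added example: verify the Samba preconditions listed in the reply above.
# File paths are parameters so the checks can be run against copies.

# smbpasswd line: name:uid:LANMAN hash:NT hash:[flags]:LCT-xxxxxxxx:
# Prints ok / missing / nohash / disabled for user $2 in file $1.
smbpasswd_status() {
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            # A usable NT hash is 32 hex digits; X padding means no password set.
            if (length($4) != 32 || $4 !~ /^[0-9A-Fa-f]+$/) { print "nohash"; exit }
            if ($5 ~ /D/) { print "disabled"; exit }
            print "ok"; exit
        }
        END { if (!found) print "missing" }' "$1"
}

# /etc/group line: name:passwd:gid:member,member,...
group_exists() {
    awk -F: -v g="$2" '$1 == g { ok = 1 } END { exit !ok }' "$1"
}

group_has_member() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$1"
}

# Constructed sample files (not from the thread): root was added but is
# still disabled, "wes" has no hash yet, "teacher" is a usable account.
write_samples() {
    cat > "$1/smbpasswd" <<'EOF'
root:0:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[DU         ]:LCT-3E730000:
wes:500:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
teacher:501:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-3E730000:
EOF
    cat > "$1/group" <<'EOF'
adm:x:5:root,adm
machines:x:600:
EOF
}

d=$(mktemp -d) && write_samples "$d"
for u in root wes teacher; do
    echo "smbpasswd $u: $(smbpasswd_status "$d/smbpasswd" "$u")"
done
group_exists "$d/group" machines && echo "group machines: present"
group_has_member "$d/group" adm root && echo "root is in adm"
rm -rf "$d"
```

On a live server the same functions can be pointed at a copy of the real smbpasswd file and at /etc/group.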


Response Number 2
Name: baddoggwes
Date: March 18, 2003 at 05:12:38 Pacific
Reply:

Maxim,

I applied all changes as suggested and was initially disappointed when the same errors returned. I made an assumption that threw me for a loop. I JUST re-installed RedHat and I set the update encrypted password to yes in SWAT without considering that the db needed to be created first by terminal, smbpasswd -a root. then smbpasswd root.

I checked again and voila! I was able to join the domain!

First, I will share my settings in smb.conf

security = user
update encrypted = yes
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
domain logons = yes
os level = 64
preferred master, local master and domain master all set to yes

I applied all your suggestions, then I removed the send unencrypted passwords to third party smb clients, rebooted, and tested leaving and joining the domain - no problem.

A small clarification; computer configuration\security settings\local policies\security options\Microsoft network client: Send unencrypted passwords to third party smb-clients is found in local security policy under control panel.

At present, I do not have a domain admin group defined in smb.conf; I found it doesn't work for beans anyhow.

It would seem the culprit in my case was either the registry change or the gpedit.msc change!

Thanks so much for your assistance!

This was a nasty one that I spent hours on...

Wes

