In order to allow a Windows XP Pro client to join a Samba domain, you have to make some security policy changes. This can be done in one of two ways: using the XP control panels, or doing a registry edit (which can be done from a script).

----------------------------------------------------------------
Method 1: use Win XP control panels to change security policy

==>Start
==>Control Panel
==>Switch to Classic View
==>Administrative Tools
==>Local Security Settings
==>Local Policies
==>Security Options

The following should be DISABLED:

  Domain Member: Digitally encrypt or sign secure channel data
  Domain Member: Digitally encrypt secure data channel
  Domain Member: Digitally sign secure data channel

To change to disabled, double click on the policy, then click on "DISABLED", then ==>OK

After making changes, reboot.

-------------------------------------------------------------
Method 2: edit registry directly to change security policy

This registry key is needed for a Windows XP Pro client to join and log on to a Samba domain server. (Note: Win XP Home can NOT join a Samba domain, no way.)

Note: Samba 2.2.3a contained this key, but in a broken format which did nothing to the registry, although Win XP reported "registry key imported". If in doubt, check the registry key by hand with regedt32.

==>Start
==>run
==>regedit (or regedt32)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"RequireSignOrSeal"=dword:00000000

If you still have problems, you may want to change the following two parameters (by default they are set to a value of dword:00000001):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"sealsecurechannel"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"signsecurechannel"=dword:00000000

Also, if using plain text passwords (because you are providing Macs with file service via netatalk), then you need the following registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000001

Possibly add the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"CompatibleRUPSecurity"=dword:00000001

Use the Group Policy Editor (gpedit.msc) and enable "Do not check for user ownership of Roaming Profile Folders" under "Computer Configuration\Administrative Templates\System\User Profiles".

==>My Computer, right click
==>Properties
==>Change
==>Domain Yourdomainname (e.g. AACS)

When joining the domain for the first time, enter the userid as root and give the samba password. Make sure there is an entry for root in the smbpasswd file.

Also, check to see if your XP box is attempting to be a domain master browser or maintaining the server list:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters]
IsDomainMaster = FALSE
MaintainServerList = AUTO

If your machine is not yet a member of a DOMAIN (just a WORKGROUP) or to CHANGE THE MACHINE NAME:

==>Start
==>Settings
==>Control Panels
==>System
==>Computer Name
==>Change ("To rename this computer or join a domain, click Change")
==>Computer Name: yourpc1
   Member of:
==>Domain (instead of Workgroup)
==>yourdomainname
==>OK

Computer Name Changes
Enter name and password of an account with permission to join the domain.
User name:
Password:
==>OK (a valid domain user and password required)

----------------------------------------------------------------
Method 3: (simplified version of Method 2)

run regedit:

==>Start
==>Run
==>regedit
==>Edit
==>Find
==>signorseal (looking for "Requiresignorseal")

IGNORE the FIRST instance that you find (it's ok).

==>F3 (to search for ALL OTHER INSTANCES, which you will edit)
==>(RETURN) (opens up the key value, which is currently at "1")
==>0 (enter the value 0)

F3 for next, repeat 2 more times (until done)
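
Method 2 advises checking the registry by hand, because a .reg file can be reported as imported without changing anything. The Python sketch below is an added example, not part of the original page: it reads the text of a .reg export and reports, for each Netlogon and lanmanworkstation value set in Method 2, whether it holds the value given on this page, holds another value, or is absent. The function names and the sample export are constructed for illustration.

```python
import re

# Values this page sets, keyed by (registry key, value name), lower-cased.
NETLOGON = r"hkey_local_machine\system\currentcontrolset\services\netlogon\parameters"
LANMAN = r"hkey_local_machine\system\currentcontrolset\services\lanmanworkstation\parameters"
PAGE_VALUES = {
    (NETLOGON, "requiresignorseal"): 0,
    (NETLOGON, "sealsecurechannel"): 0,
    (NETLOGON, "signsecurechannel"): 0,
    (LANMAN, "enableplaintextpassword"): 1,
}
DWORD_RE = re.compile(r'^"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$')


def parse_reg(text):
    """Return {(key, name): int} for every well-formed dword line in a .reg export."""
    found, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        else:
            m = DWORD_RE.match(line)
            if m and key:  # malformed lines are skipped, so they show up as "missing"
                found[(key, m.group(1).lower())] = int(m.group(2), 16)
    return found


def audit(text):
    """Map each value name from the page to 'as on page', 'other (n)' or 'missing'."""
    found = parse_reg(text)
    report = {}
    for (key, name), wanted in PAGE_VALUES.items():
        value = found.get((key, name))
        if value is None:
            report[name] = "missing"
        else:
            report[name] = "as on page" if value == wanted else "other (%d)" % value
    return report


# Constructed sample export: one value set as on the page, one left at 1, one malformed line.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"RequireSignOrSeal"=dword:00000000
"sealsecurechannel"=dword:00000001
"signsecurechannel"=dword 00000000
'''
```

regedit writes "Version 5.00" exports as UTF-16, so decode the file before passing its text to audit().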