Making Mac OS X Server 10.2 into a LDAP-based PDC
17 February 2003
Due to the length of this article, we have also made it available as a PDF.
Introduction
One of the benefits of Mac OS X and its BSD underbelly is the ability to leverage the open source community’s massive software library. In Mac OS X Server 10.2, Apple has provided one of the more popular open source products, samba, to allow Windows-based PCs to connect to the server and share files and printers. This functionality, though, is currently limited to a subset of what the full samba server can provide.
A samba function not exposed in Mac OS X is its ability to use LDAP (Lightweight Directory Access Protocol) to store its user attributes. LDAP storage then makes it relatively easy to offer emulated PDC (Primary Domain Controller) services for a Windows network. This will allow Windows users to log into any machine in their network with the same username and password. With the inclusion of the popular open source LDAP server, OpenLDAP, in 10.2 server, more and more Mac OS X server admins are interested in accessing this function.
This white paper will walk us through the steps to get this done, including:
- Build and install a version of samba that supports LDAP and SSL (current samba 2.2.7)
- Configure the OpenLDAP schema to support samba users
- Configure OS X Server Directory Services to support LDAP
- Configure the samba server to use LDAP as its user database
- Configure the samba server to be a PDC
- Examine a couple of admin tools for user administration
Before you start this process, though, you should know you are heading into the land of open source software. This means that no vendor (including Apple) will be taking 800# support calls if something goes wrong, unless you contract with them directly. It also means that some of the Mac OS X Server tools become irrelevant for certain functions you might previously have used them for. These are:
- The Windows admin portion of Server Settings can no longer be used. We will be modifying the smb.conf file by hand and once you do it once, you own it. This means for the long term that new additions of PC share points and PC shared printers will need to be done by editing this file directly vs using Server Settings. Because of this it would be wise to configure your Windows filesharing as much as possible before embarking on this course of action.
- Passwords. The addition of samba-ldap services gives every user 3 password hashes—one for Mac OS X and two for Windows authentication. These passwords must be stored directly in a user’s Netinfo/LDAP record. Workgroup Manager can either set the Mac OS X password, and/or use the built-in password server to store Windows passwords. Unfortunately, the password server is only compatible with Apple’s version of samba, so we are sort of stuck with using our own tools to manage passwords. We’ll look at a couple of these tools as part of this exercise.
Build it and they will come
Apple ships version 2.2.3a of samba with Mac OS X Server 10.2. The Apple version does not support LDAP access, so we’ll take our first fork and build our own. This will give us the side benefit of leaving the Apple samba in place so that it can be updated with official system updates and not mess our stuff up.
The current version of Samba is 2.2.7. We could get the source directly from www.samba.org, but we are going to go the route that gives you a way to easily get updates: fink. Fink is a project whose goal is to get as much open source software ported to Mac OS X as possible. It also has a very nice packaging and update feature that will enable you, once you have all the stuff installed, to keep up to date with new revisions of your chosen software (for us, it’s samba).
If you want to get your own source from www.samba.org and compile it yourself, these instructions should still be valid; the samba directory will be /usr/local/samba, however.
Fink does require the Apple developer tools. So, let’s begin:
- Install the Apple Mac OS X developer tools. You can get the package from http://connect.apple.com. If you haven’t before, you’ll have to register as a developer on Apple’s site (it’s free) to gain access to this software.
- Install fink. Follow the instructions at Fink’s download page.
Once Fink is up and running, you can install samba. At this point (Jan. 22, 2003), the samba-ldap package is available only as source code from fink, which means fink will download all the source code and then compile it on your machine (which will take a bit). At a later date, they’ll pre-compile it and it will just be a download. From the Terminal:
- First try to get the binary download from the terminal:
sudo apt-get install samba-ldap
- If you get an error message stating that the package can’t be found, then the binary is not yet available. We’ll do the source:
sudo fink install samba-ldap
Read on while samba installs; we’ll configure it a bit later.
LDAP—and they call this lightweight?
Mac OS 10.2 Server comes bundled with OpenLDAP 2.1x, a very popular open source LDAP server. We are going to leverage that installation as a place to store our PC user data. OpenLDAP can store its data in a variety of back-end databases. However, with the version installed only the NetInfo configuration is directly supported. For us this is a good thing, since we can use NetInfo-aware CLI and GUI tools to manage the LDAP data.
A quick segue here. Throughout the document it is assumed you have an admin user configured for your server. This user in the document has a username of “admin”, and rather than always call this out, we’ll assume you understand that when we say “admin,” you’ll replace it with your admin’s username if it’s different.
The first thing we need to do is make sure LDAP is turned on, which is done through the Open Directory Assistant in /Applications/Utilities:
- Launch Open Directory Assistant in /Applications/Utilities. Authenticate as your admin user.
- Use the arrow button to progress through the first couple of screens.
- In the Directory Use screen, select “Provide Directory information to other computers”. Click the arrow button.
- In the Configure screen, select “Enable LDAP”. Click the arrow button.
- In the Security screen, select “Stored and access locally in user records”. Click the arrow button and follow the instructions to restart your server (hopefully samba is downloaded by now).
OK, we now have the Apple version of OpenLDAP installed, but we need to trick it out a bit for samba. The first thing to do is make sure any user or group we create in OpenLDAP can be used by samba. LDAP uses a concept called “schemas” to define the various attributes any data element can have, much like a database definition. The folks from the samba project were nice enough to create a schema file that includes all the data elements a samba user or group might need; we just need to get it and make sure OpenLDAP knows about it. We’ve pre-packaged this file and others on the Web, so:
- Download the package from http://homepage.mac.com/kirkg/samba.sit.
- Unstuff the folder (it’s called sambastuff) onto your Desktop on your Server
- Copy the files samba.schema and netinfo+samba.schema to the openldap schema directory /etc/openldap/schema. If you don’t have write access to those directories, then from a Terminal:
sudo cp ~/Desktop/sambastuff/samba.schema /etc/openldap/schema
sudo cp ~/Desktop/sambastuff/netinfo+samba.schema /etc/openldap/schema
The netinfo+samba.schema file is a Mac OS X-specific file we need since we are using NetInfo as our LDAP database. It provides a mapping between the public attributes that LDAP exposes and the names NetInfo has historically used. Apple provides the file netinfo.schema to deal with the Apple attributes, netinfo+samba.schema adds an entry so that all users in LDAP are also specified as samba users. samba.schema is the standard samba schema file that comes with the 2.2.7 release of samba.
Now, let’s tell OpenLDAP about these new schema files—which means an edit of its configuration file: slapd.conf. Rather than have you do a hand edit, we’ve provided a replacement slapd.conf file that includes these edits, so make a backup of /etc/openldap/slapd.conf:
sudo mv /etc/openldap/slapd.conf /etc/openldap/slapd.conf.orig
sudo cp ~/Desktop/sambastuff/slapd.conf /etc/openldap
Restart the openldap server from the command line with sudo SystemStarter restart LDAP.
Connecting Mac OS X Server to OpenLDAP
Since we told the Open Directory Assistant that we wanted to provide user info to other servers, we get a couple of things for free. One, our server was configured for a network-based NetInfo domain called affectionately /NetInfo/root. Two, our OpenLDAP server points to that same network-based NetInfo domain for its data. So, hey we’re done with this part.
Samba Configuration
OK, the system is now ready for Samba; now we have to get Samba ready for the system. This requires a number of steps, so we’ll do it in increments, adding complexity as we go.
First, let’s make sure we provide the equivalent service that Apple’s samba was providing.
Open Server Settings, click on the Windows admin icon and select Configure Windows Services. Make sure the data in all the tabs is how you want it, and also that the “Start Windows Services on system startup” is checked. This will make sure our samba is started on next restart.
Close the configure window, then select Stop Windows Services (say goodbye to your GUI).

Let’s first make sure that when samba starts at system startup, it’s ours, not Apple’s. From the Terminal, back up the original samba startup item:
sudo tar cvf /System/Library/StartupItems/samba.tar /System/Library/StartupItems/Samba
Remove it:
sudo rm -R /System/Library/StartupItems/Samba
From our fink distribution, copy the Samba folder to /Library/StartupItems:
sudo cp -R /sw/share/samba/startupitems/Samba /Library/StartupItems
Now let’s get the config file that the Apple samba was using:
sudo cp /etc/smb.conf /sw/etc/samba
Now that our Apple smb.conf file is in place for use with our new samba, let’s verify that we can connect to the server and see the shares (we won’t be able to log on as of yet, but we can at least view the shares). Let’s start up our samba services manually—from the Terminal type:
sudo /sw/sbin/smbd -D
sudo /sw/sbin/nmbd -D
In the Finder, select “Connect to Server” from the Go menu. Enter smb://your_IP_address_here and click “Connect”. You should get an SMB Mount dialog box with a pop-up that lists the same shares that you had back with the Apple samba.
If you see the shares, close the dialog box and continue below. If not, go back and try the instructions again.
Hooking Samba to LDAP
Now to the fun stuff: hooking up our new samba with our LDAP server. Our first task is to verify the suffix that OpenLDAP is using to talk to our NetInfo database. By default, this suffix is the domain name that you entered when you set up your host, but we’ll verify this via the command line.
sudo niutil -list / /machines
Your result should be the hostname of your machine, but whatever it is, use the result in the next command:
sudo niutil -readprop / "/machines/your hostname here" suffix
You should get a result with something like
dc=domain,dc=top level domain.
Our example for the host jagular.demo.edu
[jagular:~] admin% sudo niutil -list / /machines
2 jagular
[jagular:~] admin% sudo niutil -readprop / /machines/jagular suffix
dc=demo,dc=edu
[jagular:~] admin%
Now let’s open our smb.conf and use this information:
Use a text editor to open /sw/etc/samba/smb.conf and the ldap-samba.txt file located in the sambastuff folder you downloaded.
In the beginning of the [global] section of your smb.conf file, copy and paste the text from ldap-samba.txt.
# ldap related parameters
# define the DN to use when binding to the directory servers
# The password for this DN is not stored in smb.conf. Rather it
# must be set by using 'smbpasswd -w secretpw' to store the
# passphrase in the secrets.tdb file. If the "ldap admin dn"
# value changes, this password will need to be reset.
ldap admin dn = "uid=admin,cn=users,dc=demo,dc=edu"
# specify the LDAP server's hostname (defaults to localhost)
ldap server = jagular.demo.edu
# Define the SSL option when connecting to the directory
# ('off', 'start tls', or 'on' (default))
ldap ssl = off
# define the port to use in the LDAP session (defaults to 636 when
# "ldap ssl = on")
ldap port = 389
# specify the base DN to use when searching the directory
ldap suffix = "dc=demo,dc=edu"
# generally the default ldap search filter is ok
ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"
Now we need to edit the uncommented lines for our specific server configuration:
ldap admin dn—replace “admin” with the short name of your admin user, and dc=demo,dc=edu with the suffix we got from the command line above.
ldap server—replace jagular.demo.edu with the fully qualified domain name or IP address of your server.
ldap suffix—replace dc=demo,dc=edu with the suffix we got from the command line above.
We’ll leave SSL off for today, since we are communicating within the one machine, and keep the ldap port and filter the same.
Save the file.
Now we need to get Samba configured so it can use admin to make requests to LDAP—type these instructions in the terminal:
sudo /sw/bin/smbpasswd -w "your admin password here"
Now let’s get our admin user configured with a samba password to match our already entered Mac OS X password. Enter the following command, and enter your password when it asks for SMB password:
sudo /sw/bin/smbpasswd admin
Finally: we need to get the smbd and nmbd processes to reload the new configuration from smb.conf. The processes will check each minute for a change to the smb.conf and reload it if changed, but we’ll show you how to do it manually anyway. From the terminal,
ps -aux | grep /sw
This will return something like this:
root 424 0.0 0.1 3360 136 ?? Ss 0:00.01 /sw/sbin/smbd -D
root 444 0.0 0.2 3576 640 ?? S 0:00.28 /sw/sbin/nmbd -D
The first number after root (the user the process is running under) is the process ID. We need to restart the processes, so for each instance running:
sudo kill -HUP process_ID
Or in our case
sudo kill -HUP 444 424
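Reloading by hand is easy to get wrong in two ways: HUP-ing the wrong smbd (Apple’s lives in /usr/sbin) or reloading an smb.conf with a typo in it. The script below is an added helper for this step; it is not from the white paper or the samba project, and it assumes the fink paths used above plus fink’s testparm binary at /sw/bin/testparm (an assumption).

```sh
#!/bin/sh
# Added example, not from the white paper: reload only the fink samba
# daemons, and only after confirming that smb.conf still parses.
# Assumptions: the fink layout used in this article (/sw/sbin/smbd,
# /sw/sbin/nmbd, /sw/etc/samba/smb.conf) and that fink installed testparm
# as /sw/bin/testparm. Run as root, e.g. "sudo sh reload_samba.sh reload".

SMB_CONF=/sw/etc/samba/smb.conf
TESTPARM=/sw/bin/testparm

# Constructed sample of "ps -axww -o pid=,command=" output, used for the
# self-check. Note Apple's own smbd and a grep that would also match /sw.
SAMPLE_PS='  424 /sw/sbin/smbd -D
  444 /sw/sbin/nmbd -D
  301 /usr/sbin/smbd -D
  512 grep /sw'

# Read "pid command args" lines on stdin and print the pids whose command is
# exactly the fink smbd or nmbd. Matching the full path keeps Apple's
# /usr/sbin/smbd (and a stray "grep /sw") out of the kill list.
fink_samba_pids() {
    awk '$2 == "/sw/sbin/smbd" || $2 == "/sw/sbin/nmbd" { print $1 }'
}

# testparm -s loads the config without waiting for a keypress; a non-zero
# exit means smbd would not accept the file either.
check_config() {
    "$TESTPARM" -s "$SMB_CONF" >/dev/null 2>&1
}

# HUP the running fink daemons so they re-read smb.conf right now instead of
# at their next one-minute check.
reload_samba() {
    if ! check_config; then
        echo "reload_samba: $SMB_CONF fails testparm, not reloading" >&2
        return 1
    fi
    pids=$(ps -axww -o pid=,command= | fink_samba_pids)
    if [ -z "$pids" ]; then
        echo "reload_samba: no /sw/sbin/smbd or nmbd running" >&2
        return 1
    fi
    # $pids is deliberately unquoted: one HUP per pid
    kill -HUP $pids
}

# Only act when asked; sourcing the file just defines the functions.
if [ "${1:-}" = reload ]; then
    reload_samba
fi
```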
We are now ready to do our SMB test again, but really log on this time.
In the Finder, select Connect to Server from the Go menu. Enter smb://your_IP_address_here and click Connect.

You should get an SMB Mount dialog box like above. Select one of your shares, then click OK. You’ll get this dialog:

Enter your admin username and password and then click OK. If the volume mounts on the desktop, congratulations: you have successfully used LDAP to authenticate a samba user on Mac OS X Server! If it did not work, please go back and re-read the instructions above.
Going all the way to the PDC
We are now ready to bring up our samba server as a Windows PDC (Primary Domain Controller). This will require a number of edits to our smb.conf file, and we’ve included a sample smb.conf file in our sambastuff folder called smb-pdc.conf if you want to do some cutting and pasting. Most of this file is below, and we’ll highlight and describe the directives that you’ll need to add/edit in order to make samba a PDC.
[global]
guest account = unknown
max smbd processes = 0
encrypt passwords = YES
print command = /usr/sbin/PrintServiceAccess printps %p %s
lpq command = /usr/sbin/PrintServiceAccess jobs %p
lprm command = /usr/sbin/PrintServiceAccess remove %p %j
lppause command = /usr/sbin/PrintServiceAccess hold %p %j
lpresume command = /usr/sbin/PrintServiceAccess release %p %j
printer admin = unknown, @staff
server string = OS X Server
client code page = 437
coding system = utf8
log file = /Library/Logs/WindowsServices/WindowsFileService.log
netbios name = jagular
workgroup = DEMO
log level = 2
wins support = NO

##
## Network Browsing
##
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
local master = yes
# OS Level determines the precedence of this server in master browser
# elections. The default value (20) should be reasonable
os level = 20
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
domain master = yes
# Preferred Master causes Samba to force a local browser election on
# startup and gives it a slightly higher chance of winning the election
preferred master = yes

##
## Domain Control
##
# Enable this if you want Samba to act as a domain controller.
# make sure you have read the Samba-PDC-HOWTO included in the documentation
# before enabling this parameter
domain logons = yes
# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
#logon script = %m.bat
# run a specific logon batch file per username
#logon script = %U.bat
# or just make it generic
logon script = netlogin.bat
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
logon path = \\%L\Profiles\%U
# UNC path specifying the network location of the user's home directory
# only used when acting as a DC for WinNT/2k/XP. Ignored by Win9x
# clients
logon home = \\%L\%U
# What drive should the "logon home" be mounted at upon login ?
# only used when acting as a DC for WinNT/2k/XP. Ignored by Win9x
# clients
logon drive = H:
domain admin group = @admin

[Netlogon]
path = /library/samba/netlogon
public = YES
read only = YES
comment = Netlogon Share
valid users = @staff
browseable = NO

[Profiles]
path = /library/samba/profiles
public = YES
read only = NO
comment = Users Profiles
browseable = NO
workgroup = demo—Replace demo with the name of your domain.
domain master = YES—This parameter tells nmbd to claim a special domain-specific NETBIOS name that identifies it as a domain master browser for a given workgroup. This enables clients to receive the domain wide browse list, instead of just the list for their broadcast-isolated subnet.
preferred master = YES—If set to “yes,” nmbd will force an election at startup and will have an advantage in winning the election. It is recommended to use this in conjunction with “domain master = yes” so that your Samba machine can be almost guaranteed to become a domain master.
domain logons =YES—This parameter must be turned on to utilize the PDC capabilities of Samba. It enables nmbd to process requests that are used by Win9x clients to log into the domain and by clients to find a domain controller.
logon drive = H:—This specifies which drive letter will be used when mapping the user’s logon home (home directory).
logon home = \\%L\%u—This parameter specifies the UNC path to use for mapping the previously mentioned logon drive. In this case “%L” is the server s name macro and “%u” is a samba macro that holds the username. So at login, user “xyz” would have H: automatically mapped to \\jagular\xyz.
logon path=\\%L\Profiles\%u—Lets you specify where you would like users profiles kept. The default, the users home directory, does encourage a bit of fiddling.
logon script= netlogin.bat—This specifies the path and filename to be used for domain logon script processing.
domain admin group = @admin—This specifies which group becomes “administrator” on their local box when logging in. In this case, anyone who is a member of the admin group becomes “administrator” on their local box. You may choose not to use this at all, or only for certain users you deem capable, or for every user. It depends on the policy you have within your department. It should be noted that this also allows them to become administrator on ANY machine in the domain, as well as gives them other domain privileges.
Share Definitions:
[Netlogon] <– Share definition
path = /library/samba/netlogon <– The directory that is shared
public = YES <– Is this directory public?
read only = YES <– Is the directory writeable?
comment = Netlogon <– Share Directory Information
valid users = @staff <– What users have rights to the dir?
browseable = NO <– Is it listed in Network Neighborhood?
After you’ve made your required edits, save your smb.conf and we’ll keep on moving (we’re getting close).
Creating Dependent Directories
Netlogon
In our smb.conf we set the share [Netlogon] that points to “path = /library/samba/netlogon”. By default this directory does not exist. Using Terminal, type in these commands to create the directory and set the appropriate rights:
cd /Library
sudo mkdir samba
sudo chown root samba
sudo chgrp wheel samba
cd samba
sudo mkdir netlogon
sudo chown root netlogon
sudo chgrp staff netlogon
Profiles
In our smb.conf we also set the share [Profiles] that points to “path = /Library/samba/profiles”. By default this directory does not exist. Using Terminal, navigate to /Library/samba and type in these commands to create the directory and set the appropriate rights:
sudo mkdir profiles
sudo chown root profiles
sudo chgrp staff profiles
sudo chmod 700 profiles
Creating Users and Machine Accounts
We will first add users and machines to NetInfo (and thus LDAP) and use user Brian Jones as an example.
Adding Users
From the Workgroup Manager application we will add Brian Jones as a user to the directory /NetInfo/root. Brian Jones will be used as the long name, brianj as the short name; he will have logon rights, but not be able to administer the server. In the Advanced tab make sure his password type is Basic. In the Home tab he will have a network-based home directory, and Share Point will be set to Users. Click on Save when you’ve made these entries. Mac OS X Server 10.2 does not create home directories for users until they’ve logged on from a Mac, but we can get around that with a quick command that was included in 10.2.2. From the terminal, type
sudo createhomedir -n /NetInfo/root -u brianj

Adding Machines
We add machines using the same procedure as adding users. To keep the Machine accounts and User accounts organized, name the Machine Long Name 'Brian Jones Computer' and the short name 'brianjs'. We add an 's' at the end of the shortname because NetInfo does not allow us to use the $ character. We will replace the 's' with '$' by manually editing the name in NetInfo. Set the Login Shell to none and home directory to none. Give the user some random password that you like (make sure it’s a “basic” password). Then click Save.
We will now need to edit the machine account to include a '$' at the end of the name. Open NetInfo Manager and authenticate as root. Click the Open Parent button to navigate to the network-based directory. Select the Users sub-directory, then select the entry brianjs. Edit all the fields that have brianjs and change them to brianj$. Choose Save and quit NetInfo Manager.

The next step is to add samba attributes to the user records. Because we are storing all of the information together in NetInfo (and thus LDAP), we’ll be able to easily edit this information later with some GUI-based tools.
Adding Samba Attributes
We are now ready to edit users and machines so that they can log in to the domain and our samba server. We’ll do this through the smbpasswd utility that we used earlier. Use the same passwords you used when you created the records in Workgroup Manager.
sudo /sw/bin/smbpasswd brianj
Next add the machine info. The -m flag tells samba this is a machine. You don’t need to add the $ when creating a machine; samba does that for you.
Set the Machine password:
sudo /sw/bin/smbpasswd -m brianj
For a quick look at what smbpasswd does to the user records, open up NetInfo Manager again and browse to /Users/brianj. You’ll now see all the attributes that samba cares about loaded into brianj’s account—the most important being the attributes holding the LM and NT password hashes, which allow Windows machines to log on to your account. For a full description of the other attributes, check out the LDAP PDC HOWTO listed under Samba Resources below.

Finishing Up
Restart the samba processes (like we did above) so we can get the edits to the smb.conf to take.
Now we must join our Windows machine to the domain.
WINDOWS NT
- Log on as a local “Administrator".
- Go to Start, Settings, Control Panel, then Network.
- Click the “Change” button.
- Verify your machine name is “brianj”. If it is not, we recommend changing it to brianj, then restarting before changing the domain information below.
- Enter your domain name (from smb.conf ).
- Press OK, wait for confirmation, and reboot.
WINDOWS 2000
- Log on as a local “Administrator".
- Go to Start, Setting, Control Panel, then Network and Dialup Connections.
- Pull down the “Advanced” menu, choose “Network Identification,” and click on Properties.
- Verify your computer name is “brianj”. If it is not, we recommend changing it to brianj, then restarting before changing the domain information below.
- Select “Domain” and then enter your workgroup name (from smb.conf ). Press OK.
- When prompted enter your admin username and password.
- After some time, you should get a welcome message for the domain.
- Restart.
Windows XP
- See notes below and then use the Windows 2000 instructions.
When the Windows box comes back up you should now be able to log on to the domain. Enter brianj’s username and password. Good ole brian’s home directory should be mapped to H:, and when brianj logs out, his profile info should get saved to /library/samba/profiles/brianj. Yeah!
You’ll obviously want to further customize the profile setup for your specific site, as this setup is for full roaming profiles. If you haven’t done profiles before, check out http://support.microsoft.com/default.aspx?scid=kb;en-us;161334.
So, how do I make this work for my n users (n users being anything > brianj)?
The two areas where our fantastic new Windows PDC starts to make us less excited are:
Machine accounts
The fact that you have to edit each machine account in NetInfo Manager can get old; there are two ways around this:
- You can write a shell script to automatically add the machine when it asks to join the domain. You add this script to the smb.conf directive “add user script". With time we might do this?
- You can use the Passenger utility from MacinMind to do a bulk add of all your machines. It is a great tool for getting info into Mac OS X Server, and in this case will actually allow $’s in the shortname.
Passwords:
As stated previously, with the addition of samba attributes to a user record we in fact are storing 3 different passwords for the user. The issue is trying to keep these passwords in sync if you have users moving between the Mac, PC and even some UNIX stations.
Both clients (Mac and PC) can reset their own passwords. The issue would be having the password reset do it for all 3 passwords. Samba has a directive called “password chat” that should enable a Windows user to change their passwords (and the Mac OS X password also), but at this point that functionality seems broken in the 2.2.7 version for Mac OS X.
At the same time, there is no easy way to change the smb password from a Mac OS X/OS 9 client logging on to the server, so it’s not a universal solution.
One option is to offer ssh access to the server for your users, and then have them run a shell script that would change both the Mac OS X and SMB passwords. It’s not too tough then to imagine a cgi that could be called from a web browser. The beginnings of such a beast, create_user.sh written by Jon Gardner, is located in the sambastuff folder for your perusal.
Another up and coming option, and this leads us into the final section of our white paper, is to look at other admin utilities that take into account both samba and Mac OS X users.
Other Admin tools
Three tools to check out that can take you out of the command line for doing admin:
Webmin
Provides a web user interface to pretty much every service you can think of running on Mac OS X. The samba webmin interface allows you to create new PC shares and print queues, editing the smb.conf for you.
LDAP Browser/Editor
This is a great Java applet that runs on both Mac and PC and will allow you to view and edit any of your user attributes. On OS X, just double-click on the lbe.jar file. Important note for OS X Server: when you create your connection, use this info:
Base dn: dc=demo,dc=edu <– replace with your suffix
User dn: uid=admin,cn=users,dc=demo,dc=edu <– replace with your admin shortname and your suffix
LDAP Manager
LDAP Manager provides a GUI for LDAP management, but the big bonus is its ability to automate password creation and updating for our samba user records! A cool user template feature is provided so that you can quickly create new users without having to hand-edit specific attributes. It’s built on top of VNOS, so if you don’t like how something works you can go in and edit it yourself. Runs on Mac and Windows. Important note for Mac OS X Server: when you create your connection, use this info:
Base dn: dc=demo,dc=edu <– replace with your suffix
User dn: uid=admin,cn=users,dc=demo,dc=edu <– replace with your admin shortname and your suffix

Samba Resources:
Web sites:
Overall documentation that covers how to configure samba with LDAP: http://us1.samba.org/samba/docs/Samba-HOWTO-Collection.html#SAMBA-LDAP-HOWTO
More detailed documentation with specific examples of his installation: http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html
Mailing Lists:
Official samba mailing list: http://us3.samba.org/samba/archives.html
Searchable archive: http://marc.theaimsgroup.com
Updates:
31 May 2002: Reader Mike Visintainer forwarded the following potential solution to the problem of Windows XP machines not being able to join a Domain, from the IBM Developer Site:
Client configuration: Windows XP
Enter Windows XP, and the most complex beast of the lot. But first a word of warning for those unaware: Windows XP Home Edition cannot join a Windows domain. For domain functionality, you must use Windows XP Professional. Second, sometimes joining an XP machine to a Samba PDC involved all the steps below; on other occasions, however, you can get away with just the registry patch. Don’t ask—I haven’t a clue.
To join a Windows XP machine to a domain:
- Open the Local Security Policy editor (Start –> All Programs –> Administrative Tools –> Local Security Policy).
- Locate the entry “Domain member: Digitally encrypt or sign secure channel (always)". Disable it.
- Locate the entry “Domain member: Disable machine account password changes". Make sure it’s disabled as well.
- Locate the entry “Domain member: Require strong (Windows 2000 or later) session key". Disable it.
- Next, download the WinXP_SignOrSeal registry patch from www.samba.org. Apply it by double-clicking and answering Yes to the dialog prompt.
- Now join the domain the same as you would for Windows NT or 2000.
- Right-click My Computer, select Properties, Computer Name, and Change. Or click the Network ID button and run the Network Wizard.
31 May 2002: Reader Espen Koht alerted us to some additional information that may make the Samba PDC solution more effective:
- This might be more generally applicable to a NetInfo-based setup, but only came up when I was working on the PDC issue. If you have a NetInfo hierarchy set up, you may well have more than one root account on the server (for example top and machine level). When Samba is performing certain actions that have to be done as root, you might get authentication failures because your root passwords in NetInfo don’t match each other. In our case, we had all sorts of problems until we discovered that the root password in the top level of the NetInfo hierarchy hadn’t been reset during a password change. Normally this didn’t matter, because NetInfo would look at the local machine accounts too, but for some reason Samba didn’t.
- Don’t use upper-case characters for machine names on the PC clients. Unfortunately there is a mismatch between the way Windows and Samba deal with case-sensitivity of account names. If you give a PC an upper-case name, Windows will automatically convert it to lower-case when attempting to register it in the domain. If you have created the machine account with upper-case letters in Samba too, the names will not match, because Samba does not treat its upper-case entry the same as the lowercased registration attempt it gets from the Windows machine. To avoid this problem, simply stick to lower-case names.