Trouble with Samba Domain

Posted by Arkevius on Ask Ubuntu
Published on 2012-11-22T04:56:53Z

I'm having a bit of trouble setting up this Samba domain correctly. I'm getting an Access Denied error when trying to add a Windows XP machine to the domain. I'll go through my scenario in detail, but for those of you wanting a TLDR summary it'll be at the bottom of this post.

I have an HP Proliant server with Ubuntu 12.04 LTS installed. For this particular environment, I need this server to act as a PDC, file server, and print server. I began by updating and upgrading the packages (of course). Then I went to install samba, gnome-desktop, wine, and cpanm. Samba was, of course, for the PDC and file/print services. The GUI was needed because a certain software has to be installed on there that needs a GUI. Wine was needed because the software is Windows-native. And cpanm was for a perl script I have running.

For Samba, I went into the smb.conf file and enabled domain logons, changed the workgroup/domain name, the logon script for a per-group basis (netlogon/%g), enabled the netlogon and profiles share, and set up a couple of custom shares for the file service. The printer was added later, and seems to be working just fine. I then restarted the services, and used the net groupmap command to ensure my unix groups were mapped correctly to the Windows groups. After this, I went to a Windows box, and was able to successfully join the domain without a problem. After some fidgeting with the software to get it running on the win boxes from the server (it's a records management system program, which stores its database files on the server), I went to add another computer to the domain. But now it's saying Access Denied.

Before when I had this trouble it was because I forgot to add the group "machines" so Samba could create machine accounts. Thinking this was the case, I manually created the machine account to test this theory. However, it would still give me an Access Denied error. That must mean it has something to do with permissions now, correct?

I've been fighting with this server for the past two weeks. If it's not one thing that's wrong, then it's something else completely different. This would be the third time I've actually reinstalled everything to start over.

I'll post snippets of my system settings below. If anything else is needed, just say the word and I'll gather up the info.

The unix group 'domadmin' is the Domain Admins group.

Samba Administrator account

administrator:x:1000:1000:Administrator,,,:/home/administrator:/bin/bash

Administrator's groups

administrator adm cdrom sudo dip plugdev lpadmin sambashare domadmin crimestar

Samba's Configuration File (a snippet anyways)

[global]
  workgroup = CITYPD
  server string = BPDServer
  dns proxy = no
  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  security = user
  encrypt passwords = true
  passdb backend = tdbsam
  obey pam restrictions = yes
  unix password sync = yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
  pam password change = yes
  map to guest = bad user
  domain logons = yes
  logon path = \\%L\srv\samba\profiles\%U
  logon script = logon.bat
  add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
  domain master = yes
  usershare allow guests = yes
[netlogon]
  comment = Network Logon Service
  path = /srv/samba/netlogon/%g
  guest ok = yes
  read only = yes
  browseable = no
[profiles]
  comment = All Printers
  browseable = no
  path = /var/spool/samba
  printable = yes
  guest ok = no
  read only = yes
  create mask = 0700
[print$]
  comment = Printer Drivers
  path = /var/lib/samba/printers
  browseable = yes
  read only = yes
  guest ok = no
  write list = root, @lpadmin
[crimestar]
  comment = "Crimestar DB"
  path = /srv/crimestar/db
  valid users = @domadmin, @crimestar
  admin users = administrator
  writeable = yes
  guest ok = no
  browseable = no
  create mask = 0666
  directory mask = 0777
[crimestarfiles]
  path = /home/administrator/.wine/drive_c/crimestar
  admin users = administrator
  browseable = yes

ls -la on /srv/samba/profiles

drwxrwxrwx 2 root machines 4096 Nov 21 15:27 .
drwxr-xr-x 4 root root     4096 Nov 21 15:28 ..

ls -la on /srv/samba/netlogon

drwxr-xr-x 6 root root 4096 Nov 21 15:30 .
drwxr-xr-x 4 root root 4096 Nov 21 15:28 ..
drwxr-xr-x 2 root root 4096 Nov 21 15:30 crimestar
drwxr-xr-x 2 root root 4096 Nov 21 18:13 domadmin
drwxr-xr-x 3 root root 4096 Nov 21 15:30 guests
drwxr-xr-x 2 root root 4096 Nov 21 15:29 users

Groupmap list

Domain Users (S-1-5-21-2978508755-2341913247-928297747-513) -> users
Domain Admins (S-1-5-21-2978508755-2341913247-928297747-512) -> domadmin
Domain Guests (S-1-5-21-2978508755-2341913247-928297747-514) -> nogroup

TLDR

I'm getting an Access Denied error message while trying to join a Windows box to a Samba domain, even after I successfully joined another computer without a problem. System settings / files are quoted above.

Anyone have any ideas or suggestions?
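
Added example, not part of the original post: a small Python check over the quoted smb.conf snippet that tests the prerequisites the post names (domain logons, the group used by add machine script) and flags inconsistent or permissive share settings. SAMPLE_CONF is a constructed, trimmed copy of the posted settings, and parse_smb_conf, audit and the unix_groups argument are hypothetical names; the findings are consistency checks on the snippet only and do not identify the cause of the Access Denied error.

```python
import re

# Constructed sample: a trimmed copy of the settings quoted in the post.
SAMPLE_CONF = r"""
[global]
  domain logons = yes
  logon path = \\%L\srv\samba\profiles\%U
  add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
[profiles]
  path = /var/spool/samba
  printable = yes
[crimestar]
  path = /srv/crimestar/db
  create mask = 0666
  directory mask = 0777
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with names lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit(conf, unix_groups):
    """Return a list of findings; unix_groups is the set of groups that exist."""
    findings = []
    g = conf.get("global", {})
    if g.get("domain logons", "no").lower() not in ("yes", "true", "1"):
        findings.append("domain logons is not enabled")
    # Group that useradd will assign to new machine accounts.
    m = re.search(r"\s-g\s+(\S+)", g.get("add machine script", ""))
    if m and m.group(1) not in unix_groups:
        findings.append(f"group '{m.group(1)}' used by add machine script does not exist")
    # \\server\share\...: the second component must be a defined share.
    parts = g.get("logon path", "").lstrip("\\").split("\\")
    if len(parts) > 1 and parts[1].lower() not in conf:
        findings.append(f"logon path points at share '{parts[1]}', which is not defined")
    for name, share in conf.items():
        for key in ("create mask", "directory mask"):
            if key in share and int(share[key], 8) & 0o002:
                findings.append(f"[{name}] {key} = {share[key]} allows the world-write bit")
    return findings
```

On a live server, the unix_groups set would come from the system's group database (for example the names listed in /etc/group), and the text from the full smb.conf rather than a snippet.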

© Ask Ubuntu or respective owner
