Windows 7 cannot join samba domain

Try changing the script from smbldap-useradd -w -i %u
to smbldap-useradd -W %u. This should resolve your issue.

Author: Antonis Christofides

Updated on September 18, 2022

Comments

  • Antonis Christofides
    Antonis Christofides almost 2 years

    I have a 3.5.6 samba server with a LDAP backend (both on Debian 6.0). I've been successfully adding Windows XP machines to the domain for years. I now try to add Windows 7. I have made the recommended registry changes, but I don't have any success so far. Here is what happens:

    1. I go to computer name, select "Domain" instead of "Workgroup", type in the domain name, click OK. It asks me for the username and password of an account that can add computers to the domain; I enter them. After about 40 seconds, I get the following message:

    The following error occurred attempting to join the domain "ITIA":

    The specified computer account could not be found. Contact an administrator to verify the account is in the domain. If the account has been deleted unjoin, reboot, and rejoin the domain.

    Despite this, the samba server successfully creates the computer account.

    2. Therefore, if I try again a second time, without deleting the already created computer account, I get a different error:

    The following error occurred attempting to join the domain "ITIA":

    The specified account already exists.

    (Note that until a while ago samba wasn't configured to automatically create computer accounts. What I did whenever I wanted an XP to join was to manually create it. When I first attempted to solve the Windows 7 join problem, I set up samba to do this automatically, as this is what most people do, as I understand, and I thought that it might be related. I haven't attempted to add an XP since I made this change, so I don't know if it works, but whether it works or not, the problem remains.)

    Update 1: Here are the relevant parts of smb.conf:

    [global]
    
       panic action = /usr/share/samba/panic-action %d
    
       workgroup = ITIA
       server string = Itia file server
       announce as = NT
       interfaces = 147.102.160.1
       volume = %h
    
       passdb backend = ldapsam:ldap://ldap.itia.ntua.gr:389
       ldap admin dn = uid=samba,ou=daemons,dc=itia,dc=ntua,dc=gr
       ldap ssl = off
       ldap suffix = dc=itia,dc=ntua,dc=gr
       ldap user suffix = ou=people
       ldap group suffix = ou=groups
       ldap machine suffix = ou=computers
       unix password sync = no
       add machine script = smbldap-useradd -w -i %u
    
       log file = /var/log/samba/samba-log.all
       log level = 3
       max log size = 5000
       syslog = 2
    
       socket options = SO_KEEPALIVE TCP_NODELAY 
    
       encrypt passwords = true
       password level = 1
       security = user
    
       domain master = yes
       local master = no
       wins support = yes
    
       domain logons = yes
       idmap gid = 1000-2000
    

    Update 2: The server has a single network interface eth1 (also an unused eth0 that shows up only in the kernel boot messages) and two ip addresses; the main, 147.102.160.1, and an additional one, 147.102.160.37, that comes up with "ip addr add 147.102.160.37/32 dev eth1" (used only for a web site that has a different certificate than other web sites served from the same machine). One of the problems I recently faced was that samba was using the latter IP address. I fixed that by adding the "interfaces = 147.102.160.1" statement in smb.conf.

    Now:

    acheloos:/etc/apache2# tcpdump host 147.102.160.40 and not port 5900
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
    13:13:56.549048 IP lithaios.itia.civil.ntua.gr.netbios-dgm > 147.102.160.255.netbios-dgm: NBT UDP PACKET(138)
    13:13:56.549056 ARP, Request who-has acheloos2.itia.civil.ntua.gr tell lithaios.itia.civil.ntua.gr, length 46
    13:13:56.549091 ARP, Reply acheloos2.itia.civil.ntua.gr is-at 00:10:4b:b4:9e:59 (oui Unknown), length 28
    13:13:56.549324 IP acheloos.itia.civil.ntua.gr.netbios-dgm > lithaios.itia.civil.ntua.gr.netbios-dgm: NBT UDP PACKET(138)
    13:13:56.549608 IP lithaios.itia.civil.ntua.gr.netbios-dgm > acheloos2.itia.civil.ntua.gr.netbios-dgm: NBT UDP PACKET(138)
    13:13:56.549741 IP acheloos.itia.civil.ntua.gr.netbios-dgm > lithaios.itia.civil.ntua.gr.netbios-dgm: NBT UDP PACKET(138)
    13:13:56.550364 IP lithaios.itia.civil.ntua.gr.netbios-dgm > acheloos.itia.civil.ntua.gr.netbios-dgm: NBT UDP PACKET(138)
    13:13:56.550468 IP acheloos.itia.civil.ntua.gr.netbios-dgm > lithaios.itia.civil.ntua.gr.netbios-dgm: NBT UDP PACKET(138)
    

    (acheloos2 is the second IP address, 147.102.160.37). The above dump occurs when I click "OK" (to join the domain), until it asks me for the username and password of a user that can join the domain. I don't know why the client is contacting the second IP address. I tried temporarily deactivating it, but I still had some related ARP traffic (though I think not IP traffic).

    • MichelZ
      MichelZ about 12 years
      Any logs on the samba-side of things?
    • Olivier S
      Olivier S about 12 years
      Can you show us the samba configuration?
  • Antonis Christofides
    Antonis Christofides about 12 years
    If I remove -i, the ldap entry created is not a sambaSamAccount and does not contain the necessary attributes, such as sambaLMPassword, sambaSID, and so on. The error message in that case is "The specified computer account could not be found" regardless of whether it is the first or second try. I don't understand what good it would do to change the %u; the entry in LDAP is created correctly with the uid lithaios$.
  • Richard de Wit
    Richard de Wit about 12 years
    The %u switch to %m was suggested because of the error "The specified computer account could not be found", so perhaps Windows 7 checks on a different layer than XP.
  • Antonis Christofides
    Antonis Christofides about 12 years
    I tried it. %m has exactly the same results as %u.
  • Antonis Christofides
    Antonis Christofides about 12 years
    I don't see any -W in the man page of smbldap-useradd.
  • Antonis Christofides
    Antonis Christofides about 12 years
    smbldap-tools 0.9.7 does have a -W parameter, but I'm running 0.9.5, which doesn't seem to (at least not in the documentation). But why should this parameter solve the problem? What does this have to do with "manual addition of samba attributes"?
  • Antonis Christofides
    Antonis Christofides about 12 years
    I'll be damned! 0.9.5 does have the (undocumented) -W parameter, and it did kind of solve the problem. Still, the first time I tried to join, it gave me the "account could not be found" message, but the second time it joined the domain!
  • Antonis Christofides
    Antonis Christofides about 12 years
    I'd like to have more time to investigate this issue, but I certainly won't be able to do so before the bounty period ends. Therefore, I award you the bounty. It would be nice, however, if you could elaborate a little bit on the issue. I guess that many people are using a PDC with LDAP, and it strikes me why only I seem to have faced this problem.
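The thread turns on whether the machine entry that `add machine script` creates actually carries the Samba attributes (objectClass sambaSamAccount, sambaSID) rather than being a bare posixAccount. As an added example that is not part of the original thread, the following check audits LDIF exported from the machine container for exactly that; the LDIF entries, the uidNumber and the SID are constructed, and the sambaAcctFlags workstation-flag check is an extra assumption beyond what the thread states.

```python
# Added example (not from the thread): audit LDAP machine entries for the Samba
# attributes an ldapsam domain join needs. The LDIF is constructed, modelled on
# the thread's uid 'lithaios$': one entry without Samba attributes, one with.
POSIX_ONLY_LDIF = """\
dn: uid=lithaios$,ou=computers,dc=itia,dc=ntua,dc=gr
objectClass: posixAccount
uid: lithaios$
uidNumber: 1050
"""
SAMBA_LDIF = """\
dn: uid=lithaios$,ou=computers,dc=itia,dc=ntua,dc=gr
objectClass: posixAccount
objectClass: sambaSamAccount
uid: lithaios$
uidNumber: 1050
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3100
sambaAcctFlags: [W          ]
"""
REQUIRED_CLASSES = {"posixAccount", "sambaSamAccount"}
REQUIRED_ATTRS = {"uid", "uidNumber", "sambaSID"}

def parse_ldif(text):
    """Parse simple LDIF (no base64 or folded lines) into {attr: [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():  # a blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def check_machine_entry(entry):
    """Return the problems found; an empty list means the entry looks usable."""
    problems = []
    if not entry.get("uid", [""])[0].endswith("$"):
        problems.append("uid does not end with '$' (not a machine account)")
    missing = REQUIRED_CLASSES - set(entry.get("objectClass", []))
    if missing:
        problems.append("missing objectClass: " + ", ".join(sorted(missing)))
    missing = REQUIRED_ATTRS - set(entry)
    if missing:
        problems.append("missing attribute: " + ", ".join(sorted(missing)))
    if "W" not in entry.get("sambaAcctFlags", [""])[0]:
        problems.append("sambaAcctFlags lacks the workstation flag W")
    return problems
```

Run it over `ldapsearch -LLL -b ou=computers,...` output after a failed join: an entry that reports only the posixAccount problems is the signature of a machine script that created the account without the Samba attributes.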