resolved.
samba4 now forces to use NTLMv2, and WinXP uses NTLMv1 by default.
so, you have to change settings to support NTLMv2:
* open Administrative Tools
* open Local Security Policy
* open Security Settings\\Local Policies\\Security Options
* find Network security: LAN Manager authentication level
* change to Send NTLMv2 response only\\refuse LM and NTLM
* press apply, yes and you are ready.
full instructions:
https://www.imss.caltech.edu/node/396