[Samba] Migration from NT Domain to AD

John Welch jwelch at brosco.com
Fri Jun 3 02:28:04 GMT 2005

My company is in the process of migrating from an NT 4.0 Domain to a
Windows 2003 Active Directory Domain.  We have set up a pristine AD
domain and have begun moving machines and users over to it.  Part of
this migration process is moving to a new domain name.  We have several
Samba servers that are currently members of the NT 4.0 domain.  These
Samba servers are running on a mix of both Linux and AIX machines.  The
Samba servers are all used for basic file and print sharing.  My plan is
to leave these servers in "security = domain" mode, rather than
switching to "security = ads"; at least initially.  

The Linux servers are all running fairly current versions of Samba,
ranging from 3.0.7 to 3.0.11.  On most of these servers we are using
winbind to authenticate through the NT domain.  On a test server I
updated the smb.conf to reflect the new domain name and the new password
servers, and joined the new AD domain.  Everything seems to be working
OK on this test system.  The one question I have on these Linux/winbind
servers is: Are there any tools or scripts available to update file and
folder security?  For example, File.txt is owned by OLDDOMAIN+USER1.  Is
there anything available to update this file so that it is now owned by
NEWDOMAIN+USER1?  I know I can use the chown command to update the file,
but I'm wondering if there are any tools to do this on a complete
directory structure.

My bigger problem is with the AIX servers.  They are currently running
Samba version 2.2.8a.  I tried joining the new AD domain on one of these
systems and ran into "Access denied" problems.  I knew it was probably
about time to get these servers more up to date with Samba, so I didn't
waste too much time trying to figure out this problem.  Instead I
compiled and installed the latest (3.0.14a) version.  After doing this I
first checked to make sure everything was OK with this version before
migrating to the new domain.  Once I verified that things were OK, I
updated the smb.conf and joined the new AD domain (successfully).
However, when I started Samba back up I began getting errors and/or
prompts for user-name/password on the client side.  In the server logs I
am also seeing errors, the most significant of which seems to be the
following: "domain_client_validate: could not fetch trust account
password for domain BROSCO".  After trying a few things unsuccessfully,
I tried rejoining the original NT 4.0 domain.  Again the join was
successful, but I was getting the same errors/problems on both the
client and server.  I eventually had to restore Samba from backup in
order to get things working again.  I'm not sure where the problem lies
or what to try next.

Any help or suggestions for either my Linux/winbind question or (mostly)
my AIX problem would be appreciated.

Thanks in advance.
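
For the Linux/winbind ownership question above, one way to re-own a complete directory structure, as an added example that is not part of the original post or of Samba. It assumes the "+" winbind separator shown in the post, identical account names in both domains, and that both OLDDOMAIN+name and NEWDOMAIN+name still resolve through NSS while it runs; the function names are hypothetical.

```python
import grp
import os
import pwd


def _remap(ident, id_to_name, name_to_id, old_prefix, new_prefix, cache):
    """Return the new-domain id for ident, or None if it should be left alone."""
    if ident not in cache:
        cache[ident] = None
        try:
            name = id_to_name(ident)
        except KeyError:
            name = ""                      # orphaned id: leave untouched
        if name.upper().startswith(old_prefix.upper()):
            try:
                cache[ident] = name_to_id(new_prefix + name[len(old_prefix):])
            except KeyError:
                pass                       # no matching account in the new domain
    return cache[ident]


def plan_reown(root, old_domain, new_domain, sep="+",
               uid_name=lambda u: pwd.getpwuid(u).pw_name,
               name_uid=lambda n: pwd.getpwnam(n).pw_uid,
               gid_name=lambda g: grp.getgrgid(g).gr_name,
               name_gid=lambda n: grp.getgrnam(n).gr_gid):
    """Walk root and return [(path, new_uid, new_gid)]; -1 means keep as is."""
    old_p, new_p = old_domain + sep, new_domain + sep
    ucache, gcache, plan = {}, {}, []
    # os.walk does not descend into symlinked directories, so the walk
    # cannot escape root through a link planted inside a share.
    for dirpath, _dirs, filenames in os.walk(root):
        for entry in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(entry)           # inspect the link itself, not its target
            uid = _remap(st.st_uid, uid_name, name_uid, old_p, new_p, ucache)
            gid = _remap(st.st_gid, gid_name, name_gid, old_p, new_p, gcache)
            if uid is not None or gid is not None:
                plan.append((entry, -1 if uid is None else uid,
                             -1 if gid is None else gid))
    return plan


def apply_plan(plan):
    """Apply a reviewed plan as root; lchown never follows a symlink."""
    for path, uid, gid in plan:
        os.lchown(path, uid, gid)
```

Reviewing the list returned by plan_reown before passing it to apply_plan gives a dry run; the injectable lookup functions allow testing the mapping without a live winbind.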

