[Samba] W2k to W2k3 winbind enumeration issue?
treed at lavergne.org
Wed May 4 16:20:50 GMT 2005
I've been in the process of decommissioning a W2k domain controller and
moving the whole show to a new machine with W2k3. Everything has moved
along quite well except changing the samba setup to use the new system.
A little background:
Samba 3.0.10 on gentoo
KRB5 ver 1.3.1-r1
using winbind/kerberos to integrate the samba server as an AD member server.
The Samba server holds departmental fileshares, and the contents of all
users' "My Documents" folders.
This setup has worked great for the past 2 years.
I have joined the w2k3 server to the current domain, dcpromo'd it, moved
all FSMOs to it, moved the dns, dhcp; everything is set for this final
step before I remove the old system.
The problem comes when I make the change in the smb.conf to point samba
to the new DC. There seems to be an issue with winbind numbering the
users differently (or maybe getting the list of users differently from
the new DC) and consequently the SIDs aren't getting 'mapped' correctly
to match the permissions on the folders. I haven't had time to do a
full investigation into this, as this is a live production system and I
only get a couple of hours here and there to tinker with it.
I determined that there was a problem after checking permissions on some
of the users' home directories and finding names that didn't go with the
Here are the steps I followed to redirect samba to the new DC.
Disabled client signing on the w2k3 dc
changed password server = old.dc.box to password server = new.dc.box
backed up and then removed all /var/cache/samba/*tdb
physically unplugged the old dc from the network just to make sure.
restarted smb, winbind, nmb.
net ads info gives me all the correct information (the new DC)
wbinfo -u and wbinfo -g give all the users/groups I expect although in a
Now when I cruise over to an XP box I can't hit the fileshares or "My
Documents" as expected.
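
One way to confirm whether winbind handed out different UIDs after the switch, as an added example that is not part of the original post: it diffs two saved `getent passwd` snapshots taken on the Samba host before and after repointing it. The snapshot files, function names and sample accounts are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: diff two saved `getent passwd` snapshots taken on the Samba
# host before and after repointing winbind. Function names are hypothetical.

# uid_drift BEFORE AFTER
# Prints "name old_uid new_uid" for every account whose UID changed.
uid_drift() {
    awk -F: '
        NR == FNR { old[$1] = $3; next }   # first file: name -> old UID
        ($1 in old) && old[$1] != $3 { print $1, old[$1], $3 }
    ' "$1" "$2"
}

# uid_reassigned BEFORE AFTER
# Prints "uid was=name now=name" for every UID that now resolves to a
# different account; files still owned by that UID show the wrong name.
uid_reassigned() {
    awk -F: '
        NR == FNR { was[$3] = $1; next }   # first file: UID -> old name
        ($3 in was) && was[$3] != $1 { print $3, "was=" was[$3], "now=" $1 }
    ' "$1" "$2"
}

# Constructed sample snapshots (not real data): alice and bob swap UIDs.
write_samples() {
    printf '%s\n' \
        'alice:x:10000:10000::/home/alice:/bin/false' \
        'bob:x:10001:10000::/home/bob:/bin/false' \
        'carol:x:10002:10000::/home/carol:/bin/false' > "$1/before"
    printf '%s\n' \
        'alice:x:10001:10000::/home/alice:/bin/false' \
        'bob:x:10000:10000::/home/bob:/bin/false' \
        'carol:x:10002:10000::/home/carol:/bin/false' > "$1/after"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
uid_drift "$demo_dir/before" "$demo_dir/after"
uid_reassigned "$demo_dir/before" "$demo_dir/after"
rm -rf "$demo_dir"
```

Any UID listed by `uid_reassigned` marks files whose on-disk owner now displays as a different account, which is an access-control problem as well as a cosmetic one.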