[Samba] Machine auth request rejected

[samba1 at nym.hush.com]

I thought I had this working when I tested it a few months ago with 
a different test server, but I’ve tried everything from my previous 
notes, and can’t get it to work now.

I’m replacing a Samba 3.0.10 Unix server with a SerNet Samba 4.1.2 
Debian Wheezy server.  The new server has to look exactly the same 
to the existing workstations.  The workstations are all running 
Windows XP Pro.

I’ve set up the new server, and on a separate test network 
configured it so that it has the same IP address, name and domain 
etc as the old server.  I set SAMBA_START_MODE “classic” in 
/etc/default/sernet-samba.  My smb.conf seems fine.

On the server I’ve created unix users, groups and machines with the 
same passwords, UIDs and GIDs as on the old server, and added users 
and machines to the relevant groups.  I’ve created samba passwords 
for the users and machines.

The server has the same local and domain SIDs as the existing 
server.

I’ve mapped NT groups to Unix groups:
net groupmap add rid=512 unixgroup=d-admin ntgroup=”Domain Admins”
net groupmap add rid=513 unixgroup=d-user ntgroup=”Domain Users”
net groupmap add rid=514 unixgroup=nobody ntgroup=”Domain Guests”
net groupmap add rid=515 unixgroup=xp-name ntgroup=”Domain 
Computers”

On my test PC which had been logging in to the existing server, I 
checked the user SID, and also ran ‘pdbedit –L –v’ on the existing 
server to verify.  I issued the following command to set the user 
SIDs to be the same on the new server:

pdbedit –r –U 1252 –u carol
pdbedit –r –U 1396 –u xppc072$

pdbedit –L –v –u xppc072$ returns the same on both servers.

However, when I try to login from the test PC to the new server, 
the Samba log file for the machine says 
‘netlogon_creds_server_check failed. Reject auth request from 
client XPPC072 machine account XPPC072$’.

On another test machine I was able to login after taking the 
machine off the domain (setting it to a workgroup) then adding it 
back to the domain.  However, the system has more than 60 
computers, and in the past I’ve found that dabbling with a PC's 
domain membership can muck up a user’s local profile, needing quite 
a bit of work to resolve.  I can’t risk this sort of thing when 
switching to the new server.

I had a look at the Microsoft XP Support Tool called netdom.exe 
thinking that might let me more easily reregister a computer on the 
domain if that might be required, but I can’t get it to work.  I’ve 
also seen a product called ForensIT User Profile Wizard, but I’m 
not sure if that would be of use in this situation.

In any event, I’d prefer to get the new server configured so that 
no intervention is needed on any of the workstations.

I’d appreciate some help with this.  I’m (hopefully) probably 
missing something obvious!