[Samba] Upgrade difficulty - Version 3.0.6b to 3.6.3

[Frank Thynne]

I'm upgrading Samba from V3.0.6b to 3.6.3 on a new server.

The original configuration, installed in 2006, is Samba V3.0.6b PDC on SUSE LINUX Enterprise Server 9 replacing a Windows NT Server.

The intended configuration is Samba V3.6.3 PDC on Ubuntu 12.04.5 LTS running on new hardware, replacing the 2006 configuration. The upgrade is needed to support new Windows 7 workstations.

There are only a few workstations so the old server was also the main fileserver, and the same is intended for the new server.

The plan is to introduce and test in steps to ensure uninterrupted service:

Stage 1. Establish proper DHCP and DNS services on the new server.

Stage 2 Configuration new server as Standalone server.

Stage 3 Reconfigure new server as Member Server in the original domain

Stage 4 Reconfigure new server as BDC

Stage 5 Reconfigure new server as PDC

Stage 6 Retire or redeploy the old server.

Stages 1 and 2 are completed and worked as expected. The new server is configured as the DHCP and DNS server but the old server is currently the WINS and login server.

Problems begin in stage 3.

The new server joined the original domain aparently without fault. However, clients cannot authenticate correctly with the new server's shares using the domain credentials stored on the old server in its original configuration. I have tried to access shares on the new server using smbclient on both the new and old servers.

Windows XP clients can see the old and new servers, but cannot connect to a test share on the new server using domain passwords. To connect to the new server, smbpasswd needs to be run on the new server and the client needs to login as <newserver>\<username>. <domainname>\<username> does not work.

I have run the Samba Checklist up to step 7 but things fail at step 8.

When I look for a share on the new server using smbclient on the new server (ie itself) I see in the logs messages such as:

NTLMSSP_NEGOTIATE_KEY_EXCH followed by

NT_STATUS_BAD_NETWORK_NAME

When I do the same from the old server I see

NTLMSSP_NEGOTIATE_KEY_EXCH followed by

NT_STATUS_LOGON_FAILURE

It seems that there are compatibility problems between V3.0.6b and 3.6.3. In anticipation of such a problem I did not make the login parameters more advanced than for the old server, but it didn't help.

I don't think I need to have copies of the old server secrets on the new server at this stage, although I will need to have them in stage 4. Experiments with trying to replicate the secrets show that it is difficult to import from the old server which does not have pdbedit and where I am finding it difficult to establish whether Domain SIDs or Local SIDs are being used. That difficulty might disappear when I configure the new server as a Domain Controller instead of a Member Server.

I'm not attempting LDAP and Active Directory as Samba 3.6.3 has no provisioning tool and my fingers were badly burnt by a broken Samba 4.