samba - Jun 2003 - Win2K Machine Accounts No Longer Valid after Samba PDC Upgrade (2.2.2 to 2.2.8a)

Symptom:   After upgrading our Primary Domain Controller
           from Samba 2.2.2 to Samba 2.2.8a, users attempting 
           to login from Windows 2000 clients are no longer 
           able to do so. 

Details:   After some research it was discovered that if a Windows
           2000 client re-joins the domain served by the upgraded
           version of Samba, users are then able to, once again,
           log into this domain.

           It was also discovered that if the Samba PDC was downgraded
           to its original version of 2.2.2, any windows 2000 client
           that re-joined the domain while the Samba PDC was at  
           version 2.2.8a, was still able to log into the domain.

           As additional information, both versions of the Samba
           PDC were compiled on SPARC architecture running Solaris 8.0


As the above comments suggest, machine accounts are backward-compatible,
but *not* forward-compatible between Samba versions 2.2.2 and 2.2.8a.

After researching the Samba mailing lists and newsgroups it is more
or less understood that in order to deal with problems of this nature
each windows 2000 machine account needs to be recreated. Which is
a very time-consuming effort.

Is there a better way to deal with this upgrade path?

Ideally where I don't have to visit each windows 2000 machine in order
to re-create their machine accounts?  A migration utility or set of
server-side steps perhaps? 


Regards,

Geoff Stitt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20030603/7daa3b43/attachment.bin

My apolgies in posting this again. However I was hoping someone
had a suggestion...

Symptom:   After upgrading our Primary Domain Controller
           from Samba 2.2.2 to Samba 2.2.8a, users attempting 
           to login from Windows 2000 clients are no longer 
           able to do so. 

Details:   After some research it was discovered that if a Windows
           2000 client re-joins the domain served by the upgraded
           version of Samba, users are then able to, once again,
           log into this domain.

           It was also discovered that if the Samba PDC was downgraded
           to its original version of 2.2.2, any windows 2000 client
           that re-joined the domain while the Samba PDC was at  
           version 2.2.8a, was still able to log into the domain.

           As additional information, both versions of the Samba
           PDC were compiled on SPARC architecture running Solaris 8.0


As the above comments suggest, machine accounts are backward-compatible,
but *not* forward-compatible between Samba versions 2.2.2 and 2.2.8a.

After researching the Samba mailing lists and newsgroups it is more
or less understood that in order to deal with problems of this nature
each windows 2000 machine account needs to be recreated. Which is
a very time-consuming effort.

Is there a better way to deal with this upgrade path?

Ideally where I don't have to visit each windows 2000 machine in order
to re-create their machine accounts?  A migration utility or set of
server-side steps perhaps? 

...geoff