Pablo Chamorro C.
2006-Mar-18 02:22 UTC
[Samba] problems adding machines after upgrade - sambaSID attribute incomplete!
Some days ago we were able to add machines to our Samba+OpenLDAP domain, but after we decided to update samba from 3.0.5a to 3.0.21c now we can't do that anymore!

In adding a machine, the "welcome to domain XXX" message appears, but after rebooting the machine it doesn't work! Looking at the openldap entries, now we are having these kinds of entries:

sambaSID: S-1-5-21-2502698289-3639879065-4582
sambaPrimaryGroupSID: S-1-5-21-2502698289-3639879065-7544774837-515

note that "one part" of the Samba SID is missing, the correct one should be:

sambaSID: S-1-5-21-2502698289-3639879065-7544774837-4582

so, I tried to fix the sambaSID attribute by hand on the openldap server using phpldapadmin but no luck. Also, I tried with the last smbldap-tools-0.9.2-1 without success. Windows shows "please check your password". How can this be fixed? Our openldap samba.schema was taken from samba 3.0.14a and our PDC is Red Hat 9.

Thanks,

Pablo

P.S. this is an example of one ldif machine record:

dn: uid=sistemas-47$,ou=Computers,o=company
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,sambaSamAccount
cn: sistemas-47$
sn: sistemas-47$
uid: sistemas-47$
uidNumber: 1791
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaSID: S-1-5-21-2502698289-3639879065-4582
sambaPrimaryGroupSID: S-1-5-21-2502698289-3639879065-7544774837-515
displayName: SISTEMAS-47$
sambaPwdCanChange: 1142646485
sambaPwdMustChange: 2147483647
sambaNTPassword: 16686156AAC4D85D1BD046C3320FEE9C
sambaPwdLastSet: 1142646485
sambaAcctFlags: [W ]

--
Tel: +57 (2) 7314752/3222/2595 - Fax: +57 (2) 7310514
Carrera 31 #18-07 Parque Infantil - PO Box 1795 - Pasto
Craig White
2006-Mar-18 03:15 UTC
[Samba] problems adding machines after upgrade - sambaSID attribute incomplete!
On Fri, 2006-03-17 at 21:22 -0500, Pablo Chamorro C. wrote:
> Some days ago we were able to add machines to our Samba+OpenLDAP domain,
> but after we decided to update samba from 3.0.5a to 3.0.21c now we can't
> do that anymore!
>
> In adding a machine, the "welcome to domain XXX" message appears, but
> after rebooting the machine it doesn't work! Looking at the openldap
> entries, now we are having these kinds of entries:
>
> sambaSID: S-1-5-21-2502698289-3639879065-4582
> sambaPrimaryGroupSID: S-1-5-21-2502698289-3639879065-7544774837-515
>
> note that "one part" of the Samba SID is missing, the correct one should be:
> sambaSID: S-1-5-21-2502698289-3639879065-7544774837-4582
>
> so, I tried to fix the sambaSID attribute by hand on the openldap server
> using phpldapadmin but no luck. Also, I tried with the last
> smbldap-tools-0.9.2-1 without success. Windows shows "please check
> your password". How can this be fixed? Our openldap samba.schema was
> taken from samba 3.0.14a and our PDC is Red Hat 9.
>
> Thanks,
>
> Pablo
>
> P.S. this is an example of one ldif machine record:
>
> dn: uid=sistemas-47$,ou=Computers,o=company
> objectClass:
> top,person,organizationalPerson,inetOrgPerson,posixAccount,sambaSamAccount
> cn: sistemas-47$
> sn: sistemas-47$
> uid: sistemas-47$
> uidNumber: 1791
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> gecos: Computer
> sambaSID: S-1-5-21-2502698289-3639879065-4582
> sambaPrimaryGroupSID: S-1-5-21-2502698289-3639879065-7544774837-515
> displayName: SISTEMAS-47$
> sambaPwdCanChange: 1142646485
> sambaPwdMustChange: 2147483647
> sambaNTPassword: 16686156AAC4D85D1BD046C3320FEE9C
> sambaPwdLastSet: 1142646485
> sambaAcctFlags: [W ]
>
----

#1 - samba.schema should always be the one supplied with your samba so using one from samba-3.0.14a doesn't make any sense at all.

#2 - what do you get from command... 'net getlocalsid' ?

#3 - do other commands work such as... pdbedit -Lv ?

#4 - from the process you described, it sounds like you are using the Windows Network Wizard to join the computer to the domain which pretty much relies on you properly configuring smbldap-tools and from your description, it would seem that your smbldap-tools was updated but not the configuration or if your smbldap-tools configuration was updated, that you made some errors. You need to inspect the configuration there.

Craig
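A check for the symptom discussed in this thread, as an added example that is not from either poster, Samba or smbldap-tools: it parses LDIF account records and reports every sambaSID or sambaPrimaryGroupSID that is not the domain SID followed by a RID. The domain SID used here is an assumption (it stands in for what `net getlocalsid` reports on the PDC), the second sample record is constructed, and `parse_ldif`, `sid_problems` and `audit` are hypothetical helper names.

```python
import re
# A domain SID is S-1-5-21 plus three sub-authorities; account SIDs append one RID.
DOMAIN_SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}")
SID_ATTRS = ("sambaSID", "sambaPrimaryGroupSID")

def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry (base64 values not decoded)."""
    entries, current, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:      # folded continuation line
            current[last][-1] += line[1:]
        elif not line.strip():                 # blank line ends the entry
            if current:
                entries.append(current)
            current, last = {}, None
        elif not line.startswith("#") and ":" in line:
            last, _, value = line.partition(":")
            current.setdefault(last, []).append(value.strip())
    return entries

def sid_problems(entry, domain_sid):
    """Return (dn, attribute, value) for each SID that is not <domain_sid>-<RID>."""
    if not DOMAIN_SID_RE.fullmatch(domain_sid):
        raise ValueError("not a domain SID: %r" % domain_sid)
    problems = []
    for attr in SID_ATTRS:
        for value in entry.get(attr, []):
            prefix, _, rid = value.rpartition("-")
            if prefix != domain_sid or not rid.isdigit():
                problems.append((entry.get("dn", ["?"])[0], attr, value))
    return problems

def audit(ldif_text, domain_sid):
    return [p for e in parse_ldif(ldif_text) for p in sid_problems(e, domain_sid)]

# Constructed sample: record 1 is trimmed from the post above, record 2 is made up.
SAMPLE = """\
dn: uid=sistemas-47$,ou=Computers,o=company
sambaSID: S-1-5-21-2502698289-3639879065-4582
sambaPrimaryGroupSID: S-1-5-21-2502698289-3639879065-7544774837-515

dn: uid=example-01$,ou=Computers,o=company
sambaSID: S-1-5-21-2502698289-3639879065-7544774837-4584
sambaPrimaryGroupSID: S-1-5-21-2502698289-3639879065-7544774837-515
"""
DOMAIN_SID = "S-1-5-21-2502698289-3639879065-7544774837"  # assumed `net getlocalsid` result

if __name__ == "__main__":
    for dn, attr, value in audit(SAMPLE, DOMAIN_SID):
        print("%s: %s=%s is outside domain %s" % (dn, attr, value, DOMAIN_SID))
```

Run against an export of ou=Computers, this lists the accounts whose SIDs need repair before their machines can authenticate to the domain.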