samba - Oct 2013 - From 3.0.11 to up-to-date versions protocol problem

Hi.

We have been using samba 3.0.11 for years and now we need to add some win7
machines to our domain.

So I test up-to-date Samba versions (3.6.19, 4.1.0 compiled, and Centos
today "native" binary package 3.6.something) and with all of them I
run
into the same problem.
I get stuck with protocols when checking XP machines (which works like a
charm in 3.0.11 domain)
When max protocol is NT1 (as in 3.0.11), I can add XP into domain, but can
not do domain logon nor "net view /DOMAIN:NIS7" -> the domain is
not longer
available. "Net view /DOMAIN:NIS"   works good - NIS is 3.0.11 samba
domain.
When I set protocol to LANMAN2, "net view" shows my SAMBA7 server, I
can
log into domain from already-in-domain XP, but I can not add the XP into
domain, when it was removed from it - with "incorrect parameter"
message.
(The XP is in LDAP and can join the domain with max protocol NT1, as I
said).

I have tried many combinations of options, but with no luck. I suppose NT1
should be used as max protocol, is it right? Where can be the problem with
logging into domain and "net view" command then? I did wiresharking,
tcpdumping, log reading, googling for days...

Thanks,

                     Michal

This is my global section right now.

[global]
        dos charset = CP852
        unix charset = ISO8859-2
        workgroup = NIS7
        server string         passdb backend = ldapsam:ldap://10.200.11.11
        lanman auth = Yes
        syslog = 0
        log file = /var/log/samba/%m.log
        max log size = 50
        max protocol = LANMAN2
        name resolve order = host bcast
        server signing = auto
        socket options = TCP_NODELAY,SO_KEEPALIVE
        add user script = /usr/sbin/useradd -d /dev/null -g users -s
/bin/false -M %u
        add machine script = /usr/local/bin/AM %u
        logon script = smbprofile.bat
        logon path = \\%h\home\profiles\%U
        logon drive = S:
        domain logons = Yes
        os level = 35
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        ldap admin dn = cn=Manager,dc=nspuh,dc=cz
        ldap group suffix = ou=groups
        ldap machine suffix = ou=machines
        ldap suffix = dc=nspuh,dc=cz
        ldap ssl = no
        ldap user suffix = ou=people
        allow insecure wide links = Yes
        panic action = /usr/share/samba/panic-action %d
        template homedir = /profiles/DEFAULT
        idmap config * : range         idmap config * : backend = tdb
        admin users = root
        root preexec = /usr/local/bin/RPE '%u' 'GLOBALS'
>>
/var/log/RPE.log 2>&1
        wide links = Yes