SAMBA net ads leave / join desperation

[kiwi128]

hi everyone!

i'm desperate. all i was supposed to do, was leave the current ADS (w2k DC) in which samba
has been working flawlessly (except for the excel sharing bug and permission problems) for
1,5 years and integrate it into the new w2k3 DC.

now for versions and misc data:
gds-2.6.11-r3 SMP
samba-3.0.11 something (latest ~x86 as of Mar14)
mit-krb5 (latest ~x86 as of Mar14)
old domain: ABC.com
new domain: DEF.local
(well not ABC and DEF but you get the point)
old DC 10.0.0.10 (w2k)
new DC 10.0.0.5 (w2k3)
local IP 10.0.0.20

unfortuneatly i forgot the net ads leave command and edited all files like smb.conf krb5.conf resolv.conf
yp.conf.
anyways i couldn't join, because it somehow remembered the old domain name and it still does

1) what files to clean??? i removed all .tdb files (/etc/samba/private and /var/lib/samba/private) and removed
all /var/cache/samba/files and somehow it remembers ABC.com - that was driving me crazy

2) because i couldn't join, i undoed all config stuff and tried leaving the old domain, didn't work either.
the problem was that i always was asked for the machine account password (fileserver$)?! nobody can
know this one, as it's random garbage i thought (stored somewhere in some form).
options like -U are ignored for the leave command and i have never seen it ask for the machine account password,
doesn't make any sense to my simple mind at least...

3) i tried harder cleaning up and joining the new domain, but to no avail
i rebooted enough times and times were always checked to be within <60s of each other (because of krb5)

now this is as far as i can get

fileserver # net ads join -UAdministrator@DEF%desperation
[2005/03/15 01:07:40, 0] libads/kerberos.c:ads_kinit_password(146)
kerberos_kinit_password Administrator@DEF failed: KDC reply did not match expectations
[2005/03/15 01:07:40, 0] utils/net_ads.c:ads_startup(186)
ads_connect: KDC reply did not match expectations

before that i had pre-auth errors or other stuff.
IF i use the wrong pass i get pre-auth error, so at least SOMETHING must be working
if i leave out the @DEF it appends @ABC.COM driving me crazy because i already did a
"grep ABC -iR *" in /etc a zillion times, but there's no trace left, must be some binary
storage somewhere.

i tried resetting the machine account in the old domain, i deleted it, i created one in the new domain in advance (and
set it to allow older stuff, i think this means older protocols) etc.etc.

please help me, i'm desperate, my employer was never too fond of linux and i'm losing faith in my skills etc.
i shall digitally reward you as well as i can

many thanks,
regards from austria

p.s.: also during winbind startup i get "Could not fetch sid for our domain DEF" in the logfile. do i need winbind anyways?
i thought i did when i setup this server ~1,5 years ago and never bothered again, as it was working.

[kiwi128]

30 views, no ideas? anyone?
i can't beleive i'm the only one using ADS mode

thanks

[kiwi128]

anyone please?

[kiwi128]

nevermind, have to convert it to w2k3 now
you can delete this monological post