Robert Sprockeels
2003-Sep-30 14:44 UTC
[Samba] Samba 3.0.0 + ADS authentication and login
Hi list,

At a customer site, we have a number of Linux workstations (Mandrake 9.1) with samba 2.2.7a installed running in an NT domain. We use winbindd to do user authentication against the domain server via pam_winbind. When logging in a first time, we create the local user's home directory with pam_mkhomedir. We mount the user's network resources with pam_mount. This all works very fine.

The organization is now migrating from NT to ADS, and we have to provide the same behaviour as before. I installed samba 3.0.0 stable on a test workstation, and configured it as per HOWTO. I was able to successfully join the machine into the ADS domain. The "net ads group" and "net ads user" commands work fine. Logging in as a domain user against the domain server succeeds, but winbindd does not provide the local uid/gid. The next pam modules (login and kde3) report "User not known to the underlying authentication module", so login fails.

In the documentation there is no detailed howto for configuring winbindd so that it authenticates with LDAP/Kerberos and creates the local idmap uid and gid for the user. A minimum configuration example would be nice here. I guess that once this step is OK, the next step of creating the local user's directory structure with pam_mkhomedir would work like before...

Can anyone help me with this?

Robert
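The post asks for a minimum configuration example. What follows is an added illustration of the kind of configuration a Samba 3.0 ADS member workstation with winbindd-backed logins uses; it is not from the original thread and not copied from the Samba HOWTO. The domain EXAMPLE / realm EXAMPLE.COM, the DC host name dc1.example.com, the idmap ranges, and the Mandrake 9.1 file paths (/etc/samba/smb.conf, /etc/pam.d/system-auth) are assumptions; the parameter names are the Samba 3.0 ones (idmap uid / idmap gid replaced 2.2's winbind uid / winbind gid).

```ini
; --- /etc/krb5.conf (assumed path) ---
; "security = ads" needs working Kerberos first: the realm is the AD DNS
; domain in upper case, and the workstation clock must be within the
; DC's skew limit (5 minutes by default).
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }

; --- /etc/samba/smb.conf (assumed path) ---
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    encrypt passwords = yes

    ; winbindd hands out a uid/gid from these ranges the first time a
    ; domain SID is looked up and records the mapping in winbindd_idmap.tdb.
    ; Without both ranges winbindd can still authenticate a user but has
    ; no id to return, so NSS lookups of domain accounts come back empty.
    idmap uid = 10000-20000
    idmap gid = 10000-20000

    ; what getent passwd reports for domain accounts; pam_mkhomedir
    ; creates this directory on first login
    template homedir = /home/%D/%U
    template shell = /bin/bash

    winbind separator = +
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes

; --- /etc/nsswitch.conf ---
; libnss_winbind.so must be installed where glibc finds it (/lib) or
; these entries resolve nothing even though winbindd is running.
passwd:  files winbind
group:   files winbind
shadow:  files

; --- /etc/pam.d/system-auth (assumed Mandrake 9.1 path) ---
; winbind first; use_first_pass lets pam_unix reuse the password already
; typed so local accounts still log in without a second prompt
auth      sufficient  pam_winbind.so
auth      required    pam_unix.so use_first_pass
account   sufficient  pam_winbind.so
account   required    pam_unix.so
session   required    pam_mkhomedir.so skel=/etc/skel umask=0022
session   required    pam_unix.so
```

Order of checks once this is in place: `net ads join -U Administrator`, start winbindd, then `wbinfo -t` (machine trust secret is good), `wbinfo -u` (domain users enumerated), and finally `getent passwd someuser` (with `winbind use default domain = yes`; otherwise `EXAMPLE+someuser`). The last step is the one that matters for the symptom described above: "User not known to the underlying authentication module" is PAM's text for PAM_USER_UNKNOWN, which is what login and kdm report when the account authenticated but cannot be resolved to a passwd entry. If `wbinfo -u` lists users but `getent passwd` returns nothing, the break is in the NSS layer (missing libnss_winbind.so or no `winbind` entry in nsswitch.conf) or in the idmap ranges, not in authentication.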
My analysis of the source code indicates that winbindd (the nsswitch-related ones) is broken in 3.0 for 'non-trusted' domains. In other words, it cannot handle accounts of its own domain (be it a Samba PDC/BDC or, in your case, a member server of a domain).