samba - Jul 2004 - Domain logon against a Windows Server 2003 based AD

Hi,  
 
I'm trying to configure my Mandrake V10 box to do user authentication 
against an ActiveDirectory domain hostet on Windows Server 2003. 
 
And guess what, I have some problems :) 
 
I used drakauth (similar to authconfig on RedHat) to configure the 
authentication against a windows domain. I was asked some questions 
concerning domain, domain controller, administrator account and 
password.. 
 
drakauth configured my smb.conf the following way: 
[global] 
	workgroup = IDEALTEC.LOCAL   
	server string = Samba Server %v 
	security = domain 
	encrypt passwords = Yes 
	password server = * 
	log file = /var/log/samba/log.%m 
	max log size = 50 
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 
	character set = ISO8859-15 
	os level = 18 
	local master = No 
	dns proxy = No 
	winbind uid = 10000-20000 
	winbind gid = 10000-20000 
	winbind separator = + 
	template homedir = /home/%D/%U 
	template shell = /bin/bash 
	winbind use default domain = yes 
 
But after a net join, I get the following errors, when I try to logon 
a domain user on my linux box: 
 
Jul 12 16:56:22 linux kde3(pam_unix)[3610]: auth could not identify 
password for [marcus] 
Jul 12 16:56:22 linux winbindd[2410]: [2004/07/12 16:56:22, 0] 
nsswitch/winbindd_util.c:get_trust_pw(951)  
Jul 12 16:56:22 linux winbindd[2410]:   get_trust_pw: could not fetch 
trust account password for my domain IDEALTEC.LOCAL  
Jul 12 16:56:22 linux pam_winbind[3610]: request failed: 
NT_STATUS_CANT_ACCESS_DOMAIN_INFO, PAM error was 4, NT error was 
NT_STATUS_CANT_ACCESS_DOMAIN_INFO 
Jul 12 16:56:22 linux pam_winbind[3610]: internal module error (retval = 
4, user = `marcus' 
 
 
I even modified in the ActiveDirectory the SecurityPrincipal
"Everyone"
to be a member of the "pre-windows 2000 authentication" group,
don't
know if the name is right, as I have a german version of Windows :) 
 
Last things I modified on my linux box was to change the  
security = domain to security = ads, as the net join gave me some 
hints that it could not find the ads realm and had to use RPC for 
interaction with my domain. 
 
According to the man-page I set the following lines: 
	security = ads 
	.nf realm = dc-hh-001.idealtec.local   
 
name resolution works, I have checked this, as I know how critical 
DNS is for ActiveDirectory based domains. 
 
Im currently working my way down the Samba-Howto-Collection Chapter 20: 
Use of Domain Accounts, but currently Im somewhat puzzled, need to get 
some ground under my feet.. 
 
 
Bye, 
Marcus 
 
 

-- 
pedo mellon a minno