Thomas Nau
2010-Nov-03 17:29 UTC
[Samba] Windows doesn't show groups/users of AD in security tab when connected to Samba server
Dear all,

After lots of reading and testing I'm still not able to set up a fully functional Samba server with AD integration. The environment looks like:

- Solaris x86 build 129 (the OpenSolaris "nevada builds")
- Samba 3.5.6 with Kerberos 1.8.3 and OpenLDAP 2.4.23
- Active Directory Server 2008 R2
- WindowsXP clients which are _NOT_ members of the AD domain
- already existing UNIX UIDs and GIDs are in the 200-60000 range

One base requirement is that the UNIX side of the IDs has to be provided by an existing UNIX NIS server via nsswitch, but authentication must be provided against the mentioned AD server. So we cannot allocate UIDs and GIDs by the idmap backend.

Q: Is idmap_nss the backend to use with its range specified to cover the above one (200-60000)?

We don't allow people to log into the machine on the UNIX side, so PAM isn't required (right?)

Q: Will I need both nss_winbind or just winbindd?

Joining the domain works smoothly. A WindowsXP client is able to authenticate against AD _WITHOUT_ being a member of the domain. Adding files works just as expected, but when I try to add users/group security entries (right-click, properties, security-tab) none of the AD users or groups show up, only the Samba built-in ones. Using

    net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
    ...

makes the mapped groups show up, but none of the users or other AD groups. Also 'wbinfo --user-info=whatever_name' does not list any information even though the user exists in AD.

I'll be grateful for any hint, walk-through or other enlightenment :)

Thomas

-----------------------------------------------------------------
GPG fingerprint: B1 EE D2 39 2C 82 26 DA A5 4D E0 50 35 75 9E ED