Shaun Anderson
2015-Jan-14 23:33 UTC
[Samba] Kerberos Authentication problem "Username X is invalid on this system"
This is a new Samba config that has not yet worked. I have installed
sernet-samba 4.1.14.
[root@sltltfsee samba]# rpm -qa | grep sernet
sernet-samba-libsmbclient0-4.1.14-10.el6.x86_64
sernet-samba-common-4.1.14-10.el6.x86_64
sernet-samba-4.1.14-10.el6.x86_64
sernet-samba-libs-4.1.14-10.el6.x86_64
sernet-samba-winbind-4.1.14-10.el6.x86_64
sernet-samba-client-4.1.14-10.el6.x86_64
I have been added to the domain and all of that appears to work fine. I have
created shares, however am unable to access them.
Here are the contents of nsswitch.conf:
[root@sltltfsee samba]# cat /etc/nsswitch.conf | grep -v "#"
passwd: compat winbindd files
shadow: compat files
group: compat winbind files
hosts: files dns wins
bootparams: nisplus [NOTFOUND=return] files
ethers: db files
netmasks: files
networks: files dns
protocols: db files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
krb5.conf file:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.ORG
dns_lookup_realm = true
;dns_lookup_realm = false
dns_lookup_kdc = true
;dns_lookup_kdc = false
ticket_lifetime = 600
renew_lifetime = 7d
forwardable = true
[realms]
MYDOMAIN.ORG = {
kdc = SL1TDC3.MYDOMAIN.ORG
kdc = SL1DC5.MYDOMAIN.ORG
admin_server = SL1TDC3.MYDOMAIN.ORG
default_domain = MYDOMAIN.ORG
}
[domain_realm]
.mydomain.org = MYDOMAIN.ORG
mydomain.org = MYDOMAIN.ORG
MYDOMAIN.org = MYDOMAIN.ORG
.MYDOMAIN.org = MYDOMAIN.ORG
smb.conf file:
[root@sltltfsee samba]# cat /etc/samba/smb.conf
[global]
workgroup = SL1
netbios name = SLTLTFSEE
server string = LTFSEE Server
realm = SL1.MYDOMAIN.ORG
security = ads
encrypt passwords = yes
idmap config * : range = 16777216-33554431
idmap config * : backend = tdb
template shell = /bash/bin
allow trusted domains = Yes
client ntlmv2 auth = yes
force unknown acl user = yes
auth methods = guest sam winbind
passdb backend = tdbsam
groupdb:backend = tdb
interfaces = eth1 lo
username map = /etc/samba/smbusers
guest ok = yes
#LOGGING
log level =3
log file = /var/log/samba/smb.ltfsee.log
max log size = 50
#WINBIND
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind use default domain =true
winbind offline logon = true
winbind refresh tickets = Yes
#GPFS items
gpfs:sharemodes = yes
gpfs:prealloc = yes
gpfs:dfreequota = yes
gpfs:hsm = yes
gpfs:winattr = yes
gpfs:leases = yes
#General FS items
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = yes
#SHARES
[general]
path = /gpfs/ltfsee/general
read only = no
valid users = @"Domain Users"
Things such as winbind lookups work just fine:
[root@sltltfsee samba]# wbinfo -a choatej%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
[root@sltltfsee samba]# wbinfo -i SL1\\choatej
choatej:*:16777216:16777220::/home/SL1/choatej:/bash/bin
[root@sltltfsee samba]# wbinfo -U 16777216
S-1-5-21-1823944398-2898753305-4095703837-125569
[root@sltltfsee samba]# wbinfo -s S-1-5-21-1823944398-2898753305-4095703837-125569
SL1\choatej 1
User can authenticate using ntlm_auth:
[root@sltltfsee samba]# ntlm_auth --username=choatej
Password:
NT_STATUS_OK: Success (0x0)
Attempting to access the share from a Windows client gives an "Access is denied" message.
From the smb log "smb.ltfsee.log"
[2015/01/14 16:26:02.882034, 3] ../source3/smbd/negprot.c:672(reply_negprot)
Selected protocol SMB 2.???
[2015/01/14 16:26:02.887418, 3] ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
Selected protocol SMB2_10
[2015/01/14 16:26:02.990573, 3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
Found account name from PAC: choatej [Choate, James]
[2015/01/14 16:26:02.990632, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
Kerberos ticket principal name is [choatej@SL1.MYDOMAIN.ORG]
[2015/01/14 16:26:02.991491, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
Username SL1\choatej is invalid on this system
[2015/01/14 16:26:02.991554, 1] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2015/01/14 16:26:02.996300, 3] ../source3/smbd/server_exit.c:221(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
Kerberos ticket was generated using 'net ads kerberos kinit -P'
[root@sltltfsee samba]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hubijarm_u@SL1.STLUKES-INT.ORG

Valid starting       Expires              Service principal
01/14/15 15:52:23    01/14/15 16:02:23    krbtgt/SL1.MYDOMAIN.ORG@SL1.MYDOMAIN.ORG
        renew until 01/21/15 15:52:23
I'm by no means a Kerberos expert, but if I have a generated ticket then what is being missed? Where is the "Username X is invalid on this system" message coming from?
Regards,
Shaun Anderson
"Aut viam inveniam aut faciam"
DISCLAIMER: The information in this message (and any attachments hereto) may be
confidential and protected from disclosure. If the reader of this message is
neither the intended recipient nor an agent responsible for delivering the
message to the intended recipient, you are hereby notified that any unauthorized
disclosure of this information is strictly prohibited. Any unauthorized
disclosure may cause the breaching party to be liable to ConvergeOne Holdings
Corp. and/or its subsidiaries and affiliates for damages. If you have received
this message in error, please notify the sender by replying to the e-mail
message, and delete it from your computer without reading it or saving it in any
manner.
Rowland Penny
2015-Jan-15 09:23 UTC
[Samba] Kerberos Authentication problem "Username X is invalid on this system"
On 14/01/15 23:33, Shaun Anderson wrote:
> [...]

Don't think this is going to work, you have 'default_realm = MYDOMAIN.ORG' in /etc/krb5.conf and 'realm = SL1.MYDOMAIN.ORG' in smb.conf.
You don't have *anything* in smb.conf to pull from the domain, you pull from outside the domain.
Do you realise that 'passwd: compat winbindd files' means 'passwd: files winbindd files' ?

Change /etc/nsswitch.conf to this:

passwd: compat winbindd
shadow: compat files
group: compat winbind

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
bootparams: nisplus [NOTFOUND=return] files
netmasks: files
publickey: nisplus
automount: files
aliases: files nisplus

Change /etc/krb5.conf to:

[libdefaults]
default_realm = SL1.MYDOMAIN.ORG
dns_lookup_realm = false
dns_lookup_kdc = true

Change /etc/samba/smb.conf to:

[global]
workgroup = SL1
security = ADS
realm = SL1.MYDOMAIN.ORG
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = LTFSEE Server
#WINBIND
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind normalize names = Yes
#IDMAP
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config SL1 : backend = ad
idmap config SL1 : range = 16777216-33554431
idmap config SL1 : schema_mode = rfc2307
template shell = /bash/bin
interfaces = eth1 lo
username map = /etc/samba/smbusers
guest ok = yes
printcap name = cups
cups options = raw
domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user

#LOGGING
log level = 3
log file = /var/log/samba/smb.ltfsee.log
max log size = 50

#General FS items
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = yes

#SHARES

[general]
path = /gpfs/ltfsee/general
read only = no
valid users = @"Domain Users"

The above are based on my *working* laptop.

It might be better if you leave the domain before changing the files, delete /etc/krb5.keytab if it exists, then rejoin the domain.

Rowland
Rowland Penny
2015-Jan-15 09:32 UTC
[Samba] Kerberos Authentication problem "Username X is invalid on this system"
On 15/01/15 09:23, Rowland Penny wrote:
> [...]

OOPS, I missed something else:

You have this in /etc/nsswitch.conf: 'passwd: compat winbindd files', it should be 'passwd: compat winbind'  #NOTE only one 'd' at the end.

Rowland
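The "Username X is invalid on this system" line is logged by get_user_from_kerberos_info (source3/auth/user_krb5.c, as the log excerpt in the question shows) when smbd cannot look up a Unix account for the name it mapped from the ticket. That lookup goes through the C library's NSS, not through winbindd directly, which is why wbinfo -i succeeds while smbd fails: with 'winbindd' in the passwd line of nsswitch.conf there is no libnss_winbindd module for glibc to load, so as far as getpwnam is concerned the user does not exist. What follows is an added example, not code from the thread or from Samba: a small POSIX shell lint that catches the three things the two replies point at (an NSS module name that does not exist, a krb5.conf default_realm that disagrees with the smb.conf realm, and the absence of a per-domain idmap config block). The sample files it checks are constructed from the posted and suggested configs, trimmed to the relevant lines; the list of known NSS module names is an assumption about a typical glibc install.

```shell
#!/bin/sh
# Added example (not code from the thread or from Samba): an offline lint for
# the three files the replies point at. It only reads files; it never talks
# to winbindd or a KDC. Sample inputs below are constructed from the thread.
set -f   # no globbing: nsswitch tokens such as [NOTFOUND=return] stay literal

# ini_get FILE SECTION KEY: print the first "key = value" under [SECTION];
# section and key match case-insensitively, ';' and '#' lines are skipped.
ini_get() {
    awk -v sect="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        -v key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*/, "", s)
                      insect = (tolower(s) == sect); next }
        insect && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# NSS module names glibc can load as libnss_<name>.so.2 on a typical install
# (assumed list; extend it for your distribution).
KNOWN_NSS="files compat winbind sss ldap nis nisplus db dns wins myhostname mdns4_minimal"

# nss_check NSSWITCH: the passwd and group lines must name only modules that
# exist and must include winbind. 'winbindd' (two d's) fails both tests.
nss_check() {
    rc=0
    for db in passwd group; do
        mods=$(grep -i "^[[:space:]]*$db:" "$1" | head -n 1 | sed 's/^[^:]*://')
        saw=0
        for m in $mods; do
            case "$m" in \[*) continue ;; esac        # action, e.g. [NOTFOUND=return]
            case " $KNOWN_NSS " in
                *" $m "*) ;;
                *) echo "nsswitch.conf: $db: unknown module '$m' (no libnss_$m.so.2)"; rc=1 ;;
            esac
            [ "$m" = winbind ] && saw=1
        done
        [ "$saw" -eq 1 ] || { echo "nsswitch.conf: $db: winbind is never consulted"; rc=1; }
    done
    return $rc
}

# realm_check KRB5 SMB: krb5.conf default_realm must equal the smb.conf realm.
realm_check() {
    kr=$(ini_get "$1" libdefaults default_realm | tr 'a-z' 'A-Z')
    sr=$(ini_get "$2" global realm | tr 'a-z' 'A-Z')
    [ -n "$kr" ] && [ "$kr" = "$sr" ] && return 0
    echo "realm mismatch: krb5.conf default_realm='$kr' vs smb.conf realm='$sr'"
    return 1
}

# idmap_check SMB: there must be an "idmap config <WORKGROUP> : ..." block, as
# the suggested smb.conf above has; otherwise only the '*' default is mapped.
idmap_check() {
    wg=$(ini_get "$1" global workgroup)
    grep -iq "^[[:space:]]*idmap config[[:space:]]*$wg[[:space:]]*:" "$1" && return 0
    echo "smb.conf: no 'idmap config $wg : ...' lines for the joined domain"
    return 1
}

# lint_all NSSWITCH KRB5 SMB: run every check; 0 only if all of them pass.
lint_all() {
    ok=0
    nss_check "$1" || ok=1
    realm_check "$2" "$3" || ok=1
    idmap_check "$3" || ok=1
    return $ok
}

# Constructed samples: ".posted" as in the question, ".fixed" as in the reply.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
printf 'passwd: compat winbindd files\nshadow: compat files\ngroup: compat winbind files\n' > "$DEMO/nsswitch.posted"
printf 'passwd: compat winbind\nshadow: compat files\ngroup: compat winbind\n' > "$DEMO/nsswitch.fixed"
printf '[libdefaults]\ndefault_realm = MYDOMAIN.ORG\ndns_lookup_kdc = true\n' > "$DEMO/krb5.posted"
printf '[libdefaults]\ndefault_realm = SL1.MYDOMAIN.ORG\ndns_lookup_kdc = true\n' > "$DEMO/krb5.fixed"
printf '[global]\nworkgroup = SL1\nrealm = SL1.MYDOMAIN.ORG\nsecurity = ads\n' > "$DEMO/smb.posted"
printf 'idmap config * : range = 16777216-33554431\nidmap config * : backend = tdb\n' >> "$DEMO/smb.posted"
printf '[general]\npath = /gpfs/ltfsee/general\n' >> "$DEMO/smb.posted"
printf '[global]\nworkgroup = SL1\nsecurity = ADS\nrealm = SL1.MYDOMAIN.ORG\n' > "$DEMO/smb.fixed"
printf 'idmap config * : backend = tdb\nidmap config * : range = 2000-9999\n' >> "$DEMO/smb.fixed"
printf 'idmap config SL1 : backend = ad\nidmap config SL1 : range = 16777216-33554431\n' >> "$DEMO/smb.fixed"

for v in posted fixed; do
    if lint_all "$DEMO/nsswitch.$v" "$DEMO/krb5.$v" "$DEMO/smb.$v"; then
        echo "$v configs: no problems found"
    else
        echo "$v configs: problems found"
    fi
done
```

On a real member server call lint_all /etc/nsswitch.conf /etc/krb5.conf /etc/samba/smb.conf; it reads files only, so it is safe to run on a production box. A clean lint does not prove the join works, though: follow it with getent passwd for a domain user (that exercises the same NSS path smbd uses) and a Kerberos-authenticated smbclient -k against the share, which is the only check that goes through the PAC and principal-mapping code in the log above.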