samba - Jul 2003 - Samba 3.0 + Active Directory + Debian + Profiles?

How on earth do i make Debian/Unstable play nice and use Samba 3.0 as a
member server in a AD-Domain running in Native Mode, and be able to
store user profiles on the Samba server? I just can make no heads nor
tails from any documentation, have I missed something fundamental?
Adding the server to the domain was easy enough. But then user
authentication does not seem to work?

>How on earth do i make Debian/Unstable play nice and use Samba 3.0 as a
>member server in a AD-Domain running in Native Mode, and be able to
>store user profiles on the Samba server? I just can make no heads nor
>tails from any documentation, have I missed something fundamental?
>Adding the server to the domain was easy enough. But then user
>authentication does not seem to work?
Maybe I am closer then I thought. 

I removed samba completely, reinstalled it, joined it to the domain, and
"net ads" sort of started to work, I got a "no credential in
cache" from
Kerberos. 

And when doing a net view from a windows box, I get "access denied"
and
the following in my logs.

==> log.nwl105 <=[2003/07/23 10:49:02, 1]
libads/kerberos_verify.c:ads_verify_ticket(91)
  krb5_parse_name(HOST/ndc5-router-1@) failed (Malformed representation
of principal)
[2003/07/23 10:49:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(175)
  Failed to verify incoming ticket!

==> log.smbd <=[2003/07/23 10:49:02, 1] sam/idmap_tdb.c:db_idmap_init(487)
  idmap uid range missing or invalid
  idmap will be unable to map foreign SIDs
[2003/07/23 10:49:02, 1] sam/idmap_tdb.c:db_idmap_init(499)
  idmap gid range missing or invalid
  idmap will be unable to map foreign SIDs

where should I be looking?

>How on earth do i make Debian/Unstable play nice and use Samba 3.0 as a
>member server in a AD-Domain running in Native Mode, and be able to
>store user profiles on the Samba server? I just can make no heads nor
>tails from any documentation, have I missed something fundamental?
>Adding the server to the domain was easy enough. But then user
>authentication does not seem to work?
Ok, now I added "realm = NWL.SE" to my smb.conf, and now I get

==> log.ndc2-w2k-1 <=[2003/07/23 11:00:01, 1]
smbd/sesssetup.c:reply_spnego_kerberos(221)
  Username Administrator is invalid on this system
[2003/07/23 11:00:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(221)
  Username Administrator is invalid on this system

Seem to be a step forward, but not there yet....

Hi Jan,

Jan Johansson wrote on Wednesday, 23 July 2003 8:49
p.m.:
> ==> log.smbd <=> [2003/07/23 10:49:02, 1]
sam/idmap_tdb.c:db_idmap_init(487)
>   idmap uid range missing or invalid
>   idmap will be unable to map foreign SIDs
> [2003/07/23 10:49:02, 1] sam/idmap_tdb.c:db_idmap_init(499)
>   idmap gid range missing or invalid
>   idmap will be unable to map foreign SIDs
Add the following settings in smb.conf and restart winbind:

        idmap uid = 10000-65000
        idmap gid = 10000-65000

One good way to test if you have things set right is to use the wbinfo
command (eg. wbinfo -u). If this correctly lists domain users, great. If
not, check the winbind log file for details.

Cheers,
Paul