samba - Oct 2003 - 3.0.0-2 on RH9 as domain member of win2k domain - not able to write to shares...

Hi,

I'm unable to write to shares on the RH9 box from win2k clients.

Have successfully joined domain with 'net join ads'
getent passwd lists local unix users and win2k domain users successfully
I've mapped a DOMAIN+user_group to unix user_group, which 'net groupmap
list' shows successfully
I have tried various ways to give DOMAIN+user.name access to the share, by
changing the 'valid users =' line to inlcude: DOMAIN+user_group,
user_group, DOMAIN+user.name
Can browse successfully to share, but not able to write to share unless I give
write permissions to other/world
Logs show user from win2k client connecting to service as DOMAIN+user.name
win2k client recieves error: access denied.

[global]
   realm = DOMAIN.COM
   workgroup = DOMAIN
   server string = Samba Server
   hosts allow = 192.168. 127.
   printcap name = /etc/printcap
   load printers = yes
   log file = /var/log/samba/log.%m
   max log size = 50
   security = ads
   password server = DC1 DC2 DC3
# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
;  password level = 8
;  username level = 8
  encrypt passwords = yes
  smb passwd file = /etc/samba/smbpasswd
  unix password sync = yes
  passwd program = /usr/bin/passwd %u
;  passwd debug = yes
  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n
*passwd:*all*authentication*tokens*updated*successfully*
;  username map = /etc/samba/smbusers
;   include = /etc/samba/smb.conf.%m
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   local master = no
   domain master = no 
   preferred master = no
   name resolve order = host wins lmhosts bcast
   dns proxy = yes 
# separate domain and username with '+', like DOMAIN+username
     winbind separator = +
     # use uids from 10000 to 20000 for domain users
     winbind uid = 10000-20000
     # use gids from 10000 to 20000 for domain groups
     winbind gid = 10000-20000
     # allow enumeration of winbind users and groups
     winbind enum users = yes
     winbind enum groups = yes

 [share]
   comment = Test Dir
   path = /home/share
   guest ok = no
   browseable = yes
   writable = yes
   share modes = yes
   valid users = DOMAIN+user_group
   hide dot files = yes

What I'd like to be able to do is control access to shares using
DOMAIN+user_group to unix user_group mappings - do I need to map
DOMAIN+user.name to a unix user.name as well, for every user within the group?

Hope you can help.

Luke.

______________________________________________________________________
Any views or opinions expressed in this e-mail are solely those of the author
and do not necessarily represent those of ENDEMOL UK plc unless specifically
stated.
This email and the information it contains are confidential and intended solely
for the use of the individual or entity to which it is addressed. If you have
received this email in error please notify us immediately and delete the copy
you have received from your system.
You should not copy it for any purpose, re-transmit it, use it or disclose its
contents to any other person. If you suspect the message may have been
intercepted or amended please call the sender.