samba - Nov 2003 - Samba 3 & ADC problem.

Greetings all.

I am banging my head about this one, I will try to be as specific as
possible, bear with me please.

I have a W2KDC ADC, and trying to join a Samba 3 linux workstation to it.

What works:

net join:? succeeded

wbinfo -t:? checking the trust secret via RPC calls succeeded

wbinfo -m: return to prompt, no output

wbinfo -u: correct list of local + AD members

wbinfo -g: correct list of local + AD groups

kinit: succeeded

klist output for root from the samba machine:
Default principal: sambasol@THIS.DOMAIN

Valid starting     Expires            Service principal
11/04/03 23:35:33  11/05/03 09:35:33  krbtgt/THIS.DOMAIN@THIS.DOMAIN
11/04/03 23:37:26  11/05/03 09:35:33  adc1$@THIS.DOMAIN
11/05/03 00:28:14  11/05/03 09:35:33  samba1$@THIS.DOMAIN


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

pam.d/login modified and working
??? AD users can log into local terminal of samba
??? machine, and if home dir is missing, created
??? via use of pam_mkhomedir

telnet/ssh/ftp/etc. all working with local & AD accounts

No accounts in AD overlap linux system accounts

Any windows (all WinXP Pro or Win2K) client's shares can
??? be accessed from the samba/linux system, including any
?? dfs from the AD system.? Example:
?????? smbclient -k //adc1/dfs1
??? Succeeds.

Any windows client's shares can be accessed from any other
?? windows client, or the AD server.

What DOESN'T work:

Cannot access any samba shares on the linux machine, from
? the samba system itself, or any windows client.

smbclient -k //samba1/tmp
session setup failed: NT_STATUS_LOGON_FAILURE

However, I can do this:
smbclient //samba1/tmp
Enter password when prompted, and access success.

Of course, any windows client cannot access the samba shares at all, cannot
even browse the machine's share list, and it does not show up in Network
Places although all other systems do.

/etc/samba/smb.conf: (edited for brevity)

[global]
?????? ?workgroup = THIS
??????? realm = THIS.DOMAIN
??????? security = ADS
        netbios name = SAMBA1
??????? map to guest = Bad User
??????? obey pam restrictions = Yes
??????? password server = *
??????? wins server = 50.50.50.50? #(IP of ADS)
??????? idmap uid = 10000-20000
??????? idmap gid = 10000-20000
??????? template shell = /bin/bash
??????? winbind separator = +
??????? winbind use default domain = Yes

[homes]
??????? comment = Home Directories
??????? path = %H
??????? valid users = %S
??????? read only = No
??? ????create mask = 0600
??????? directory mask = 0700
??????? browseable = No

[tmp]
??????? comment = Temporary file space
??????? path = /tmp
??????? read only = No
??????? guest ok = Yes

Ron L. Smith

>??????? obey pam restrictions = Yes
OMG... ok, after careful backtracking and following through not the howto,
but the smb.conf documentation (btw, not blaming the howto here, but
myself).. obey pam restrictions, of course, was causing the problem.

I changed a couple things to get homes to work right, perhaps not the
prettiest, but I'm tired LOL:

Template homedir = /home/THIS/%S

[homes]
??????? comment = Home Directory
        browseable = No
??????? read only = No
??? ????create mask = 0600
??????? directory mask = 0700
        path = /home/THIS/%S


Ron L. Smith