Hi All,

I have a SPARC Solaris 8 server running Samba 2.2.11 (which I compiled with winbind). The server has been running for years and has about 20 local users set up using local files for OpenSSH and rexec logins, and Samba shares. They each use Samba to map to their home directory and a common shared folder. They also use rexec and OpenSSH to log in on the command line. 4 users are in a special group called "sap" and only those 4 have write access to the shared folder; the rest are in a group called "dataentry" and only have read access to the shared folder.

I now have a requirement to have the Unix server get its passwords for these users from our Win2000 Active Directory server. I used this guide to try and set this up:

http://us3.samba.org/samba/ftp/docs/textdocs/Solaris-Winbind-HOWTO.txt

I am now able to map to the Samba share using winbind, but I have some problems:

1) When the users log in using ssh or rexec, they get the local UID, but when they map with Samba they get the UID from Samba and Active Directory. These do not match and I'm having permission problems. Also, when they log in locally, they get their group "sap" or "dataentry", but when they use winbind/AD to map they are in a group called "domain users", so the permissions are wrong here also. Is there a way to have them keep their UIDs and GIDs that I'm now using from local files when I switch to winbind and AD? The users have different groups for Unix local files and AD. If not, I have to change the perms on thousands of files.

2) I only want these 20 users to be able to map to the Samba share, but it seems that anyone in the Windows Active Directory can now map to this share. How do I only allow the 20 users to map?

3) I am trying to set up logins with rexec and OpenSSH to use winbind and Active Directory, but it's not working for me. I think my pam.conf is set up wrong. How can I fix this? Do I need to delete their entries from the local passwd, shadow and group files when I switch to AD?
Thank you in advance, gurus! Here is my pam.conf and my smb.conf:

root@egotest1:/export# cat /etc/pam.conf
#
#ident  "@(#)pam.conf   1.19    03/01/10 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth required   /usr/lib/security/pam_winbind.so
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_auth.so.1
login   auth required   pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient /usr/lib/security/pam_winbind.so
rlogin  auth sufficient pam_rhosts_auth.so.1
rlogin  auth requisite  pam_authtok_get.so.1
rlogin  auth required   pam_dhkeys.so.1
rlogin  auth required   pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient pam_rhosts_auth.so.1
rsh     auth required   pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite  pam_authtok_get.so.1
ppp     auth required   pam_dhkeys.so.1
ppp     auth required   pam_unix_auth.so.1
ppp     auth required   pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   account sufficient /usr/lib/security/pam_winbind.so
other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_dhkeys.so.1
other   auth required   pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required   pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required pam_projects.so.1
cron    account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite pam_roles.so.1
other   account required  pam_projects.so.1
other   account required  pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required  pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required  pam_dhkeys.so.1
other   password requisite pam_authtok_get.so.1
other   password requisite pam_authtok_check.so.1
other   password required  pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional  pam_krb5.so.1 try_first_pass
#login  auth optional  pam_krb5.so.1 try_first_pass
#other  auth optional  pam_krb5.so.1 try_first_pass
#cron   account optional pam_krb5.so.1
#other  account optional pam_krb5.so.1
#other  session optional pam_krb5.so.1
#other  password optional pam_krb5.so.1 try_first_pass

root@egotest1:/usr/local/samba/lib# cat smb.conf
# Global parameters
[global]
        workgroup = ego
        netbios name = egotest1
        wins support = Yes
        #security = share
        security = domain
        hosts allow = all
        encrypt passwords = Yes
        unix password sync = Yes
        passwd program = /usr/bin/passwd %u
        update encrypted = No
        lm announce = true
        log file = /var/adm/messages.smb

        # winbind
        # use uids from 10000 to 20000 for domain users
        winbind uid = 10000-20000
        # use gids from 10000 to 20000 for domain groups
        winbind gid = 10000-20000
        # allow enumeration of winbind users and groups
        winbind enum users = yes
        winbind enum groups = yes
        # give winbind users a real shell (only needed if
        # they have telnet access)
        #template homedir = /home/winnt/%D/%U
        template homedir = /export/%U
        template shell = /bin/bash

[export]
        path = /export
        comment = export
        browseable = yes
        writable = yes
        read only = No
        public = No

____________________________________
This e-mail message is for the sole use of the intended recipient(s) and may contain proprietary, confidential and/or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient (or an employee or agent responsible to deliver it to the intended recipient), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply e-mail.
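The fragments below are an added worked example of how the three problems in the mail above are usually addressed on a Samba 2.2 domain member; they are not part of the original post or of the Samba HOWTO. They assume that the AD login names (sAMAccountName) are the same as the Unix login names, that the OpenSSH sshd was built with PAM support and has PAM enabled in sshd_config (`UsePAM yes` on 3.7 and later, `PAMAuthenticationViaKbdInt yes` on older releases), and that the local /etc/passwd and /etc/group entries are kept. The file path for `username map` and the user name `jsmith` are hypothetical. The posted (weak) setting is named in the comments next to the corrected one.

```conf
# --- /etc/nsswitch.conf  (problem 1: local UIDs and GIDs must win) ---
# "files" before "winbind": a name that exists in /etc/passwd or /etc/group
# resolves to the local entry, so winbind never hands out a 10000+ uid/gid
# for one of the 20 existing users. Only names that are not in the files
# (other domain accounts) are looked up through winbind.
passwd:     files winbind
group:      files winbind

# --- /usr/local/samba/lib/smb.conf ---
[global]
        workgroup = ego
        netbios name = egotest1
        security = domain
        encrypt passwords = Yes
        # Problem 1: strip the "EGO\" prefix from the authenticated name so
        # smbd looks up "jsmith", which nsswitch resolves from the local
        # files above (local uid, local primary group).
        winbind use default domain = yes
        # Only needed if an AD login name differs from the Unix name.
        # Hypothetical file; one "unixname = EGO\adname" line per user.
        username map = /usr/local/samba/lib/smbusers
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        # Posted: "unix password sync = Yes" with "passwd program = /usr/bin/passwd %u".
        # Once the DC checks the passwords there is nothing local to keep in
        # sync, so smbd should not be running passwd(1) as root at all.
        unix password sync = No
        # Posted: "hosts allow = all". That restricts nothing; the per-share
        # "valid users" list below is what keeps the rest of the domain out.

[export]
        path = /export
        comment = export
        browseable = yes
        # Problem 2: only members of the two local Unix groups may connect.
        # "+" means "Unix group only"; "@" would consult an NIS netgroup first.
        valid users = +sap, +dataentry
        # Problem 1 (groups): the write/read split is enforced by Samba from
        # the local group file, so the AD primary group "domain users" is
        # irrelevant. "write list" overrides "read only" for its members.
        # Posted: "writable = yes" and "read only = No" (the same parameter
        # twice, both granting write access to everyone who could connect).
        read only = Yes
        write list = +sap
        public = No

# --- /etc/pam.conf  (problem 3: sshd and rexec logins) ---
# sshd and in.rexecd have no stanza of their own in the posted file, so they
# use the "other" entries. The posted file has no "other auth" winbind line
# at all, and "login" lists pam_winbind as "required", so a password that
# only AD knows can never satisfy the "required" pam_unix_auth that follows.
# "sufficient" lets winbind authenticate on its own; a local-only account
# falls through to pam_unix_auth exactly as before.
login   auth sufficient /usr/lib/security/pam_winbind.so
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_auth.so.1
login   auth required   pam_dial_auth.so.1

other   auth sufficient /usr/lib/security/pam_winbind.so
other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_dhkeys.so.1
other   auth required   pam_unix_auth.so.1

# The posted "other account sufficient pam_winbind.so" line sits among the
# auth entries; order in the file does not matter to Solaris PAM, but it
# belongs with the other account-management lines for readability.
other   account sufficient /usr/lib/security/pam_winbind.so
other   account requisite  pam_roles.so.1
other   account required   pam_projects.so.1
other   account required   pam_unix_account.so.1
```

With this layout the local passwd, shadow and group entries are not deleted; they are what preserve the existing UIDs, GIDs and file permissions. If AD is to be the only place a password is accepted, lock the local shadow entries (`passwd -l jsmith`) rather than removing them, so pam_unix_auth can no longer succeed on an old local password while the account keeps resolving to its local UID. Two things to verify after the change rather than assume: `id jsmith` and `getent group sap` should report the local numbers, and a second password prompt may appear for a local-only user when pam_winbind has already prompted and failed, since that depends on how pam_authtok_get treats an authentication token that is already set.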