I've been following the forums on this subject. I am still having problems implementing this at my site. I am trying to replace a Novell 5 file server doing single server signon (workstation manager) with a linux/samba server and a W2K ADS server. I tried this with slackware 10.0, samba 3.0.10, MIT krb5 v 3.1 5, openldap-2.1.22 and got it pretty close (could login without password but had trouble creating users and groups). Decided to reload from scratch to clean up and load newest versions (and to understand more).

I now have the following:

    W2K ADServer = W2KADS.OURORG.OURDOMAIN.ORG
    Slackware/Samba server = OURSAMBASERVER
    HP570ML G3 w/Compaq Smart array 640
    Slackware 10.1
    2.4.29 kernel

Loaded the following:

    Kerberos krb5-1.4
    OpenLDAP openldap-2.2.23 (Loaded for libraries)
    Samba 3.0.11 (patched for clitar error)

copied /usr/local/samba-3.0.10/source/nsswitch/libnss_winbind.so /lib

Added entries in /etc/hosts and in W2KADS %Systemroot%\System32\drivers\etc\hosts

Don't know if I need to but:

    added root and administrator w/smbpasswd
    added root = administrator admin and nobody = guest pcguest smbguest to smbusers

Changed administrator password on W2KADS

sync date/time

    kinit administrator@OURORG.OURDOMAIN.ORG
    OK

klist gives:

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator@OURORG.OURDOMAIN.ORG

    Valid starting     Expires            Service principal
    02/15/05 15:56:07  02/16/05 01:56:20  krbtgt/OURORG.OURDOMAIN.ORG@OURORG.OURDOMAIN.ORG
            renew until 02/16/05 15:56:07

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

When I try:

    net ads testjoin
    [2005/02/15 15:59:20, 0] libads/kerberos.c:ads_kinit_password(146)
      kerberos_kinit_password OURSAMBALINUX$@OURORG.OURDOMAIN.ORG failed: Client not found in Kerberos database
    [2005/02/15 15:59:20, 0] libads/kerberos.c:ads_kinit_password(146)
      kerberos_kinit_password OURSAMBALINUX$@OURORG.OURDOMAIN.ORG failed: Client not found in Kerberos database
    [2005/02/15 15:59:20, 0] utils/net_ads.c:ads_startup(186)
      ads_connect: Client not found in Kerberos database
    Join to domain is not valid

???????????????????????????????????

but if I:

    net ads join -U administrator
    administrator's password:
    Using short domain name -- OURORG
    Joined 'OURSAMBALINUX' to realm 'OURORG.OURDOMAIN.ORG'

I then start nmbd, winbindd and smbd

    wbinfo -t
    checking the trust secret via RPC calls succeeded

getent passwd only brings back local samba users. I understand this is not right (it used to bring back linux and ADS users on my old setup).

What do I check now???????????????????????????????

Following are my config files:

#etc/resolv.conf

    search OURORG.OURDOMAIN.ORG
    domain OURORG.OURDOMAIN.ORG
    nameserver OURNAMESERVER1
    nameserver OURNAMESERVER2
    nameserver OURNAMESERVER3
    nameserver OURNAMESERVER4
    nameserver (our W2KADS IP)

# more /etc/krb5.conf

    [libdefaults]
        default_realm = OURORG.OURDOMAIN.ORG

    [realms]
        OURORG.OURDOMAIN.ORG = {
            kdc = W2KADS.OURORG.OURDOMAIN.ORG:88
            admin_server W2KADS.OURORG.OURDOMAIN.ORG:749
            default_domain = OURORG.OURDOMAIN.ORG
        }

    [domain_realm]
        .ourorg.ourdomain.org = OURORG.OURDOMAIN.ORG
        ourorg.ourdomain.org = OURORG.OURDOMAIN.ORG

    [logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

# /etc/nsswitch.conf

    passwd: compat winbind
    group: compat winbind
    hosts: files dns wins
    networks: files dns
    services: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    netgroup: files
    bootparams: files
    automount: files
    aliases: files

/usr/local/samba/lib/smb.conf

    # Global parameters
    [global]
        unix charset = LOCALE
        workgroup = OURORG
        netbios name = OURSAMBALINUX
        realm = OURORG.OURDOMAIN.ORG
        server string = OURORG Samba linux
        security = ADS
        password server = W2KADS.OURORG.OURDOMAIN.ORG
        username map = /etc/samba/smbusers
        log level = 3
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 50
        add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
        ldap ssl = no
        idmap uid = 10000-90000
        idmap gid = 10000-90000
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind separator = +

    [public]
        comment = Data
        path = /home/public
        read only = No

    [locale]
        comment = usr local
        path = /usr/local
        valid users = @%D+Support
        read only = No

    [homes]
        comment = Home Directories
        path = /home/%U
        valid users = %S
        read only = No
        browseable = No

    [o_drive]
        comment = o_drive
        path = /home/o_drive
        valid users = @%D+oadmin
        inherit permissions = Yes
        read only = no
        # force user = smbuser
        # force group = nobody

    [p_drive]
        comment = p_drive
        path = /home/p_drive
        valid users = @%D+padmin
        inherit permissions = yes
        read only = yes
        # force user = smbuser
        # force group = nobody

    [web]
        comment = Private web
        path = /home/web
        read only = No

    [printers]
        comment = SMB Print Spool
        path = /var/spool/samba
        guest ok = Yes
        printable = Yes
        browseable = No

    [print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        admin users = root, Administrator

testparm gives No errors
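
Added example, not part of the original post: glibc loads an NSS service named X from libnss_X.so.2, so the nsswitch.conf entries and the library copy step described in the post can be checked together. The function names, the list of library directories searched and the demo_tree sample root are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the original post): list NSS services that
# nsswitch.conf names for passwd/group but that glibc cannot load,
# because no libnss_<service>.so.2 exists in the library directories.

# nss_services FILE DATABASE: print the service names for one database.
nss_services() {
    # Drop comments and [STATUS=action] items, then split the line.
    sed -e 's/#.*//' -e 's/\[[^]]*]//g' "$1" |
        awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) print $i }'
}

# nss_missing_modules ROOT: print "database service" per missing module.
# The directory list is an assumption; adjust it for the distribution.
nss_missing_modules() {
    root=$1
    for db in passwd group; do
        for svc in $(nss_services "$root/etc/nsswitch.conf" "$db"); do
            found=no
            for dir in lib lib64 usr/lib usr/lib64; do
                if [ -e "$root/$dir/libnss_$svc.so.2" ]; then found=yes; fi
            done
            if [ "$found" = no ]; then echo "$db $svc"; fi
        done
    done
}

# demo_tree DIR: constructed sample root mirroring the post: winbind is
# listed in nsswitch.conf, but only libnss_winbind.so was copied to /lib.
demo_tree() {
    mkdir -p "$1/etc" "$1/lib"
    printf 'passwd: compat winbind\ngroup: compat winbind\nhosts: files dns wins\n' \
        > "$1/etc/nsswitch.conf"
    : > "$1/lib/libnss_compat.so.2"
    : > "$1/lib/libnss_winbind.so"
}

# Usage: sh check_nss.sh /      (checks the running system)
if [ "$#" -gt 0 ]; then nss_missing_modules "${1%/}"; fi
```

An empty result means every service listed for passwd and group has a module file present; it does not show that winbindd itself is answering, which wbinfo -u and wbinfo -g test separately.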