Hello I am new to this post. My current setup is
this.
2003 R2 with Identity Management installed - I have
statically mapped unique Unix attributes (UID and
GID) to each user.
Multiple CentOS 4.4 servers with Samba 3.0.25a-32
installed.
Everything works great: wbinfo -u -g -t, getent passwd
group.
But when I access any shares I get this error message.
[2007/06/11 11:27:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username DOMAIN\COMPUTER-NAME$ is invalid on this system
SMB.CONF
[global]
workgroup = DOMAIN
realm = DOMAIN.NET
server string = File Server
security = ADS
password server = *.*.98.3
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n*passwd:*all*authentication*tokens*updated*successfully*
use kerberos keytab = Yes
log file = /var/log/samba/%m.log
max log size = 50
smb ports = 139
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = cups
preferred master = No
local master = No
domain master = No
dns proxy = No
wins server = *.*.98.3
idmap backend = ad
template shell = /bin/nologin
winbind cache time = 3600
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
[Public]
comment = Group Shares
path = /smb/public
read only = No
If I take out idmap backend = ad and add the idmap uid
and gid = commands and let winbind map the accounts
the errors go away, but I want the servers to get
all the UID and GID info from AD. Is this a Kerberos
timing issue? My DC and Samba servers are separated
by T-1 links that are not heavily used.
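Added example, not part of the original post: a small Python parser for smbd log entries in the format quoted above. It lists every name rejected with "is invalid on this system" and separates machine accounts (names ending in $) from user accounts. The sample log is constructed and jsmith is a hypothetical user.

```python
import re
from collections import Counter

# Constructed sample in the format of the log entry quoted in the post.
# The second entry is wrapped mid-message and the last has a wrapped header.
SAMPLE_LOG = """\
[2007/06/11 11:27:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username DOMAIN\\COMPUTER-NAME$ is invalid on this system
[2007/06/11 11:27:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username DOMAIN\\COMPUTER-NAME$ is invalid on this
  system
[2007/06/11 11:28:02, 1]
smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username DOMAIN\\jsmith is invalid on this system
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*\d+\]\s*(.*)$")
INVALID = re.compile(r"Username (.+?) is invalid on this system")


def entries(text):
    """Yield (timestamp, message), folding continuation lines into one string."""
    stamp, parts = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if stamp is not None:
                yield stamp, " ".join(parts)
            rest = m.group(2).strip()
            stamp, parts = m.group(1), ([rest] if rest else [])
        elif stamp is not None and line.strip():
            parts.append(line.strip())
    if stamp is not None:
        yield stamp, " ".join(parts)


def rejected_accounts(text):
    """Count rejected names: (machine accounts ending in $, user accounts)."""
    machines, users = Counter(), Counter()
    for _, msg in entries(text):
        m = INVALID.search(msg)
        if m:
            name = m.group(1)
            (machines if name.endswith("$") else users)[name] += 1
    return machines, users


if __name__ == "__main__":
    machines, users = rejected_accounts(SAMPLE_LOG)
    print("machine accounts:", dict(machines))
    print("user accounts:", dict(users))
```

Each name it reports can then be checked on the Samba server with getent passwd, the same lookup the post already uses for user accounts.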