Dear list,

I'm trying to get a Thumper (Sun Fire X4500) to play nice with AD so that we can offer a nearline storage service. Since many of our users will have multiple group memberships, it's imperative that samba be able to recurse through the groups that a user is a member of to determine if they have access to a resource. What happens instead is that every user who authenticates is assigned only one group, the "UIUC+domain users" group.

Example:

  # ls -l /export
  total 72
  d---rwx---   2 root           UIUC+domain users   8 Dec  4 14:12 arrakis
  d---rwx---+  3 UIUC+vanhoudn  UIUC+wsg staff      3 Dec  3 16:49 wsg
  # getent group UIUC+wsg\ staff
  UIUC+wsg staff:x:10031:UIUC+cyliang,UIUC+vanhoudn,UIUC+cgoldsmi,UIUC+hougland,UIUC+johnshea,UIUC+jbooth,UIUC+mchesnut,UIUC+dbweber
  # groups UIUC+vanhoudn
  UIUC+domain users
  # getent passwd UIUC+vanhoudn
  UIUC+vanhoudn:*:10000:10004:vanhoudn:/home/samba/UIUC/vanhoudn:/usr/bin/false

So, even though UIUC+vanhoudn is listed as a member of "UIUC+wsg staff", the groups command only sees that he is a member of "UIUC+domain users".

I figured that maybe this had something to do with nested groups, so I sat down with the docs. On page 256 of the Samba 3 howto, there is mention of setting this up using

  # net rpc group add ...

However, on my setup, it returns:

  Could not connect to server 127.0.0.1
  The username or password was not correct.
  Connection failed: NT_STATUS_LOGON_FAILURE

I'm assuming that this is because I'm using AD, instead of RPC. For example:

  # net rpc testjoin
  Unable to find a suitable server
  Join to domain 'UIUC' is not valid
  # net ads testjoin
  Join is OK

which demonstrates that AD is okay, and RPC is not.

Perhaps I'm barking up the wrong tree about nested groups. Any pointers to documentation (or just out-and-out fixes!) would be appreciated. Version information and my smb.conf file follow after my sig, in case they are useful to you.
Also, I mostly followed the howto here:

  http://blogs.sun.com/jurasek/entry/ads_domain_member_server1

to initially set it up. (Just in case that helps.)

Cheers,
Nathan VanHoudnos

Kernel version:

  # uname -a
  SunOS shai-hulud.cites.uiuc.edu 5.10 Generic_127112-02 i86pc i386 i86pc

Samba version:

  # /usr/sfw/smbd -V
  Version 3.0.25c

/etc/sfw/smb.conf:

  [global]
        realm = AD.UIUC.EDU
        workgroup = UIUC
        security = ADS
        use kerberos keytab = true
        encrypt passwords = yes
        server string = Samba 3.0.x ADS

        #Winbind configuration:
        winbind separator = +
        template homedir = /home/samba/%D/%U
        # Make their shell fail, just in case
        template shell = /usr/bin/false
        idmap domains = UIUC
        idmap config UIUC:default = yes
        idmap config UIUC:backend = tdb
        idmap config UIUC:range = 1000-200000
        idmap alloc backend = tdb
        idmap alloc config:range = 1000-200000

        # Stuff to get all the users via winbind
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nested groups = Yes
        idmap uid = 1000-200000
        idmap gid = 1000-200000

        # Logging
        log level = 5
        debug level = 3
        log file = /var/log/syslog/samba.log.%m

  [arrakis]
        path = "/export/arrakis"
        comment = "Arraken Test share"
        writeable = yes
        user = @"UIUC+domain users"
        vfs objects = zfsacl
        nfs4: mode = special

  [wsg]
        path = "/export/wsg"
        comment = "Only WSG should be able to access"
        writeable = yes
        valid users = @"UIUC+wsg staff"
        vfs objects = zfsacl
        nfs4: mode = special
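As an added check (not from the post or from Samba), the following sh/awk snippet cross-references the member lists that getent group returns against the GIDs a user actually receives, which is exactly the mismatch shown above; the sample data is constructed from the post's output, and the live mode assumes an id(1) that supports -G (on Solaris 10 that is /usr/xpg4/bin/id, not /usr/bin/id).

```shell
#!/bin/sh
# Added example, not part of the original post: report groups whose member
# list names a user but whose GID the system never actually hands that user.

# missing_groups USER GROUPDB GIDS
#   USER    - account name as NSS knows it (e.g. UIUC+vanhoudn)
#   GROUPDB - getent group output (name:passwd:gid:members)
#   GIDS    - space-separated GIDs the user really gets (id -G USER)
# Prints one group name per line for every mismatch; prints nothing when
# the supplementary groups agree with the group database.
missing_groups() {
  printf '%s\n' "$2" | awk -F: -v user="$1" -v gids=" $3 " '
    NF >= 4 {
      n = split($4, members, ",")
      for (i = 1; i <= n; i++)
        if (members[i] == user && index(gids, " " $3 " ") == 0)
          print $1   # group names may contain spaces; -F: keeps them whole
    }'
}

# Constructed sample mirroring the post: the group DB lists the user in
# "UIUC+wsg staff" (gid 10031), but groups(1) only reports "domain users".
SAMPLE_GROUP_DB='UIUC+domain users:x:10004:
UIUC+wsg staff:x:10031:UIUC+cyliang,UIUC+vanhoudn,UIUC+cgoldsmi'

# Live check against the running system; assumes a POSIX id(1) with -G
# (on Solaris 10 use /usr/xpg4/bin/id).
check_live() {
  missing_groups "$1" "$(getent group)" "$(id -G "$1")"
}

if [ $# -gt 0 ]; then
  check_live "$1"
else
  # Reproduces the post's situation: prints "UIUC+wsg staff".
  missing_groups UIUC+vanhoudn "$SAMPLE_GROUP_DB" "10004"
fi
```

Run it with a username to check a real box; an empty result means winbind is handing out every group the database says the user belongs to.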
> Sorry to bother you about another topic, but I've been trying to set up
> Winbindd on a Solaris workstation, and the issue for me is getting
> logins to work via PAM. Do you have a working pam.conf for Solaris that
> includes winbindd? For all of my web searching, I could never find one
> that worked right for me.

It's okay to bother, but I doubt that I can be much help. Since I don't want AD users to have shell accounts on the box, I intentionally left pam.conf well alone. I do, however, have a pam.conf-winbind that, I think, came with the SFW samba. I've included it in-line, after my sig.

Cheers,
Nathan VanHoudnos

#
#ident  "@(#)pam.conf-winbind   1.1     07/05/15 SMI"
#
# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth binding            pam_krb5.so.1
krlogin auth required           pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth binding            pam_krb5.so.1
krsh    auth required           pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth binding            pam_krb5.so.1
ktelnet auth required           pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account sufficient      pam_unix_account.so.1
other   account required        pam_winbind.so
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_winbind.so
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#