samba - Jul 2008 - Samba 3.2 experiences

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I've been trying to get Samba 3.2 to work in the past few days, and I'm
running into a few problems which I have been unable to solve myself.

My first problem isn't blocking for me, but it seems not consistent with
documentation. I can't join my server using a domain admin's kerberos
ticket. I need to specify "-U <username" and then type in the
password
to join.

The second problem is weird, and I'm not sure if it's a problem, but
when I join the domain (with specifying -U <username>) I get an error
telling me that it failed to create the Kerberos keytab. If I run a
testjoin after that it tells me everything is okay :-)
Output of a "net ads join -d3" and a listing of the created keytab
over
here: http://pastebin.org/56716

So far I've assumed that the error about not being able to join the
domain is bogus, since everything appears to be working. A "wbinfo -u"
returns all users it ought to report.
However, I can't get the nss details from the trusted domain. It's
working awesome for the primary domain though (where the Samba machine
is in itself). What am I doing wrong here? Please see my smb.conf linked
at the bottom.

I hope I'm providing enough information, if not, please let me know and
I'll provide whatever is needed

Thanks in advance,

Jelmer Jaarsma

== Configuration details =
I'm using Ubuntu Hardy 8.04 with the package from the Intrepid
repository (which is synched with Debian), currently at version
3.2.0-4ubuntu1. I also build the package for libtalloc1 from Intrepid
(version 1.2.0~git20080616-1) which is Jelmer Vernooij's package)

My smb.conf: http://pastebin.org/56705
My krb5.conf: http://pastebin.org/56707

Our Windows environment exists of w2k8 servers, running in w2k3 native
mode. We have 4 domains in total with some trusts in between them, the
domains are: KA, VANCIS, PROJECTS and VPROJECTS.

KA and VANCIS trust eachother
KA and PROJECTS trust eachother
VANCIS and VPROJECTS trust eachother

All trusts are 2-way, non-transitive

The schema for the KA and VANCIS domains have been extended with the
rfc2307 schema and for the relevent users and groups the details have
been filled in.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIiJHr3bV1+S5veEgRAoiFAJ0TfmZv5uwrOz6gvnt67PJMm8P/GACeKr1h
ltB8xrScx7MEgzbHaRzHlLM=zW/2
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Doh, I forgot 1 important thing in my story, the log entries produced in
log.winbindd when I do a "getent passwd":

For each user in 1 of the trusted domains, an entry like this is logged:

[2008/07/24 17:07:21,  1] winbindd/winbindd_user.c:winbindd_getpwent(766)
  could not lookup domain user jelmeradmin


Once again, all rfc2307 fields are present in the trusted domain
(VANCIS), nss lookups using libnss-ldap function properly, but I would
like it to be handled with winbind.

Regards,

Jelmer Jaarsma
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIiJuH3bV1+S5veEgRAjiAAJ9KZPvhgZcC+/vacLYEHGiWmhfehgCfRbSp
/tGTY04sRTIdy71tjlwIOVM=uTFU
-----END PGP SIGNATURE-----