Ignacio Barrancos
2009-Aug-31 21:17 UTC
[Samba] Question about remote users and groups management
Hi all,

I have a RHEL5 update 3 x86_64 system, and I installed Samba 3.2.14-40 (from http://ftp.sernet.com/pub/samba/tested/rhel/5/x86_64/ ). I'm using OpenLDAP (2.3.43-3.el5, which comes with RHEL5u3) as the backend for winbind+samba in my PDC. With the samba-3.0.33 that comes with RHEL5u3, I couldn't get "eventlogadm" to work as explained in http://wiki.samba.org/index.php/Event_Logging; for this reason I upgraded samba to 3.2.14-40, and now everything works fine.

I have read http://wiki.samba.org/index.php/Ldapsam_Editposix and noticed the last section, "Managing your DB". Then I read "O'Reilly, Using Samba, 3rd edition". In chapter 9, section 7 ( http://book.opensourceproject.org.cn/sysadmin/samba/sambao3rd/opensource/0596007698/samba3-chp-9-sect-7.html ), I can see three figures, 9-14, 9-17 and 9-19, which show compmgmt.msc from a Windows XP/2k3 workstation connected remotely to a SLES9 computer (Linux with samba3), and it shows the "Users and Groups Management".

And ... here's my question: should this work on a Samba 3.2 PDC that uses LDAP+winbind as its backend? ... because I can't get it to work.

- From the console of Windows XP I can create users and groups in my domain with the NET USER/GROUP command perfectly.
- From Windows NT4 SP6 I can also create users and groups with user management, as stated in chapter 9.2 (http://book.opensourceproject.org.cn/sysadmin/samba/sambao3rd/opensource/0596007698/samba3-chp-9-sect-2.html).
- From Windows 2003, when I run dsa.msc and try to connect to my PDC, it can't connect to a pre-Windows 2000 domain, which I expected, because that seems to be a Samba4 feature.

... and I'm confused because I don't know whether samba3.2 should work or not, as these figures show.
Here I show my samba configuration file for my PDC:

-----------8<----smb.conf-----8<--------------
# "Using samba 3", chapter 9.2
#
[global]
netbios name = DRAW
workgroup = OP.CARM.ES
security = user
encrypt passwords = yes

## Enable as PDC
domain master = yes
domain logons = yes

## Configure as master browser
## See chapter 8.2.4, table 8.3
os level = 35
; os level = 34 ## For BDCs
preferred master = yes
local master = yes

## Enable management for Domain Admins
enable privileges = yes

## WINS configuration (enabled)
## See chapter 8, "Using Samba"
wins support = yes
; wins hook = /usr/local/bin/dns_update

## See 8.2.6 from the book
; remote browse sync = 147.84.32.76 147.84.32.77

## Default profile on logon
logon path =
; logon script = prueba.bat
; logon drive = Y:

## Some configurations
## /usr/share/doc/samba-3.0.33/Samba3-ByExample.pdf
## page 123
debug level = 1
log file = /var/log/samba/%m.log
max log size = 500
time server = yes
time offset = 60
load printers = no
printcap name = CUPS
socket options = SO_KEEPALIVE TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192

## More options
enhanced browsing = yes
; use spnego = yes
; client use spnego = yes
; client signing = auto
; server signing = auto

## Options proposed in
## http://wiki.samba.org/index.php/Ldapsam_Editposix
passdb backend = ldapsam
ldapsam:trusted=yes
ldapsam:editposix=yes
ldap admin dn = cn=admin,ou=op,o=carm,c=es
ldap delete dn = yes
ldap ssl = off
ldap idmap suffix = ou=idmap
ldap suffix = ou=domains,ou=op,o=carm,c=es
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap user suffix = ou=users

## I have commented this block out, because winbind says
## WARNING: idmap backend and idmap domains are mutually exclusive!
##
# idmap domains = OP.CARM.ES
# idmap config OP.CARM.ES:backend = ldap
# idmap config OP.CARM.ES:readonly = no
# idmap config OP.CARM.ES:default = yes
# idmap config OP.CARM.ES:ldap_base_dn = ou=idmap,ou=domains,ou=op,o=carm,c=es
# idmap config OP.CARM.ES:ldap_user_dn = cn=admin,ou=op,o=carm,c=es
# idmap config OP.CARM.ES:ldap_url = ldap://localhost
# idmap config OP.CARM.ES:range = 10000-20000
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=idmap,ou=domains,ou=op,o=carm,c=es
idmap alloc config:ldap_user_dn = cn=admin,ou=op,o=carm,c=es
idmap alloc config:ldap_url = ldap://localhost
idmap alloc config:range = 10000-20000

## See the Red Hat Kbase:
## http://kbase.redhat.com/faq/docs/DOC-4844
## http://kbase.redhat.com/faq/docs/DOC-4822
winbind separator = +
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes

## From the O'Reilly book, 10.5.2
winbind nested groups = yes

## O'Reilly book, chapter 9.7.2
svcctl list = cups crond httpd syslog

## O'Reilly book, chapter 9.7.3
## http://wiki.samba.org/index.php/Event_Logging
eventlog list = application system security syslog

[ netlogon ]
comment = Scripts de inicio de sesion
path = /var/lib/samba/netlogon
guest ok = yes
locking = no
writable = no
share modes = no
browseable = yes
-----------8<----smb.conf-----8<--------------

Thanks to all in advance, greetings,
Ignacio Barrancos.
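An added example, not part of the post or of Samba itself: a small smb.conf parser (comment markers, `[ section ]` headers with spaces, parametric `name:option=value` keys) plus a checker for the [global] settings this thread depends on, namely the PDC role, `enable privileges`, the ldapsam editposix backend, and the `idmap domains` / `idmap backend` combination that winbind warned the poster about. The embedded configuration is a constructed, shortened sample modelled on the poster's file.

```python
import re

# Constructed sample, shortened from the poster's smb.conf.
SAMPLE_SMB_CONF = """\
# "Using samba 3", chapter 9.2
[global]
workgroup = OP.CARM.ES
domain logons = yes
enable privileges = yes
passdb backend = ldapsam
ldapsam:editposix=yes
; wins hook = /usr/local/bin/dns_update
# idmap domains = OP.CARM.ES
idmap alloc backend = ldap
[ netlogon ]
path = /var/lib/samba/netlogon
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; '#' and ';' start
    comment lines, keys are lower-cased with whitespace collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[\s*(.+?)\s*\]$", line)
        if m:
            section = m.group(1).lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue  # stray or value-less line: ignore
        key, _, value = line.partition("=")
        conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf

def check_pdc_management(conf):
    """Return findings about the explicit [global] keys the thread relies on;
    an empty list means every check passed."""
    g = conf.get("global", {})
    findings = []
    for key in ("domain logons", "enable privileges", "ldapsam:editposix"):
        if g.get(key, "").lower() != "yes":
            findings.append(f"{key} is not set to yes")
    if not g.get("passdb backend", "").startswith("ldapsam"):
        findings.append("passdb backend is not ldapsam")
    if "idmap domains" in g and "idmap backend" in g:
        findings.append("idmap domains and idmap backend are both set")
    return findings
```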