samba - Sep 2009 - Can't find users from WinXP with Samba+ADS+ACL environment

Hi all:

I'm running Samba 3.3.7 as a member of an ADS domain. I configured ACLs that
are working almost fine (I'll ask about this later), and I'm trying to
delegate administration like this:

1. I'm using "acl group control = yes" and changing the primary
group owner
of a directory to let users member of that group change ACLs settings.
2. From a Windows XP machine I select the Security tab, then the button Add
and then I write the username to add (i.e bob user) but I'm asked about an
authorized username/password. I enter Administrator username with his
password which get validated correctly but Windows XP says that can't find
'bob' username.

Why can't WinXP find bob username? From the Samba machine I'm able to
see
that user from 'wbinfo -u' and 'getent passwd' list. Is it
correct that
WinXP tries to find usernames from the Samba server instead from the AD
Server?

This is the current sceneario:

- Samba server and AD Server are in a network working fine
- WinXP is connected via OpenVPN to that network and access Samba shares
with a valid username/password
- WinXP isn't joined to the ADS domain.

Is it mandatory for WinXP to be part of the domain to get the list of users
correctly?

I hope someone can help me. Thanks

> Windows XP says that can't find 'bob' username.
I'm not 100% sure of the situation, but if you're using local accounts
(particularly when you are on a domain) you will usually have to put the
machine name in where the domain would go, e.g. the username is
"SAMBAPC\bob"
> Why can't WinXP find bob username? From the Samba machine I'm able
to see
> that user from 'wbinfo -u' and 'getent passwd' list. Is it
correct that
> WinXP tries to find usernames from the Samba server instead from the AD
> Server?
> Is it mandatory for WinXP to be part of the domain to get the list of users
> correctly?
If XP is *not* in the domain but Samba is, then I'm not sure how it
would work.  You would need to put usernames in of the form
"DOMAIN\user" for the Samba server to understand them, but then if you
did this XP would probably look for a domain instead of forwarding the
name onto Samba as-is.

You may need to look at username mapping to get this to work without the
XP machine being on the same domain as Samba.

Cheers,
Adam.