Some may remember all my issues trying to get one Samba server to mount
shares from another Samba server. Well, I decided to completely reformat
my laptop with Ubuntu 10.04, and start over (leaving the other Samba
server at Ubuntu 9.10)
(to recap - I have a Win2003 AD (not R2), with SFU installed)
I took the smb.conf from the 9.10 server (running 3.4.0) and loaded it
on the Ubuntu 10.04 laptop, which is running 3.4.7. The only editing I
did was to remove the share definitions, which don't exist on the laptop
(no shares defined at all). Also copied the krb5.conf, to configure
Kerberos. Cleared the /var/lib/samba, /var/cache/samba, /var/log/samba
directories. Even tho Ubuntu 10.04 seems to have the /etc/pam.d files
already configured for samba, I copied over the common-account,
common-auth, common-password, common-session files from the 9.10 server
to the 10.04 server. Did the same with the nsswitch.conf file.
Figured I should get identical results, right? HA! :-(
Got a ticket.
Joined the domain. It gave me an error message, something about the
client not existing in the Kerberos database. It worked, tho, as the
computer account did appear in AD.
wbinfo -t works.
wbinfo -u works.
wbinfo -g works.
If I use sudo, then wbinfo -a DOMAIN+user works. (I used "+" as a
delimiter)
Getent passwd fails.
Getent group fails.
I am seeing this, in log.winbind on the 10.04 server:
[2010/05/07 23:16:59, 1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
  error getting user id for sid S-1-5-21-2780757143-49591276-3462498634-500
[2010/05/07 23:16:59, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
  could not lookup domain user Administrator
[2010/05/07 23:16:59, 1] winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
  Could not get unix ID
and repeating, for all domain users.
I'm pretty much ready to just give up, and use the Windows installed on
this laptop. That one has no problem accessing shares from the Samba
server, or the Windows stations on the LAN.
Anyone? Please. :-)
Testparm of smb.conf: (I had to add the "idmap uid/gid" statements to
the 10.04 server)
[global]
    workgroup = DACRIB
    realm = DACRIB.LOCAL
    server string = %h server (Samba %v, Domain: %D, Server: %L - %R)
    security = ADS
    auth methods = winbind
    allow trusted domains = No
    map to guest = Bad User
    obey pam restrictions = Yes
    password server = dim-win2300.DaCrib.local
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    client NTLMv2 auth = Yes
    log level = 3
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    server signing = auto
    os level = 2
    local master = No
    domain master = No
    dns proxy = No
    eventlog list = Application, System, Security, SyslogLinux
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap uid = 100000-200000
    idmap gid = 100000-200000
    template shell = /bin/bash
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nss info = sfu
    winbind refresh tickets = Yes
    idmap config DACRIB: schema_mode = sfu
    idmap config DACRIB: range = 100000 - 200000
    idmap config DACRIB: backend = ad
    hide dot files = No

Testparm of smb.conf of 9.10 server:
[global]
    workgroup = DACRIB
    realm = DACRIB.LOCAL
    server string = %h server (Samba %v, Domain: %D, Server: %L - %R)
    security = ADS
    auth methods = winbind
    map to guest = Bad User
    obey pam restrictions = Yes
    password server = dim-win2300.DaCrib.local
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    client NTLMv2 auth = Yes
    log level = 4
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    server signing = auto
    os level = 2
    local master = No
    domain master = No
    dns proxy = No
    eventlog list = Application, System, Security, SyslogLinux
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    template shell = /bin/bash
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nss info = sfu
    winbind refresh tickets = Yes
    idmap config DCRIB:schema_mode = sfu
    idmap config DACRIB: range = 100000 - 200000
    idmap config DACRIB: backend = ad
    hide dot files = No
    wide links = No

Christian PERRIER
2010-May-08 08:00 UTC
[Samba] smb.conf works for 3.4.0; doesn't work for 3.4.7
Quoting Mike Leone (turgon at mike-leone.com):
> directories. Even tho Ubuntu 10.04 seems to have the /etc/pam.d files
> already configured for samba, I copied over the common-account,
> common-auth, common-password, common-session files from the 9.10 server
> to the 10.04 server. Did the same with the nsswitch.conf file.

This is very very probably the source of all your problems.

Even though I don't know the details of changes introduced in Ubuntu itself (not using Ubuntu myself), the 2:3.4.0-4 version of samba packages has seen changes in the way PAM modules, and particularly pam_winbind, are handled in samba packages postinst. If the version in Ubuntu 9.10 is lower than this, the chances that your manual changes broke the planned upgrade path are high.

All this is meant to cope with the pam-auth-update utility introduced in pam 1.0.1-6. So, these 3 files have the explicit mention:

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

> If I use sudo, then wbinfo -a DOMAIN+user works. (I used "+" as a delimiter)
>
> Getent passwd fails.
> Getent group fails.
>
> I am seeing this, in log.winbind on the 10.04 server:
>
> [2010/05/07 23:16:59, 1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
> error getting user id for sid S-1-5-21-2780757143-49591276-3462498634-500
> [2010/05/07 23:16:59, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
> could not lookup domain user Administrator
> [2010/05/07 23:16:59, 1] winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
> Could not get unix ID
>
> and repeating, for all domain users.
>
> I'm pretty much ready to just give up, and use the Windows installed on
> this laptop. That one has no problem accessing shares from the Samba
> server, or the Windows stations on the LAN.

Messing up with files owned by packages without letting the package maintainer scripts handle this properly for you is quite probably one of the reasons for your problems.

I suggest putting the common-* files you had after upgrading and before replacing them with those of 9.10 (you kept them somewhere, right?) in place and reconfiguring packages with "dpkg-reconfigure winbind".
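
Added example (not part of the thread and not Samba code): a parameter-by-parameter comparison of the two testparm dumps posted in the first message, applying the smb.conf rule that case and whitespace in section and parameter names are irrelevant. The excerpts are a constructed subset of the posted lines, and `parse` and `diff` are hypothetical helper names.

```python
import re

# Constructed excerpts: a subset of lines copied from the two testparm
# dumps in the first message (10.04 laptop and 9.10 server).
CONF_1004 = """\
[global]
    allow trusted domains = No
    idmap uid = 100000-200000
    idmap gid = 100000-200000
    idmap config DACRIB: schema_mode = sfu
    idmap config DACRIB: range = 100000 - 200000
    idmap config DACRIB: backend = ad
"""
CONF_910 = """\
[global]
    idmap config DCRIB:schema_mode = sfu
    idmap config DACRIB: range = 100000 - 200000
    idmap config DACRIB: backend = ad
    wide links = No
"""

def parse(text):
    """Return {(section, param): value}; names lower-cased, whitespace removed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comments
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                # section header such as [global]
            section = m.group(1).strip().lower()
            continue
        name, sep, value = line.partition("=")
        if sep:
            key = re.sub(r"\s+", "", name).lower()
            params[(section, key)] = value.strip()
    return params

def diff(a, b):
    """Return sorted (section, param, value_a, value_b) for every difference."""
    pa, pb = parse(a), parse(b)
    return sorted((s, k, pa.get((s, k)), pb.get((s, k)))
                  for s, k in pa.keys() | pb.keys()
                  if pa.get((s, k)) != pb.get((s, k)))

if __name__ == "__main__":
    for section, key, left, right in diff(CONF_1004, CONF_910):
        print(f"[{section}] {key}: 10.04={left!r} 9.10={right!r}")
```

On the real hosts, the same comparison can be run over the output of `testparm -s` saved from each machine.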