[Samba] Problems with Samba 3.0.1 authenticating through AD

Justin Baugh justin.baugh at request.com
Mon Dec 22 19:31:18 GMT 2003


Hello,

I am trying to set up Samba 3.0.1 to be a member of Active Directory.
The setup is very simple: There is one Windows 2003 AD server on the 
network. Samba is running on FreeBSD 5.1R.

So far, I can successfully join the domain (using net ads join -U 
Administrator), and I can use kinit / smbclient successfully against the 
Windows domain controller (kinit user@REALM followed by smbclient -L 
\\host -k). However, whenever I try to authenticate against the machine 
running Samba from a Windows domain client, I get prompted for a 
username and password. Even if I enter in a valid domain username and 
password, Samba says that the password is incorrect.

Here is my smb.conf:

[global]

    server string = Samba 3.0
    security = ads
    load printers = yes
    log file = /var/log/samba/log.%m
    max log size = 500
    workgroup = REQUEST

    realm = CORP.REQUEST.COM
    encrypt passwords = yes
    debuglevel = 100
    socket options = TCP_NODELAY
    local master = no

    wins support = yes
    wins server = 10.1.8.7

    client use spnego = yes

A full debug log can be found at http://www.aosda.net/samba.txt .

I am confused by the fact that the logs seem to indicate it is using 
NTLM authentication - I thought with security = ads it was only supposed 
to use Kerberos?

Also, is it possible to use security = ads along with nss_ldap (i.e. 
Samba would get a static uid/gid/etc from an AD server for local use)? I 
suppose I am a bit confused as to how these different parts work 
together. Essentially, I want statically mapped uid/gids and usernames
across all machines.

Thanks for any help or pointers to documentation,

-Justin

