[Samba] comments/questions about HOWTO collection contents

[Alan Munter]

I am trying to get Samba 3.0.0 going on a RedHat 9.0 machine to join my
Win 2003 ADS domain and use winbind for authentication and running into
snags getting shares, local login permissions, and PAM to work
consistently.

I am trying to follow the instructions in chapter 7 (mostly 7.4) and
chapter 21 and am finding some confusing things.

In 7.4.1 the first line that must be in smb.conf is 

realm = your.kerberos.REALM

given all of the issues with case-sensitivity and kerberos realms I am
not sure if that means that I should use the FQDN of my AD domain, if it
should be in all caps, or lowercase or what.  Does the case matter for
that statement?

Next, in 7.6.3 it says that Windows 2003 requires SMB signing and gives
the option "client use snpego = yes" to use.  Well, I forgot to add this
one before doing the "net ads join" stuff (since it was at the end of
the chapter way after the net ads commands and I did not read the whole
chapter first), and I was still able to join the domain and verify that
it created a computer account for my Samba workstation.  Not sure what
the signing is used for.  Maybe this is the result of the functional
level of my AD domain?

Actually, I am also confused about functional levels.  Microsoft, in the
help pages for domain functional levels in Server 2003, lists 4
different domain functional levels and 3 different forest functional
levels for the Windows 2003 Server.  The 4 domain functional levels
are:  Windows 2000 mixed, Windows 2000 native, Windows Server 2003
interim, and Windows Server 2003.  The 3 forest functional levels are:
Windows 2000, Windows Server 2003 interim, Windows Server 2003.  The
interim levels are related to upgrading from an NT4 to 2003 domain, but
the others are all selectable on the Win2003 DC.  

I have gotten various responses to questions about which of those
functional levels is compatible with having Samba 3.0 join the domain as
a full member.  I think that section 7.6.3 should include that kind of
info (or if it exists elsewhere in the docs and I am just an idiot for
not finding it I take the blame. 8) ).  

Next, in 21.5.3.3 the uid and gid map lines given in the winbind config
example look wierd to me since the two of them are not consistent: one
uses idmap and one uses winbind.  In searching the lists I see some
people using idmap uid and idmap gid and some people using winbind uid
and winbind gid and even others using winbind idmap uid and winbind
idmap gid.  Which is it?

Next, in 21.5.3.4 the example does not seem to match the paragraph above
it.  The whole command confuses me.  I thought the command would be
something like

root# net ads join -S PDC -U Administrator

not 

root# net rpc join...

also the paragraph says that the commands makes the Samba server join
the PDC domain.  Seems like it should read "make the Samba server join
the domain controlled by the server called PDC."  It goes on to say
"where DOMAIN is the name of your Windows domain." but DOMAIN is not
used in the example.  Anyway, I think I understand what it is trying to
say, but it is still confusing.

Lastly, the last sentence of 21.5.3.6 says 

"If you restart the smbd, nmbd, and winbindd daemons at this point, you
should be able to connect to the Samba server as a Domain Member just as
if you were a local user."

I am not sure how to test this.  Does that mean that I should be able to
go to some Windows machine that is part of the domain, log on with a
domain account, browse to my Samba server, double-click, type my domain
username/password, and access the server?

Basically since I am new to this stuff I am just adding options and
taking them out randomly in some cases.  For instance, like the "winbind
use default domain = yes" option in smb.conf (which I found out about
through reading the list archives).  This is not in the HOWTO collection
anywhere, but it seems to have a big difference on how it all works.  It
stops the domain from being prepended to your users and groups.  I
briefly had the sshd setup working with winbindd in PAM and before
adding the winbind use default domain line I had to type
"MYDOMAIN+username" to log in locally to the Linux machine.  Not sure if
that is how it is supposed to work or not.

OK.  Too long already.  The most valuable feedback for me from one of
the samba.org addresses would be probably info about how much they
charge per hour for configuration consulting (over the phone, email, or
using a login to poke at the config files) if such is available.  That
would solve two of my problems: give something back to the creators of
this amazing product and get my config up and humming in the shortest
amount of time.

Thanks,

Alan
-- 
Alan E. Munter                         NIST Center for Neutron Research
Physical Scientist                     100 Bureau Dr., Stop 8562
alan.munter at nist.gov                   Gaithersburg, MD 20899-8562
http://www.ncnr.nist.gov/              (301)975-6244