[Samba] User problem (samba, w2k3)

[Markus Klimke]

Hello all,

:: Strategy ::

I am using Samba 3.0.2a with security mode ADS, hooking a fileserver up 
to a W2k3 server and domain. The join worked as mentioned in the 
documentation. For auth of users I use nssldap to query the LDAP 
database of W2k3, so my windows users are visible either under linux and 
windows.

:: Problem ::

If I try to share the homes or other points I'm asked to type in a 
username and a password. When I type in a username, which is as 
described visible on both sides, windows says that this user is not 
valid to enter the share. As a workaround I used an "admin" entry in the 
smbpasswd, which has access to the shares. I think this is a very ugly 
hack. I also tried it with winbind, but it didn't work also. When I open 
the security tab under windows of a share or the subdirectories within, 
it shows entries like "FILER\user" which is not my domain just the samba 
server itself. Maybe this is correct, but I can't make any change of 
adding a user to the security context of windows.

I am not using the winbind name switch in nsswitch.conf and not any 
winbind pam auth, because of using nssldap for making users visible on 
linux and pam_krb5/pam_ldap for the auth. My W2k3 is operating in 
advanced mode (not native or mixed mode), which might be a problem, but 
I don't believe this. If I type "wbinfo -u" the users on windows side 
are listed, but not with the domain separator, just the user itself.

:: Question ::

How can I map samba shares with "security = ADS" on a windows machine, 
without using "smbpasswd"?

:: smb.conf ::

# Global parameters
[global]
         workgroup = DOMAIN
         realm = DOMAIN.DE
         security = ads
         password server = w2k3.domain.de
         encrypt passwords = yes
         #smb passwd file = /etc/samba/smbpasswd
	;; I don't want to use this line, because the documentation
	;; said I don't need this
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         os level = 10
         preferred master = no
         idmap uid = 500-6000
         idmap gid = 500-6000
         winbind separator = +
         winbind enum users = yes
         winbind enum groups = yes
         winbind trusted domains only = yes
	;; Catched the above line from a hint, which was mentioned
	;; to fix the problem

[homes]
         comment = %u's Home Directory
	;; This one's always showing, if smbpasswd entry above
	;; is enabled: "admin's Home Directory", where admin is
	;; is the smbpasswd entry to get shares mapped
         create mask = 0755
         read only = No
         browseable = No

[shared]
         comment = Share Point
         path = /shared
         read only = no
         browseable = yes

[backup]
         comment = Backup Repo
         path = /backup
         read only = yes
         browseable = no


Many thanks for every hint or assistance
Best regards
-markus