[Samba] NT4 Domain Member Server Access Denied v3.07
Dennis
nipperdj at horsescare.com
Thu Oct 7 00:02:28 GMT 2004
I want to set up a Samba Server (Cactus_3) as member server in our NT4
domain (PDC is Cactus_1, BDC is Cactus_2). We have about 50 client
workstations most of which are WinXP but we have a few Win2K and Win98
machines. Shortly we will migrate off the NT4 servers but in the
meantime we wish to test some real time scenarios. It is for this
reason that I want SSO so the tests are transparent to the users. I
don't want to replicate 40 users into the unix environment. I followed
the setup in Chapter 2 of the HOWTO Collection for a Domain Member server.
I am using Samba 3.07 on Suse 9.1. My smb.conf file follows the
signature line as well as nsswitch.conf file.
I have reread chapters 3,6, & 9 from the HOW-TO Collection. I have read
through the archives for October & September and googled the user group,
but I am still not finding what I am missing. Here is an outline of
what's happening.
1) "linux~# net rpc join -U<domainadmin>%<password>" works, at least it
responds with 'Joined domain DOMAIN'.
2) "linux~# wbinfo --set-auth-user=,<domainadmin>%<password>" appears to
succeed.
3) "linux~# wbinfo -u" succeeds in giving a list of all domain users
(same for groups with -g flag) however it shows "domainuser" only and
not "DOMAIN+domainuser" as indicated in the chapter text.
4) "linux~# getent passwd <domainuser>" succeeds.
5) "linux~# chown <domainuser> /export/a_file" appears to succeed
however a listing of "/export/a_file" shows owner remaining as 'root'.
6) "linux~# net rpc trustdom list" fails with the message:
linux:~ # net rpc trustdom list
Password:
Could not connect to server CACTUS_1
The username or password was not correct.
[2004/10/06 16:31:06, 0] utils/net_rpc.c:rpc_trustdom_list(3030)
Couldn't connect to domain controller
linux:~ #
7) Other 'net rpc' commands fail as illustrated:
linux:~ # net rpc samdump
[2004/10/06 16:36:41, 0] utils/net_rpc_samsync.c:rpc_samdump_internals(216)
Could not fetch trust account password
linux:~ # net rpc getsid
Storing SID S-1-5-21-1930001043-1750228388-9522986 for Domain DOMAIN in
secrets.tdb
linux:~ # net rpc vampire
Could not retrieve domain trust secret
8) From Windows Explorer on a Windows PC workstation I see the Samba
server (Cactus_3) and I see shares (ACCTMATE, DOCUMENTS, PICTURES,
Printer LexMark T522) but I get 'Permission Denied' when attempting to
access. Mapping through "net use k: \\cactus_3\documents" succeeds but
access is still denied. A directory listing from the command window
responds as "File not found."
Please be so kind as to point out what I am missing. Thank you for your
kind help.
Dennis A. Johnson
Controller
K.M.B., Inc.
Phoenix, Arizona, USA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
smb.conf
#~ Configuration for Samba Server (Cactus_3) to be a member server on NT4 domain DOMAIN
#~ Shares should be accessible to every authenticated user on DOMAIN.
#~ PDC is Cactus_1 (192.168.0.70) is also WINS server
#~ BDC is Cactus_2 (192.168.0.252) is also DHCP server
#~ Network is 192.168.0.0/24
#~ revisions 1.0 10/06/2004 1:00PM
#
#
[global]
workgroup = domain
server string = Samba Server
netbios name = Cactus_3
security = domain
password server = CACTUS_1 CACTUS_2
wins server = 192.168.0.70
winbind separator = +
winbind use default domain = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
idmap uid = 15000-20000
idmap gid = 15000-20000
use sendfile = yes
interfaces = 127.0.0.1 eth0
hosts allow = 192.168.0. 127.
bind interfaces only = true
local master = no
printing = cups
printcap name = cups
printer admin = @ntadmin, root, administrator
disable spoolss = yes
map to guest = Bad User
encrypt passwords = yes
passdb backend = smbpasswd
# SO_RCVBUF=8192 SO_SNDBUF=8192
# socket options = TCP_NODELAY
# add machine script =
# domain master = false
# domain logons = yes
# local master = no
# preferred master = auto
# ldap suffix = dc=example,dc=com
[homes]
comment = Home Directories
valid users = %S
browseable = no
read only = no
guest ok = no
printable = no
[ACCTMATE]
comment = Accounting Application Only
path = /export/ACCTMATE
writeable = yes
inherit permissions = yes
# veto files = /aquota.user/groups/shares/
browseable = yes
guest ok = no
printable = no
[Documents]
comment = Public Documents
path = /export/Documents
writeable = yes
inherit permissions = yes
browseable = yes
guest ok = no
# printable = yes
[Pictures]
comment = Public Pictures
path = /export/Pictures
read only = no
writeable = yes
# printable = yes
browseable = yes
inherit permissions = yes
guest ok = no
[printers]
comment = All Printers
path = /var/spool/samba
printer admin = root, itadminkmb, dennis
printable = yes
create mask = 0600
browseable = no
guest ok = no
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775
browseable = yes
guest ok = no
printable = no
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
nsswitch.conf
#
# /etc/nsswitch.conf
#
passwd: files winbind
# shadow: files nis
group: files winbind
hosts: files dns winbind
# passwd: compat
# group: compat
# hosts: files dns
#networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis
aliases: files
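
Added example (not part of the original post or of Samba): a small Python check over the [global] settings posted above. It flags parameters that Samba 3.0's smb.conf(5) lists as synonyms but that carry different values, plus two settings that affect how domain users are named and how unknown users are handled. The SMB_CONF excerpt is constructed from the posted file; parse_global and audit are hypothetical names.

```python
import re

# Constructed input: the [global] lines from the posted smb.conf that this check reads.
SMB_CONF = """\
[global]
security = domain
winbind separator = +
winbind use default domain = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
idmap uid = 15000-20000
idmap gid = 15000-20000
map to guest = Bad User
"""

# Samba 3.0 smb.conf(5) lists these names as synonyms for a single setting.
SYNONYMS = {"winbind uid": "idmap uid", "winbind gid": "idmap gid"}

def parse_global(text):
    """Return {canonical name: [values in file order]} for the [global] section."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            name = " ".join(name.lower().split())  # normalise case and runs of spaces
            params.setdefault(SYNONYMS.get(name, name), []).append(value)
    return params

def audit(text):
    """Return findings about settings that change how domain users are mapped."""
    params, findings = parse_global(text), []
    for name, values in params.items():
        if len(set(values)) > 1:
            findings.append(f"{name}: set more than once with different values {values}")
    last = {name: values[-1].lower() for name, values in params.items()}
    if last.get("winbind use default domain") in ("yes", "true", "1"):
        findings.append("winbind use default domain: own-domain users are listed "
                        "without the DOMAIN+ prefix")
    if last.get("map to guest") == "bad user":
        findings.append("map to guest: logons for unknown user names become guest "
                        "sessions, which 'guest ok = no' shares refuse")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SMB_CONF)))
```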