[Samba] Default OU vs. CN per SAMBA-HOWTO?
Jason Gerfen
jason.gerfen at scl.utah.edu
Mon Oct 31 20:24:33 GMT 2005
I have come across a problem I have not been able to resolve. I am
attempting to create a Samba ADS Domain Membership machine to
authenticate users which will be accessing the shares on the Samba
server from a combination of Active Directory and Kerberos.
The problem I am experiencing is stemming from following the directions
for the "Create the Computer Account" in chapter 6 part II of the
Samba-Howto. The last command says it is possible to create a machine
trust account in a container called servers under a different OU.
ex: root# net ads join "Computer\BusinessUnit\Department\Servers"
Here are the steps I have taken, I have joined the Samba machine to the
domain using the "net ads join -U<username>" command.
I have configured the /etc/krb5.conf to mimic our network environment as
well as the nsswitch.conf. I am able to run the command "getent passwd"
and I can see users; however, the problem is they are not the correct
users. After running the command I described above, "net ads join
"Computer\BusinessUnit\Department\Servers"", I can only view and
authenticate users in the OU.
I have attempted the following: removed the computer trust account from
the Active Directory, let the AD replicate and rejoined the domain, only
to have the same OU show up as default. I have removed the Samba and Winbind
packages from the machine, changed the machine name, as well as any
temporary files for Samba and Winbind, and let the machine sit without any
domain interaction for 3 days to make sure the computer trust account
was removed, all without any success.
Any assistance with this problem is definitely appreciated. I am
including the /etc/samba/smb.conf and the /etc/krb5.conf. Again any
help is appreciated.
[smb.conf]
[global]
#
# Network configuration
#
server string = doc-odin.domain.com
workgroup = DOMAIN
netbios name = DOC-ODIN
realm = DOMAIN
security = ADS
password server = server.domain.com server2.domain.com
#
# Domain configuation options
#
prefered master = no
local master = no
domain master = no
prefered master = no
domain logons = no
#
# Security options
#
encrypt passwords = yes
update encrypted = yes
password level = 20
#
# Winbind options
#
#
winbind use default domain = no
winbind cache time = 5
winbind separator = /
winbind enum users = no
winbind enum groups = no
winbind nested groups = yes
#
# User/Group mapping options
#
idmap uid = 500-500000
idmap gid = 500-500000
add user script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
#
# LDAP/AD configuration options
#
passdb backend = ldapsam:LDAP://server2.domain.com
ldap admin dn = "cn=readonly,cn=users,dc=domain,dc=com"
ldap user suffix = cn=users
ldap group suffix = ou=groups
ldap suffix = dc=domain,dc=com
ldap delete dn = no
use spnego = yes
#
# Networking options
#
hide unreadable = no
wins support = no
dns proxy = no
interfaces = eth* lo
bind interfaces only = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
hosts deny = 0.0.0.0/0
#
# Miscellaneous options
#
os level = 20
template shell = /bin/false
template homedir = /odin/%D/%U
load printers = no
#
# Logging options
#
log level = 1 ads:5 auth:5 sam:5 rpc:5
[krb5.conf]
[libdefaults]
default_realm = DOMAIN.COM
clockskew = 300
default_tgs_enctypes = rc4-hmac des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
[realms]
UTAH.EDU = {
kdc = 192.168.0.2
default_domain = domain.com
admin_server = 192.168.0.2
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
}
--
Jason Gerfen
"My girlfriend threated to
leave me if I went boarding...
I will miss her."
~ DIATRIBE aka FBITKK
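Before re-running a join, one check worth making is that smb.conf and krb5.conf agree on the Kerberos realm: in the files posted above, smb.conf has `realm = DOMAIN` while krb5.conf has `default_realm = DOMAIN.COM` and a `[realms]` block for `UTAH.EDU`. The script below is an added example, not Samba's code or anything from the poster; it assumes POSIX sh plus awk, sed and grep, and works on two constructed config pairs embedded inline (the first reproduces the posted realm values, the second is the same pair with the realm names aligned, used only to show what a consistent pair looks like). It reports each disagreement and returns the count, so 0 means the files agree.

```shell
#!/bin/sh
# Added example (not Samba code): cross-check an smb.conf against a krb5.conf
# for the settings an ADS domain member depends on. The config pairs below are
# constructed from the values in the post; hostnames and paths are placeholders.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Pair 1: realm / default_realm / [realms] as posted (constructed, trimmed).
cat > "$TMP/smb.conf" <<'EOF'
[global]
   workgroup = DOMAIN
   realm = DOMAIN
   security = ADS
   password server = server.domain.com server2.domain.com
EOF
cat > "$TMP/krb5.conf" <<'EOF'
[libdefaults]
   default_realm = DOMAIN.COM
[realms]
   UTAH.EDU = {
      kdc = 192.168.0.2
   }
[domain_realm]
   .domain.com = DOMAIN.COM
   domain.com = DOMAIN.COM
EOF
# Pair 2: the same files with the realm names made consistent (constructed).
sed 's/^   realm = DOMAIN$/   realm = DOMAIN.COM/' "$TMP/smb.conf" > "$TMP/smb-ok.conf"
sed 's/UTAH\.EDU/DOMAIN.COM/' "$TMP/krb5.conf" > "$TMP/krb5-ok.conf"

# ini_value FILE SECTION KEY: first value of KEY inside [SECTION]; comment
# lines are skipped, surrounding blanks and one pair of double quotes removed.
ini_value() {
  awk -v sec="$2" -v key="$3" '
    /^[[:space:]]*[#;]/ { next }
    /^[[:space:]]*\[/ { s = $0; gsub(/^[[:space:]]*\[|\].*$/, "", s)
                        insec = (tolower(s) == tolower(sec)); next }
    insec && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      if (tolower(k) != tolower(key)) next
      v = substr($0, index($0, "=") + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      sub(/^"/, "", v); sub(/"$/, "", v); print v; exit }' "$1"
}

# krb_realms FILE: realm names declared as "NAME = {" in the [realms] section.
krb_realms() {
  awk '/^[[:space:]]*\[/ { insec = (tolower($0) ~ /\[realms\]/); next }
       insec && /=[[:space:]]*\{/ { n = $0; sub(/[[:space:]]*=.*/, "", n)
                                    sub(/^[[:space:]]+/, "", n); print n }' "$1"
}

# krb_domain_realm_targets FILE: realms that [domain_realm] maps DNS names onto.
krb_domain_realm_targets() {
  awk '/^[[:space:]]*\[/ { insec = (tolower($0) ~ /\[domain_realm\]/); next }
       insec && index($0, "=") { v = substr($0, index($0, "=") + 1)
                                 gsub(/[[:space:]]/, "", v); print v }' "$1"
}

# check_ads_config SMB_CONF KRB5_CONF: print one line per inconsistency and
# return the number found, so 0 means the two files agree.
check_ads_config() {
  n=0
  realm=$(ini_value "$1" global realm)
  sec=$(ini_value "$1" global security)
  defrealm=$(ini_value "$2" libdefaults default_realm)
  if [ "$(printf %s "$sec" | tr 'a-z' 'A-Z')" != ADS ]; then
    echo "smb.conf: security = '$sec', expected ADS for a domain member"; n=$((n+1))
  fi
  if [ -z "$realm" ] || [ -z "$defrealm" ]; then
    echo "realm ('$realm') or default_realm ('$defrealm') is not set"; n=$((n+1))
  elif [ "$realm" != "$(printf %s "$realm" | tr 'a-z' 'A-Z')" ]; then
    echo "smb.conf: realm '$realm' is not upper case"; n=$((n+1))
  fi
  if [ "$realm" != "$defrealm" ]; then
    echo "smb.conf realm '$realm' differs from krb5.conf default_realm '$defrealm'"; n=$((n+1))
  fi
  if ! krb_realms "$2" | grep -qxF -- "$defrealm"; then
    echo "krb5.conf: [realms] has no block for default_realm '$defrealm'"; n=$((n+1))
  fi
  for t in $(krb_domain_realm_targets "$2"); do
    [ "$t" = "$defrealm" ] || { echo "krb5.conf: [domain_realm] maps to '$t', not '$defrealm'"; n=$((n+1)); }
  done
  return $n
}

echo "== pair 1 (realm values as posted) =="
check_ads_config "$TMP/smb.conf" "$TMP/krb5.conf" || echo "inconsistencies: $?"
echo "== pair 2 (realm names aligned) =="
check_ads_config "$TMP/smb-ok.conf" "$TMP/krb5-ok.conf" && echo "inconsistencies: 0"
```

Run it as-is to see the two reports, or point `check_ads_config` at the real /etc/samba/smb.conf and /etc/krb5.conf. The check deliberately compares realm names case-sensitively, since Kerberos realms are case-sensitive and Samba expects `realm` in upper case; it does not verify DNS, the KDC, or the join itself, only that the two files describe the same realm.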