Samba 3.0.21a and Samba Domain Member Servers in a Windows 2003 ADS Domain

So, yeah... I've referenced the Samba documentation nearly non-stop
over the course of the last couple of days, and while I've managed to
iron out most of the issues in my samba implementation, there are a few
nagging, persistent, completely frustrating issues that I can't fix.
My infrastructure consists of 2 Windows 2003 Domain Controllers and 2
Windows 2003 Member Servers. I'm trying to introduce two Linux/Samba
Member Servers into the environment. I've managed to get them added
to the domain without issues, apparently with Kerberos working.
wbinfo -g/-u/-t all work without incident on each box. smbclient -L
\\servername -k transparently authenticates as my local username and
displays all the shares on the server... in short... everything is
apparently working...

What's not working:
1. I can't get access to the samba box unless an account exists in
smbpasswd. This seems silly seeing as the server is supposed to be
doing authentications to the active directory. If this is the way
things are supposed to work, I must say I'm wholly disappointed. My
desired operation is to not have to worry about local user
administration on the samba box at all to get access to shares.
2. Mapping root to domain\administrator doesn't seem to behave as
expected either. I have no explanation for this. Logged in as
administrator into one of the domain controllers, I am denied access to
shares available on the samba boxes.
3. Access to printer and print queue administration does not work.
Users are not able to connect. Administrators are able to connect, but
are unable to manage print jobs.
I'm sure there's other stuff... I typed a much more comprehensive set
of issues last night into linux.samba and my post was denied without
giving me back the whole of my original post... sigh... Here are my
configuration files that I'm pretty sure are applicable. I'll add
issues as I rediscover them to this thread... Any help or ideas are
greatly appreciated...

/etc/samba/smb.conf
[global]
unix charset = LOCALE
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
server string = SERVERNAME
security = ADS
username map = /etc/samba/smbusers
log level = 5
syslog = 0
log file = /var/log/samba/%m
max log size = 50
ldap ssl = no
idmap uid = 500-10000000
idmap gid = 500-10000000
printing = cups
printcap name = cups
load printers = yes
printcap cache time = 750
cups options = raw
include = /etc/samba/dhcp.conf
wins proxy = yes
dns proxy = yes
name resolve order = wins hosts lmhosts bcast
# wins server = assigned by dhcp
domain master = no
local master = yes
preferred master = no
os level = 34
use kerberos keytab = Yes
winbind separator = +
winbind use default domain = Yes
winbind nested groups = Yes
winbind enum users = yes
winbind enum groups = yes
[homes]
comment = Home Directories
valid users = %S
browseable = No
read only = No
inherit acls = Yes
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[printers]
comment = All Printers
path = /var/spool/samba
public = yes
guest ok = yes
printer admin = root, @ntadmins
printable = Yes
browseable = No
use client driver = Yes
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775

/etc/samba/smbusers
root = MYDOMAIN\Administrator
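
An added example, not part of the original post: a small Python audit of the access-control parameters in the smb.conf above. It runs over a constructed subset of the posted file and reports guest-enabled shares and group names that differ only by a trailing "s" (the posted file uses @ntadmins in [printers] and @ntadmin in [print$]); the function names are hypothetical.

```python
import re
from itertools import combinations

# Constructed sample: a subset of the smb.conf posted above.
SAMPLE_SMB_CONF = """\
[global]
security = ADS
[homes]
valid users = %S
[printers]
public = yes
guest ok = yes
printer admin = root, @ntadmins
[print$]
write list = @ntadmin root
force group = ntadmin
"""

PRINCIPAL_PARAMS = {"valid users", "write list", "printer admin", "force group"}
GUEST_PARAMS = {"guest ok", "public"}  # "public" is a synonym for "guest ok"

def parse_smb_conf(text):
    """Return {section: {param: value}}; section and parameter names are lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(sections):
    """Report guest-enabled shares and group names that look like typos of each other."""
    groups, findings = {}, []
    for name, params in sections.items():
        for key, value in params.items():
            if key in GUEST_PARAMS and value.lower() in ("yes", "true", "1"):
                findings.append(f"[{name}] {key} = {value}: guest access enabled")
            tokens = re.split(r"[,\s]+", value) if key in PRINCIPAL_PARAMS else []
            for token in tokens:
                # '@', '+' and '&' prefixes mark a group in smb.conf user lists
                if token and (token[0] in "@+&" or key == "force group"):
                    groups.setdefault(token.lstrip("@+&"), []).append(f"[{name}] {key}")
    for a, b in combinations(sorted(groups), 2):
        if a.rstrip("s") == b.rstrip("s"):
            findings.append(f"group '{a}' ({groups[a][0]}) vs '{b}' ({groups[b][0]}): possible typo")
    return findings
```

Calling audit(parse_smb_conf(SAMPLE_SMB_CONF)) returns the list of findings; point parse_smb_conf at the text of a real smb.conf to check a live configuration.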