Linux/Samba/Domain Member

Summary
Samba

Samba Configuration Option Quick Reference

Install Samba
    # Install Samba Server
    yum install samba

    # Install Samba Client (mount.cifs, smbclient)
    yum install samba-client

Mounting Samba Shares
HOWTO Setup Samba: mount -t cifs //server/share /mnt/samba -o username=username

Samba Configuration File
/etc/samba/smb.conf

NOTE: Whenever you modify this file you should run the command "testparm" to check that you have not made any basic syntactic errors.

Joining a Domain
[http://us1.samba.org/samba/docs/man/Samba-Guide/unixclients.html Samba: Chapter 7. Adding Domain Member Servers and Clients]

    # Delete the tdb files that cache Samba information
    cd /etc/samba
    rm *tdb

    # Configure Samba (/etc/samba/smb.conf):
    [global]
    # note: set to short domain name
    workgroup = OEEY
    # note: set to full domain name
    realm = CORPORATE.OEEY.COM
    netbios name = DATA
    password server = snowbird.contractpal.com
    username map = /etc/samba/smbusers

    security = ADS
    encrypt passwords = yes
    passdb backend = tdbsam

    winbind uid = 10000-65000
    winbind gid = 10000-65000
    winbind enum users = yes
    winbind enum groups = yes
    # winbind use default domain = yes

    debuglevel = 1

    # disable printers
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    #nt acl support = yes
    #acl map full control = yes
    #dos filemode = yes

    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No

    [files]
    path = /test
    comment = Test
    read only = No
    create mask = 0750
    browseable = Yes
    guest ok = no
    preserve case = yes
    #nt acl support = yes

    [test]
    path = /test
    public = no
    browsable = yes
    read list = @"OEEY\domain users"
    write list = @"OEEY\domain users"
    create mask = 0777
    directory mask = 0777
    force create mode = 0777
    force directory mode = 0777

    [release]
    path = /Release
    public = no
    browsable = yes
    read list = @"OEEY\domain users"
    write list =
    read only = yes

    # Validate your Samba configuration:
    testparm -s

    # Join ADS domain:
    # Samba does not need to be running at this step, but the smb.conf will be parsed
    net ads join -UAdministrator

    # for debugging purposes:
    # (a password given as user%password ends up in shell history; omit it to be prompted)
    net ads join -UAdministrator%mypassword -d3

NOTE: never execute the net rpc join command in an attempt to join the Samba server to the domain, unless you wish not to use the Kerberos security protocols. 

    # Test ADS connection:
    # Simple ADS information:
    net ads info

One can also check that the connection was made by checking the secrets.tdb file:

    tdbdump secrets.tdb

Or way more information than you care for:

    net ads status -UAdministrator%mypassword

    # Configure Kerberos (/etc/krb5.conf):
    [libdefaults]
    default_realm = CORPORATE.OEEY.COM
    dns_lookup_kdc = true
    ...
    [realms]
    CORPORATE.OEEY.COM = {
        kdc = snowbird.contractpal.com:88
        admin_server = snowbird.contractpal.com:749
        default_domain = contractpal.com
    }
    ...
    [domain_realm]
    .corporate.OEEY.com = CORPORATE.OEEY.COM
    corporate.OEEY.com = CORPORATE.OEEY.COM

    # Test Kerberos connection:
    kinit Administrator
    klist

    # Test Winbind:
    service winbind restart
    # list domain users
    wbinfo -u
    # list domain groups
    wbinfo -g

List winbind database information:

    tdbdump /var/cache/samba/winbindd_idmap.tdb
    tdbdump /var/cache/samba/winbindd_cache.tdb

    # Edit /etc/nsswitch.conf
    # passwd, group, hosts: winbind
    passwd:    files winbind
    # shadow:    files winbind
    shadow:    files
    group:     files winbind
    hosts:     files wins
    # possibly use:
    # hosts:     files dns winbind

    # Test nss:
    # should now show domain users
    getent passwd
    # should now show domain groups
    getent group

    # Edit samba PAM configuration (/etc/pam.d/samba):
    #%PAM-1.0
    # USE WINBIND FOR AUTHENTICATION
    auth       sufficient    /lib/security/pam_winbind.so try_first_pass
    account    sufficient    /lib/security/pam_winbind.so try_first_pass
    session    sufficient    /lib/security/pam_winbind.so try_first_pass

    # Start samba:
    service smb start

    # Test samba connection:
    smbclient -L DATA -UAdministrator

Old bad way of joining a domain (do not use):
 * 1) Join Domain: "sudo net rpc join -W OEEY -U Administrator -S snowbird -I 10.161.101.8"

Joining Domain References

 * Samba: Domain Member
 * Samba: Domain Membership
 * Samba 3 and joining an Active Directory/domain

List users and groups of domain
This article shows a cool script.

Test joining the domain:

    wbinfo -t
    checking the trust secret via RPC calls succeeded

To view domain users: wbinfo -u

To view domain groups: wbinfo -g

To view user details (not local unix user): wbinfo -i

To view user groups id: wbinfo -r

To see all users (including those from winbind): getent passwd

Authenticate: wbinfo -a testuser%testpass

Test challenge/response: wbinfo -a [domain]\\[user]%[password]

PAM and Samba
This article shows how to use winbind for Samba PAM authentication: /etc/pam.d/samba: See /etc/pam.d/samba

How can I configure my Red Hat Enterprise Linux system to use pam_winbind.so so users can log into the server using their domain username and password?
 * It is also assumed that the domain user's home directory has already been created on the system in the correct location, because winbind cannot create home directories.

/etc/pam.d/system-auth:

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      /lib/security/$ISA/pam_env.so
    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
    auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
    auth        required      /lib/security/$ISA/pam_deny.so

    account     required      /lib/security/$ISA/pam_unix.so broken_shadow
    account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
    account     required      /lib/security/$ISA/pam_permit.so

    password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
    password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
    password    required      /lib/security/$ISA/pam_deny.so

    session     required      /lib/security/$ISA/pam_limits.so
    session     required      /lib/security/$ISA/pam_unix.so

A single line can be added to the session section of /etc/pam.d/system-auth file, to make use of the pam_mkhomedir.so PAM module. This module will automatically create a user's home directory if they have authenticated successfully and if the home directory does not already exist. If pam_mkhomedir.so has to create the user's home directory, the template homedir statement in /etc/samba/smb.conf will be used to determine where to create the user's home directory.

    session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0077
    session     required      /lib/security/$ISA/pam_limits.so
    session     required      /lib/security/$ISA/pam_unix.so

Auto creation of home directories:

Using Winbind to Resolve Active Directory Accounts in Debian:
 * We need to configure our system to create home directories for each of the Active Directory users. Insert a reference to the pam_mkhomedir module in /etc/pam.d/common-session as shown below:

    # /etc/pam.d/common-session
    session    required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
    session    sufficient    pam_winbind.so
    session    required      pam_unix.so

nsswitch.conf
See /etc/nsswitch.conf

What changes do I need to make to nsswitch.conf for winbind to work?

    passwd:      files winbind
    shadow:      files
    group:       files winbind

IDMAP
[http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html Samba: Chapter 14. Identity Mapping (IDMAP)]

Winbind
[http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html Samba: Chapter 24. Winbind: Use of Domain Accounts]

Users and Groups with Samba (Winbind) and Active Directory

How do I set up winbind on our Samba server to create users and groups from our domain controller?

    # WINBIND STUFF
    idmap uid = 15000-20000
    idmap gid = 15000-20000
    winbind enum groups = yes
    winbind enum users = yes
    winbind separator = +
    winbind use default domain = no
    template homedir = /homes/%D/%U
    template shell = /bin/bash

A brief explanation of some of these settings:

* idmap uid - the range of numeric uid's that winbind will use to enumerate domain users with on your system. You should select a range that does not conflict with uid numbers already in use on the system and also make sure not to assign users to uid numbers in this range after you start using winbind. Also, it's probably a good idea to not change the number range once you start using winbind, as it could cause file ownership or group ownership problems.

* idmap gid - the range of numeric gid's that winbind will use to enumerate domain groups on your system. The idmap uid cautions noted above apply here as well.

* winbind enum groups and winbind enum users - whether winbind should "create" the domain's groups/users on the system or not. Leave these both set to yes unless you want to turn the functionality off for some reason.

* winbind separator - the character winbind will use to separate the domain name from the user or group name. Using such a configuration will cause domain usernames to appear like this - "MYDOMAIN+username" and domain group names to appear like this - "MYDOMAIN+Domain Users" for example.

* The template homedir statement is used to generate the home directory path for domain users. The example given uses variable substitution and would cause winbind-enumerated users' home directories to appear as /homes/MYDOMAIN/username.

Note that if you wish certain (or all) domain users to have a home directory on the Samba server, you will have to create it for them. While the template homedir statement does control where Samba thinks the user's home directory will be, winbind will not actually create the user's home directory for you.

You can test the basic user and group enumeration functionality of winbind with wbinfo and getent commands:

    # wbinfo -u
    MYDOMAIN+vince
    MYDOMAIN+Administrator
    MYDOMAIN+Guest

    # wbinfo -g
    MYDOMAIN+Domain Admins
    MYDOMAIN+Domain Users
    MYDOMAIN+Domain Guests

    # getent group
    quaggavty:x:102:
    quagga:x:92:
    radvd:x:75:
    radiusd:x:95:
    MYDOMAIN+Domain Admins:x:15008:MYDOMAIN+Administrator
    MYDOMAIN+Domain Users:x:15009:
    MYDOMAIN+Domain Guests:x:15010:MYDOMAIN+Guest

    # getent passwd
    radvd:x:75:75:radvd user:/:/sbin/nologin
    radiusd:x:95:95:radiusd user:/:/bin/false
    MYDOMAIN+vince:x:15001:15009:Vince:/homes/MYDOMAIN/vince:/bin/bash
    MYDOMAIN+administrator:x:15009:15009:Administrator:/homes/MYDOMAIN/administrator:/bin/bash
    MYDOMAIN+guest:x:15010:15009:Guest:/homes/MYDOMAIN/guest:/bin/bash

winbindd (8)

Read Write Groups
Domain Groups:

    write list = @"AMITY+Domain Admins"
    write list = @"Domain Admins"

Controlling Access to Shares
Controlling Access to Shares

How can I restrict access in Samba?:

    [global]
    workgroup = WORKGROUP
    netbios name = LOCALHOST
    security = share
    hosts allow = 127.0.0. 10.

    [share1]
    comment = First Share
    path = /home/share1
    # bob janet and all members of groupa are permitted access
    valid users = bob janet @groupa
    # only machines with 10.0.0.5, 10.2.5.10, and 10.0.1.1-255 are allowed
    hosts allow = 10.0.0.5 10.2.5.10 10.0.1.

Mounting disk with loopback device to test ACLs
See Mounting Loopback Device

7. Mount with ACL option

    mkdir /mnt/disk.image
    mount -t ext3 -o loop,defaults,acl disk.image /mnt/disk.image

Disable Printers
Novice question - How to completely disable printing and /etc/printcap errors:

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

Firewall
Samba and IPTables

    netbios-ns      137/udp    # NetBIOS Name Service
    netbios-dgm     138/udp    # NetBIOS Datagram Service
    netbios-ssn     139/tcp    # NetBIOS Session Service
    microsoft-ds    445/tcp    # Microsoft Directory Service

Easier: system-config-security-tui (which writes out to /etc/sysconfig/system-config-securitylevel)

Troubleshooting

 * 1) Check /var/log/messages
 * 2) Check /var/log/samba/*

Could not connect to server snowbird
    $ net rpc join -W OEEY -U Administrator -S snowbird -I 10.161.101.
    Password:
    Could not connect to server snowbird
    The username or password was not correct.
    Connection failed: NT_STATUS_LOGON_FAILURE

Cannot find KDC for requested realm
The log files are reporting:

    ==> /var/log/samba/log.wb-OEEY <==
    [2007/10/10 14:00:21, 0] libads/kerberos.c:ads_kinit_password(208)
      kerberos_kinit_password STAGE$@CORPORATE.OEEY.COM failed: Cannot find KDC for requested realm
    [2007/10/10 14:00:21, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
      ads_connect for domain OEEY failed: Cannot find KDC for requested realm

    ==> /var/log/messages <==
    Oct 10 14:00:21 stage winbindd[20879]: [2007/10/10 14:00:21, 0] libads/kerberos.c:ads_kinit_password(208)
    Oct 10 14:00:21 stage winbindd[20879]:  kerberos_kinit_password STAGE$@CORPORATE.OEEY.COM failed: Cannot find KDC for requested realm

NT_STATUS_NO_SUCH_USER
    ==> /var/log/samba/smbd.log <==
    [2007/10/10 15:06:44, 2] auth/auth.c:check_ntlm_password(319)
      check_ntlm_password: Authentication for user [test] -> [test] FAILED with error NT_STATUS_NO_SUCH_USER

The user exists in the domain, but not on the local box.

This means that /etc/krb5.conf is not set up correctly. Reconfigure the file and try 'kinit administrator'. This should connect to the correct default domain; if it does not, the krb5.conf file is still wrong.

winbindd: idmap uid range missing or invalid
The log files are reporting the following when starting winbind:

    ==> /var/log/samba/winbindd.log <==
    [2007/10/10 14:14:17, 1] nsswitch/winbindd.c:main(953)
      winbindd version 3.0.24-7.fc5 started.
      Copyright The Samba Team 2000-2004
    [2007/10/10 14:14:17, 0] nsswitch/winbindd_util.c:winbindd_param_init(787)
      winbindd: idmap uid range missing or invalid
    [2007/10/10 14:14:17, 0] nsswitch/winbindd_util.c:winbindd_param_init(788)
      winbindd: cannot continue, exiting.
    [2007/10/10 14:14:17, 1] nsswitch/winbindd.c:main(986)
      Could not init idmap -- netlogon proxy only

    ==> /var/log/messages <==
    Oct 10 14:14:17 stage winbindd[21382]: [2007/10/10 14:14:17, 0] nsswitch/winbindd_util.c:winbindd_param_init(787)
    Oct 10 14:14:17 stage winbindd[21382]:  winbindd: idmap uid range missing or invalid
    Oct 10 14:14:17 stage winbindd[21382]: [2007/10/10 14:14:17, 0] nsswitch/winbindd_util.c:winbindd_param_init(788)
    Oct 10 14:14:17 stage winbindd[21382]:  winbindd: cannot continue, exiting.

According to this thread, simply include the following lines in /etc/samba/smb.conf:

    idmap uid = 10000-20000
    idmap gid = 10000-20000
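An added example, not part of the original page: a shell pre-flight check for the failure above and for the earlier caution that the idmap range must not collide with UIDs already used on the system. The function names are hypothetical, the sample files are constructed, and the older winbind uid / winbind gid spelling from the first listing is accepted as well.

```shell
#!/bin/sh
# Added example: check winbind's idmap range before starting winbindd.

# smb_param FILE NAME: print the value of the last uncommented "NAME = value" line.
smb_param() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                 # comment lines
        index($0, "=") == 0 { next }           # section headers, blank lines
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == want) found = val
        }
        END { if (found != "") print found }' "$1"
}

# idmap_range FILE uid|gid: print "LOW HIGH"; return 1 when the range is missing
# or malformed, the condition winbindd reports as "range missing or invalid".
idmap_range() {
    ir_val=$(smb_param "$1" "idmap $2")
    [ -n "$ir_val" ] || ir_val=$(smb_param "$1" "winbind $2")   # older spelling
    ir_val=$(printf '%s' "$ir_val" | tr -d ' \t')
    case "$ir_val" in
        ""|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;
        *-*) ;;
        *) return 1 ;;
    esac
    ir_low=${ir_val%-*}; ir_high=${ir_val#*-}
    [ "$ir_low" -lt "$ir_high" ] || return 1
    echo "$ir_low $ir_high"
}

# uid_conflicts PASSWD LOW HIGH: print "name:uid" for local accounts inside the range.
uid_conflicts() {
    awk -F: -v lo="$2" -v hi="$3" \
        '$3 ~ /^[0-9]+$/ && $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 ":" $3 }' "$1"
}

# check_idmap SMBCONF PASSWD
# returns 0 = usable, 1 = range missing or invalid, 2 = range overlaps local UIDs
check_idmap() {
    ci_range=$(idmap_range "$1" uid) || { echo "idmap uid range missing or invalid"; return 1; }
    idmap_range "$1" gid >/dev/null || { echo "idmap gid range missing or invalid"; return 1; }
    ci_lo=${ci_range% *}; ci_hi=${ci_range#* }
    ci_hits=$(uid_conflicts "$2" "$ci_lo" "$ci_hi")
    if [ -n "$ci_hits" ]; then
        echo "local accounts inside idmap uid range $ci_lo-$ci_hi: $(echo $ci_hits)"
        return 2
    fi
    echo "idmap uid range $ci_lo-$ci_hi is free of local accounts"
}

# Constructed sample input (not real hosts or accounts).
demo_dir=$(mktemp -d)
printf '%s\n' '[global]' '   workgroup = OEEY' '   idmap uid = 10000-20000' \
    '   idmap gid = 10000-20000' > "$demo_dir/smb.conf"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'backup:x:10050:100:constructed local account:/home/backup:/bin/bash' > "$demo_dir/passwd"
check_idmap "$demo_dir/smb.conf" "$demo_dir/passwd" || echo "exit status $?"
rm -rf "$demo_dir"
```

On a real host the call would be check_idmap /etc/samba/smb.conf /etc/passwd; the same comparison against /etc/group covers the gid range.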

Access is denied upon changing ACL
[Security] Unable to save permission changes on . Access is denied.

Logon failure: unknown user name or bad password
    C:\>net use x: \\stage\files /user:OEEY\administrator
    The password or user name is invalid for \\stage\files.

    Enter the password for 'OEEY\administrator' to connect to 'stage':
    System error 1326 has occurred.

    Logon failure: unknown user name or bad password.

This is caused by the username not existing on the local unix machine. See

Set ACL failed
    ==> /var/log/samba/smbd.log <==
    [2007/10/10 15:44:32, 2] smbd/posix_acls.c:set_canon_ace_list(2502)
      set_canon_ace_list: sys_acl_set_file type file failed for file c/big (Operation not supported).
    [2007/10/10 15:44:32, 2] smbd/posix_acls.c:set_canon_ace_list(2502)
      set_canon_ace_list: sys_acl_set_file type file failed for file c/big (Operation not supported).

This is because the file system does not support ACLs

Add User Not Working
Add user script, with winbind, without PAM (Solaris 9):

    add machine script = /path/tothesame/adduserscript %u

The 'add machine script' is used to create machine trust accounts when running Samba as a PDC (which you are not in this case). But if you are using winbindd then the user already exists in UNIX. The getpwnam call for the DOMAIN\user will succeed and so the 'add user script' will never be called. This is by design. Do you run winbindd on the 2.2.8a server? The better way to solve your problem is with a 'root preexec' script of the share in question.

Vista workstation unable to connect to Samba share
\\server\share The parameter is incorrect.

\\server\share A device attached to the system is not functioning.

\\server\share The referenced account is currently locked out and may not be logged on to.

Samba and Vista

Microsoft's security policy on Windows Vista is interestingly set by default to exclude mapping to Samba shares.

To fix this:
 * 1) click START | Run | secpol.msc.
 * 2) Go to Local Policies | Security Options and find Network Security: LAN Manager authentication level
 * 3) Change the settings from Send NTLMv2 response only to Send LM & NTLM - use NTLMv2 session security if negotiated.

Vista defaults to only send the more secure NTLMv2 protocol, which Samba (and, incidentally, some NAS devices) do not support.

If you are using Vista Premium: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel

This controls the security level mandated or allowed for logins. In Vista it defaults to 0x3, which means "NTLMv2 only". This is not supported by Samba, or at least not supported by any of the Samba servers I use (Mac OS X, Debian Sarge, or Buffalo TeraStation). This is despite the fact that the Samba documentation implies that it should work.

The fix is to change it to 0x1, which means "use NTLMv2 if available, or older versions if not." Reboot. Samba shares will work just fine.

If we try \\build\release we get "A device attached to the system is not functioning.". This thread suggests trying by IP address \\10.161.101.12\release\. This worked. Also by full domain \\build.contractpal.com\release\.

"The referenced account is currently locked out and may not be logged on to." This is caused by a non domain member vista box attempting to connect to a samba share that is domain authenticated, but does not have the LM security setting enabled.

Kinit(v5) KDC reply did not match expectations while getting initial credentials
Note: this should probably go under Kerberos

Kinit(v5) KDC reply did not match expectations while getting initial credentials

Answer:

You can get this error when the case of your principal name doesn't match the one returned by the AD KDC. For example: administrator@mydomain.com But the KDC returns the ticket as Administrator@MYDOMAIN.COM

Answer:

Note: If you don't capitalize your realm, you will receive an error

Another article: Using Samba to Authenticate GNU/Linux Against Active Directory
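An added example, not part of the original page: a shell check for the realm problems described here and under "Cannot find KDC for requested realm" (a realm that is not upper case, an smb.conf realm that differs from default_realm, and a default_realm with no matching [realms] stanza). The function names are hypothetical and the sample files are constructed from the realm and host names used on this page.

```shell
#!/bin/sh
# Added example: compare the realm in smb.conf with krb5.conf before joining.

# smb_realm FILE: print the last uncommented "realm = VALUE" from smb.conf.
smb_realm() {
    sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# krb5_default_realm FILE: print default_realm from the [libdefaults] section.
krb5_default_realm() {
    awk '
        /^[ \t]*\[/ { sect = $0; gsub(/[ \t]/, "", sect); next }
        sect == "[libdefaults]" && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# krb5_realm_stanzas FILE: print the name of every stanza under [realms].
krb5_realm_stanzas() {
    awk '
        /^[ \t]*\[/ { sect = $0; gsub(/[ \t]/, "", sect); depth = 0; next }
        sect == "[realms]" {
            if (depth == 0 && /=[ \t]*[{]/) {
                name = $0; sub(/[ \t]*=.*/, "", name); sub(/^[ \t]+/, "", name)
                print name
            }
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")   # track nested braces
        }' "$1"
}

# check_realm SMBCONF KRB5CONF: print findings; the return value is the number of
# FAIL lines. A missing [realms] stanza is only a WARN because DNS lookup of the
# KDC (dns_lookup_kdc) can still succeed without it.
check_realm() {
    cr_smb=$(smb_realm "$1"); cr_def=$(krb5_default_realm "$2"); cr_bad=0
    if [ -z "$cr_smb" ]; then
        echo "FAIL smb.conf has no realm"; cr_bad=$((cr_bad + 1))
    fi
    cr_upper=$(printf '%s' "$cr_smb" | tr '[:lower:]' '[:upper:]')
    if [ "$cr_smb" != "$cr_upper" ]; then
        echo "FAIL realm '$cr_smb' is not upper case"; cr_bad=$((cr_bad + 1))
    fi
    if [ "$cr_smb" != "$cr_def" ]; then
        echo "FAIL smb.conf realm '$cr_smb' differs from default_realm '$cr_def'"
        cr_bad=$((cr_bad + 1))
    fi
    if ! krb5_realm_stanzas "$2" | grep -qxF -- "$cr_def"; then
        echo "WARN no [realms] stanza named '$cr_def'; KDC discovery relies on DNS"
    fi
    [ "$cr_bad" -eq 0 ] && echo "OK realm '$cr_smb' matches default_realm"
    return "$cr_bad"
}

# Constructed sample files using the names from this page.
demo_dir=$(mktemp -d)
printf '%s\n' '[global]' '   workgroup = OEEY' '   realm = CORPORATE.OEEY.COM' \
    > "$demo_dir/smb.conf"
printf '%s\n' '[libdefaults]' ' default_realm = CORPORATE.OEEY.COM' \
    ' dns_lookup_kdc = true' '[realms]' ' OEEY = {' '  kdc = snowbird:88' ' }' \
    > "$demo_dir/krb5.conf"
check_realm "$demo_dir/smb.conf" "$demo_dir/krb5.conf" || echo "problems: $?"
rm -rf "$demo_dir"
```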

"net ads join" fails, but "net rpc join" works
http://us1.samba.org/samba/docs/man/Samba-Guide/unixclients.html

Q. When I tried to execute net ads join, I got no output. It did not work, so I think that it failed. I then executed net rpc join and that worked fine. That is okay, isn't it?

A. No. This is not okay. It means that your Samba-3 client has joined the ADS domain as a Windows NT4 client, and Samba-3 will not be using Kerberos-based authentication.

change permissions of a file
3.1.2. I'm logged in as Administrator - why can't I edit permissions or change ownership of a file on a domain-connected Samba share? 

Under Linux and probably most Unixes, you can't change permissions on a file unless you are the current owner of the file or root, and you can't change ownership of a file unless you are root. So you will need to make yourself operate as root when you are logged in as Administrator. To do this, add the following line to the section in smb.conf for the share you are trying to administer:

admin users = DOMAINNAME\Administrator

Currently, if you are using the winbind use default domain option then you will need to omit the domain name:

admin users = Administrator

Samba Configuration
Inherit ACLs : inherit acls = yes

Include Configuration Files : include = /etc/samba/shares.conf

/etc/samba/smb.conf
    # Your Workgroup or Domain that you want
    # to login to
    workgroup = OEEY

    netbios name = STAGE

    # realm = CORPORATE.OEEY.COM

    # Tell Samba to talk to domain controller
    # for authentication
    security = domain

    # Specify the server to authenticate
    # from. You can specify the
    # NetBIOS names of the servers or simply
    # put in a "*" here to let
    # Samba find the server through broadcast
    password server = 10.161.101.8

    # add user script = /usr/sbin/useradd -s /bin/false -m %u

    # Make sure Samba is using encrypted
    # passwords
    encrypt passwords = yes

    debuglevel = 2

    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind use default domain = yes
    # winbind separator = \
    # template homedir = /home/winnt/%D/%U
    # template homedir = /dev/null
    # template primary group = "Domain Users"
    # winbind enum users = yes
    # winbind enum groups = yes
    # winbind cache time = 300
    # no is default
    # winbind nested groups = No

    # DISABLE PRINTERS
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    nt acl support = yes
    # acl map full control = yes
    # dos filemode = yes

    [homes]
    read only = no
    create mask = 0750
    browseable = yes
    guest ok = no
    preserve case = yes

    [files]
    path = /test
    comment = Test
    read only = No
    create mask = 0750
    browseable = Yes
    guest ok = no
    preserve case = yes
    #nt acl support = yes

    [test]
    path = /test
    public = no
    browsable = yes
    read list = @"OEEY\domain users"
    write list = @"OEEY\domain users"
    create mask = 0777
    directory mask = 0777
    force create mode = 0777
    force directory mode = 0777
    directory security mask = 0777
    admin users = DOMAINNAME\Administrator
    force group = "OEEY\domain users"

/etc/nsswitch.conf
    ...
    # passwd:    files
    passwd:    files winbind
    shadow:    files
    # group:     files
    group:     files winbind
    # hosts:    db files nisplus nis dns
    hosts:     files dns winbind
    ...

/etc/pam.d/samba
    #%PAM-1.0
    # auth      required    pam_nologin.so
    # auth      required    pam_stack.so service=system-auth
    # account   required    pam_stack.so service=system-auth
    # session   required    pam_stack.so service=system-auth
    # password  required    pam_stack.so service=system-auth
    # USE WINBIND FOR AUTHENTICATION
    auth       sufficient    /usr/lib/security/pam_winbind.so try_first_pass
    account    sufficient    /usr/lib/security/pam_winbind.so try_first_pass
    session    sufficient    /usr/lib/security/pam_winbind.so try_first_pass

/etc/krb5.conf
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = CORPORATE.OEEY.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

    [realms]
    OEEY = {
        kdc = snowbird:88
        admin_server = snowbird:749
        default_domain = corporate.OEEY.com
    }

    [domain_realm]
    .corporate.OEEY.com = CORPORATE.OEEY.COM
    corporate.OEEY.com = CORPORATE.OEEY.COM

    [kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
