The situation is as follows: there is a PDC on W2K and a FreeBSD server with a share. Domain users need to get onto this share the same way they get onto the shares of the Windows servers.
Initially: the PDC is pdc.Bdomain.adomain.ru, IP=192.168.0.2
I did everything according to the widely circulated "Samba + AD" how-to.
I install FreeBSD 7.0
hostname core.Bdomain.adomain.ru IP=192.168.0.8
I update the ports
I install Samba 3.0.32
I write the following into the files:
hosts:
::1 localhost localhost.bdomain.adomain.ru
127.0.0.1 localhost localhost.Bdomain.adomain.ru
192.168.0.2 pdc.Bdomain.adomain.ru pdc
192.168.0.8 core.Bdomain.adomain.ru core
resolv.conf:
domain BDOMAIN.ADOMAIN.RU
nameserver 192.168.0.2
nsswitch.conf:
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
krb5.conf:
[libdefaults]
default_realm = BDOMAIN.ADOMAIN.RU
dns_lookup_realm = false
dns_lookup_kdc = false
krb4_get_tickets = false
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
[appdefaults]
proxiable = true
ticket_lifetime = 24h
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
[realms]
BDOMAIN.ADOMAIN.RU = {
kdc = tcp/pdc.BDOMAIN.ADOMAIN:88
admin_server = pdc.BDOMAIN.ADOMAIN.RU
default_domain = BDOMAIN.ADOMAIN.RU
}
[domain_realm]
.BDOMAIN.ADOMAIN.RU = BDOMAIN.ADOMAIN.RU
BDOMAIN.ADOMAIN.RU = BDOMAIN.ADOMAIN.RU
[kdc]
enable-kerberos4 = false
[logging]
default = FILE:/nas-1/logs/samba/krb5libs.log
kdc = FILE:/nas-1/logs/samba/krb5kdc.log
admin_server = FILE:/nas-1/logs/samba/kadmind.log
smb.conf:
[global]
log file = /var/log/samba/log.%m
display charset = koi8-r
load printers = no
socket options = TCP_NODELAY
winbind trusted domains only = yes
hosts allow = 192.168.0.0/24 127.0.0.1
realm = BDOMAIN.ADOMAIN.RU
winbind use default domain = yes
dns proxy = no
netbios name = core
server string = CORE
password server = 192.168.0.2
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
workgroup = ADOMAIN
os level = 1
winbind enum groups = yes
create mode = 777
security = ads
unix charset = koi8-r
max log size = 500
directory mode = 777
[qwerty]
writeable = yes
valid users = pupkin@ADOMAIN
path = /nas-1
write list = pupkin@ADOMAIN,@"domain admins"
After a reboot:
core# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: admin@BDOMAIN.ADOMAIN.RU
Issued Expires Principal
Sep 22 14:45:10 Sep 22 22:45:10 krbtgt/BDOMAIN.ADOMAIN.RU@BDOMAIN.ADOMAIN.RU
core# kinit admin
admin@BDOMAIN.ADOMAIN.RU's Password:
kinit: NOTICE: ticket renewable lifetime is 8 hours
core# net ads join -U admin
admin's password:
Using short domain name -- ADOMAIN
DNS update failed!
Joined 'CORE' to realm 'BDOMAIN.ADOMAIN.RU'
core# net ads info
LDAP server: 192.168.0.2
LDAP server name: pdc.Bdomain.adomain.ru
Realm: BDOMAIN.ADOMAIN.RU
Bind Path: dc=BDOMAIN,dc=ADOMAIN,dc=RU
LDAP port: 389
Server time: Mon, 22 Sep 2008 15:49:08 MSD
KDC server: 192.168.0.2
Server time offset: 2
core# wbinfo -t
checking the trust secret via RPC calls failed
error code was (0x0)
Could not check secret
core# wbinfo -u
Error looking up domain users
Restarting Samba:
core# /etc/rc.d/samba stop
core# /etc/rc.d/samba start
and after that:
core# wbinfo -t
checking the trust secret via RPC calls succeeded
core# wbinfo -D ADOMAIN
Name : ADOMAIN
Alt_Name : Bdomain.adomain.ru
SID : S-1-5-21-789336058-152049171-1801674531
Active Directory : Yes
Native : No
Primary : Yes
Sequence : 1744635
core# wbinfo -u
lots of users
core# wbinfo -g
a pile of groups
core# wbinfo -a pupkin%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
core# testparm
Load smb config files from /usr/local/etc/smb.conf
Processing section "[qwerty]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
-= BUT!!!!! =-
core# id admin
id: admin: no such user
-= =-
I try to open the qwerty share from a Windows box at 192.168.0.38 through Network Neighborhood; it throws up a credentials prompt. I enter pupkin@ADOMAIN and the password, and it does not let me in.
I look and see that a log named log.192.168.0.38 has appeared in /var/log/samba, which says:
[2008/09/22 16:42:38, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
Username ADOMAIN\pupkin is invalid on this system
With more detailed logging:
[2008/09/22 18:10:17, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.0.38)
[2008/09/22 18:10:17, 2] smbd/reply.c:reply_special(324)
netbios connect: name1=CORE name2=STANLEY_38
[2008/09/22 18:10:17, 2] smbd/reply.c:reply_special(331)
netbios connect: local=core remote=stanley_38, name type = 0
[2008/09/22 18:10:27, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.0.38)
[2008/09/22 18:10:27, 2] smbd/sesssetup.c:setup_new_vc_session(1212)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2008/09/22 18:10:27, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
Username ADOMAIN\pupkin is invalid on this system
A piece of even more detailed logging:
[2008/09/22 18:12:58, 2] smbd/sesssetup.c:setup_new_vc_session(1212)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2008/09/22 18:12:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
Doing spnego session setup
[2008/09/22 18:12:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2008/09/22 18:12:58, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
reply_spnego_negotiate: Got secblob of size 1280
[2008/09/22 18:12:58, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Message size is incompatible with encryption type
[2008/09/22 18:12:58, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Message size is incompatible with encryption type
[2008/09/22 18:12:58, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
Ticket name is [pupkin@BDOMAIN.ADOMAIN.RU]
[2008/09/22 18:12:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
Username ADOMAIN\pupkin is invalid on this system
[2008/09/22 18:12:58, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2008/09/22 18:12:58, 3] smbd/process.c:timeout_processing(1329)
timeout_processing: End of file from client (client has disconnected).
Hence the questions. There are actually two of them.
1. Username ADOMAIN\pupkin is invalid on this system
How do I make it let users into the share?
I suspect both problems get fixed by one solution, but which one?
2. core# id admin
id: admin: no such user
How do I fix this? I suspect the problem lies somewhere in /usr/local/etc/samba/secrets.tdb
log.winbindd:
[2008/09/23 01:20:00, 0] lib/util_tdb.c:tdb_log(664)
tdb(/var/db/samba/messages.tdb): tdb_reopen: open failed (No such file or directory)
[2008/09/23 01:20:00, 0] nsswitch/winbindd_dual.c:fork_domain_child(935)
tdb_reopen_all failed.
[2008/09/23 01:20:00, 1] nsswitch/winbindd_util.c:trustdom_recv(230)
Could not receive trustdoms