I need to let ~200 users out to the Internet through a squid proxy, with authentication against AD by login/password. The domain runs on win2k3.
There are some problems joining the domain.
To start with:
$ uname -a
Linux test 2.6.18-1.2849.fc6 #1 SMP Fri Nov 10 12:36:14 EST 2006 i686 i686 i386 GNU/Linux
$ rpm -qa |grep -i -e ldap -e krb
krb5-devel-1.5-7
krb5-libs-1.5-7
pam_krb5-2.2.11-1
krb5-workstation-1.5-7
openldap-2.3.27-4
openldap-devel-2.3.27-4
nss_ldap-257-4.fc6
samba was built from source
$ smbd -V
Version 3.0.28a
$ cat /etc/hosts
::1 test localhost.localdomain localhost
127.0.0.1 test.main.domain.by localhost test
10.130.129.33 test.main.domain.by test
10.130.129.52 test
10.1.100.133 main.domain.by
$ping main.domain.by
PING main.domain.by (10.1.100.133) 56(84) bytes of data.
64 bytes from main.domain.by (10.1.100.133): icmp_seq=1 ttl=127 time=1.19 ms
64 bytes from main.domain.by (10.1.100.133): icmp_seq=2 ttl=127 time=0.436 ms
$ nslookup main.domain.by
Server: 10.1.100.133
Address: 10.1.100.133#53
Name: main.domain.by
Address: 10.130.129.100
Name: main.domain.by
Address: 10.1.100.133
Name: main.domain.by
Address: 10.254.0.2
Name: main.domain.by
Address: 10.1.100.181
Name: main.domain.by
Address: 10.1.100.182
Name: main.domain.by
Address: 10.144.129.30
Name: main.domain.by
Address: 10.254.0.3
$ grep -e "HAVE_KRB5 " -e "WITH_ADS" /home/user/samba-3.0.28a/source/include/config.h
#define HAVE_KRB5 1
#define WITH_ADS 1
# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MAIN.DOMAIN.BY
dns_lookup_realm = false
dns_lookup_kdc = false
# ticket_lifetime =
[realms]
MAIN.DOMAIN.BY = {
# admin_server = SRV-DC-002.MAIN.DOMAIN.BY
admin_server = 10.1.100.133
# kdc = SRV-DC-002.MAIN.DOMAIN.BY
kdc = 10.1.100.133
# kpasswd_server = SRV-DC-002.MAIN.DOMAIN.BY
kpasswd_server = 10.1.100.133
default_domain = MAIN.DOMAIN.BY
# main.domain.by
}
[domain_realm]
.main.domain.by = MAIN.DOMAIN.BY
main.domain.BY = MAIN.DOMAIN.BY
[kdc]
$ cat /usr/local/samba/lib/smb.conf | sed -e '/^$/d' -e '/^#/d' -e '/^;/d'
[global]
workgroup = DOMAIN
netbios name = test
server string = "test serv"
security = ads
hosts allow = 10. 127.
# load printers = yes
log file = /var/log/samba/%m.log
max log size = 50000
password server = 10.1.100.133
# and AD
encrypt passwords = yes
winbind uid = 10000-25000
winbind gid = 10000-25000
winbind enum groups = yes
winbind enum users = yes
realm = MAIN.DOMAIN.BY
passdb backend = tdbsam
local master = no
os level = 0
domain master = no
preferred master = no
domain logons = no
wins server = 10.1.100.100
wins proxy = no
dns proxy = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
display charset = UTF-8
dos charset = CP866
unix charset = UTF-8
log level = 3
[share]
path = /data/public
read list =
write list =
read only = no
public = yes
writable = yes
browsable = yes
guest ok = yes
# cat /etc/nsswitch.conf
group: files winbind
passwd: files winbind
shadow: files winbind
passwd: files
shadow: files
group: files
#hosts: db files nisplus nis dns
hosts: files winbind dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files dns
protocols: files winbind
rpc: db files
services: files winbind
netgroup: nisplus winbind
publickey: nisplus
automount: files winbind
aliases: files nisplus
So:
everything seems to be configured. As root I obtain a ticket for my own AD user (who has no right to join machines to the domain); ntpd is running, and to be safe I first sync time with the server
# net time set -> OK
# kinit my_domain_user@MAIN.DOMAIN.BY
Password for my_domain_user@MAIN.DOMAIN.BY:
got it; checking the klist output.
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: my_domain_user@MAIN.DOMAIN.BY
Valid starting Expires Service principal
08/07/08 09:34:33 08/07/08 19:35:14 krbtgt/MAIN.DOMAIN.BY@MAIN.DOMAIN.BY
renew until 08/14/08 09:34:33
08/07/08 09:35:14 08/07/08 19:35:14 test$@MAIN.DOMAIN.BY
renew until 08/14/08 09:34:33
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
next, adminDomain joins the machine to the domain:
# net ads join -U adminDomain%password
Using short domain name -- DOMAIN
Joined 'test' to realm 'MAIN.DOMAIN.BY'
# smbd -D
# winbindd -i -d3
# nmbd -D
Checking:
# wbinfo -t
checking the trust secret via RPC calls succeeded
# wbinfo -p
Ping to winbindd succeeded on fd 4
# wbinfo -u
after 50-70 seconds it prints
Error looking up domain users
Meanwhile winbindd with debuglevel=4 spews messages like
no reply received to cldap netlogon
and
Not a user account? atype=0x30000000 # <- how to fix this
second run:
# wbinfo -u ; wbinfo -u | wc -l
(list of users)
(their count)
i.e. it works; next
# wbinfo -g ; wbinfo -g | wc -l
(list of groups)
(their count)
# wbinfo -D DOMAIN
Name : DOMAIN
Alt_Name : MAIN.DOMAIN.BY
SID : S-1-5-21-1549627856-163330409-526660263
Active Directory : Yes
Native : Yes
Primary : Yes
Sequence : -1
Now the actual problem:
the query, and the output that comes back immediately:
# id my_domain_user
id: my_domain_user: No such user
For that reason I'm not yet venturing to set up squid...
I suspect it's something in /etc/nsswitch.conf, but what exactly?
>>>
zmr0k ()
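An added diagnostic (my own script, not from the post above or from the Samba project) that mechanically checks two things a reviewer would look at in the listings the poster pasted: which databases /etc/nsswitch.conf defines more than once (the listing has `passwd`, `shadow` and `group` each twice, once with `winbind` and once without, and only one of the two definitions is honored by the resolver, so the effective lookup chain is not what a reader of the file would assume), and which hostnames /etc/hosts maps to more than one address (the pasted file maps `test` to four addresses and the FQDN to two, including a loopback one, which matters for a machine whose Kerberos principal is `test$@MAIN.DOMAIN.BY`). The sample files are constructed here from the post's listings; the function names and the use of a temporary directory are my choices. `localhost` showing up in the second report is expected (`::1` plus `127.0.0.1`).

```shell
#!/bin/sh
# Added example, not part of the original post. Two small checks over
# nsswitch.conf and /etc/hosts, run against samples built from the
# listings in the post so the script runs offline.
LC_ALL=C
export LC_ALL

# Print each nsswitch database that is defined on more than one
# non-comment line. Only one of the duplicate lines takes effect,
# so any name printed here means the file is ambiguous to its reader.
nsswitch_dupes() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" \
      | awk -F: '{ gsub(/[[:space:]]/, "", $1); print $1 }' \
      | sort | uniq -d
}

# Print "name count" for every hostname that /etc/hosts maps to more
# than one distinct address (a name repeated on the same address once
# is not counted twice).
hosts_multi_ip() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" \
      | awk '{ for (i = 2; i <= NF; i++) print $i, $1 }' \
      | sort -u \
      | awk '{ n[$1]++ } END { for (k in n) if (n[k] > 1) print k, n[k] }' \
      | sort
}

# Constructed samples, copied from the post's own listings.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

NSSWITCH_SAMPLE="$tmpdir/nsswitch.conf"
cat > "$NSSWITCH_SAMPLE" <<'EOF'
group: files winbind
passwd: files winbind
shadow: files winbind
passwd: files
shadow: files
group: files
#hosts: db files nisplus nis dns
hosts: files winbind dns
protocols: files winbind
services: files winbind
EOF

HOSTS_SAMPLE="$tmpdir/hosts"
cat > "$HOSTS_SAMPLE" <<'EOF'
::1 test localhost.localdomain localhost
127.0.0.1 test.main.domain.by localhost test
10.130.129.33 test.main.domain.by test
10.130.129.52 test
10.1.100.133 main.domain.by
EOF

echo "nsswitch databases defined more than once:"
nsswitch_dupes "$NSSWITCH_SAMPLE"
echo "hostnames with more than one address in /etc/hosts:"
hosts_multi_ip "$HOSTS_SAMPLE"
```

To run it against the live files instead of the samples, call `nsswitch_dupes /etc/nsswitch.conf` and `hosts_multi_ip /etc/hosts`; an empty first report and a second report listing only `localhost` is the clean result.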