I kept getting prompted for a username and password when trying to connect to a Samba share despite the permissions being correct, and got this error message in the Samba logs:
[2011/10/31 13:54:16.781238, 1] smbd/sesssetup.c:454(reply_spnego_kerberos)
Username DOMAIN\username is invalid on this system
Samba has to be able to map any connecting Windows user to a Linux user. So in ADS mode, where it's getting its list of users from a Windows DC, it still needs to be able to assign a Linux uid and gid to the Windows user ID/SID.
The fix is to add idmap uid and idmap gid entries to the [global] section of smb.conf, as below, and restart your Samba services.
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
server string = Samba Server Version %v
security = ADS
password server = dc01.domain.local dc02.domain.local
log file = /var/log/samba/log.%m
max log size = 50
idmap uid = 100000-200000
idmap gid = 100000-200000
winbind use default domain = Yes
cups options = raw
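Added example (not part of the original post): a small Python check that reads an smb.conf, and when security = ADS is set, reports a missing or malformed idmap uid / idmap gid range. It goes one step beyond the post by also flagging a range that collides with ids already used by local accounts. The function names and the sample configs are constructed for illustration.

```python
import re

# Constructed sample configs (not taken from a real host).
BROKEN = """\
[global]
workgroup = DOMAIN
security = ADS
"""
FIXED = BROKEN + "idmap uid = 100000-200000\nidmap gid = 100000-200000\n"

def global_params(conf_text):
    """Return the [global] parameters of an smb.conf as a dict.
    Samba ignores case and spaces in parameter names, so normalise both."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def check_idmap(conf_text, local_ids=()):
    """List the idmap problems that would stop domain users being mapped.
    local_ids: uids/gids already used locally (e.g. read from /etc/passwd)."""
    params = global_params(conf_text)
    if params.get("security", "").lower() != "ads":
        return []
    problems = []
    for name in ("idmap uid", "idmap gid"):
        value = params.get(name.replace(" ", ""))
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value or "")
        if value is None:
            problems.append(f"{name} is not set")
        elif not m or int(m.group(1)) > int(m.group(2)):
            problems.append(f"{name} has a bad range: {value}")
        else:
            low, high = int(m.group(1)), int(m.group(2))
            clash = sorted(i for i in local_ids if low <= i <= high)
            if clash:
                problems.append(f"{name} overlaps local ids {clash}")
    return problems

if __name__ == "__main__":
    print(check_idmap(BROKEN))
    print(check_idmap(FIXED, local_ids=[0, 1000, 1001]))
```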