My company is trying to migrate from NT4-style domains to Active Directory
domains. We've read the Samba Docs and Wiki, inside and out, but are having
issues setting it up as per what we are thinking is "expected".

Our expectation:

1 instance running the DC
1 instance running a replicated DC (2 DCs in total)
1 instance "joined" to the domain to serve files

We can do the first two, but we cannot, for the life of us, get the member
server to allow users on the DC to access shares on the file server.

Although I do not have access to the smb.conf files (the servers are in
another building and turned off at the moment, since we're only testing), I
can tell you what we've tried:

1. Get the first DC up. Kerberos authenticates perfectly, internal DNS
working. Client computers can join the domain, and log in with our newly
created AD accounts.
2. Running "net ads join -u Administrator" works on the member server.
Verified in AD Users and Computers as a Computer (not a domain controller)
3. Create the share in smb.conf on the file server. Security is already set
to ads, the idmap entries added, etc.
4. When anyone tries to connect to the share, access is denied. The only way
we can access it is by using a user map for Administrator to root and using
the AD Administrator account. Domain Admins cannot access the shared
folder, either.
5. On the member server, wbinfo works for verifying that users and groups
exist, but getent does not.

1. Are we on the right path for setting up AD correctly?
2. How bad would it be to share the folders from the DC itself? We would
have anywhere between 20 and 1000 users logged in at a time, all from
Windows 7, 8.1 and 10 computers.

Thanks in advance! Once I get the smb.conf files, I'll get them posted as
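The member-server setup in steps 2 to 5 is where the poster gets stuck, so here is an added example (not from the original post, and not Samba's own code): a minimal member-server smb.conf for a Samba AD domain, plus two checks for the configuration points that most often produce exactly the symptom "wbinfo works, getent does not" on a member server, namely winbind missing from /etc/nsswitch.conf and a missing idmap range for the domain. wbinfo talks to winbindd directly, while getent, id and smbd's SID-to-uid mapping go through NSS; when NSS is not wired to winbind, users resolve with wbinfo but get no uid, and every share access ends in Access Denied. The domain name EXAMPLE, the realm EXAMPLE.COM, the idmap ranges and the share path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Domain/realm names, ranges and
# paths below are assumptions; adjust to the real domain.

# Print a minimal member-server smb.conf. On a member server winbind owns the
# SID->uid mapping (the DC's idmap is not replicated to members), so the domain
# gets its own "idmap config" block and "*" catches BUILTIN/well-known SIDs.
member_smb_conf() {
    cat <<'EOF'
[global]
    security = ads
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    kerberos method = secrets and keytab
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    # default backend for BUILTIN and any domain not listed below
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # deterministic mapping for the domain itself; identical on every member
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999

[data]
    path = /srv/samba/data
    read only = no
    valid users = @"EXAMPLE\Domain Users"
EOF
}

# Return 0 only if both the passwd and group lines of an nsswitch.conf hand
# lookups to winbind. Without this, getent/id fail even though wbinfo works,
# and smbd cannot map a domain SID to a uid.
check_nss_winbind() {
    nss="${1:-/etc/nsswitch.conf}"
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$nss" || return 1
    grep -Eq '^[[:space:]]*group:.*[[:space:]]winbind([[:space:]]|$)'  "$nss" || return 1
    return 0
}

# Return 0 only if an smb.conf has "security = ads", a workgroup, and an idmap
# range for both the default domain "*" and the named workgroup. A domain with
# no idmap range is the other common reason a user that wbinfo lists gets no uid.
check_smb_conf() {
    conf="$1"
    wg=$(sed -n 's/^[[:space:]]*workgroup[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | head -n 1)
    [ -n "$wg" ] || return 1
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads' "$conf" || return 1
    grep -Eq  '^[[:space:]]*idmap config[[:space:]]*\*[[:space:]]*:[[:space:]]*range[[:space:]]*=' "$conf" || return 1
    grep -Eq  "^[[:space:]]*idmap config[[:space:]]*$wg[[:space:]]*:[[:space:]]*range[[:space:]]*=" "$conf" || return 1
    return 0
}

# Typical use on the member server, after "net ads join -U Administrator":
#   member_smb_conf > /etc/samba/smb.conf
#   check_nss_winbind && check_smb_conf /etc/samba/smb.conf && echo "config ok"
# then restart winbind/smbd and confirm end to end with:
#   wbinfo -u; getent passwd someuser; id someuser
# id must print a numeric uid from the 10000-999999 range before any
# share-level permissions are worth debugging.
```

The share also needs filesystem permissions that the mapped uid or gid can satisfy (for example, the directory group-owned by "Domain Users" once id resolves it); the checks above only cover the identity mapping that has to work first.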
