Jonathan Tullett
2006-Mar-21 20:39 UTC
[Samba] [homes] access failing when security=domain
Hello.

I'm having real difficulty in getting access to my [homes] shares on my samba server using any method (smbclient, from any windows machines etc).

My setup:
Samba: 3.0.14a (Debian precompiled binaries)
Winbind: 3.0.14a (Debian precompiled binaries)
Domain controller: Windows 2003 SP1

The machine's joined to the domain and users are authenticating via SSH (/etc/nsswitch.conf is configured correctly) and to any of the non-[homes] shares they're entitled to access (i.e. shares that are specifically defined in smb.conf.)

Proof of this working setup:

    officeserver:/home# wbinfo -t
    checking the trust secret via RPC calls succeeded
    officeserver:/home# wbinfo -u | head -2
    adam
    administrator
    officeserver:/home# wbinfo -g | head -2
    BUILTIN+system operators
    BUILTIN+replicators
    officeserver:/home# id tullettj
    uid=15003(tullettj) gid=15001(domain users) groups=15001(domain users),15000(domain admins)

The smb.conf file I'm using contains the following:

    [global]
        workgroup = DWPUB
        server string = %h server (Samba %v)
        security = DOMAIN
        client schannel = No
        obey pam restrictions = Yes
        password server = opmaster1.dwpub.com
        passdb backend = tdbsam, guest
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
        log level = 3
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        template homedir = /home/DWPUB/%U
        template shell = /bin/bash
        winbind separator = +
        winbind use default domain = Yes
        invalid users = root

    [homes]
        comment = Home Directories
        valid users = %S
        read only = No
        create mask = 0600
        directory mask = 0700
        browseable = No

I've run the server with 'log level = 3' to see what's going on, and the relevant parts of the output debug are:

    [2006/03/21 20:05:29, 3] auth/auth.c:check_ntlm_password(219)
      check_ntlm_password: Checking password for unmapped user [DWPUB]\[tullettj]@[OFFICESERVER] with the new password interface
    [2006/03/21 20:05:29, 3] auth/auth.c:check_ntlm_password(222)
      check_ntlm_password: mapped user is: [DWPUB]\[tullettj]@[OFFICESERVER]
    [2006/03/21 20:05:29, 3] auth/auth.c:check_ntlm_password(268)
      check_ntlm_password: winbind authentication for user [tullettj] succeeded
    [2006/03/21 20:05:29, 2] auth/auth.c:check_ntlm_password(305)
      check_ntlm_password: authentication for user [tullettj] -> [tullettj] -> [DWPUB+tullettj] succeeded
    [2006/03/21 20:05:29, 3] smbd/password.c:register_vuid(222)
      User name: DWPUB+tullettj Real name:
    [2006/03/21 20:05:29, 3] smbd/password.c:register_vuid(241)
      UNIX uid 15003 is UNIX user DWPUB+tullettj, and will be vuid 100
    [2006/03/21 20:05:29, 3] smbd/password.c:register_vuid(270)
      Adding homes service for user 'DWPUB+tullettj' using home directory: '/home/DWPUB/tullettj'
    [2006/03/21 20:05:29, 3] param/loadparm.c:lp_add_home(2368)
      adding home's share [tullettj] for user 'DWPUB+tullettj' at '/home/DWPUB/tullettj'

which all look great, but then it says:

    [2006/03/21 20:05:29, 3] smbd/process.c:process_smb(1091)
      Transaction 3 of length 102
    [2006/03/21 20:05:29, 3] smbd/process.c:switch_message(886)
      switch message SMBtconX (pid 10909) conn 0x0
    [2006/03/21 20:05:29, 3] smbd/sec_ctx.c:set_sec_ctx(288)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2006/03/21 20:05:29, 2] smbd/service.c:make_connection_snum(321)
      user 'DWPUB+tullettj' (from session setup) not permitted to access this share (tullettj)
    [2006/03/21 20:05:29, 3] smbd/error.c:error_packet(129)
      error packet at smbd/reply.c(415) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

The home directory has been created:

    officeserver:/home/DWPUB# ls -tlrd tullettj
    drwxr-xr-x 2 tullettj domain users 4096 Mar 21 20:05 tullettj

but I haven't been able to access it.

I've been trying different things, have read the news group and mailing lists but have so far been unsuccessful. If anyone is able to shed some light on this problem I would be _very_ grateful - this machine is supposed to be in production in a week or so.

Many thanks in advance for any help you can provide,
Jonathan.
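An added example, not part of the original post: a small parser that pairs each successful authentication in an smbd log with a later share-level denial for the same user, and reports the session user name beside the share name (`%S` in `valid users = %S` expands to the name of the service being connected to). The function names are hypothetical; the embedded entries are copied from the log above, laid out as smbd writes them (header line, then an indented message line).

```python
import re

# Four entries copied from the smbd log in the post above. Layout assumed:
# one header line per entry, followed by an indented message line.
LOG = """\
[2006/03/21 20:05:29, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: winbind authentication for user [tullettj] succeeded
[2006/03/21 20:05:29, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [tullettj] -> [tullettj] -> [DWPUB+tullettj] succeeded
[2006/03/21 20:05:29, 3] param/loadparm.c:lp_add_home(2368)
  adding home's share [tullettj] for user 'DWPUB+tullettj' at '/home/DWPUB/tullettj'
[2006/03/21 20:05:29, 2] smbd/service.c:make_connection_snum(321)
  user 'DWPUB+tullettj' (from session setup) not permitted to access this share (tullettj)
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<lvl>\d+)\] (?P<src>\S+)\((?P<line>\d+)\)$")
AUTH_OK = re.compile(r"authentication for user \[(?P<client>[^\]]+)\] -> \[[^\]]+\] -> "
                     r"\[(?P<unix>[^\]]+)\] succeeded")
DENIED = re.compile(r"user '(?P<user>[^']+)' \(from session setup\) not permitted "
                    r"to access this share \((?P<share>[^)]+)\)")

def entries(text):
    """Yield (timestamp, source, message) for each smbd log entry."""
    head, body = None, []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if head:
                yield head["ts"], head["src"], " ".join(body)
            head, body = m, []
        elif head and raw.strip():
            body.append(raw.strip())
    if head:
        yield head["ts"], head["src"], " ".join(body)

def auth_then_denied(text):
    """Return share denials for users whose authentication had already succeeded."""
    authed, findings = set(), []
    for ts, _src, msg in entries(text):
        if (m := AUTH_OK.search(msg)):
            authed.add(m["unix"])          # final mapped name, e.g. DWPUB+tullettj
        elif (m := DENIED.search(msg)) and m["user"] in authed:
            findings.append({"time": ts, "user": m["user"], "share": m["share"],
                             "name_matches_share": m["user"] == m["share"]})
    return findings

if __name__ == "__main__":
    print(auth_then_denied(LOG))
```
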
Jonathan Tullett
2006-Mar-22 12:34 UTC
[Samba] Re: [homes] access failing when security=domain
Jonathan Tullett wrote:
> I'm having real difficulty in getting access to my [homes] shares on my
> samba server using any method (smbclient, from any windows machines etc).
>
> My setup:
> Samba: 3.0.14a (Debian precompiled binaries)
> Winbind: 3.0.14a (Debian precompiled binaries)
> Domain controller: Windows 2003 SP1

Following on from last night, I've just upgraded the server so it's running samba-3.0.21c and the problem still remains.

If anyone can offer any help it would be greatly appreciated.