Tim Bates
2007-May-11 05:21 UTC
[Samba] Samba on Debian: Sarge -> Etch = broken guest shares
I upgraded a server from Debian Sarge to Etch the other day. Today I
discovered a fairly major issue... All the shares I had set up for guest
access have stopped working. The shares are meant to be writable by me
and a few others, and read only for guest, but it's flat out refusing to
authenticate anyone using guest (or unknown users which should be
mapping to guest).
SMB.conf is below (with a pile of unrelated shares stripped out for space).
[global]
workgroup = wwhs
server string = WWHS Main Data Server
dns proxy = no
map to guest = Bad User
guest account = nobody
log file = /var/log/samba/log.%m
log level = 2
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
passdb backend = ldapsam:ldap://127.0.0.1/
ldap suffix = dc=wwhs
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap admin dn = "cn=admin,dc=wwhs"
ldap delete dn = no
obey pam restrictions = yes
ldap password sync = yes
pam password change = yes
add machine script = /usr/sbin/smbldap-useradd -w "%u"
printing = cups
printcap name = cups
socket options = TCP_NODELAY
domain master = yes
prefered master = yes
domain logons = yes
logon path = \\%L\Profiles\%U
logon script = %G.bat
# The next line includes homes based on groups. Some groups need different options.
include = /etc/samba/homes-%G.conf
[netlogon]
comment = Network Logon Service
path = /samba/netlogon
writable = yes
share modes = no
write list = @it-admin, root
guest ok = no
[printers]
comment = All Printers
browseable = no
path = /tmp
printable = yes
public = yes
writable = no
create mode = 0700
guest ok = no
[print$]
comment = Printer Drivers
path = /samba/print$
browseable = yes
guest ok = no
writable = yes
write list = root, @it-admin
[profiles]
comment = Account Profile Data
path = /samba/profiles
browsable = no
read only = no
guest ok = no
create mode = 0750
hide files = /desktop.ini/ntuser.ini/NTUSER.*/nethood/target.lnk/prf???.tmp/prf??.tmp/
[unattended]
comment = Files for scripted Windows reinstalls
path = /samba/unattended
browsable = no
writeable = yes
write list = @it-admin
create mode = 0664
directory mode = 0775
force group = it-admin
valid users = @it-admin, guest, nobody
guest ok = yes
[wpkg]
comment = WPKG files
path = /samba/wpkg
browsable = no
writeable = yes
write list = @it-admin
create mode = 0664
directory mode = 0775
force group = it-admin
valid users = @it-admin, nobody
guest ok = yes
**********************************************************************
This message is intended for the addressee named and may contain
privileged information or confidential information or both. If you
are not the intended recipient please delete it and notify the sender.
**********************************************************************
Tim Bates
2007-May-13 23:47 UTC
[Samba] Samba on Debian: Sarge -> Etch = broken guest shares
OK, I have now used tdbtool to remove the entries for "nobody" from passwd.tdb, and I checked for anything relating to the share or the guest user in all the other tdb files. It still doesn't work.

I have just entered "security=share" for that share, and removed write access and the other security options. That makes it work, but I don't really want to leave it in that state.

I'm led to believe there's something up with my valid users list or something... Could someone check the "unattended" and "wpkg" shares I have listed in my config (in the quoted messages below) and tell me if there's something completely wrong with what I have? It used to work, but I guess something's changed.

TB

Dale Schroeder wrote:
> Tim,
>
> Going from Sarge to Etch, I am assuming you went from Samba 3.0.14 to
> 3.0.24. Major changes occurred, starting with 3.0.23. I suspect your
> problem lies within these changes. If I had to guess, I would say the
> Samba ldap schema changes are the culprit, but since I don't use ldap,
> it's just a guess. See
> http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html
> for details. The user and group changes would be the other likely
> possibility.
>
> [BTW, [printers] has conflicting directives - "public = yes" and
> "guest ok = no".]
>
> Good luck,
>
> Dale
>
> Tim Bates wrote:
>> I upgraded a server from Debian Sarge to Etch the other day. Today I
>> discovered a fairly major issue... All the shares I had set up for
>> guest access have stopped working. The shares are meant to be
>> writable by me and a few others, and read only for guest, but it's
>> flat out refusing to authenticate anyone using guest (or unknown
>> users which should be mapping to guest).
>> SMB.conf is below (with a pile of unrelated shares stripped out for
>> space).
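The [printers] conflict Dale points out exists because "public" is a synonym for "guest ok" in smb.conf, so that section sets one parameter twice with opposite values. The following is an added example, not part of the original thread or of Samba: a small Python audit that folds a few well-known synonyms, reports contradictory settings, and lists the sections left guest-accessible. It assumes the later of two settings wins; the function names are illustrative and the sample is an excerpt of the config posted above.

```python
import re

# smb.conf synonyms: alias -> (canonical name, boolean value inverted?)
SYNONYMS = {"public": ("guest ok", False), "browsable": ("browseable", False),
            "writable": ("read only", True), "writeable": ("read only", True)}
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

# Excerpt of the smb.conf posted in this thread
SAMPLE = """\
[printers]
public = yes
guest ok = no
[unattended]
writeable = yes
valid users = @it-admin, guest, nobody
guest ok = yes
[wpkg]
valid users = @it-admin, nobody
guest ok = yes
"""

def canonical(key, value):
    """Fold a synonym onto its canonical name, inverting booleans if needed."""
    key = " ".join(key.lower().split())
    name, inverted = SYNONYMS.get(key, (key, False))
    value = value.strip()
    if value.lower() in TRUE | FALSE:
        value = "yes" if (value.lower() in TRUE) != inverted else "no"
    return name, value

def audit(text):
    """Return (effective settings per section, contradictory settings)."""
    shares, conflicts, section = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            shares.setdefault(section, {})
        elif section is not None and "=" in line:
            name, value = canonical(*line.split("=", 1))
            seen = shares[section]
            if seen.get(name, value) != value:
                conflicts.append((section, name, seen[name], value))
            seen[name] = value  # assumption: the later setting wins
    return shares, conflicts

def guest_shares(shares):
    return sorted(n for n, s in shares.items() if s.get("guest ok") == "yes")
```

Samba's own testparm -s prints the configuration as the server parses it and remains the authoritative check; this sketch only makes the synonym collision visible.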