stelter at sonic.net
2010-Dec-11 19:32 UTC
[Samba] PDC on 3.0.8 upgraded to 3.5.6-70 now getting 'Access Is Denied' from clients
Wow! This got long on me.

The problem seems similar to the one expressed here:
http://www.mail-archive.com/samba at lists.samba.org/msg111029.html
but I already had server signing = no in my config, and the 4 relevant options all seem correct.

    client schannel = Auto
    server schannel = Auto
    client signing = auto
    server signing = No

On one of my PC's I can see 'If possible = yes' on the ones that are 'auto' and 'no' on the one that is 'no', so I think they are in sync.

I'm not 100% sure what might be relevant, so I included a lot following. For the Cliff's Notes, read the next 2 paragraphs and then skip down to my results of 38.1.7 from the troubleshooting guide. Here I can more or less reproduce the error, but the guide provides no expectation of an error the way I'm getting it.

In a nutshell, I tarred up all files I felt were important from my Fedora Core 3 installation and did a clean Fedora Core 14 installation, then untarred all the content for my shares, put /etc/samba/* back in place and fired up the new samba. I had hoped that I could just stick the tdb files over and everything would just keep working. But I think maybe I had multiple passwd.tdb and secret.tdb files and didn't realize which one was actually being used, because after doing so, pdbedit -w -L showed no users. So I added all the users back in via smbpasswd -a. I unjoined my machines from the domain and rejoined them.

Everything *mostly* seems like it should be working. I can log into an XP Pro or Win2K machine using domain=STELTER, but I'm immediately told that it can't access the profiles, so it logs me in with a vanilla desktop, but it does mount my login drive at I:. However, when I double-click on I:, I get a simple dialog saying 'Access Is Denied'.

Skip down to 38.1.7 and then come back to the rest if you find some history is needed.

Details Details Details follow:

WHY AM I DOING THIS??
---------------------
I had been happily running Fedora Core 3 since about 2004 (IIRC) with samba acting as a primary domain controller. I had 5 children, a wife and 3 computers. I implemented roaming profiles (after a considerable learning curve) and anyone in my family could log into any box and see the same desktop and same 'My Documents' (which was actually just a samba share directory). About once a year I would go on a 2 wk vacation and generally uptime on the box was about 350 days and I'd shut it down. It just worked.

Well, I have recently been upgrading some boxes (a 2.4 GHz P4 was the top machine on the domain) and the last one I built is going to replace one of the domain computers, but it is Win7 Pro. I found that the box did not join the domain and upon investigation learned I must have 3.3 or 3.4 and some registry tweaks.

SO WHAT HAVE I DONE?
---------------------
I really only cared about the data on my shares and the samba configuration, so my plan was to tar up the Linux disk into a 40GB file, copy it to another machine, install FC14, copy the tar back and untar it. It went mostly as designed-- I wound up with a 40GB tar file (I had created a /z directory and from / issued tar cf z/backup.tar [a-x]*). I copied that to my new Win7 Pro box and installed Fedora Core 14 back on my trusty 800MHz Celeron's 120GB drive. I then added all the users back via useradd with their old gid's and uid's. After copying the tar file back to the Fedora box, untarring it and putting all the shares back in their correct locations, I installed samba 3.5.6-70 and copied my smb.conf, passwd.tdb, secret.tdb, and lmhosts from my tar over to /etc/samba. I fired up samba and tried to see what was/wasn't working.

Well, first off, boxes could see the STELTER domain, but none of the machines inside. I found by doing pdbedit -w -L that my users did not translate over properly. I discovered that the secret.tdb and passwd.tdb file in use was under /var/... so clearly I hadn't put my files in the right place. In retrospect, I'm not really sure that the files I grabbed from /etc/samba were even in use on my old box. I also saw a secret.tdb file in my root directory which I copied over too.

I then found that something must have gone wrong with my 40GB tar. I had done a tar tvf on it after making it and confirmed that all the shares I cared about and /etc were in it, but I didn't look too closely at it. Seems somehow /var and /usr were omitted from the tar (got too long? some error I overlooked?). Matters not, those directories are now gone so there is no hope of finding out if the tdb files were under the var hierarchy or not-- Actually I probably have a backup of that from a couple years ago, but I just pressed on.

I did smbpasswd on each user and I unjoined/rejoined 3 computers to the domain. Now if I browse to Networks on a Windows box, I see the STELTER domain and if I push into it I can see all my shares. But if I try to actually see any contents on any of the shares, I'm told 'Access Is Denied'. On a non-domain box I can see Fedorabox, and when I click on it I can enter my DOMAIN\user login and it accepts it, but it then tells me the access is denied. On a domain machine I can log in with my domain credentials and it logs me in, but in the process it says it can't access the profiles share. It mounts my login drive, but not a second drive mounted in the netlogon script, so I don't think it can access the netlogon either.

I thought maybe some SID credential was stored and now mismatched because of the way I re-added all the users. I tried a command to flush the netbios cache or something like that but that didn't help (seemed to be tied to the machine SIDs, not user SIDs, and the machines don't seem to have problems with the domains-- it's the users that seem to have problems with the shares.)
NITTY GRITTY DETAILS:
Following: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html

38.1.1 testparm smb.conf -- No errors

38.1.2 I can't ping by hostname, but I can ping by IP address, and the other boxes can obviously find each other to domain register/etc, so I don't *think* this is the cause of it.

    [root at fedorabox samba]# iptables -L -v
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target  prot opt in   out  source    destination
      352 68137 ACCEPT  all  --  any  any  anywhere  anywhere     state RELATED,ESTABLISHED
        0     0 ACCEPT  icmp --  any  any  anywhere  anywhere
        0     0 ACCEPT  all  --  lo   any  anywhere  anywhere
        9   432 ACCEPT  tcp  --  any  any  anywhere  anywhere     state NEW tcp dpt:ftp
      302 23556 ACCEPT  udp  --  any  any  anywhere  anywhere     state NEW udp dpt:netbios-ns
       37  8905 ACCEPT  udp  --  any  any  anywhere  anywhere     state NEW udp dpt:netbios-dgm
        4   192 ACCEPT  tcp  --  any  any  anywhere  anywhere     state NEW tcp dpt:netbios-ssn
        0     0 ACCEPT  tcp  --  any  any  anywhere  anywhere     state NEW tcp dpt:microsoft-ds
        0     0 ACCEPT  udp  --  any  any  anywhere  anywhere     state NEW udp dpt:netbios-ns
        0     0 ACCEPT  udp  --  any  any  anywhere  anywhere     state NEW udp dpt:netbios-dgm
        0     0 ACCEPT  tcp  --  any  any  anywhere  anywhere     state NEW tcp dpt:ssh
        0     0 ACCEPT  tcp  --  any  any  anywhere  anywhere     state NEW tcp dpt:epmap
       49  4281 REJECT  all  --  any  any  anywhere  anywhere     reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target  prot opt in   out  source    destination
        0     0 REJECT  all  --  any  any  anywhere  anywhere     reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 419 packets, 49081 bytes)
     pkts bytes target  prot opt in   out  source    destination

I really don't understand this output fully, but the tcp/udp items above seem to map to 135/tcp, 137/udp, 138/udp, 139/tcp, and 445/tcp as prescribed in http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/securing-samba.html. I also disabled the firewall and the problem persisted, so I don't think the problem is here.
38.1.3 Looks good--

    [root at fedorabox samba]# smbclient -L fedorabox
    Enter cstelter's password:
    Domain=[STELTER] OS=[Unix] Server=[Samba 3.5.6-70.fc14]

            Sharename       Type      Comment
            ---------       ----      -------
            netlogon        Disk
            Profiles        Disk
            homedir         Disk      Commen 'system' type components
            sys             Disk      Commen 'system' type components
            IPC$            IPC       IPC Service (Samba Server)
            cstelter        Disk      Home Directories
    Domain=[STELTER] OS=[Unix] Server=[Samba 3.5.6-70.fc14]

            Server               Comment
            ---------            -------
            FEDORABOX            Samba Server
            GOOFTROOP
            GOOFTROOPTOO         Downstairs Activity
            MOMSBOX              Mom's Computer
            STELTERHUB

            Workgroup            Master
            ---------            -------
            STELTER              FEDORABOX
            WORKGROUP            HTPC

38.1.4-- here, 38.1.4 directs to do nmblookup -B fedorabox __SAMBA__, but that fails for me (DNS not working in my env), but Ch12 in the Quick HOWTO (http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch12_:_Samba_Security_and_Troubleshooting) directs to use the IP. I don't *think* this is my problem.

    [root at fedorabox samba]# nmblookup -B 192.168.0.102 __SAMBA__
    querying __SAMBA__ on 192.168.0.102
    192.168.0.102 __SAMBA__<00>

38.1.5 Again, I can't look up by name, but this works by IP address

    [root at fedorabox samba]# nmblookup -B 192.168.0.110 '*'
    querying * on 192.168.0.110
    192.168.0.110 *<00>

38.1.6 Looks good to me:

    [root at fedorabox samba]# nmblookup -d 2 '*'
    rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
    added interface eth0 ip=fe80::21b:21ff:fe0a:12c0%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
    added interface eth0 ip=192.168.0.102 bcast=192.168.0.255 netmask=255.255.255.0
    Got a positive name query response from 192.168.0.111 ( 192.168.0.111 )
    Got a positive name query response from 192.168.0.1 ( 192.168.0.1 )
    Got a positive name query response from 192.168.0.117 ( 192.168.0.117 )
    Got a positive name query response from 192.168.0.110 ( 192.168.0.110 )
    Got a positive name query response from 192.168.0.102 ( 192.168.0.102 )
    querying * on 192.168.0.255
    192.168.0.111 *<00>
    192.168.0.1 *<00>
    192.168.0.117 *<00>
    192.168.0.110 *<00>
    192.168.0.102 *<00>

38.1.7 This seems to exactly mirror my problem-- I can connect to a share, but I can't look at it.

    [root at fedorabox ~]# smbclient //fedorabox/sys
    Enter cstelter's password:
    Domain=[STELTER] OS=[Unix] Server=[Samba 3.5.6-70.fc14]
    smb: \> dir
    NT_STATUS_ACCESS_DENIED listing \*

                    60475 blocks of size 262144. 38485 blocks available
    smb: \> quit
    [root at fedorabox ~]# ls -al /share/system
    total 56
    drwxr-xr-x.  8 cstelter stelters 4096 Oct 21 10:52 .
    drwxr-xr-x.  3 root     root     4096 Dec 11 03:56 ..
    drwxr-xr-x.  2 cstelter stelters 4096 Sep 17  2008 bitmaps
    drwxr-xr-x.  4 cstelter stelters 4096 Feb  4  2007 Dad
    -rw-r--r--.  1 cstelter stelters 5478 May  1  2010 flight1.mid
    -rw-r--r--.  1 cstelter stelters 5478 May  1  2010 flight2.mid
    -rw-r--r--.  1 cstelter stelters 5478 May  1  2010 flight3.mid
    drwxr-xr-x. 38 cstelter stelters 4096 Oct  4  2005 infocom
    drwxr-xr-x.  2 cstelter stelters 4096 Oct  4  2005 Infocom Games
    drwxr-xr-x.  7 cstelter stelters 4096 Feb 12  2008 Program Files
    drwxr-xr-x. 51 cstelter stelters 4096 Nov 17 16:33 Utilities

And of course if I do this as user cstelter instead of user root, I have no problems looking at the unix dir:

    [cstelter at fedorabox system]$ ls
    bitmaps  flight1.mid  flight3.mid  Infocom Games  Utilities
    Dad      flight2.mid  infocom      Program Files

38.1.8 This one looks good

    C:\tmp>net view \\fedorabox
    Shared resources at \\fedorabox

    Samba Server

    Share name  Type  Used as  Comment
    -------------------------------------------------------------------------------
    cstelter    Disk           Home Directories
    homedir     Disk           Commen 'system' type components
    netlogon    Disk
    Profiles    Disk
    sys         Disk           Commen 'system' type components
    The command completed successfully.

38.1.9 This one looks good

    C:\tmp>net use x: \\fedorabox\sys
    The command completed successfully.
but then when I check, again not able to view files on the share:

    C:\tmp>x:

    X:\>dir
     Volume in drive X is sys
     Volume Serial Number is 5E44-014D

     Directory of X:\

    File Not Found

    X:\>

38.1.10 Looks good:

    [cstelter at fedorabox system]$ nmblookup -M STELTER
    querying STELTER on 192.168.0.255
    192.168.0.102 STELTER<1d>

38.1.11 This works until I actually try to browse *into* the shares. I can get a list of shares, just can't access them.

I've played with encrypt passwords-- currently I don't set it in smb.conf, but I've tried setting it to yes and it still fails.
Olaf Reitmaier Veracierta
2010-Dec-19 04:48 UTC
[Samba] PDC on 3.0.8 upgraded to 3.5.6-70 now getting 'Access Is Denied' from clients
Hi,

I solved the "stelter" problem concerning "NT_STATUS_ACCESS_DENIED" when listing a share (Samba 3.5 - Fedora 14) fresh install. The issue (that also happens to me) is described by "stelter" here:
http://www.mail-archive.com/samba at lists.samba.org/msg111828.html

This is caused by default SELinux policies. You must disable it on /etc/sysconfig/selinux or change the SELinux policy permission on the share using the command "chcon". Read this for more information:
http://fedoraproject.org/wiki/SELinux/samba

Regards.-

-- 
"You don't know where your shadow will fall", Somebody.-
----------------------------------------------------------------
Olaf Reitmaier Veracierta <olafrv at gmail.com>
----------------------------------------------------------------
http://www.olafrv.com
----------------------------------------------------------------
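The labeling check behind that advice, as an added example that is not from this thread, from Samba or from Fedora: a POSIX sh script that parses ls -Zd output for the share roots, flags any whose SELinux type smbd is not allowed to serve under the targeted policy, and prints the persistent relabel commands instead of reaching straight for chcon or turning SELinux off. It assumes the older five-field ls -Z layout, the targeted-policy type names samba_share_t / public_content_t / public_content_rw_t, and the constructed sample output embedded in the script.

```shell
#!/bin/sh
# Added example (not from the thread): audit the SELinux type on Samba share roots.
# Input is "ls -Zd" output in the old five-field coreutils layout (assumption):
#   mode user group user:role:type:level path
# Shares whose type smbd may not serve under the targeted policy are reported and
# the persistent relabel is printed, never executed.

# Types smbd may read under Fedora's targeted policy (assumption: that era's policy).
SAMBA_OK_TYPES="samba_share_t public_content_t public_content_rw_t"

# Constructed sample output of: ls -Zd /share/system /share/public /share/pub
SAMPLE='drwxr-xr-x. cstelter stelters unconfined_u:object_r:default_t:s0 /share/system
drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 /share/public
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /share/pub'

# selinux_type CONTEXT -> the type field of user:role:type:level
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_ok TYPE -> exit 0 if smbd may serve files of that type
label_ok() {
    for t in $SAMBA_OK_TYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# audit_shares < ls-Zd-output -> one "PATH TYPE" line per mislabeled share.
# The path is read last so names with spaces ("Program Files") survive.
audit_shares() {
    while read -r _mode _user _group ctx path; do
        [ -n "$path" ] || continue
        ftype=$(selinux_type "$ctx")
        label_ok "$ftype" || printf '%s %s\n' "$path" "$ftype"
    done
}

# fix_commands PATH -> persistent relabel of PATH and everything under it.
# semanage records the rule so restorecon and future relabels keep it; a bare
# chcon is undone by the next restorecon.
fix_commands() {
    printf 'semanage fcontext -a -t samba_share_t "%s(/.*)?"\n' "$1"
    printf 'restorecon -R -v "%s"\n' "$1"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | audit_shares | while read -r p t; do
    echo "# $p is labeled $t, which smbd cannot serve:" && fix_commands "$p"
done
```

A bare chcon fixes the symptom only until the next relabel, which is why the emitted commands record the rule with semanage fcontext before running restorecon. Home-directory shares are governed by the samba_enable_home_dirs boolean rather than by the share label, so this check does not apply to them.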