samba - May 2011 - Access denied to samba server from win7 64bit behind a VPN

Hi,

I have a problem of Access denied to samba server from win7 64bit behind 
a VPN.
the samba server is 3.2.5-4 release on a debian lenny (I will upgrade it 
soon), member of a win2K AD domain.
the win7 PCs are on the same AD domain, they can access to an other 
samba server witch is very similar (same release, same smb.conf, same 
VPN config).
If I do on a win7 PC: net view \\srvlinux
I see:
L'erreur syst?me 5 s'est produite.
Acc?s refus?.
on srvlinux, in /var/log/samba/log.PCname, I see:
[2011/05/13 11:26:34,  0] lib/util_sock.c:read_socket_with_timeout(939)
[2011/05/13 11:26:34,  0] lib/util_sock.c:get_peer_addr_internal(1683)
   getpeername failed. Error was Noeud final de transport n'est pas connect?
   read_socket_with_timeout: client 0.0.0.0 read error = Connexion 
r?-initialis?e par le correspondant.
I think this timeout is because of  the VPN link, but it's the same log 
on the other samba server witch I can access.
I tried to un-join & join server & PC to the domain, but it didn't 
solved.  I also tried with several windows user who can access srvlinux 
from other PCs on the two sides of the VPN.
Any help is welcome .
Vincent MALIEN

this is my smb.conf:
[global]
    workgroup = SOCOFER
    server string = %h server web interne et FTP (Samba %v)
;   wins server = w.x.y.z
    dns proxy = no
;   name resolve order = lmhosts host wins bcast
;   interfaces = 127.0.0.0/8 eth0
;   bind interfaces only = yes
    dos charset = cp850
    unix charset = ISO-8859-1
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = ADS
    realm = SOCOFER.DOM
    password server = 192.168.5.44
    client use spnego = yes
    encrypt passwords = true
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n 
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
;   domain logons = yes
;   logon path = \\%N\profiles\%U
;   logon drive = H:
;   logon script = logon.cmd
; add user script = /usr/sbin/adduser --quiet --disabled-password 
--gecos "" %u
; add machine script  = /usr/sbin/useradd -g machines -c "%u machine 
account" -d /var/lib/samba -s /bin/false %u
; add group script = /usr/sbin/addgroup --force-badname %g
;   printing = bsd
;   printcap name = /etc/printcap
;   printing = cups
;   printcap name = cups
;   include = /home/samba/etc/smb.conf.%m
;   message command = /bin/sh -c '/usr/bin/linpopup "%f"
"%m" %s; rm %s' &
    winbind separator = +
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind enum groups = yes
    winbind enum users = yes
    usershare max shares = 100
    winbind use default domain = yes
# emp?che le client de devenir maitre explorateur
    domain master = no
    local master = no
    preferred master = no
    os level = 0
[homes]
    comment = Home Directories
    browseable = yes
    writable = yes
    create mask = 0777
    directory mask = 0777
    valid users = %S

Is this a client-to-site or site-to-site VPN?

Does "new view \\IP_ADDRESS_OF_SERVER" work?

I have one samba server (compiled from source) where Windows VPN clients 
can't access it by name UNLESS using either WINS ior an lmhosts file is 
configured.   packet sniffing showed the client connecting and an 
initial response, but then the nothing else.   Clearly not a problem 
with the clients which could  access every other samba or windows server 
over the VPN.     Some Win machines were domain members, some weren't.



On 05/13/2011 10:00 AM, Vincent Malien wrote:
>  Hi,
>
> I have a problem of Access denied to samba server from win7 64bit 
> behind a VPN.
> the samba server is 3.2.5-4 release on a debian lenny (I will upgrade 
> it soon), member of a win2K AD domain.
> the win7 PCs are on the same AD domain, they can access to an other 
> samba server witch is very similar (same release, same smb.conf, same 
> VPN config).
> If I do on a win7 PC: net view \\srvlinux
> I see:
> L'erreur syst?me 5 s'est produite.
> Acc?s refus?.
> on srvlinux, in /var/log/samba/log.PCname, I see:
> [2011/05/13 11:26:34,  0] lib/util_sock.c:read_socket_with_timeout(939)
> [2011/05/13 11:26:34,  0] lib/util_sock.c:get_peer_addr_internal(1683)
>   getpeername failed. Error was Noeud final de transport n'est pas 
> connect?
>   read_socket_with_timeout: client 0.0.0.0 read error = Connexion 
> r?-initialis?e par le correspondant.
> I think this timeout is because of  the VPN link, but it's the same 
> log on the other samba server witch I can access.
> I tried to un-join & join server & PC to the domain, but it
didn't
> solved.  I also tried with several windows user who can access 
> srvlinux from other PCs on the two sides of the VPN.
> Any help is welcome .
> Vincent MALIEN
>
> this is my smb.conf:
> [global]
>    workgroup = SOCOFER
>    server string = %h server web interne et FTP (Samba %v)
> ;   wins server = w.x.y.z
>    dns proxy = no
> ;   name resolve order = lmhosts host wins bcast
> ;   interfaces = 127.0.0.0/8 eth0
> ;   bind interfaces only = yes
>    dos charset = cp850
>    unix charset = ISO-8859-1
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
>    security = ADS
>    realm = SOCOFER.DOM
>    password server = 192.168.5.44
>    client use spnego = yes
>    encrypt passwords = true
>    passdb backend = tdbsam
>    obey pam restrictions = yes
>    unix password sync = yes
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *Enter\snew\s*\spassword:* %n\n 
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>    pam password change = yes
> ;   domain logons = yes
> ;   logon path = \\%N\profiles\%U
> ;   logon drive = H:
> ;   logon script = logon.cmd
> ; add user script = /usr/sbin/adduser --quiet --disabled-password 
> --gecos "" %u
> ; add machine script  = /usr/sbin/useradd -g machines -c "%u machine 
> account" -d /var/lib/samba -s /bin/false %u
> ; add group script = /usr/sbin/addgroup --force-badname %g
> ;   printing = bsd
> ;   printcap name = /etc/printcap
> ;   printing = cups
> ;   printcap name = cups
> ;   include = /home/samba/etc/smb.conf.%m
> ;   message command = /bin/sh -c '/usr/bin/linpopup "%f"
"%m" %s; rm
> %s' &
>    winbind separator = +
>    idmap uid = 10000-20000
>    idmap gid = 10000-20000
>    template homedir = /home/%D/%U
>    template shell = /bin/bash
>    winbind enum groups = yes
>    winbind enum users = yes
>    usershare max shares = 100
>    winbind use default domain = yes
> # emp?che le client de devenir maitre explorateur
>    domain master = no
>    local master = no
>    preferred master = no
>    os level = 0
> [homes]
>    comment = Home Directories
>    browseable = yes
>    writable = yes
>    create mask = 0777
>    directory mask = 0777
>    valid users = %S