Damiano G. Preatoni
2003-Sep-01 14:56 UTC
[Samba] connection to netlogon denied due to security descriptor
After having upgraded my W2K clients with SP4, I'm unable to access the
[netlogon] share. A look at the <machinename>.log file says:

[2003/09/01 16:44:59, 0] smbd/service.c:make_connection(528)
  make_connection: connection to netlogon denied due to security descriptor.

The netlogon share (if set browseable) is visible from clients, in Network
Neighborhood, but inaccessible: W2k asks for a username/password couple.

Here is the minimal smb.conf I am using for testing. Note that with this
setup you can have profiles working smoothly.

[global]
; basic server settings
   workgroup = uagb
   netbios name = malaussene
   server string = %L (Samba %v PDC for UAGB domain)
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
; PDC and master browser settings
   os level = 64
   preferred master = yes
   local master = yes
   domain master = yes
   wins support = yes
   name resolve order = wins bcast
; security and logging settings
   security = user
   encrypt passwords = yes
   domain logons = yes
   log file = /var/log/samba/%m.log
   log level = 2
   max log size = 50
   hosts allow = 127.0.0.1 192.168.1.0/255.255.255.0
; roaming profiles support
   logon home = \\%L\%U\.profile
   logon drive = G:
   logon path = \\%L\profiles\%U
   logon script = logon.bat
; automated machine accounts creation
   add user script = /usr/sbin/useradd -d /dev/null -g workstations -s /bin/false -M %u
; UNIX password synchronization
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated *successfully*

# =============================================================
[homes]
   comment = %u home directory
   browseable = no
   writeable = yes

[profiles]
   comment = UAGB Profile directory (Samba %v PDC)
   path = /home/profiles
   writeable = yes
   browseable = no
   create mask = 0600
   directory mask = 0700

[netlogon]
   comment = UAGB Domain Logon Service (Samba %v PDC)
   path = /home/netlogon
   read only = yes
   browseable = no
   write list = root

[printers]
   browseable = no
   comment = Printers on %L
   path = /var/spool/samba
   printable = yes
   public = no
   writable = no

[SCAMBIO]
   browseable = yes
   comment = UAGB shared directory
   only user = no
   path = /home/share
   public = no
   valid users = @users, @uagb, @udc
   writable = yes
   write list = @users, @uagb, @udc

Any hints? The wall in front of my desk is starting to break, due to heavy
head banging! :(

--
"Our attitude with TCP/IP is, `Hey, we'll do it, but don't make a big
system, because we can't fix it if it breaks -- nobody can.'"
"TCP/IP is OK if you've got a little informal club, and it doesn't make
any difference if it takes a while to fix it."
        -- Ken Olson, in Digital News, 1988
-----------------------------------------------------------
Damiano G. Preatoni, PhD
Unità di Analisi e Gestione delle Biocenosi
Dipartimento di Biologia Strutturale e Funzionale
Università degli Studi dell'Insubria
Via J.H. Dunant, 3 - 21100 Varese (ITALY)
http://biocenosi.dipbsf.uninsubria.it/
ICQ: 78690321 Odigo: 2645129
-----------------------------------------------------------