samba - Mar 2004 - simple migration 2.8 -> 3.02; simple test cases fail

I've been going back and forth over the HOWTO on bringing up a new samba 
3.0 server in place of
an old 2.8.

I only have about 2-3 users, so even recreating them isn't a major pain 
-- but what does seem to be
a pain is password authentication.  I was using smbpasswd before, and am 
using it in my 3.0 setup
as well.  I'm running a version for Suse90 pointed to off of their 
support pages so shadow passwords are
enabled by default -- so I don't think they'd build a suse release w/o 
support for shadow pw's.  I've
tried domain and user security and neither work from either an XP 
workstation nor on the
samba server using smbclient --  i.e. I can't connect to a share on the 
client from the client due to
"NT_STATUS_LOGON_FAILURE". 

I've reset the user passwords via smbpasswd -a username, I also tried 
wiping out my smbpasswd
file and adding a user with pdbpasswd (no luck), restoring file and 
forcing re-initialization of account passwords
with the "--force-initizlied-passwords", then resetting passwords...no
luck -- still can't connect to a share
(though they are anonymously listable) without getting the FAILURE message.

looking over the chat between the XP client, I see a message 
STATUS_MORE_PROCESSING_REQUIRED,
 then it retrying with another password which then fails.

I'm a bit at my wits end -- I thought this would be a reasonably simple 
upgrade for a small network but it
taking hours going down deadends.

I've checked settings in the local security policy including limiting 
password talk to lower levels (below ntlmv2),
I've also tried explicitly allowing various security options in my 
smb.conf file. 

Testparm says all sections 'ok', server role is
"Role_domain_pdc" --
which was it's role under 2.8.  I had been
using domain security, so a login as user 'workstation/linda' could 
access anything owned by user 'linda' on
the server, though I got a message from testparm telling me I should try 
security=user ...tried it both
ways...no go.

Do I need to deleted the machine lines from the old smbusers file's and 
"re-add" the machines to get them
recognized properly?  But I don't see what that would have to do with a 
user being able to mount a share
on the same samba-linux machine and still getting login failures....

Do any of these symptoms sound familiar to some fundamental booboo I'm 
making?  If not, any ideas on what directions to go for debugging other 
than going back to 2.8 where I'm obviously safer?  (sigh)....

thanks,
-linda

On Sat, 2004-03-13 at 16:10, Linda W wrote:
> I've been going back and forth over the HOWTO on bringing up a new
samba
> 3.0 server in place of
> an old 2.8.
> 
> I only have about 2-3 users, so even recreating them isn't a major pain
> -- but what does seem to be
> a pain is password authentication.  I was using smbpasswd before, and am 
> using it in my 3.0 setup
> as well.  I'm running a version for Suse90 pointed to off of their 
> support pages so shadow passwords are
> enabled by default -- so I don't think they'd build a suse release
w/o
> support for shadow pw's.  I've
> tried domain and user security and neither work from either an XP 
> workstation nor on the
> samba server using smbclient --  i.e. I can't connect to a share on the
> client from the client due to
> "NT_STATUS_LOGON_FAILURE". 
> 
> I've reset the user passwords via smbpasswd -a username, I also tried 
> wiping out my smbpasswd
> file and adding a user with pdbpasswd (no luck), restoring file and 
> forcing re-initialization of account passwords
> with the "--force-initizlied-passwords", then resetting
passwords...no
> luck -- still can't connect to a share
> (though they are anonymously listable) without getting the FAILURE message.
> 
> looking over the chat between the XP client, I see a message 
> STATUS_MORE_PROCESSING_REQUIRED,
>  then it retrying with another password which then fails.
> 
> I'm a bit at my wits end -- I thought this would be a reasonably simple
> upgrade for a small network but it
> taking hours going down deadends.
> 
> I've checked settings in the local security policy including limiting 
> password talk to lower levels (below ntlmv2),
> I've also tried explicitly allowing various security options in my 
> smb.conf file. 
> 
> Testparm says all sections 'ok', server role is
"Role_domain_pdc" --
> which was it's role under 2.8.  I had been
> using domain security, so a login as user 'workstation/linda' could
> access anything owned by user 'linda' on
> the server, though I got a message from testparm telling me I should try 
> security=user ...tried it both
> ways...no go.
> 
> Do I need to deleted the machine lines from the old smbusers file's and
> "re-add" the machines to get them
> recognized properly?  But I don't see what that would have to do with a
> user being able to mount a share
> on the same samba-linux machine and still getting login failures....
> 
> Do any of these symptoms sound familiar to some fundamental booboo I'm 
> making?  If not, any ideas on what directions to go for debugging other 
> than going back to 2.8 where I'm obviously safer?  (sigh)....
----
assuming that we are talking about WindowsXP Professional clients...

security = user (makes sense - actually the only proper setting for a
PDC in my book)
wins support = yes (makes sense)
domain master = yes
preferred master = yes
domain logons = yes
encrypt passwords = yes

clients should point the wins server to the ip address of the samba
server.

I cannot tell if this is the same computer or a different computer that
was running 2.2.8 - If it is a different computer, then the user
accounts and the computer accounts need to exist on the new system, just
copying over the smbpasswd file from the previous computer isn't enough.
Check the log files - typically /var/log/samba and you are likely going
to get a clue what the problem is

Craig

Quoting "Linda W":

---snip---
> I'm running a version for Suse90 pointed to off of
> their 
> support pages so shadow passwords are
> enabled by default -- so I don't think they'd build a suse
> release w/o support for shadow pw's.
I am running SuSE 9.0 Pro (2.4.21-192-default) with
samba-2.2.8a-107, and shadow passwords work just fine for me.

My Samba install was a new install, not any type of upgrade.

So, I'm GUESSING the migration process needs to be checked???

HTH

Mike