samba - May 2004 - problem connecting as a user. (fwd)

I have

samba-3.0.4
openldap-2.1.29
smbldap-tools-0.8.4-1

When connecting with an XP client, which I have logged in as
administrator, and browsing the network neighbourhood I cannot connect as
administrator and it allows me to connect as 'nobody'

What can I do to fix this, or does anyone have any helpful hints.

<snip>
[2004/05/15 14:20:54, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [Administrator] -> [root]
FAILED with error NT_STATUS_NO_SUCH_USER
[2004/05/15 14:20:54, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.0.130)
[2004/05/15 14:21:01, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.0.130)
[2004/05/15 14:21:01, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.0.130)
[2004/05/15 14:21:01, 1] smbd/service.c:make_connection_snum(619)
  depot (192.168.0.130) connect to service HOMEDIRS initially as user
nobody (uid=99, gid=99) (pid 6935)
</snip>

Over the past couple of months, as time permits, I?ve been looking into
messages similar to:

[2004/05/11 14:00:20.129507, 0] lib/util_sock.c:get_peer_addr(952)
  getpeername failed. Error was Transport endpoint is not connected
[2004/05/11 14:00:20.130067, 0] lib/util_sock.c:write_socket_data(388)
  write_socket_data: write failure. Error = Connection reset by peer
[2004/05/11 14:00:20.130131, 0] lib/util_sock.c:write_socket(413)
  write_socket: Error writing 4 bytes to socket 5: ERRNO = Connection
reset by peer
[2004/05/11 14:00:20.130188, 0] lib/util_sock.c:send_smb(605)
  Error writing 4 bytes to client. -1. (Connection reset by peer)

in /var/log/log.smbd and /var/log/samba/log.xxxxxxx for many of our PC?s.

Many people have reported these errors to the list and the suggested cure
has always been looking at network hardware problems.

In developing an approach to circumvent these messages, I believe that I
have also circumvented intermittent roaming profile failures (Microsoft
Knowledge Base Article ? 831651) that have also been written about in this
list.

Our configuration is Fedora 1 with samba3.0.2a as a PDC with WINS.  We
still use smbpasswd as our authentication method.   We have about 60 XP
Pro PC?s and about 100 W98 2nd edition PC?s in this network.  We have no
PC?s running W2000.  There is only one server (the PDC) in this network.
>From looking at /var/log/samba, I quickly determined that only XP Pro PC?s
logged the above error message.  After looking at some Ethernet traces, I
believed that the error messages were caused by a particular sequence
during the decision making between XP Pro and samba for using port 139 or
port 445 for smb traffic.  See
https://bugzilla.samba.org/show_bug.cgi?id=1257 for more detail.

As the first attempt at a circumvention, I added an iptable INPUT rule to
the server to block port 445.  It appeared to work, so I removed the
iptable rule and added an "smb ports = 139" statement to smb.conf to
block
port 445 and put it into production.

It worked.  The getpeername messages disappeared from the log.  However,
for the next couple of days, I received reports of frequent, but
intermittent roaming profile error messages at logon.  This solution of
forcing all PC?s to use Netbios over TCP greatly increased the number of
complaints of roaming profile error messages.  So I commented out the smb
ports statement and the getpeername error messages resumed (which appear
to do no harm) and the roaming profile error messages reduced to sporadic.

As a second approach, I isolated all the XP Pro PC?s via DHCP to the
192.168.1.0/24 address range while the W98 PC?s remained in the
192.168.0.0/24 range.  The allowed me to add the following iptables rule
to the server:

iptables -I INPUT 1 -p tcp -s 192.168.1.0/24 --dport 139 -j DROP

With this rule, and the address separation, XP Pro PC?s use port 445 for
smb traffic while W98 PC?s use port 139.

The second approach has now been working for a week in production with no
getpeername errors and, I believe, that there have been no roaming profile
errors for the XP Pro PC?s.

Again, we have a fairly simple samba configuration, so if you want to try
this, test it first in your configuration.

Mark