samba - Aug 2004 - Someone with "Access Denied" from Windows pls try this test to compare notes with me

Long day yesterday for us here, first production implementation of Samba has to
be rolled out and the client's old network reinstalled... cause: this
"access deneied" issue which seems to be randomly
affecting Samba implementations and from what I can see folks say Samba 3.0.2
was the last good build. If that describes you, please test this as I have come
up with a way to turn the problem on/off
like a light switch. (Samba team... have I got your attention????)

Again, you may review how I have configured Samba PDC from my KLUG presentation.

ftp://ftp.lueckdatasystems.com/pub/presentations/klugsamba3pdc-bookreview.pdf

Specifically jump to pages 7 through 9, that is the critical part. I have
configured the security environment to allow for independant assignment of
permissions to three different areas of security:

1) The user in the Linux workd (SSH to the server, X logon, etc...)
2) The Samba domain user / PDC
3) The local permissions on the Win2K (WinXP) desktop.

This error ONLY happens... (ah, the error affects either command prompt use or
Windows explorer use of NET USE'ed network drives, but does NOT affect UNC
access to the same) when the configuration
being tested includes the user having Administrator permissions to the
workstation. If I make the user a member of the Linux group ntadmins, bang
"Access Denied". If I move the user to ntpwrusr and
relogin, the mapped drives work fine.

Further, I have logged in workstation only to the local Administrator account
and then used ANY ID known to smbpasswd to NET USE to the server, 100%
"Access Denied" so the account allowing local
access to the Windows computer need not be a domain account. I have not tested
(yet) from a workstation which has not joined the Samba PDC to see if those are
affected as well.

This has only happened for us with the Samba 3.0.5 Debian package. We banged the
Samba 3.0.4 Debian package hard in the process of coming up with our standard
configuration and the demo to KLUG,
"access denied" was never an issue. Unfortunately 3.0.2 and 3.0.4
Debian packages seem to have been purged from both debian.org and samba.org, so
not at all sure how we would be able to roll back that
far... I will be testing the Debian package of 3.0.6 soon.

Could someone with the "Access Denied" errors happening consistently
test the configuration of local administrator permissions turning the problem
on/off please?

TIA!

-- 
Michael Lueck
Lueck Data Systems

Remove the upper case letters NOSPAM to contact me directly.

I quickly tested the 3.0.6 Debian packages from samba.org on a test box and
local admin causing Access Denied to server drives seems not to happen. So the
production server has now had the 3.0.5
packages purged, 3.0.6 packages installed, reconfigured, and thus far no Access
Denied error while testing.

I don't see that "Access Denied" issues were specifically
addressed with 3.0.6.

However since we had purged and reinstalled the 3.0.5 packages and the problem
had persisted through that operation, I must give some credit that it probably
was not a corrupted tdb file or something
and might indeed be a code related cause.

Not sure I will have more to report on this, unless of course the error comes
back. I did manage to find 3.0.4 and 3.0.2 deb's via a couple of mirrors
with old code, so we do have those to fall back
to should the error come back with 3.0.6.

I would be interested to hear if others with this error can turn it on/off via
workstation admin permissions.

-- 
Michael Lueck
Lueck Data Systems

Remove the upper case letters NOSPAM to contact me directly.