samba - Apr 2006 - smbclient can't write to windows share with domain account

Samba version: 3.0.22
netbios for my PC: abolingbox
netbios for my colinux sandbox, running on the same PC: fileserver2
domain: USWA2

I have a colinux sandbox on my PC (Win XP Professional) which I'm using as a
domain controller.  This lets me test my PDC configuration without putting it
live in our production environment.  I've successfully ported our old
smbpasswd database to pdbsam and created group mappings for Domain Admins,
Domain Users, and Domain Guests.

I've created a share on abolingbox called "stuff".  On this share,
I've assigned full control to the user "USWA2\llarue".  This user
can only access the share if the proper domain password is provided, which tells
me that the domain authentication is working to some extent.  However, if I
attempt to upload a file, I receive a "NT_STATUS_ACCESS_DENIED"
message.

Does anyone have a suggestion as to what is going on?  The
"USWA2\llarue" user has been granted "Allow" for every
single privilege in the Security tab of the shared folder, Windows-side.  It
would be helpful if I knew a registry setting to make the
"NT_STATUS_ACCESS_DENIED" event generate an error in my event log that
provided a more detailed explanation of what is going on.



Sample session from "fileserver" to "abolingbox":

colinux samba # bin/smbclient //abolingbox/stuff -U llarue -W USWA2
Password:
Domain=[USWA2] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
smb: \> ls
  .                                   D        0  Thu Apr  6 16:05:04 2006
  ..                                  D        0  Thu Apr  6 16:05:04 2006
  test1.txt                           A        0  Thu Apr  6 14:59:16 2006

                47692 blocks of size 2097152. 41547 blocks available
smb: \> put test2.txt
NT_STATUS_ACCESS_DENIED opening remote file \test2.txt
smb: \>


Sample showing what happens if I provide an invalid password:

colinux samba # bin/smbclient //abolingbox/stuff -U llarue -W USWA2
Password:
session setup failed: NT_STATUS_LOGON_FAILURE


Proof that llarue is a valid user:
colinux samba # grep llarue /etc/passwd
llarue:x:568:585:USWA User:/home/llarue:/dev/null
colinux samba # bin/pdbedit llarue
llarue:568:USWA User

global config:

[global]
   netbios name = FILESERVER2
   workgroup = USWA2

   os level = 64
   preferred master = yes
   domain master = yes
   local master = yes
   time server = yes

   security = user
   encrypt passwords = yes

   server string = Samba %v on %L %h
   admin users = @ntadmin
   #domain admin group = @ntadmin

   add user script = /usr/sbin/useradd -m '%u' -g 502 -s /bin/false
   delete user script = /usr/sbin/userdel -r '%u'
   add group script = /usr/sbin/groupadd '%g'
   delete group script = /usr/sbin/groupdel '%g'
   add user to group script = /usr/sbin/usermod -A '%g' '%u'
   delete user from group script = /usr/sbin/usermod -R '%g'
   set primary group script = /usr/sbin/usermod -g '%g' '%u'
   add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null
'%u'
   logon script = login.bat
   logon path = \\%L\profiles\%a\%U
   logon drive = z:
   logon home = \\%L\%U
   domain logons = yes

   unix password sync = yes
   passdb backend = tdbsam
   #username map = /usr/local/samba/etc/smbusers
   enable privileges = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*Unix*password*
%n\n*Retype*New*Unix*password*%n\n*passwd:*all*authentication*tokens*updated*successfully*

   hide dot files = yes

   hosts allow = 192.168.135. 192.168.142. 127.

   log level = 2
   log file = /var/log/samba/%m.log
   max log size = 2000
   debug timestamp = yes
   syslog = 1

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   time server = yes

   wins support = yes



Thanks,

Andrew