Eric Van Buggenhaut
2006-Sep-29 21:16 UTC
[Samba] smbd/service.c:make_connection_snum - Access denied
Hi,

Two days ago, I tried to turn my samba server, which worked perfectly, into a PDC, but despite all my efforts, skimming thru the docs, mailing lists, hanging on #samba, I've never been able to log on to the new domain from the WinXP clients.
Authentication is OK, but then access to the share is denied. Here's part of the log:

[2006/09/28 19:03:36, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2006/09/28 19:03:36, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
  NTLMSSP Sign/Seal - Initialising with flags:
[2006/09/28 19:03:36, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60088215
[2006/09/28 19:03:36, 3] smbd/password.c:register_vuid(222)
  User name: root Real name: root
[2006/09/28 19:03:36, 3] smbd/password.c:register_vuid(241)
  UNIX uid 0 is UNIX user root, and will be vuid 100
[2006/09/28 19:03:36, 3] smbd/password.c:register_vuid(270)
  Adding homes service for user 'root' using home directory: '/root'
[2006/09/28 19:03:36, 3] param/loadparm.c:lp_add_home(2368)
  adding home's share [root] for user 'root' at '/root'
[2006/09/28 19:03:36, 3] smbd/process.c:process_smb(1091)
  Transaction 4 of length 80
[2006/09/28 19:03:36, 3] smbd/process.c:switch_message(886)
  switch message SMBtconX (pid 23977) conn 0x0
[2006/09/28 19:03:36, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/09/28 19:03:36, 2] smbd/service.c:make_connection_snum(321)
  user 'root' (from session setup) not permitted to access this share (IPC$)
[2006/09/28 19:03:36, 3] smbd/error.c:error_packet(129)
  error packet at smbd/reply.c(415) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

Anyone, please give me a hint, I'm totally puzzled.

Attached is our smb.conf
-------------- next part --------------
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#
#======================= Global Settings ======================

[global]
log file = /var/log/samba/log.%m
log level = 3
max log size = 100
load printers = yes
socket options = TCP_NODELAY
obey pam restrictions = yes
domain master = yes
preferred master = yes
local master = yes
domain logons = yes
#domain admin users = root eric lmozo
admin users = @admins
#domain admin group = root eric lmozo
passdb backend = tdbsam guest
passwd program = /usr/bin/passwd %u
encrypt passwords = true
#valid users = %S
security = user
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n
# Automatedly add a Linux / Unix and Samba machine account when joining a machine to the domain
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/groupmod -A %u %g
delete user from group script = /usr/sbin/groupmod -R %u %g
add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false %u
wins support = true
dns proxy = no
netbios name = mekas
server string = %h (Samba %v)
# It seems we need the root user to be able to log on to a domain from WinXP (Eric-28/9/06)
#invalid users = root
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n *passwd:*all*authentication*tokens*updated*successfully*
#PAM password change = yes
username map = /etc/samba/smbusers
workgroup = MADRID
os level = 65
printing = cups
printcap name = cups
syslog = 0
panic action = /usr/share/samba/panic-action %d
max log size = 1000
unix charset = ISO8859-15
interfaces = eth0 lo
time server = yes
# It seems the following parameter does not exist (Eric-28/9/06), so we comment it out
#domain admin group = @admins
# User profiles and home directory.
# the local path to which the home ([HOMES]) directory will be connected
logon drive = H:
# Where 'profiles' = [profiles] further on
logon path = \\%L\profiles\%U
logon script = netlogon.bat
# Keep the case in file/directory names; when looking for a file
# matching is done without regard to case, as expected by Windows
preserve case = yes
short preserve case = yes
case sensitive = no
hide dot files = yes

[profiles]
comment = Windows user profile directories
path = /home/admin/profiles
read only = no
browseable = no
create mode = 0600 ; rwx-xxx-xxx - only the user can read/write files
directory mode = 0700 ; rwx-xxx-xxx - directories must be executable if they are to be navigated

[homes]
volume = HOME
comment = Home Directories
browseable = no
read only = no
public = no

[programs]
# Map P: to this; use it to install programs to
# and to point programs to that don't like using UNC
comment = installed programs
path = /opt/windows
read only = yes
write list = @admins
browseable = yes
# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
# writable = no
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0750
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0700
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)

[netlogon]
comment = Network Logon Service
path = /home/admin/netlogon
guest ok = yes
write list = @admins
#share modes = no

[printers]
comment = All Printers
browseable = yes
path = /tmp
printable = yes
public = no
writable = no
create mode = 0700
use client driver = yes

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# Replace 'ntadmin' with the name of the group your admin users are
# members of.
; write list = root, @ntadmin

# A sample share for sharing your CD-ROM with others.
;[cdrom]
; comment = Samba server's CD-ROM
; writable = no
; locking = no
; path = /cdrom
; public = yes

# The next two parameters show how to auto-mount a CD-ROM when the
# cdrom share is accessed. For this to work /etc/fstab must contain
# an entry like this:
#
# /dev/scd0 /cdrom iso9660 defaults,noauto,ro,user 0 0
#
# The CD-ROM gets unmounted automatically after the connection to the
#
# If you don't want to use auto-mounting/unmounting make sure the CD
# is mounted on /cdrom
#
; preexec = /bin/mount /cdrom
; postexec = /bin/umount /cdrom

[Compartida]
comment = Repositorio de Ficheros Compartidos
path = /home/admin/repositorio
public = no
only guest = no
writable = yes
printable = no
browseable = yes
create mask = 0777
directory mask = 0777
force user = nobody
force group = nogroup
force create mode = 777
force directory mode = 777

[Disco_Backup]
writable = yes
printable = no
only guest = no
path = /mnt/disco2
comment = Disco Copias Seguridad
valid users = lmozo
public = no

[Publicacion]
comment = Repositorio de Documentos para Envios
browseable = yes
path = /home/admin/docenvios
printable = no
writable = yes
guest ok = yes
public = yes

[Resultados]
comment = Resultados de las tareas automaticas
path = /home/admin/apt/config/resultados
public = yes
only guest = yes
writable = yes
printable = no
browseable = yes

#[IPC$]
# hosts allow = 0.0.0.0/0
Felipe Augusto van de Wiel
2006-Oct-03 17:05 UTC
[Samba] smbd/service.c:make_connection_snum - Access denied
On 09/29/2006 07:15 AM, Eric Van Buggenhaut wrote:
> Hi,
>
> Two days ago, I tried to turn my samba server, which worked perfectly,
> into a PDC, but despite all my efforts, skimming thru the docs,
> mailing lists, hanging on #samba, I've never been able to log on to the
> new domain from the WinXP clients.
> Authentication is OK, but then access to the share is denied. Here's
> part of the log:
>
> [2006/09/28 19:03:36, 2] auth/auth.c:check_ntlm_password(305)
>   check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
> [2006/09/28 19:03:36, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2006/09/28 19:03:36, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>   Got NTLMSSP neg_flags=0x60088215
> [2006/09/28 19:03:36, 3] smbd/password.c:register_vuid(222)
>   User name: root Real name: root
> [2006/09/28 19:03:36, 3] smbd/password.c:register_vuid(241)
>   UNIX uid 0 is UNIX user root, and will be vuid 100
> [2006/09/28 19:03:36, 3] smbd/password.c:register_vuid(270)
>   Adding homes service for user 'root' using home directory: '/root'
> [2006/09/28 19:03:36, 3] param/loadparm.c:lp_add_home(2368)
>   adding home's share [root] for user 'root' at '/root'
> [2006/09/28 19:03:36, 3] smbd/process.c:process_smb(1091)
>   Transaction 4 of length 80
> [2006/09/28 19:03:36, 3] smbd/process.c:switch_message(886)
>   switch message SMBtconX (pid 23977) conn 0x0
> [2006/09/28 19:03:36, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2006/09/28 19:03:36, 2] smbd/service.c:make_connection_snum(321)
>   user 'root' (from session setup) not permitted to access this share (IPC$)
> [2006/09/28 19:03:36, 3] smbd/error.c:error_packet(129)
>   error packet at smbd/reply.c(415) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
>
> Anyone, please give me a hint, I'm totally puzzled.

Ok, a few things are not clear (at least to me).

a) What share are you trying to connect to? Which is the user?
   From the logs, looks like you are using root to connect to a share that is commented out in the smb.conf that you sent.

b) Did you join the client machines to the domain? (And of course, did you create the machine accounts?)

c) Are you able to access other shares? Using other users?

> Attached is our smb.conf
> ------------------------------------------------------------------------
[... smb.conf ...]

Kind regards,
-- 
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/
Phone: (+55 41 3350 3300)
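
Added example, not part of the thread or of Samba's own tooling: a small Python parser for the two-line smbd log entries quoted above that reports users who authenticated successfully and were then refused a share. The regular expressions are written against the messages shown in this log, and reading the last bracketed name as the mapped UNIX user is an assumption.

```python
import re

# Header of an smbd debug entry: "[date time, level] file:function(line)".
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
# Assumption: the last bracketed name is the UNIX user the session maps to.
AUTH_OK = re.compile(
    r"authentication for user \[[^\]]+\] -> \[[^\]]+\] -> \[(?P<user>[^\]]+)\] succeeded")
DENIED = re.compile(r"user '(?P<user>[^']+)' \(from session setup\) not permitted "
                    r"to access this share \((?P<share>[^)]+)\)")

# Four entries copied from the log in the first message, wrapped lines rejoined.
SAMPLE_LOG = """\
[2006/09/28 19:03:36, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2006/09/28 19:03:36, 3] smbd/password.c:register_vuid(241)
  UNIX uid 0 is UNIX user root, and will be vuid 100
[2006/09/28 19:03:36, 2] smbd/service.c:make_connection_snum(321)
  user 'root' (from session setup) not permitted to access this share (IPC$)
[2006/09/28 19:03:36, 3] smbd/error.c:error_packet(129)
  error packet at smbd/reply.c(415) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
"""

def parse_entries(text):
    """Attach each indented message line to the header line that precedes it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and raw.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def denied_after_auth(entries):
    """Return (timestamp, user, share) for denials that follow a successful logon."""
    authenticated, findings = set(), []
    for e in entries:
        ok = AUTH_OK.search(e["msg"])
        if ok:
            authenticated.add(ok.group("user"))
        no = DENIED.search(e["msg"])
        if no and no.group("user") in authenticated:
            findings.append((e["ts"], no.group("user"), no.group("share")))
    return findings

if __name__ == "__main__":
    print(denied_after_auth(parse_entries(SAMPLE_LOG)))
```

A result here means the password check passed and the refusal came from share-level access control, so the place to look is smb.conf and account restrictions rather than the credentials.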