samba - Nov 2006 - 3.0.23c with LDAP: 'valid users' not working

Hi,

I'm having issues getting the 'valid users' directive to work.
I'm using
samba 3.0.23c (debian unstable package), and I'm using LDAP to do my
authentication and NSS. That's all working fine, but for some reason I
can't
access the share when I have a 'valid users' parameter set. I can access
it
fine without that parameter, and files/folders are created with the correct
owner and group, but it won't let me log on at all with the 'valid
users'
parameter, even if I put the 'michael' user in there. See as below:

------------------------------------------------------------------
(on client, without any 'valid users' parameter)
[ root @ bob : ~ ] # smbclient -U michael //castro/backup
Password:
Domain=[CASTRO] OS=[Unix] Server=[Samba 3.0.23c]
smb: \> mkdir test1
smb: \>
------------------------------------------------------------------
(on server, without any 'valid users' parameter)
[ root @ castro : /srv/backup ] # ls -la
drwxrwxrwx 3 root    root    18 Nov  7 20:05 .
drwxr-xr-x 4 root    root  4096 Nov  5 15:08 ..
drwxr-xr-x 2 michael users    6 Nov  7 20:05 test1
------------------------------------------------------------------

so it gets made with UID and GID correct. However, when I set "vaild users
michael", I get:

------------------------------------------------------------------
(on client)
[ root @ bob : ~ ] # smbclient -U michael //castro/backup
Password:
Domain=[CASTRO] OS=[Unix] Server=[Samba 3.0.23c]
tree connect failed: NT_STATUS_ACCESS_DENIED
------------------------------------------------------------------

(I've put a more verbosely debugged one below). Below is my smb.conf, and a
debug=10 log can be found at http://sallaway.org/samba/debug-10.txt. (a
debug=3 is at http://sallaway.org/samba/debug-3.txt, in case the first is
too much to wade through. ;-)  )

Does anyone have any suggestions? Thanks for any help you can give!

cheers,
Michael


------------------------------------------------------------------

[global]
   workgroup = workgroup
   server string    log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   encrypt passwords = yes
   null passwords = yes
   guest account = nobody
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   map to guest = bad user
   deadtime = 3

   security = user
   passdb backend = ldapsam:ldap://ldap.sallaway.org
   ldap suffix = dc=sallaway,dc=org
   ldap admin dn = cn=admin,dc=sallaway,dc=org
   ldap user suffix = ou=People
   ldap group suffix = ou=Group
   ldap passwd sync = yes

[backup]
   path = /srv/backup
   browseable = yes
   writable = yes
   valid users = michael