Lorenzo Monti
2010-Sep-30 17:52 UTC
[Samba] cannot access samba server from outside domain
Hello everybody --
can someone please help with this:
win 2008 AD domain controller
samba 3.2.5 on debian lenny configured as domain member
workstations joined to domain can access samba shares.
workstations outside domain cannot access shares.
anytime one tries to connect, popup shows asking for credentials. no
combination of domain\user + password, user@domain + password or
whatever will be accepted.
I have a similar situation in another site with a 2003 AD domain which
works flawlessly, configuration files are the same so I guess it can
be a samba<->2008 AD compatibility issue?
config file follows:
-----------------------------------
[global]
unix charset = UTF8
display charset = UTF8
netbios name = DEBIAN
workgroup = ##########
realm = ##########.LOCAL
encrypt passwords = true
server string = Samba Server %v
security = ads
log level = 1
syslog = 0
log file = /var/log/samba/%m.log
max log size = 500
ldap ssl = no
winbind separator = +
winbind uid = 100000-200000
winbind gid = 100000-200000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no
idmap backend = idmap_rid:##########=100000-200000
allow trusted domains = no
passdb backend = tdbsam
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
passdb expand explicit = no
os level = 40
local master = no
dns proxy = no
template shell = /usr/sbin/nologin
template homedir = /dev/null
wins support = no
disable netbios = no
# wins server = 192.168.1.253
map hidden = yes
# hide files = /desktop.ini/Thumbs.db/
nt acl support = no
dos filemode = yes
create mask = 0745
directory mask = 0755
kernel change notify = yes
kernel oplocks = yes
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
panic action = /usr/share/samba/panic-action %d
Gaiseric Vandal
2010-Sep-30 18:10 UTC
[Samba] cannot access samba server from outside domain
Are the workstations XP, Vista or Win 7?
What happens if you log in to the non-domain workstation using a
username and password that match a valid domain name and password?
If you run "testparm -v" on the samba server do you have both ports 139
and 445 open?
Yesterday I was troubleshooting a remote access issue as well.
Windows XP machines in the domain on the LAN have no problem with samba
shares.
A Windows 7 user over VPN could only access shares on some samba servers
but not others. I tested over VPN with an XP workstation, I had
trouble with one server until I reenabled 445 by DISABLING the following
line in smb.conf
smb ports = 139
Fixed it for XP, not for Win 7. The logs on the server
(/var/log/samba/the-win7-machine) showed that the user failed with
[2010/09/30 05:01:10, 2] auth/auth.c:320(check_ntlm_password)
check_ntlm_password: Authentication for user [jsmith] -> [jsmith]
FAILED with error NT_STATUS_WRONG_PASSWORD
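Added example, not part of either post: a small Python parser for the per-client Samba log format quoted in the reply above, which pulls out check_ntlm_password failures and counts them per user and NT status. The sample log is constructed around the one record shown in the thread; the extra records, user names and function names in the script are assumptions.

```python
import re
from collections import Counter

# Record header, e.g. "[2010/09/30 05:01:10, 2] auth/auth.c:320(check_ntlm_password)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*\d+[^\]]*\]"
                    r"\s+\S+:\d+\((\w+)\)")
FAILURE = re.compile(r"Authentication for user \[([^\]]*)\]\s*->\s*\[([^\]]*)\]\s+"
                     r"FAILED with error (NT_STATUS_\w+)")

# Constructed sample: the first record is the one quoted in the thread (wrapped as
# mailed); the other records, users and source line numbers are made up.
SAMPLE_LOG = """\
[2010/09/30 05:01:10, 2] auth/auth.c:320(check_ntlm_password)
check_ntlm_password: Authentication for user [jsmith] -> [jsmith]
FAILED with error NT_STATUS_WRONG_PASSWORD
[2010/09/30 05:01:12, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [jsmith] -> [jsmith] FAILED with error NT_STATUS_WRONG_PASSWORD
[2010/09/30 05:02:40, 2] auth/auth.c:310(check_ntlm_password)
  check_ntlm_password:  authentication for user [alice] -> [alice] -> [EXAMPLE+alice] succeeded
[2010/09/30 05:03:05, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_NO_SUCH_USER
"""

def records(lines):
    """Yield (timestamp, function, message), joining wrapped continuation lines."""
    stamp, func, body = None, None, []
    for line in lines:
        m = HEADER.match(line)
        if m:
            if stamp:
                yield stamp, func, " ".join(body)
            stamp, func, body = m.group(1), m.group(2), []
        elif stamp and line.strip():
            body.append(line.strip())
    if stamp:
        yield stamp, func, " ".join(body)

def auth_failures(lines):
    """Return one dict per failed check_ntlm_password record."""
    found = []
    for stamp, func, message in records(lines):
        m = FAILURE.search(message) if func == "check_ntlm_password" else None
        if m:
            found.append({"time": stamp, "user": m.group(1),
                          "mapped_user": m.group(2), "status": m.group(3)})
    return found

def summarize(failures):
    """Count failures per (user, NT status) so repeated causes stand out."""
    return Counter((f["user"], f["status"]) for f in failures)

if __name__ == "__main__":
    for (user, status), n in summarize(auth_failures(SAMPLE_LOG.splitlines())).most_common():
        print(f"{n:3d}  {user:<10} {status}")
```

The quoted record was written at debug level 2, so a server running with "log level = 1" as in the posted smb.conf will not produce these lines until the level is raised.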