samba - Jan 2012 - Error with winbind following Windows updates

Hi. We've just installed Windows updates on our Windows 2003 Domain
Controllers, and have the following issues on our storage server, which
is running Debian stable 2:3.5.6~dfsg-3squeeze5

    Jan 17 10:27:51 xxx smbd[2426]: [2012/01/17 10:27:51.286853,  0]
lib/util_sock.c:680(write_data)
    Jan 17 10:27:51 xxx smbd[2426]: [2012/01/17 10:27:51.286915,  0]
lib/util_sock.c:1441(get_peer_addr_internal)
    Jan 17 10:27:51 xxx smbd[2426]:   getpeername failed. Error was Transport
endpoint is not connected
    Jan 17 10:27:51 xxx smbd[2426]:   write_data: write failure in writing to
client 0.0.0.0. Error Connection reset by peer

We consequently cannot authenticate from the Domain Controllers.

We have the following settings in the header of our smb file:

    security = ads
    workgroup = XXXredactedXXX
    realm = XXXredactedXXX.LOCAL
    password server = XXX-dc1.haluk.local, XXX-dc2.haluk.local
    encrypt passwords = yes
    update encrypted = yes
    server string = XXXstorage
    netbios name = XXXstorage
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind offline logon = yes
    enhanced browsing = no
    template shell = /bin/false
    veto files = /TheVolumeSettingsFolder/, /Temporary Items/, /*DS_Store*/,
/*AppleDB/, /*AppleDesktop/, /*AppleDouble/, /Network Trash Folder/, /*Trashes/,
/*TemporaryItems/, /*FBCLockFolder/, /*FBCIndex/
    delete veto files = yes
    create mask = 0775
    directory mask = 2775
    invalid users = root
    panic action = /usr/share/samba/panic-action %d
    log file = /var/log/samba/log.%m
    socket options = TCP_NODELAY
    printing = cups
    inherit acls = yes
    inherit permissions = yes
    map acl inherit = yes
    nt acl support = yes
    ea support = yes
    smb ports = 139 445

Assistance gratefully received.

-- 
Rory Campbell-Lange
rory at campbell-lange.net

Campbell-Lange Workshop
www.campbell-lange.net
0207 6311 555
3 Tottenham Street London W1T 2AF
Registered in England No. 04551928

The issue appears to be in relation to Windows security update MS11-095
http://support.microsoft.com/kb/2621146 which has affected Active
Directory. More information about the update is available here:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=28500

On 17/01/12, Rory Campbell-Lange (rory at campbell-lange.net)
wrote:
> Hi. We've just installed Windows updates on our Windows 2003 Domain
> Controllers, and have the following issues on our storage server, which
> is running Debian stable 2:3.5.6~dfsg-3squeeze5
> 
>     Jan 17 10:27:51 xxx smbd[2426]: [2012/01/17 10:27:51.286853,  0]
lib/util_sock.c:680(write_data)
>     Jan 17 10:27:51 xxx smbd[2426]: [2012/01/17 10:27:51.286915,  0]
lib/util_sock.c:1441(get_peer_addr_internal)
>     Jan 17 10:27:51 xxx smbd[2426]:   getpeername failed. Error was
Transport endpoint is not connected
>     Jan 17 10:27:51 xxx smbd[2426]:   write_data: write failure in writing
to client 0.0.0.0. Error Connection reset by peer
> 
> We consequently cannot authenticate from the Domain Controllers.
> 
> We have the following settings in the header of our smb file:
> 
>     security = ads
>     workgroup = XXXredactedXXX
>     realm = XXXredactedXXX.LOCAL
>     password server = XXX-dc1.haluk.local, XXX-dc2.haluk.local
>     encrypt passwords = yes
>     update encrypted = yes
>     server string = XXXstorage
>     netbios name = XXXstorage
>     idmap uid = 10000-20000
>     idmap gid = 10000-20000
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind use default domain = yes
>     winbind offline logon = yes
>     enhanced browsing = no
>     template shell = /bin/false
>     veto files = /TheVolumeSettingsFolder/, /Temporary Items/,
/*DS_Store*/, /*AppleDB/, /*AppleDesktop/, /*AppleDouble/, /Network Trash
Folder/, /*Trashes/, /*TemporaryItems/, /*FBCLockFolder/, /*FBCIndex/
>     delete veto files = yes
>     create mask = 0775
>     directory mask = 2775
>     invalid users = root
>     panic action = /usr/share/samba/panic-action %d
>     log file = /var/log/samba/log.%m
>     socket options = TCP_NODELAY
>     printing = cups
>     inherit acls = yes
>     inherit permissions = yes
>     map acl inherit = yes
>     nt acl support = yes
>     ea support = yes
>     smb ports = 139 445
> 
> Assistance gratefully received.
> 
> -- 
> Rory Campbell-Lange
> rory at campbell-lange.net
> 
> Campbell-Lange Workshop
> www.campbell-lange.net
> 0207 6311 555
> 3 Tottenham Street London W1T 2AF
> Registered in England No. 04551928
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
-- 
Rory Campbell-Lange
rory at campbell-lange.net

Campbell-Lange Workshop
www.campbell-lange.net
0207 6311 555
3 Tottenham Street London W1T 2AF
Registered in England No. 04551928