samba - Dec 2012 - Cannot get user level access to shares

I'm setting up a new samba server under CentOS6.3,
samba-3.5.10-125.el6.x86_64,
 and am running into a strange problem I am unable to solve. There's
actually
 a bunch of problems, but I think they can be solved once this particular issue
 is fixed.

 Samba is set up as a PDC for WinXP clients. The old samba server bit the
 dust and I had many problems trying to migrate. So I started from scratch
 with a very basic configuration, straight from the RHEL6 documentation
 ("Primary Domain Controller (PDC) using tdbsam"), but even with this
setup,
 I keep running into the same issue. The logs (log level 2) are littered with
 lines like these:

[2012/12/18 12:39:35.740861,  2]
smbd/service.c:587(create_connection_server_info)
  guest user (from session setup) not permitted to access this share (MYID)
[2012/12/18 12:39:35.740893,  1] smbd/service.c:678(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED

 So, despite success login as MYID, samba only grants guest-level access to
 this share. One consequence is that software like Office cannot save to
 the share because it's "in use by another user". I can fix this
bit with
 various locking related options.

 In order to discount issues with other network services, I have created
 MYID and the corresponding home directory locally on the samba server.
Yet, the issue persists.

 testparm output:

Server role: ROLE_DOMAIN_PDC
[global]
        workgroup = MYGROUP
        netbios name = SAMBA
        server string = Samba Server Version %v
        interfaces = lo, eth0, 10.20.11.131/24, 127.0.0.1
        bind interfaces only = Yes
        log level = 2
        log file = /var/log/samba/log.%m
        max log size = 50
        add user script = /usr/sbin/useradd "%u" -n
        delete user script = /usr/sbin/userdel "%u"
        add group script = /usr/sbin/groupadd "%g" -n
        delete group script = /usr/sbin/groupdel "%g"
        delete user from group script = /usr/sbin/userdel "%u"
"%g"
        add machine script = /usr/sbin/useradd -n -g machines -c
"Machines (%M)" -M -d /nohome -s /bin/false "%u"
        domain logons = Yes
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        hosts allow = 127., 10.20.11.
        cups options = raw
        posix locking = No

[homes]
        comment = Home Directories
        read only = No
        veto oplock files = /*.msf/Inbox/*.xls/*.csv/
        browseable = No