In Gentoo there's optional support for using pam_mktemp to restrict access to the per-user temporary files; this module sets TMPDIR to a private /tmp/.private/$USER directory which is not accessible by other users.
Unfortunately this seems to clash with samba since after setting it up it does not respond to connections any longer, and instead logs this:
Dec 21 23:37:03 [smbd] [2008/12/21 23:37:03, 0] smbd/service.c:set_current_service(184)_
Dec 21 23:37:03 [smbd] chdir (/tmp/.private/nobody) failed_
I'm not sure where to start to debug, but if somebody can at least give me some pointers I can try to do my best to arrive at a solution.
Seems like looking a bit further into this the problem is that the PAM session chain is not fully executed (and the environment set) when the user is switched during authentication.
Without this, TMPDIR still refers to nobody's user rather than the current logged-in user, which will fail since the private temporary directories are not accessible by other users (this is where the mitigation enters the game).