Samba Traffic #17 For 22 Mar 2000

By Peter Samuelson



The story this week is alpha releases. Five of them happened within the scope of this week. Jeremy released the second pre-release of Samba 2.0.7, and Luke released four of his Samba-TNG branch. There is still no firm date for 2.0.7 (is there ever?) but it is getting ever nearer. As for Samba-TNG, it is starting to work correctly for more and more people. TNG is still not recommended as a file server; the recommended setup is to use it for domain logins only, and use a stable release for file service.

1. Unix Attributes Shell Extension

12 Mar 2000 (3 posts) Archive Link: "Unix attributes shell extension"

People: Gunnar Degnbol, Luke Leighton

Gunnar Degnbol announced a rather cool new utility for Windows (still in development, of course):

After a discussion with Luke Leighton I have written a Windows shell extension for changing Unix file attributes.

The shell extension adds a property page with a lot of checkboxes for files on networked drives (tested with Samba, NT and NetWare 3.20). It does not do anything yet, but most of the shell extension technicalities are there. It can be downloaded from

I have defined two RPC functions, GetSetAttributes() and GetSMBPath(), that are needed for this to work. I am not sure what kind of RPC connection to make, or where in Samba to put it in. The IDL file is included with the program.

The GetSetUnixAttributes function is based on the NFS functions GETATTR and SETATTR, but without the NFSisms. If SetUnixAttributes() returns the old attributes, and allows attributes (permission, uid etc.) to be set individually, there is no need for a GetUnixAttributes(), so I have made a GetSetUnixAttributes() function.

In addition to the information returned by stat(), GetSetUnixAttributes() can return the user and group names, the unix path and the target of a symlink (unix filename).

It should be able to set the permissions and the user and group either as IDs or as names. The context for the IDs/names is supposed to exist in the user's head. It should not be able to create symlinks, nor to move files.

I also put a GetSMBName() function in the IDL file, to convert a unix file name to a SMB share/pathname. Because of symlinks it is not possible to make this work for all shared directories, but a function that works in simple cases (directly below a shared directory) is still useful.

Win2K has some new shell interfaces, among them IColumnProvider. It provides extra columns or replaces existing columns in Explorer's detail view.

There was no reply, except to say that he'd gotten the URL wrong. [The URL above has been emended.]

2. Disappearing Automounts

13 Mar 2000 (3 posts) Archive Link: "Samba vs Sun automounter"

People: Dave Collier-Brown, Mike Gerdts

Dave Collier-Brown came across a potentially useful tidbit.

A moderately-frequently asked question is "why do automounted directories in shares disappear?"

The old answers were:

  1. they timed out and auto-un-mounted, and
  2. you shouldn't re-export NFS-imported stuff anyway.

A new answer (0) was just suggested by a Sun techie: add a "browse" option to the automounter map entry, to make them appear even when they're not mounted.

Could someone with appropriate permissions add this to the FAQ?

Mike Gerdts added, "This option was added in Solaris 2.6. Please note that Solaris 2.5.1 and earlier do not support it."

3. Samba-TNG Alpha Release (1/4)

13 Mar 2000 - 14 Mar 2000 (6 posts) Archive Link: "samba-tng-0.15.tar.gz"

People: Luke Leighton, Karl Denninger, Michael Breuer, Jamie Ffolliott, Jacob Jensen, Jean-François Micouleau

The roadmap for how the NT domain controller functionality will eventually hit the mass market is an interesting one. The Samba Team generally agrees that the HEAD branch of code is what will eventually become Samba 3.0, and its main release goal is to be a stable domain controller. Currently, though, the MS-RPC code in HEAD is so outdated compared to that in Luke Leighton's Samba-TNG branch that merging the two would be extremely difficult. (Jean-François Micouleau tried once and gave up.)

Jeremy has long said that he would like nothing better than to copy Luke's RPC code straight into the HEAD branch, and would do so except for concerns over the stability of the code. It seems Luke is now addressing those concerns, as he has started pumping out alpha snapshots of the TNG code. The "release notes" for snapshot 0.15:

thanks to elrond for spotting an issue where groups were not being returned in a login. this is likely to fix some of the profile issues reported, plus an nt login of administrator will allow the expected privileges (right to shut down the box, etc).

we're getting there.

we've had one report saying that printing works (but printer browsing doesn't) using an explicit connection to a known printer.

Karl Denninger elaborated about the printing issue: "That's me, and it definitely does work. I've printed a couple thousand pages from Microsoft Office and other applications (Quicken, etc) since cutting over to TNG. This is from Win2k; Win98 also works." Jacob Jensen asked how he did it. Karl was nonchalant: "Just put in \\SERVER\printer-name when it asks you for the name of the network printer. Attempting to browse for it does NOT work; you get "printers" as a folder, which doesn't have anything in it (and that is VERY different behavior than you get under 2.0.6, which also works)"

Meanwhile, Jamie Ffolliott and Michael Breuer reported continuing problems with profiles.

4. More Samba-TNG 0.15 Problems

13 Mar 2000 - 17 Mar 2000 (21 posts) Archive Link: "NT 4 login problems"

People: Luke Leighton, Lars Kneschke, John Weber

Sean Millichamp posted several log snippets showing problems he was having with Samba-TNG and a standalone NT server. He had just updated to the 0.15 alpha release. Luke didn't think the information was specific enough: "follow standard procedure, see TNG faq debug instructions. first thing, send smb.conf. second thing prepare to recompile with ./configure.developer. third thing, prepare debug logs level 100." He also had several theories on what might be wrong, and asked for more information.

Lars Kneschke asked, "Could this be a potential problem? I have installed nt server standalone at home." Later he said that as far as he could tell, NT Server and NT Workstation had the same problems with Samba-TNG.

Sean posted back with his smb.conf file and sent some log files directly to Luke, who replied: "ok, i think i've got it. two out of two people who have login problems are using "netbios name = somethingotherthanthednsname". try removing "netbios name = " from the smb.conf, and let me know if it works." John Weber burst the bubble, though: "I have this problem (and I've posted it recently) and I've always commented out the netbios name line. So 2 out of 3 who have login problems are using "netbios name = somethingotherthanthednsname"."

Luke then spotted another problem with Sean's smbpasswd file: "also, it doesn't help that your root user entry has no account control bits (it should be marked as [U     ] like the others, to indicate that it's a user). i don't know how this occurred. manually edit the smbpasswd file to correct this, ok?" No reply.
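A check for the smbpasswd problem Luke describes, as an added example that is not code from the thread or from Samba. It assumes the Samba 2.0-style line layout `name:uid:LANMAN-hash:NT-hash:[flags]:LCT-time:` with `U` for a user and `W` for a workstation trust account; the sample entries are constructed.

```python
import re

# Assumed layout (Samba 2.0-style smbpasswd, not shown on this page):
#   name:uid:LANMAN-hash:NT-hash:[flags]:LCT-time:
# with U = user and W = workstation trust account in the flags field.
ACB_FIELD = re.compile(r"^\[([A-Za-z ]*)\]$")

X32 = "X" * 32  # placeholder where a real file holds a 32-hex-digit hash
# Constructed sample file; every name and value here is made up.
SAMPLE = "\n".join([
    "# constructed smbpasswd sample",
    f"root:0:{X32}:{X32}:[           ]:LCT-00000000:",
    f"sean:500:{X32}:{X32}:[U          ]:LCT-00000000:",
    f"ws1$:501:{X32}:{X32}:[W          ]:LCT-00000000:",
    f"old:502:{X32}:{X32}:Old Style:/home/old:/bin/sh",
    f"ws2$:503:{X32}:{X32}:[U          ]:LCT-00000000:",
])


def check_smbpasswd(text):
    """Return (line_number, account_name, problem) for suspicious entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(":")
        name = fields[0]
        match = ACB_FIELD.match(fields[4]) if len(fields) > 4 else None
        if match is None:
            # Fifth field is missing or is not a bracketed flag list.
            findings.append((lineno, name, "no-acb-field"))
            continue
        flags = set(match.group(1).replace(" ", ""))
        if not flags & {"U", "W"}:
            # The case from the thread: an entry with no account type bit.
            findings.append((lineno, name, "no-type-flag"))
        elif ("W" in flags) != name.endswith("$"):
            # Trust accounts are the ones named "machine$"; a mismatch means
            # either the flag or the name is wrong.
            findings.append((lineno, name, "type-name-mismatch"))
    return findings


if __name__ == "__main__":
    for lineno, name, problem in check_smbpasswd(SAMPLE):
        print(f"line {lineno}: {name}: {problem}")
```
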

5. Samba-TNG Alpha Release (2/4)

15 Mar 2000 - 17 Mar 2000 (11 posts) Archive Link: "samba-tng-alpha-0.16.tar.gz"

People: Luke Leighton, Tom Crummey, Elrond, Michael Hulet, John Weber

Luke's release notes for Samba-TNG Alpha 0.16: "ok, i noticed some word-order issues in join-to-domain for the smbpasswd sam database option (i normally use --with-sam-pwdb=tdb so did not notice this). when you have a workstation join to a tng domain with smbpasswd file as the sam database, it should now set the trust account password correctly, and this will have been noticeably failing before on any non-intel-word-order machines such as sun ultras and dec alphas etc."

Tom Crummey reported failure joining a domain. He posted various details, but the interesting part was: "The fact that I can continue to log in from another Win 2000 system which joined the domain before Tuesday 7th March with no trouble indicates to me that the workstation account password is being written incorrectly into the smbpasswd file. I was encouraged to see that Luke had found some more word order problems in relation to the smbpasswd file, but unfortunately, there must still be some more."

Elrond suggested that Tom try a particular rpcclient command, and Tom posted the output, where the command failed. Elrond said: "Okay... That looks like more byte-order fun... since I really don't know much in that area... You have to wait for Luke to look at your log."

John Weber and Clair Roberts, meanwhile, reported success in this area. Michael Hulet tried running on a Compaq Alpha: "I joined the new domain with no problems. I received the "The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect" I had a netbios name = in my smb.conf but removed it and still the same problem." Luke repeated his standard how-to-report-bugs schtick, finishing with: "examine log.samr for a "samr_set_userinfo2" call that shows the password being set for the workstation trust account, it will be a big chunk (516 bytes of trash) of data, followed by the trash being decoded, and the password should be the-workstation-name-in-lower-case-unicode. DAMMIT i need nt, this is intolerable." No reply.

6. Samba 2.0.6 Problems & Solutions

15 Mar 2000 - 16 Mar 2000 (5 posts) Archive Link: "Samba 2.0.6"

People: Joachim Backes, Jeremy Allison, Glen Gibb, Herb Lewis

Joachim Backes had two problems with Samba 2.0.6 running on an SGI Origin 2000 server:

  1. making it with the IRIX C compiler, all is made fine and runs fine. But if I use gcc for making, then after installation, only nmbd runs, but smbd dies without any error msg. My gcc version is 2.95.2. Known?
  2. Logging of smbd: In my smb.conf I have an entry as
             log file = /usr/local/samba/var/log.smb-origin
    Then, after samba is started, this log file is created. So far so good. But an additional log file is created called "log.smb" whose name cannot be controlled in the smb.conf file. Any workaround?

Jeremy Allison explained the first problem: "Known issue when compiling with gcc on IRIX (system call structure passing problem). This should be fixed in 2.0.7." Herb Lewis offered an explanation for the second question, and Glen Gibb offered an actual solution: "However, you can change the name of the log file by specifying the "-l log_file" option when you start smbd to use another name other than log.smb (or I think you can specify the default name when compiling)."

7. ACL Support Coming Soon

17 Mar 2000 (2 posts) Archive Link: "Not a bug, but a short wish-list..."

People: Jeremy Allison, Bill Jojo

Frank Rodolf had sent Jeremy Allison private mail asking about support for ACLs, especially on HP-UX, Solaris and Red Hat Linux. Jeremy replied to the samba list: "Yes, this is being added (probably for 2.0.8) specifically for HPUX (and maybe also IRIX and Solaris). Linux & FreeBSD don't have filesystem ACL support yet so this will have to wait on Linux and FreeBSD. HP & SGI engineers are specifically working on this (thanks people !)." Jeremy has hinted at this several times in the past, but never (to our knowledge) given these specifics.

Bill Jojo put in, "FYI: AIX also has ACL support..."

8. Samba-TNG Alpha Release (3/4)

17 Mar 2000 (6 posts) Archive Link: "samba-tng-alpha-1.0.tar.gz"

People: Luke Leighton, Michael Hulet, Seth Vidal, Aaron Brooks

Yet another TNG alpha release, this one labeled "1.0". The difference between 0.x and 1.x alphas has not been revealed; one suspects it is arbitrary. Anyway, Luke's release notes this time:

using nt5 beta1 (desperate measures, i know), i confirmed that there was a problem with joining-to-domain, which may not be a problem with nt4 because nt5beta1 may use different password-set mechanisms from nt4.

i still have not been able to confirm that non-intel-byte-order password sets will work, although i have added the code to do this.

if anyone is having difficulty with TNG, still, i recommend that you delete the entire var/ directory and if you are using smbpasswd as your SAM back-end, delete the entire private/ directory, recreate var/, var/locks/, private/, do a touch private/smbpasswd and start again.

Michael Hulet posted a partial-success report. "I was able to join my NT Workstation Service Pack 3 to the new domain using the create a Computer Account in the Domain checkbox. The smbpasswd looked correct. Only the root user was able to create a computer account, however. After rebooting, I still received the computer account is invalid. I stripped almost everything out /etc/group and all of a sudden root can log in. I logged in as myself and it took about 12 minutes to log in. I also lost my administrator privileges." Luke spotted a possible problem right away:

ok, this is a known issue with the domain_namemap.c code.

you cannot have the same username as a groupname or vice-versa on the unix side.

if you do, the lookups from unix names to nt names will fail, because nt namespace is expected to be unique, therefore login and access will also fail.

nt namespace uses unique names amongst users, groups, aliases and domains. a name is resolved to a SID and a type, therefore must be unique in order to do this.

check your /etc/group and /etc/passwd: make sure that all non-unique names are mapped to unique nt names, using the domain user/group/alias/builtin map options.

This wasn't something Seth Vidal wanted to hear. "This is going to hit A LOT of people - especially debian and redhat users. Redhat and debian setup usergroups by default (user and group name are the same and is the default group for the user) - this will mean A LOT of munging passwd and group files. is there anyway around this? ugh."

The estimable Aaron Brooks (see Issue #11, Section #5 (sm20000210_11.html#5)) was alarmed:

IEEEE!!!! I hope there is a way around this... I just finished a very involved (and pretty sweet) system of NETBIOS aliased virtual servers that use heavy macro expansion on their name to do stuff like:

    [public_html]
        copy = root

        comment = %L %S directory

        force user = %L
        force group = %L

        path = %H/%S
        force create mode = 0755
        force directory mode = 0755

        read list = @users
        write list = root, @%L-prof, @%L-web
        valid users = root, @users

Actually this is slightly modified... some of the above lines actually appear in the "root" share. (about half of them) but just so you can see what's happening. This allows me to be pretty flexible. All I do to give someone access to a share is add them to a UNIX group. We do a lot of projects where people work both on the UNIX (mostly Linux) and the NT side of things pretty evenly and having one point of maintenance is really important. Please say that this can be worked around, please....... (stupid NT monolithic namespace!!!!)

Luke had two possible solutions to this problem:

option 1 - use -DSMBPASSFILE

abandon the domain_namemap.c code and use the smbpassgroup code i started writing as a replacement option for this.

what that does is it doesn't use the /etc/group entries at all.

the expected usage is to have scripts that take /etc/group and create private/smbpassgroup and private/smbpassalias files.

only when a user is added to an nt group or an nt alias will the /etc/group file be checked, and names validated to ensure that they are unique.

it's a lot of work: about three weeks full-time, at a guess.

option 2 - add checking into domain_namemap.c

verify that a name that maps to both a unix name and a unix group, the unix name takes precedence.

this is nasty as hell, because let's say someone tries to create a file with a unix group root, are you going to reject the file create because there is also a username root????

answer: YES! with a damn big warning in the log files saying hey, stupid, map the unix group "root" to something that doesn't clash with the username "root", because i said so, don't argue, just do it.

it increases the complexity of the already-over-complex domain_namemap.c code.

how many times have i said i hate domain_namemap.c, already?

Nobody seemed to have any better ideas, unfortunately.
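The check Luke asks for earlier in this section (find names that exist both as a user in /etc/passwd and as a group in /etc/group), as an added example that is not code from the thread or from Samba. It also marks which clashes are the same-named default groups Seth describes; the sample data is constructed, and the case-insensitive comparison is this example's assumption about NT name matching.

```python
from collections import defaultdict

# Constructed sample data in passwd(5)/group(5) layout; not from the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
seth:x:500:500:Seth:/home/seth:/bin/bash
aaron:x:501:100:Aaron:/home/aaron:/bin/bash
Web:x:502:100:Web content:/home/web:/bin/false
"""
SAMPLE_GROUP = """\
root:x:0:root
users:x:100:aaron
seth:x:500:
web:x:600:aaron
"""


def parse_entries(text, gid_field):
    """Return [(name, gid)]; gid_field is 3 for passwd lines, 2 for group lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and NIS compat lines (+name / -name).
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) <= gid_field or not fields[gid_field].isdigit():
            continue  # malformed line: skip it rather than guess
        entries.append((fields[0], int(fields[gid_field])))
    return entries


def find_collisions(passwd_text, group_text):
    """List user/group pairs whose names would clash in one NT namespace."""
    groups = defaultdict(list)
    for name, gid in parse_entries(group_text, 2):
        # Assumption of this example: NT compares account names without
        # regard to case, so "Web" and "web" also count as a clash.
        groups[name.lower()].append((name, gid))
    report = []
    for user, primary_gid in parse_entries(passwd_text, 3):
        for group, gid in groups.get(user.lower(), []):
            kind = "own-primary-group" if gid == primary_gid else "other-group"
            report.append({"user": user, "group": group, "kind": kind})
    return sorted(report, key=lambda r: r["user"].lower())


if __name__ == "__main__":
    for hit in find_collisions(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f'{hit["user"]} (user) vs {hit["group"]} (group): {hit["kind"]}')
```

To audit a real host, pass the contents of its /etc/passwd and /etc/group to `find_collisions` in place of the sample strings.
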

9. Samba 2.0.7-pre2 Released

17 Mar 2000 - 18 Mar 2000 (4 posts) Archive Link: "Samba 2.0.7pre2 snapshot released."

People: Jeremy Allison, Giulio Orsero

Jeremy Allison announced the second prerelease for Samba 2.0.7, which is expected Real Soon Now:

This is the second snapshot of the code that should become the official Samba 2.0.7 and is feature complete (ie. I'm only going to accept bug fixes, not more features).

This is not production code, but should work well as a file and print server, and contains fixes for all known Windows 2000 bugs.

Please download and test this code and report back any problems to ( . Your help in this will make the official Samba 2.0.7 release better for everyone.

The RPM packaging for this release is not yet complete, so only a source code tarball is being made available.

To everyone who contributed patches, many thanks, and please download and test this code to ensure that the functionality you wanted has been correctly implemented in the code.

Giulio Orsero had a long list of remaining problems. It was basically an update of the list he gave in Issue #11, Section #3 (sm20000210_11.html#3). Rick Lake submitted two patches for QNX.

10. Samba-TNG Alpha Release (4/4)

18 Mar 2000 (1 post) Archive Link: "samba-tng-alpha-1.1.tar.gz"

People: Luke Leighton

One more Samba-TNG alpha. Luke has really been pushing these out the door. Release notes:

  1. i fixed a problem with nmbd's GETDC response, it is responding better but still not perfectly (and 2.0.x and cvs main need to be fixed, as well) as there exists no explanation for the correct response to locate a Domain Controller using GETDC.

    the upshot of fixing this is that joining an nt workstation to a TNG domain is now _extremely_ fast: a couple of seconds, if that, and USRMGR.EXE comes up very rapidly, too.

  2. i concluded that there is a lot of confusion being caused by using smbpasswd to add users to a domain. the default behaviour on creating a user is to create the user with no password and account "disabled", followed by changing the password. this results in, with smbpasswd, the account being created with the correct password, but the account disabled.

    please use samedit. samedit's "createuser username -p userpassword" command goes through a series of instructions that include creating the account (which is automatically disabled when created), followed by setting the password, followed by enabling the account.

    i have already disabled smbpasswd -m and -j options: i am considering just disabling smbpasswd altogether, however i know that people are _not_ going to like that, so really should implement smbpasswd in terms of samedit commands.

    time, time...

  3. elrond continues to send in daily patches that ultimately will help merge TNG with cvs main, by getting TNG more cvs-main-like.

    if anyone else wishes to assist with this, please notify everyone of your interest by responding to, and we can take it from there.

  4. various others, such as greg dickie, michael breuer, continue to send in mini-updates which help to compile and run TNG, please keep 'em coming!
  5. profiles are still not operating correctly, i do not know why, it is beginning to irritate me enough that i am probably going to do something about it.

    i now have, from various sources, legitimate versions of NT 5 and NT 4 installed in vmware 2.0 sessions. i am not entirely happy with this: i can only run one vmware session (i am using just xinit not X, i don't like graphical OSes) at a time. my thanks to darryl for his assistance, suggestions, and for providing the entire samba team with vmware licenses: i would be unable to do any work, right now, without vmware, as i only have the one computer.

    [btw does anyone, other than me, want to run vmware without having to run X-windows, for example, running linux in console-mode and switching between multiple vmware sessions on alt-f1 to alt-f12?]

  6. password changing. oops! i made a mistake in the Great Convert in january, resulting in passing the wrong parameters over in the samr user password change.

    as i modified smbd to call the samr user password change functions instead of accessing smbpasswd directly, this will have affected all user-initiated password changes including win95, dos and wfwg and nt password changes.

    so, if you have win95, please try changing a user password and report to the list if it works or not.

    i also fixed samedit's "ntpass" command to operate correctly at the same time, because it too was minorly broken.

  7. the use of "netbios name" was a red herring and a false alarm. it's perfectly ok to use different netbios names for your server, although not generally considered to be good "network policy", although it does actually work.
  8. elrond spotted that some of the user profile information was not correctly aligned. please report any operational issues and domain user logon problems, as usual, to ( , with a full report.







