Samba Traffic #21 For 4 May 2000

By Peter Samuelson

Table Of Contents

• Printer-Friendly Format
• Text Format
• XML Source
• Introduction
• Mailing List Stats For This Week
• Threads Covered

  1.	24 Apr 2000 - 26 Apr 2000	(18 posts)	Debugging and Diversions
  2.	24 Apr 2000 - 25 Apr 2000	(9 posts)	One Broken Function
  3.	25 Apr 2000 - 26 Apr 2000	(7 posts)	What Works in Samba-TNG
  4.	26 Apr 2000	(3 posts)	To Change a RID
  5.	26 Apr 2000 - 28 Apr 2000	(20 posts)	Users, Groups, Nesting, Local, Global, Mumble, Mumble, Mumble
  6.	26 Apr 2000 - 29 Apr 2000	(16 posts)	A First Look At Samba 2.0.7
  7.	28 Apr 2000 - 29 Apr 2000	(7 posts)	Load-Balancing Support from WINS?

Introduction

As promised last week, we have in this issue The Compleat Samba 2.0.7 Deployment Guide. Well, that may be a little premature, but 2.0.7 has now been out long enough to ferret out a lot of minor glitches such as most software has. There certainly have been no showstopper bugs discovered so far. Most of what have been reported are directly related to the new features (such as the UTMP support), so merely upgrading an existing Samba installation shouldn't trip over them. What remain are mostly bugs that already existed in previous versions and simply haven't been fixed yet.

Should you upgrade? Yes, if you need to interoperate with Windows 2000. While there are no plans to make Samba 2.0 work as a domain controller for Windows 2000 clients, Samba 2.0.7 fixes several known issues with file/print/name service for it.

If you do not immediately care about Windows 2000, the decision is a bit less obvious. Samba 2.0.7 fixes a lot of small bugs, but since they are small bugs, a particular site may not be affected anyway. (Our local site has been running 2.0.5 quite painlessly for nearly a year; we feel no pressing need to upgrade.) In any case, read the coverage below and decide for yourselves.

Mailing List Stats For This Week

We looked at 408 posts in 920K.

There were 174 different contributors. 68 posted more than once. 49 posted last week too.

The top posters of the week were:

• 50 posts in 74K by Luke Kenneth Casson Leighton <lkcl@samba.org>
• 21 posts in 53K by Paul J Collins <pjdc@eircom.net>
• 18 posts in 25K by Lars Kneschke <lars@kneschke.de>
• 11 posts in 20K by Michael Glauche <mg@plum.de>
• 9 posts in 23K by =?iso-8859-2?Q?Rafa=B3=20Szcze=B6niak?= <rfs@aw.com.pl>
• Full Stats

1. Debugging and Diversions

24 Apr 2000 - 26 Apr 2000 (18 posts) Archive Link: "samba tng ignores %U"

People: Lars Kneschke, Michael Glauche, Luke Leighton, 

Lars Kneschke kicked off a pleasant little thread on samba-ntdom by noting: "The current samba tng ignores the %U parameter in smb.conf." The ramifications? "The profile goes to \\KNECKE\profile\... and not to \\KNECKE\profile\<username>\... . This is not so optimal, because every user has the same profile! :-)" Michael Glauche reported, "Profiles were fine there, although tng occasionly wrote them as user root, so I moved them to a 2.0.7pre4 server. Then profiles worked like a charm ..." Luke Leighton was alarmed that it would write profiles as the root user and asked for more information. No reply, at least in-band.

For the original question, Luke was quick to assign credit where credit was due: "yep! :) andrew rewrote the standard_sub_xxx() functions, i haven't checked this since." Lars: "Please fix it! ;-)" Luke: "*grump* oh ok, then, just not tonight (2am). another side-interest: http://advogato/person/lkcl." A short diversion on Advogato followed, and Luke urged Samba developers to run out and get themselves accounts on the project. Another little tangent was about CPU speeds -- it seems Michael runs a 486 at home that takes an hour to compile Samba-TNG. "glad I have some nice dual celeron 433 at work ;)"

Continuing the original bug hunt, Luke asked Lars: "what happens when you type in an incorrect password but a correct user? only do this if you don't mind possibly having to power-cycle your m/c." Lars replied that everything seemed normal, no power-cycles required or anything.

2. One Broken Function

24 Apr 2000 - 25 Apr 2000 (9 posts) Archive Link: "Problem with sid_to_string in CVS Samba-TNG"

People: Paul Collins, Luke Leighton, 

Paul Collins noticed something strange about printing SID structures in Samba-TNG. He posted his findings to samba-ntdom:

Luke Leighton suggested, "try putting it back, let me know what happens." Paul reported success: "Done. Put in the sid_to_string from 2.4.2, and it now works. This also means that a valid SID is now being written to private/DOMAIN.SID." He continued, about his Samba domain controller: "Logged in successfully as MELOCHORD\cathy. Logged out and tried giving an incorrect password. Aargh. The "Logon in progress" appeared, and when it disappeared, I got the C0000253 error code, and further attempt to log in with valid domain accounts resulted in C0000037s. Hit ESC and then C-M-DEL; the domain list box had vanished, and I got a C0000037 upon trying to log in with the local Administrator account. This is because LSASS.EXE crashed. Dr Watson report is appended." Luke didn't want to see the Dr. Watson report: "argh. no, it's ok, i've seen those so many times it's not true :) more use to someone at microsoft, except they're already aware of how badly broken nt4's dce/rpc is, and why, so it's ok." Paul asked, "Is this a variant of that LSA DoS attack they "fixed" in SP4?" Luke sighed, "no, it's a client-side bug. no client-side bugs have been fixed in nt4. it's not considered worthwhile, by microsoft. after all, what would you be doing putting third party servers on your network?"

The next day Paul reported that Luke seemed to have fixed the Samba bug in question: "not only does everything still work, but when I give an incorrect password, I get the standard error and lsass.exe does not crash."

3. What Works in Samba-TNG

25 Apr 2000 - 26 Apr 2000 (7 posts) Archive Link: "i'm very statisfied with samba tng at the moment"

People: Lars Kneschke, Alexander Davydenko, Luke Leighton, 

Lars Kneschke was trying out Samba-TNG in order to update his famous FAQ, and posted a general status report on samba-ntdom:

Alexander Davydenko was impressed, and suggested, "it seems 2.5.tar.bz2 must be tagged on CVS as working well :)" Luke took him seriously: "done. SAMBA_TNG_2_5_GOOD."

4. To Change a RID

26 Apr 2000 (3 posts) Archive Link: "Rids"

People: Inge-Haavard Hunstad, Paul Collins, 

Inge-Haavard Hunstad had some questions for the general population of samba-ntdom about RIDs, or Relative Identifiers. The RID is a 32-bit number assigned to a user or group, analogous to Unix user-ID/group-ID numbers. "I have some questions regarding the rid. I need to know how important the rid is in a Samba controlled domain. Can I assign a new rid to a user without getting any trouble. As I see it it is only the profile that contains the rid and will be corrupted if the rid of a user changes. Is this right? If so will I eliminate this problem if I use mandatory profiles and deletes the local copy when the user log out? Another problem would be the machine accounts if I change the rid of a machine account will I have to rejoin the domain?"

Paul Collins explained, "If you change a user's RID, then the permissions on any NTFS volumes that refer to that user will no longer apply; you will likely see "Account Unknown" in such permissions lists." He concluded, "If you detail why you need to change the RIDs, better solutions may be possible." Inge-Haavard obliged: partly it was curiosity, but "I also have some users that already exist in the my smbpasswd but since my smbd now uses LDAP to store the passwords I needed to know what the consequences of just giving these users a new rid(sid) where. I think I would have to stop the samba server and start the old one to extract the rid. But since this server is in a production environment I hoped that it would be possible just to give the users a new rid instead."

There were no in-band replies.

5. Users, Groups, Nesting, Local, Global, Mumble, Mumble, Mumble

26 Apr 2000 - 28 Apr 2000 (20 posts) Archive Link: "Samba TNG FAQ updated"

People: Lars Kneschke, Luke Leighton, Paul Collins, Greg Leblanc, Jamie Ffolliott, Kevin Colby, 

While soliciting feedback on samba-ntdom for the latest revision of his almost-official Samba-TNG FAQ (it now has a hyperlink from the Samba web pages), Lars Kneschke asked a rather innocent-sounding question:

Luke responded: "uh... now you're in trouble :) on NT, the local group, Administrators, is made a member of the "Domain Admins" domain group. this is not possible in unix [to make a group a member of a group]." Dominik Kubla pointed out that NIS netgroups (not to be confused with NIS groups, which are mapped directly from Unix groups) can be nested.

This sparked a lively discourse on the Windows NT paradigm for groups and users. Paul Collins did his best to shed light on the subject: "Global groups exist in domains only, and can contain users only. Local groups exist in domains and local SAMs and can contain users and/or global groups. Domain local groups are only visible to the domain controllers." Greg Leblanc mostly agreed, except for the last bit: "Incorrect. Domain Local Groups are visible via any computer running the User Manager for Domains (usrmgr.exe). The will not be visible on workstations by default, as they install the User Manager (musrmgr.exe)."

Luke asked, "in the local administrator group, the domain admins global group is added? if this is a requirement, it cannot be done on unix." Paul Collins summarized: "When you join the domain, DOMAIN\Domain Admins is added to MACHINE\Administrators, DOMAIN\Domain Guests is added to MACHINE\Guests and DOMAIN\Domain Users is added to MACHINE\Users. By default, the user right "Log on locally" is granted to all local users via the groups, and members of the domain groups that were added get those rights too." Elsewhere: "The local Administrators group on workstations and standalone servers, yes; it does not concern the domain controllers at all, since their SAM (the domain SAM) contains the users directly. The effect of adding a user to the DOMAIN\Administrators group is that they would be local admins of the domain controllers only. It's not necessary for normal operation, and I don't think it's done much, unless you trust people with your DCs but not your SQL servers."

Jamie Ffolliott tried to untangle it a little: "Hmm? Adding a user to DOMAIN\Administrators group means that user will be a local admin of all the PDC and it's BDC's, as well as a local admin on the workstations joined to this domain (by default). It's done very often because it's Microsoft's default when the workstation joins the domain. If you trust people with your DC's then you inherently trust them with your SQL servers if you don't remove the Domain\Administrators group from the Workstation\Administrators group on the server SQLServ runs on, but why would you bother since the domain admins are already trusted to administer your domain?"

Paul pointed out that Jamie was confusing DOMAIN\Administrators, a group local to the domain controllers, with DOMAIN\Domain Admins, a global group.

Lars pondered, "At least it should be able to add a user to the Administrators group, without the need to modify the groups at the workstation. Am i right? Correct me if i'm wrong." Paul summarized once again, in table form this time:

Kevin Colby admitted, "Maybe it's just me, but you lost me here. Your statements seem to contradict each other." Paul explained, "It's not needed on Samba domain controllers. Since Unix can't nest groups, it would be tricky anyway. It is needed on domain members, but only NT ones, because it is how the user rights get granted to the domain users, etc. Samba does not have to do anything for it to work. All it has to do is provide the global groups, which it does." He added, "The real problem occurs with the names they chose for the two types of group; they don't really describe their behaviour in any sensible fashion. All you can do, like learning irregular verbs, is bash it into your head repeatedly."

Finally, in case we all thought it really was that simple, Paul had a parting shot: "Windows 2000, by the way, adds a new kind of group: the Universal group, which can contain users from any domain (as long as it is trusted by the domain the group is in) and can be nested arbitrarily. Universal groups are only applicable in "native mode", though. As usual, there are different restrictions on the names allowed for the three types of group." Oh.

6. A First Look At Samba 2.0.7

26 Apr 2000 - 29 Apr 2000 (16 posts) Archive Link: "Samba 2.0.7 released"

People: , Jeremy Allison, Using Samba, David Lee

Jeremy Allison announced Samba 2.0.7, which has been months in the making and contains dozens of bug fixes and a few feature enhancements. The announcement itself is worth reading, but here is the Reader's Digest^TM version:

• The complete text of the O'Reilly book Using Samba is now shipped, in HTML format, in the Samba distribution.
• An experimental iteration of David Lee's UTMP support is now included. This allows Samba to record SMB connections in the Unix logged-in-users database, much as some FTP daemons do. This allows one to see current Samba connections using the Unix `who' command, and historical data with `last'. Several parameters control details of this.
• Speaking of David Lee, his patch for inheriting permission masks for newly-created files and directories is included as well. This helps in managing file permissions and can be used to overcome a common problem: many Windows applications do not successfully set permissions of a file they are saving to match what the file originally had -- which quickly wreaks havoc with files shared between multiple users.
• It is now possible to read in a file of environment variables into the smb.conf file at runtime. This is intended to simplify setup of high-availability configurations, among other things.
• The Samba password file utility, smbpasswd, has been extended with an option for removing users (previously it could only add and change them).
• Some sixty bugs are listed as having been fixed. Notably, five of these were Windows-2000-specific issues -- mostly Windows bugs, not Samba bugs, now properly worked around. Another noteworthy workaround is for compiling Samba on IRIX 6.5 with GNU gcc. Previously this would produce buggy binaries because gcc does not correctly pass structures on the stack. In a similar vein, Samba now works around a strange bug in Solaris 2.5.x (fixed in 2.6) where the recv() system call malfunctions. (Samba now uses read() instead.)

No sooner did Jeremy get the announcement out but the bug reports started trickling in. Here are some user experiences to date:

• Denis Sbragion reported a compile failure with Slackware Linux 3.4. It seems the linker cannot find the __inet_ntoa() function. This is apparently an old, known bug.
• Denis also reported a strange error log message ("out of policy handles") which, however, didn't seem to be doing any harm. Jeremy suggested something to try and debug the problem, if problem there actually be.
• Lanny Baron reported that the experimental UTMP support does not compile on FreeBSD, version unspecified. (Did we mention that this code is still experimental?) David Lee by now has a patch out to correct this and other UTMP issues; at the rate the UTMP code is shaping up, it should be in pretty solid shape by 2.0.8.
• Bartlomiej Solarz-Niesluchowski reported that SWAT could not change the parameter "utmp hostname".
• Gert-Jan Vons reported that smbclient was not resolving names, given only a hosts file.
• Janne Johansson reported a very minor build glitch when building Samba outside the source tree. (Solution: "mkdir bin".)
• Eloy Paris (maintainer of Samba packages for Debian Linux) confirmed that Debian Bug #47493 hasn't been fixed in 2.0.7. This one is about filename-mangling of short filenames with illegal (in Windows) characters in them. Of course, this didn't stop him from packaging 2.0.7 for Debian (already available; check your friendly neighborhood Debian mirror, in both the frozen and unstable trees).
• Andrew Williams reported, on SuSE Linux 6.4, the inability to unmount a busy smbfs filesystem on shutdown. Apparently the problem was in 2.0.5, disappeared in 2.0.6 and regressed in 2.0.7.
• Dirk de Wachter reported a bug made manifest by the "source environment" support, where something only allocated 100 extra bytes for a variable substitution. In his situation, he needed a lot more space than that.
• Ralf Wierzbicki reported periods of very slow Samba service to Windows 2000 clients, possibly attributable to some errors in his logs that seem to point to an oplock mixup.
• Ray Frush reported that 2.0.7, like previous versions, was not correctly authenticating users through a Windows 2000 domain controller in NT4 emulation mode.

That's the initial run of glitches. Not surprisingly, all but one of them is either

• not new to 2.0.7,
• related to UTMP support (which, in case we forgot to mention, is still considered experimental), or
• specific to fairly unusual configurations.

7. Load-Balancing Support from WINS?

28 Apr 2000 - 29 Apr 2000 (7 posts) Archive Link: "WINS support"

People: Kevin Rowland, Jerry Carter, Chris Hertel, , James Sutherland, Jean-François Micouleau

Kevin Rowland asked the samba-technical crowd: "Has anyone tried or thought about making nmbd support a 'round-robin' type of NetBIOS name resolution analogous to what is available in BIND v8? I've got a project that would make this VERY handy..." Jerry Carter assumed he meant load-balancing the WINS servers themselves: "How would you propose handling name registration? Anyways... I could see where if you had several WINS servers that used some type of synchronization/replication protocol this would work, but not if you just had multiple, separate WINS servers. I'm guessing you meant the former situation."

That wasn't what Kevin meant, though. He explained further: "I'm using samba servers as translators to a distributed file space (AFS) where people's home dirs are stored. I want to be able to make everybody's home path to be '\\trans\joeuser' instead of using '\\transX\joeuser' where X is 1 thru 5. The latter requires me to decide which is best at the time."

Jean-François Micouleau suggested Microsoft's own distributed filesystem, MS-DFS (which, by wild twists of pedigree, is actually a distant cousin to AFS). Kevin replied, "I would like that (even proposed it)... but AFS is not going away anytime soon. So I suppose, to rephrase my question. Is there a better way to load balance the access to my translators?"

James Sutherland suggested just using round-robin DNS to resolve NetBIOS names. Chris Hertel disagreed: "Ick. DNS and NetBIOS names really, really are different things. It is convenient if the two match, but it's like using a phone book to look up a web site. If anyone is interested, there is a Java-based NBNS server that could probably be tuned to do what you want. jcifs.samba.org"

Sharon And Joy