Table Of Contents
|1.||24 Apr 2000 - 26 Apr 2000||(18 posts)||Debugging and Diversions|
|2.||24 Apr 2000 - 25 Apr 2000||(9 posts)||One Broken Function|
|3.||25 Apr 2000 - 26 Apr 2000||(7 posts)||What Works in Samba-TNG|
|4.||26 Apr 2000||(3 posts)||To Change a RID|
|5.||26 Apr 2000 - 28 Apr 2000||(20 posts)||Users, Groups, Nesting, Local, Global, Mumble, Mumble, Mumble|
|6.||26 Apr 2000 - 29 Apr 2000||(16 posts)||A First Look At Samba 2.0.7|
|7.||28 Apr 2000 - 29 Apr 2000||(7 posts)||Load-Balancing Support from WINS?|
As promised last week, we have in this issue The Compleat Samba 2.0.7 Deployment Guide. Well, that may be a little premature, but 2.0.7 has now been out long enough to ferret out a lot of minor glitches such as most software has. There certainly have been no showstopper bugs discovered so far. Most of what have been reported are directly related to the new features (such as the UTMP support), so merely upgrading an existing Samba installation shouldn't trip over them. What remain are mostly bugs that already existed in previous versions and simply haven't been fixed yet.
Should you upgrade? Yes, if you need to interoperate with Windows 2000. While there are no plans to make Samba 2.0 work as a domain controller for Windows 2000 clients, Samba 2.0.7 fixes several known issues with file/print/name service for it.
If you do not immediately care about Windows 2000, the decision is a bit less obvious. Samba 2.0.7 fixes a lot of small bugs, but since they are small bugs, a particular site may not be affected anyway. (Our local site has been running 2.0.5 quite painlessly for nearly a year; we feel no pressing need to upgrade.) In any case, read the coverage below and decide for yourselves.
Mailing List Stats For This Week
We looked at 408 posts in 920K.
There were 174 different contributors. 68 posted more than once. 49 posted last week too.
The top posters of the week were:
1. Debugging and Diversions
24 Apr 2000 - 26 Apr 2000 (18 posts) Archive Link: "samba tng ignores %U"
People: Lars Kneschke, Michael Glauche, Luke Leighton,
Lars Kneschke kicked off a pleasant little thread on
samba-ntdom by noting:
current samba tng ignores the %U parameter in
"The profile goes to
\\KNECKE\profile\... and not
\\KNECKE\profile\<username>\... . This is not so
optimal, because every user has the same profile! :-)"
"Profiles were fine
there, although tng occasionly wrote them as user root, so I moved them
to a 2.0.7pre4 server. Then profiles worked like a charm ..."
Luke Leighton was alarmed that it would write profiles as the root user
and asked for more information. No reply, at least in-band.
For the original question, Luke was quick to assign credit where
credit was due:
"yep! :) andrew rewrote the
standard_sub_xxx() functions, i haven't checked this
"Please fix it!
"*grump* oh ok, then, just
not tonight (2am). another side-interest: http://advogato/person/lkcl (http://advogato.org/person/lkcl/)
A short diversion on Advogato followed, and Luke urged Samba developers
to run out and get themselves accounts on the project. Another little
tangent was about CPU speeds -- it seems Michael runs a 486 at home
that takes an hour to compile Samba-TNG.
"glad I have some nice dual celeron 433 at work ;)"
Continuing the original bug hunt, Luke asked Lars: "what happens when you type in an incorrect password but a correct user? only do this if you don't mind possibly having to power-cycle your m/c." Lars replied that everything seemed normal, no power-cycles required or anything.
2. One Broken Function
24 Apr 2000 - 25 Apr 2000 (9 posts) Archive Link: "Problem with sid_to_string in CVS Samba-TNG"
People: Paul Collins, Luke Leighton,
Paul Collins noticed something strange about printing SID structures
in Samba-TNG. He posted his findings to
my new installation is creating stringified
SIDs like this: (from
get_sam_domain_name: PDC/BDC MELOCHORD
read_sid: Domain: MELOCHORD
sid_to_string returning S--1989380350-3784617370-2315756573
read_sid_from_file /usr/local/samba-tng/private/MELOCHORD.SID: sid S--1989380350-3784617370-2315756573
get_member_domain_sid: sid_to_string returning S--1989380350-3784617370-2315756573
sid_to_string returning S--32
Map: Domain: BUILTIN SID: S--32
sid_to_string returning S-
Map: Domain: Global Domain SID: S-
sid_to_string returning S--0
Map: Domain: Everyone SID: S--0
sid_to_string returning S--0
And so on. I checked the code for sid_to_string (CVS versus 2.4.2), and bar the change from fstring to pstring, it looks the same. The revision number is missing from somewhere...
Luke Leighton suggested,
"try putting it
back, let me know what happens."
Paul reported success:
"Done. Put in the
2.4.2, and it now works. This also means that a valid SID is now being
He continued, about
his Samba domain controller:
MELOCHORD\cathy. Logged out and tried
giving an incorrect password. Aargh. The "Logon in progress"
appeared, and when it disappeared, I got the C0000253 error code, and
further attempt to log in with valid domain accounts resulted in
C0000037s. Hit ESC and then C-M-DEL; the domain list box had vanished,
and I got a C0000037 upon trying to log in with the local Administrator
account. This is because
LSASS.EXE crashed. Dr Watson
report is appended."
Luke didn't want to see the Dr. Watson
"argh. no, it's ok, i've seen those
so many times it's not true :) more use to someone at microsoft, except
they're already aware of how badly broken nt4's dce/rpc is, and why, so
"Is this a
variant of that LSA DoS attack they "fixed" in SP4?"
"no, it's a client-side bug. no
client-side bugs have been fixed in nt4. it's not considered
worthwhile, by microsoft. after all, what would you be doing putting
third party servers on your network?"
The next day Paul reported that Luke seemed to have fixed the Samba
bug in question:
"not only does everything
still work, but when I give an incorrect password, I get the standard
lsass.exe does not crash."
3. What Works in Samba-TNG
25 Apr 2000 - 26 Apr 2000 (7 posts) Archive Link: "i'm very statisfied with samba tng at the moment"
People: Lars Kneschke, Alexander Davydenko, Luke Leighton,
Lars Kneschke was trying out Samba-TNG in order to update his famous FAQ (http://www.kneschke.de/projekte/samba_tng/)
and posted a general status report on
What works not:
Now i need to update the "samba tng faq"-webpages. I hope i can do it, before i falling a sleep.
Alexander Davydenko was impressed, and suggested,
2.5.tar.bz2 must be
tagged on CVS as working well :)"
Luke took him seriously:
"done. SAMBA_TNG_2_5_GOOD (http://samba.org/cvsweb/samba/?only_with_tag=SAMBA_TNG_2_5_GOOD)
4. To Change a RID
26 Apr 2000 (3 posts) Archive Link: "Rids"
People: Inge-Haavard Hunstad, Paul Collins,
Inge-Haavard Hunstad had some questions for the general population
samba-ntdom about RIDs, or Relative Identifiers. The
RID is a 32-bit number assigned to a user or group, analogous to Unix
some questions regarding the rid. I need to know how important the rid
is in a Samba controlled domain. Can I assign a new rid to a user
without getting any trouble. As I see it it is only the profile that
contains the rid and will be corrupted if the rid of a user changes.
Is this right? If so will I eliminate this problem if I use mandatory
profiles and deletes the local copy when the user log out? Another
problem would be the machine accounts if I change the rid of a machine
account will I have to rejoin the domain?"
Paul Collins explained, "If you change a user's RID, then the permissions on any NTFS volumes that refer to that user will no longer apply; you will likely see "Account Unknown" in such permissions lists." He concluded, "If you detail why you need to change the RIDs, better solutions may be possible." Inge-Haavard obliged: partly it was curiosity, but "I also have some users that already exist in the my smbpasswd but since my smbd now uses LDAP to store the passwords I needed to know what the consequences of just giving these users a new rid(sid) where. I think I would have to stop the samba server and start the old one to extract the rid. But since this server is in a production environment I hoped that it would be possible just to give the users a new rid instead."
There were no in-band replies.
5. Users, Groups, Nesting, Local, Global, Mumble, Mumble, Mumble
26 Apr 2000 - 28 Apr 2000 (20 posts) Archive Link: "Samba TNG FAQ updated"
People: Lars Kneschke, Luke Leighton, Paul Collins, Greg Leblanc, Jamie Ffolliott, Kevin Colby,
While soliciting feedback on
samba-ntdom for the latest
revision of his almost-official Samba-TNG FAQ (it now has a
from the Samba web pages), Lars Kneschke asked a rather
Luke, do you know how to become a local administrator? i have used "local group map", whit this content:
test1 = "Adminstrators"
"Administrators" gets also shown as local group in the Usermanager, but i can't change the clock. So i think, that i'm not a admin user. What do you think?
"uh... now you're in
trouble :) on NT, the local group,
Administrators, is made a member of the
Domain Admins" domain group. this is not possible
in unix [to make a group a member of a group]."
pointed out that NIS netgroups (not to be confused with NIS groups,
which are mapped directly from Unix groups) can be nested.
This sparked a lively discourse on the Windows NT paradigm for
groups and users. Paul Collins did his best to shed light on the
"Global groups exist in domains only,
and can contain users only. Local groups exist in domains and local
SAMs and can contain users and/or global groups. Domain local groups
are only visible to the domain controllers."
Greg Leblanc mostly
agreed, except for the last bit:
Domain Local Groups are visible via any computer running the User
Manager for Domains (
usrmgr.exe). The will not be visible
on workstations by default, as they install the User Manager
"in the local administrator
group, the domain admins global group is added? if this is a
requirement, it cannot be done on unix."
"When you join the domain,
DOMAIN\Domain Admins is added to
DOMAIN\Domain Guests is added to
is added to
MACHINE\Users. By default, the user right
"Log on locally" is granted to all local users via the groups, and
members of the domain groups that were added get those rights
Administrators group on workstations and standalone
servers, yes; it does not concern the domain controllers at all, since
their SAM (the domain SAM) contains the users directly. The effect of
adding a user to the
DOMAIN\Administrators group is that
they would be local admins of the domain controllers only. It's not
necessary for normal operation, and I don't think it's done much,
unless you trust people with your DCs but not your SQL servers."
Jamie Ffolliott tried to untangle it a little:
"Hmm? Adding a user to
group means that user will be a local admin of all the PDC and it's
BDC's, as well as a local admin on the workstations joined to
this domain (by default). It's done very often because it's
Microsoft's default when the workstation joins the domain. If you
trust people with your DC's then you inherently trust them with your
SQL servers if you don't remove the
group from the
Workstation\Administrators group on the
server SQLServ runs on, but why would you bother since the domain
admins are already trusted to administer your domain?"
Paul pointed out that Jamie was confusing
DOMAIN\Administrators, a group local to the domain
DOMAIN\Domain Admins, a global
Lars pondered, "At least it should be able to add a user to the Administrators group, without the need to modify the groups at the workstation. Am i right? Correct me if i'm wrong." Paul summarized once again, in table form this time:
I don't think Samba needs to support nesting of global groups in local groups in its own SAM. The nesting support on the workstations and servers is all you need for the domain to operate correctly.
Whenever you join a machine to a domain, the global groups "Domain Admins", "Domain Guests" and "Domain Users" get added to the workstations corresponding local groups (in fact, WSes can only have local groups). That is:
|Global group||inserted into||local group|
Since a workstation grants the right "Log on locally" to
WS\Users by default, the insertion of
DOMAIN\Domain Admins into
enables all domain users to log into that workstation.
Kevin Colby admitted, "Maybe it's just me, but you lost me here. Your statements seem to contradict each other." Paul explained, "It's not needed on Samba domain controllers. Since Unix can't nest groups, it would be tricky anyway. It is needed on domain members, but only NT ones, because it is how the user rights get granted to the domain users, etc. Samba does not have to do anything for it to work. All it has to do is provide the global groups, which it does." He added, "The real problem occurs with the names they chose for the two types of group; they don't really describe their behaviour in any sensible fashion. All you can do, like learning irregular verbs, is bash it into your head repeatedly."
Finally, in case we all thought it really was that simple, Paul had a parting shot: "Windows 2000, by the way, adds a new kind of group: the Universal group, which can contain users from any domain (as long as it is trusted by the domain the group is in) and can be nested arbitrarily. Universal groups are only applicable in "native mode", though. As usual, there are different restrictions on the names allowed for the three types of group." Oh.
6. A First Look At Samba 2.0.7
26 Apr 2000 - 29 Apr 2000 (16 posts) Archive Link: "Samba 2.0.7 released"
People: , Jeremy Allison, Using Samba, David Lee
Jeremy Allison announced Samba 2.0.7 (http://us1.samba.org/samba/whatsnew/samba-2.0.7.html) , which has been months in the making and contains dozens of bug fixes and a few feature enhancements. The announcement itself is worth reading, but here is the Reader's DigestTM version:
who' command, and historical data with `
last'. Several parameters control details of this.
smb.conffile at runtime. This is intended to simplify setup of high-availability configurations, among other things.
smbpasswd, has been extended with an option for removing users (previously it could only add and change them).
recv()system call malfunctions. (Samba now uses
No sooner did Jeremy get the announcement out but the bug reports started trickling in. Here are some user experiences to date:
__inet_ntoa()function. This is apparently an old, known bug.
smbclientwas not resolving names, given only a hosts file.
smbfsfilesystem on shutdown. Apparently the problem was in 2.0.5, disappeared in 2.0.6 and regressed in 2.0.7.
source environment" support, where something only allocated 100 extra bytes for a variable substitution. In his situation, he needed a lot more space than that.
That's the initial run of glitches. Not surprisingly, all but one of them is either
7. Load-Balancing Support from WINS?
28 Apr 2000 - 29 Apr 2000 (7 posts) Archive Link: "WINS support"
People: Kevin Rowland, Jerry Carter, Chris Hertel, , James Sutherland, Jean-François Micouleau
Kevin Rowland asked the
"Has anyone tried or thought about making
nmbd support a 'round-robin' type of NetBIOS name
resolution analogous to what is available in BIND v8? I've got a
project that would make this VERY handy..."
Jerry Carter assumed
he meant load-balancing the WINS servers themselves:
"How would you propose handling name registration? Anyways...
I could see where if you had several WINS servers that used some type
of synchronization/replication protocol this would work, but not if you
just had multiple, separate WINS servers. I'm guessing you meant the
That wasn't what Kevin meant, though. He explained
"I'm using samba servers as
translators to a distributed file space (AFS) where people's home dirs
are stored. I want to be able to make everybody's home path to be
\\trans\joeuser' instead of using
\\transX\joeuser' where X is 1 thru 5. The latter
requires me to decide which is best at the time."
Jean-François Micouleau suggested Microsoft's own distributed filesystem, MS-DFS (which, by wild twists of pedigree, is actually a distant cousin to AFS). Kevin replied, "I would like that (even proposed it)... but AFS is not going away anytime soon. So I suppose, to rephrase my question. Is there a better way to load balance the access to my translators?"
James Sutherland suggested just using round-robin DNS to resolve NetBIOS names. Chris Hertel disagreed: "Ick. DNS and NetBIOS names really, really are different things. It is convenient if the two match, but it's like using a phone book to look up a web site. If anyone is interested, there is a Java-based NBNS server that could probably be tuned to do what you want. jcifs.samba.org (http://jcifs.samba.org) "
Sharon And Joy
Kernel Traffic is grateful to be developed on a computer donated by Professor Greg Benson and Professor Allan Cruse in the Department of Computer Science at the University of San Francisco. This is the same department that invented FlashMob Computing. Kernel Traffic is hosted by the generous folks at kernel.org. All pages on this site are copyright their original authors, and distributed under the terms of the GNU General Public License version 2.0.