Samba Traffic #21 For 4 May 2000

By Peter Samuelson

Introduction

As promised last week, we have in this issue The Compleat Samba 2.0.7 Deployment Guide. Well, that may be a little premature, but 2.0.7 has now been out long enough to ferret out a lot of the minor glitches that most software ships with. There certainly have been no showstopper bugs discovered so far. Most of the bugs reported are directly related to the new features (such as the UTMP support), so merely upgrading an existing Samba installation shouldn't trip over them. The rest are mostly bugs that already existed in previous versions and simply haven't been fixed yet.

Should you upgrade? Yes, if you need to interoperate with Windows 2000. While there are no plans to make Samba 2.0 work as a domain controller for Windows 2000 clients, Samba 2.0.7 fixes several known issues with file/print/name service for it.

If you do not immediately care about Windows 2000, the decision is a bit less obvious. Samba 2.0.7 fixes a lot of small bugs, but since they are small bugs, a particular site may not be affected anyway. (Our local site has been running 2.0.5 quite painlessly for nearly a year; we feel no pressing need to upgrade.) In any case, read the coverage below and decide for yourselves.

Mailing List Stats For This Week

We looked at 408 posts in 920K.

There were 174 different contributors. 68 posted more than once. 49 posted last week too.

The top posters of the week were:

1. Debugging and Diversions

24 Apr 2000 - 26 Apr 2000 (18 posts) Archive Link: "samba tng ignores %U"

People: Lars Kneschke, Michael Glauche, Luke Leighton

Lars Kneschke kicked off a pleasant little thread on samba-ntdom by noting: "The current samba tng ignores the %U parameter in smb.conf." The ramifications? "The profile goes to \\KNECKE\profile\... and not to \\KNECKE\profile\<username>\... . This is not so optimal, because every user has the same profile! :-)" Michael Glauche reported, "Profiles were fine there, although tng occasionally wrote them as user root, so I moved them to a 2.0.7pre4 server. Then profiles worked like a charm ..." Luke Leighton was alarmed that it would write profiles as the root user and asked for more information. No reply, at least in-band.

For the original question, Luke was quick to assign credit where credit was due: "yep! :) andrew rewrote the standard_sub_xxx() functions, i haven't checked this since." Lars: "Please fix it! ;-)" Luke: "*grump* oh ok, then, just not tonight (2am). another side-interest: http://advogato/person/lkcl (http://advogato.org/person/lkcl/) ." A short diversion on Advogato followed, and Luke urged Samba developers to run out and get themselves accounts on the project. Another little tangent was about CPU speeds -- it seems Michael runs a 486 at home that takes an hour to compile Samba-TNG. "glad I have some nice dual celeron 433 at work ;)"

Continuing the original bug hunt, Luke asked Lars: "what happens when you type in an incorrect password but a correct user? only do this if you don't mind possibly having to power-cycle your m/c." Lars replied that everything seemed normal, no power-cycles required or anything.

2. One Broken Function

24 Apr 2000 - 25 Apr 2000 (9 posts) Archive Link: "Problem with sid_to_string in CVS Samba-TNG"

People: Paul Collins, Luke Leighton

Paul Collins noticed something strange about printing SID structures in Samba-TNG. He posted his findings to samba-ntdom:

my new installation is creating stringified SIDs like this: (from log.samr)

get_sam_domain_name: PDC/BDC MELOCHORD
read_sid: Domain: MELOCHORD
sid_to_string returning S--1989380350-3784617370-2315756573
read_sid_from_file /usr/local/samba-tng/private/MELOCHORD.SID: sid S--1989380350-3784617370-2315756573
get_member_domain_sid: sid_to_string returning S--1989380350-3784617370-2315756573
S--1989380350-3784617370-2315756573
sid_to_string returning S--32
Map: Domain: BUILTIN SID: S--32
sid_to_string returning S-
Map: Domain: Global Domain SID: S-
sid_to_string returning S--0
Map: Domain: Everyone SID: S--0
sid_to_string returning S--0

And so on. I checked the code for sid_to_string (CVS versus 2.4.2), and bar the change from fstring to pstring, it looks the same. The revision number is missing from somewhere...

Luke Leighton suggested, "try putting it back, let me know what happens." Paul reported success: "Done. Put in the sid_to_string from 2.4.2, and it now works. This also means that a valid SID is now being written to private/DOMAIN.SID." He continued, about his Samba domain controller: "Logged in successfully as MELOCHORD\cathy. Logged out and tried giving an incorrect password. Aargh. The "Logon in progress" appeared, and when it disappeared, I got the C0000253 error code, and further attempt to log in with valid domain accounts resulted in C0000037s. Hit ESC and then C-M-DEL; the domain list box had vanished, and I got a C0000037 upon trying to log in with the local Administrator account. This is because LSASS.EXE crashed. Dr Watson report is appended." Luke didn't want to see the Dr. Watson report: "argh. no, it's ok, i've seen those so many times it's not true :) more use to someone at microsoft, except they're already aware of how badly broken nt4's dce/rpc is, and why, so it's ok." Paul asked, "Is this a variant of that LSA DoS attack they "fixed" in SP4?" Luke sighed, "no, it's a client-side bug. no client-side bugs have been fixed in nt4. it's not considered worthwhile, by microsoft. after all, what would you be doing putting third party servers on your network?"

The next day Paul reported that Luke seemed to have fixed the Samba bug in question: "not only does everything still work, but when I give an incorrect password, I get the standard error and lsass.exe does not crash."

3. What Works in Samba-TNG

25 Apr 2000 - 26 Apr 2000 (7 posts) Archive Link: "i'm very statisfied with samba tng at the moment"

People: Lars Kneschke, Alexander Davydenko, Luke Leighton

Lars Kneschke was trying out Samba-TNG in order to update his famous FAQ (http://www.kneschke.de/projekte/samba_tng/) , and posted a general status report on samba-ntdom:

What's working:

What does not work:

Now I need to update the "samba tng faq" webpages. I hope I can do it before I fall asleep.

Alexander Davydenko was impressed, and suggested, "it seems 2.5.tar.bz2 must be tagged on CVS as working well :)" Luke took him seriously: "done. SAMBA_TNG_2_5_GOOD (http://samba.org/cvsweb/samba/?only_with_tag=SAMBA_TNG_2_5_GOOD) ."

4. To Change a RID

26 Apr 2000 (3 posts) Archive Link: "Rids"

People: Inge-Haavard Hunstad, Paul Collins

Inge-Haavard Hunstad had some questions for the general population of samba-ntdom about RIDs, or Relative Identifiers. The RID is a 32-bit number assigned to a user or group, analogous to Unix user-ID/group-ID numbers. "I have some questions regarding the rid. I need to know how important the rid is in a Samba controlled domain. Can I assign a new rid to a user without getting any trouble? As I see it, it is only the profile that contains the rid and will be corrupted if the rid of a user changes. Is this right? If so, will I eliminate this problem if I use mandatory profiles and delete the local copy when the user logs out? Another problem would be the machine accounts: if I change the rid of a machine account, will I have to rejoin the domain?"

Paul Collins explained, "If you change a user's RID, then the permissions on any NTFS volumes that refer to that user will no longer apply; you will likely see "Account Unknown" in such permissions lists." He concluded, "If you detail why you need to change the RIDs, better solutions may be possible." Inge-Haavard obliged: partly it was curiosity, but "I also have some users that already exist in my smbpasswd, but since my smbd now uses LDAP to store the passwords I needed to know what the consequences of just giving these users a new rid (sid) were. I think I would have to stop the samba server and start the old one to extract the rid. But since this server is in a production environment I hoped that it would be possible just to give the users a new rid instead."

There were no in-band replies.
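The two threads above both turn on the shape of a SID string, so here is a worked example in C. It is an added illustration, not Samba's or Samba-TNG's code: a minimal SID formatter and parser that rejects the "S--1989380350-..." strings from Paul's log (they lack the leading revision number and identifier authority that every NT SID carries: S-<revision>-<identifier authority>-<sub-authority>-...), plus a check of what Paul described for RID changes, namely that an ACL entry holding the old SID no longer matches the account. The struct layout and function names are this example's own; the domain sub-authorities are reused from the log and the RID values (1000, 1002) are constructed.

```c
/* Added example (not Samba's own code): minimal Windows SID parse/format,
 * showing why "S--1989380350-..." is malformed and how a RID change breaks
 * ACL entries.  Domain sub-authorities reused from the log; RIDs constructed. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SUB_AUTHS 15

typedef struct {
    uint8_t  revision;                  /* 1 for every NT SID */
    uint8_t  num_auths;
    uint8_t  id_auth[6];                /* 48-bit identifier authority, big-endian */
    uint32_t sub_auths[MAX_SUB_AUTHS];  /* for a user/group, the last one is the RID */
} dom_sid;

/* One unsigned decimal field.  A sign or an empty field is an error, so the "-"
 * left behind by a missing revision is never silently accepted by strtoull. */
static bool parse_field(const char **p, unsigned long long *val)
{
    char *end;
    if (**p < '0' || **p > '9')
        return false;
    errno = 0;
    *val = strtoull(*p, &end, 10);
    if (errno != 0)
        return false;
    *p = end;
    return true;
}

/* Format as "S-1-5-21-a-b-c[-rid]"; returns chars written, or -1 if out is too small. */
int sid_to_string(char *out, size_t outlen, const dom_sid *sid)
{
    unsigned long long ia = 0;
    for (int i = 0; i < 6; i++)
        ia = (ia << 8) | sid->id_auth[i];
    int n = snprintf(out, outlen, "S-%u-%llu", (unsigned)sid->revision, ia);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    for (int i = 0; i < sid->num_auths; i++) {
        int m = snprintf(out + n, outlen - n, "-%lu", (unsigned long)sid->sub_auths[i]);
        if (m < 0 || (size_t)m >= outlen - n)
            return -1;
        n += m;
    }
    return n;
}

/* Parse a SID string; "S-", "S--0" and "S--32" from the log all fail here. */
bool string_to_sid(dom_sid *sid, const char *s)
{
    unsigned long long v;
    const char *p;
    memset(sid, 0, sizeof *sid);
    if (strncmp(s, "S-", 2) != 0)
        return false;
    p = s + 2;
    if (!parse_field(&p, &v) || v != 1 || *p != '-')   /* revision must be present and 1 */
        return false;
    sid->revision = (uint8_t)v;
    p++;
    if (!parse_field(&p, &v) || (v >> 48) != 0)         /* identifier authority is 48 bits */
        return false;
    for (int i = 5; i >= 0; i--) {
        sid->id_auth[i] = (uint8_t)(v & 0xff);
        v >>= 8;
    }
    while (*p == '-') {
        p++;
        if (!parse_field(&p, &v) || v > 0xffffffffULL || sid->num_auths >= MAX_SUB_AUTHS)
            return false;
        sid->sub_auths[sid->num_auths++] = (uint32_t)v;
    }
    return *p == '\0';
}

bool sid_string_is_valid(const char *s) { dom_sid t; return string_to_sid(&t, s); }

/* True if parse followed by format reproduces the input exactly. */
bool sid_roundtrips(const char *s)
{
    dom_sid sid;
    char buf[128];
    return string_to_sid(&sid, s) && sid_to_string(buf, sizeof buf, &sid) > 0 && strcmp(buf, s) == 0;
}

/* A user's SID is the domain SID with the RID appended as one more sub-authority. */
int build_user_sid(char *out, size_t outlen, const char *domain_sid, uint32_t rid)
{
    dom_sid sid;
    if (!string_to_sid(&sid, domain_sid) || sid.num_auths >= MAX_SUB_AUTHS)
        return -1;
    sid.sub_auths[sid.num_auths++] = rid;
    return sid_to_string(out, outlen, &sid);
}

/* Does a SID stored in an ACL still name the account <domain_sid, rid>?  After a RID
 * change the stored SID matches no account, which NT displays as "Account Unknown". */
bool acl_sid_refers_to(const char *acl_sid, const char *domain_sid, uint32_t rid)
{
    dom_sid stored, current;
    if (!string_to_sid(&stored, acl_sid) || !string_to_sid(&current, domain_sid)
        || current.num_auths >= MAX_SUB_AUTHS)
        return false;
    current.sub_auths[current.num_auths++] = rid;
    return stored.revision == current.revision && stored.num_auths == current.num_auths
        && memcmp(stored.id_auth, current.id_auth, 6) == 0
        && memcmp(stored.sub_auths, current.sub_auths, current.num_auths * sizeof(uint32_t)) == 0;
}

int main(void)
{
    const char *domain = "S-1-5-21-1989380350-3784617370-2315756573"; /* sub-auths from the log */
    const char *from_log[] = { "S--1989380350-3784617370-2315756573", "S--32", "S-", "S--0" };
    char user[128];
    for (size_t i = 0; i < 4; i++)
        printf("%-40s %s\n", from_log[i], sid_string_is_valid(from_log[i]) ? "ok" : "malformed");
    build_user_sid(user, sizeof user, domain, 1000);       /* RID 1000: constructed */
    printf("user SID: %s\n", user);
    printf("ACL entry after RID change to 1002: %s\n",
           acl_sid_refers_to(user, domain, 1002) ? "still resolves" : "Account Unknown");
    return 0;
}
```

The parser insists that the field after "S-" is a digit string equal to 1, which is exactly the check the broken sid_to_string in the thread was failing to satisfy on output; on the ACL side, the comparison is on the parsed structure rather than the text, so two differently spelled but equal SIDs still match while any RID mismatch does not.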

5. Users, Groups, Nesting, Local, Global, Mumble, Mumble, Mumble

26 Apr 2000 - 28 Apr 2000 (20 posts) Archive Link: "Samba TNG FAQ updated"

People: Lars Kneschke, Luke Leighton, Paul Collins, Greg Leblanc, Jamie Ffolliott, Kevin Colby

While soliciting feedback on samba-ntdom for the latest revision of his almost-official Samba-TNG FAQ (it now has a hyperlink (http://samba.org/samba/docs/ntdom_faq/samba_ntdom_faq.html) from the Samba web pages), Lars Kneschke asked a rather innocent-sounding question:

Luke, do you know how to become a local administrator? I have used "local group map", with this content:

test1 = "Adminstrators"

"Administrators" is also shown as a local group in the User Manager, but I can't change the clock. So I think that I'm not an admin user. What do you think?

Luke responded: "uh... now you're in trouble :) on NT, the local group, Administrators, is made a member of the "Domain Admins" domain group. this is not possible in unix [to make a group a member of a group]." Dominik Kubla pointed out that NIS netgroups (not to be confused with NIS groups, which are mapped directly from Unix groups) can be nested.

This sparked a lively discourse on the Windows NT paradigm for groups and users. Paul Collins did his best to shed light on the subject: "Global groups exist in domains only, and can contain users only. Local groups exist in domains and local SAMs and can contain users and/or global groups. Domain local groups are only visible to the domain controllers." Greg Leblanc mostly agreed, except for the last bit: "Incorrect. Domain Local Groups are visible via any computer running the User Manager for Domains (usrmgr.exe). They will not be visible on workstations by default, as they install the User Manager (musrmgr.exe)."

Luke asked, "in the local administrator group, the domain admins global group is added? if this is a requirement, it cannot be done on unix." Paul Collins summarized: "When you join the domain, DOMAIN\Domain Admins is added to MACHINE\Administrators, DOMAIN\Domain Guests is added to MACHINE\Guests and DOMAIN\Domain Users is added to MACHINE\Users. By default, the user right "Log on locally" is granted to all local users via the groups, and members of the domain groups that were added get those rights too." Elsewhere: "The local Administrators group on workstations and standalone servers, yes; it does not concern the domain controllers at all, since their SAM (the domain SAM) contains the users directly. The effect of adding a user to the DOMAIN\Administrators group is that they would be local admins of the domain controllers only. It's not necessary for normal operation, and I don't think it's done much, unless you trust people with your DCs but not your SQL servers."

Jamie Ffolliott tried to untangle it a little: "Hmm? Adding a user to DOMAIN\Administrators group means that user will be a local admin of the PDC and its BDCs, as well as a local admin on the workstations joined to this domain (by default). It's done very often because it's Microsoft's default when the workstation joins the domain. If you trust people with your DCs then you inherently trust them with your SQL servers if you don't remove the Domain\Administrators group from the Workstation\Administrators group on the server SQLServ runs on, but why would you bother since the domain admins are already trusted to administer your domain?"

Paul pointed out that Jamie was confusing DOMAIN\Administrators, a group local to the domain controllers, with DOMAIN\Domain Admins, a global group.

Lars pondered, "At least it should be able to add a user to the Administrators group, without the need to modify the groups at the workstation. Am i right? Correct me if i'm wrong." Paul summarized once again, in table form this time:

I don't think Samba needs to support nesting of global groups in local groups in its own SAM. The nesting support on the workstations and servers is all you need for the domain to operate correctly.

Whenever you join a machine to a domain, the global groups "Domain Admins", "Domain Guests" and "Domain Users" get added to the workstation's corresponding local groups (in fact, WSes can only have local groups). That is:

Global group           inserted into   local group
DOMAIN\Domain Admins                   WS\Administrators
DOMAIN\Domain Guests                   WS\Guests
DOMAIN\Domain Users                    WS\Users

Since a workstation grants the right "Log on locally" to WS\Users by default, the insertion of DOMAIN\Domain Admins into WS\Users enables all domain users to log into that workstation.

Global groups:

Local groups:

Kevin Colby admitted, "Maybe it's just me, but you lost me here. Your statements seem to contradict each other." Paul explained, "It's not needed on Samba domain controllers. Since Unix can't nest groups, it would be tricky anyway. It is needed on domain members, but only NT ones, because it is how the user rights get granted to the domain users, etc. Samba does not have to do anything for it to work. All it has to do is provide the global groups, which it does." He added, "The real problem occurs with the names they chose for the two types of group; they don't really describe their behaviour in any sensible fashion. All you can do, like learning irregular verbs, is bash it into your head repeatedly."

Finally, in case we all thought it really was that simple, Paul had a parting shot: "Windows 2000, by the way, adds a new kind of group: the Universal group, which can contain users from any domain (as long as it is trusted by the domain the group is in) and can be nested arbitrarily. Universal groups are only applicable in "native mode", though. As usual, there are different restrictions on the names allowed for the three types of group." Oh.
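Because the thread kept tripping over DOMAIN\Administrators versus DOMAIN\Domain Admins, here is a small model of the NT4 rules Paul laid out, as an added example in C that is not from the thread or from Samba. Global groups live in the domain SAM and hold users only; local groups live in one machine's SAM and may hold users and global groups, one level deep; joining a workstation nests the three domain global groups into its local groups as in Paul's table. The machine names, user names and memberships (alice in Domain Admins, dave only in the domain controllers' local Administrators group, and so on) are constructed, and Domain Admins being nested into the DC's own Administrators group is part of this constructed model rather than something the thread states.

```c
/* Added example, not from the thread: toy model of NT4 global/local group
 * nesting as described by Paul Collins.  All names and memberships constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_MEMBERS 8

typedef struct {
    const char *name;
    const char *users[MAX_MEMBERS];     /* users only, NULL-terminated */
} global_group;

typedef struct {
    const char *name;
    const char *users[MAX_MEMBERS];     /* direct user members, NULL-terminated */
    const char *globals[MAX_MEMBERS];   /* nested global groups, NULL-terminated */
} local_group;

typedef struct {
    const char *name;
    const local_group *locals;
    size_t nlocals;
} machine_sam;

/* Domain SAM (held by the PDC/BDCs): global groups contain users only. */
static const global_group domain_globals[] = {
    { "Domain Admins", { "alice", NULL } },
    { "Domain Users",  { "alice", "bob", "cathy", NULL } },
    { "Domain Guests", { NULL } },
};

/* DOMAIN\Administrators is a local group in the domain controllers' own SAM;
 * dave is a direct member.  (Nesting Domain Admins here is this model's choice.) */
static const local_group dc_locals[] = {
    { "Administrators", { "dave", NULL }, { "Domain Admins", NULL } },
};

/* Workstation SAM after joining the domain: Paul's table, one level of nesting. */
static const local_group ws_locals[] = {
    { "Administrators", { "localadmin", NULL }, { "Domain Admins", NULL } },
    { "Users",          { NULL },               { "Domain Users",  NULL } },
    { "Guests",         { NULL },               { "Domain Guests", NULL } },
};

static const machine_sam dc = { "DC",  dc_locals, sizeof dc_locals / sizeof *dc_locals };
static const machine_sam ws = { "WS1", ws_locals, sizeof ws_locals / sizeof *ws_locals };

static bool name_in(const char *const *list, const char *name)
{
    for (; *list; list++)
        if (strcmp(*list, name) == 0)
            return true;
    return false;
}

bool in_global_group(const char *group, const char *user)
{
    for (size_t i = 0; i < sizeof domain_globals / sizeof *domain_globals; i++)
        if (strcmp(domain_globals[i].name, group) == 0)
            return name_in(domain_globals[i].users, user);
    return false;
}

/* Effective membership in MACHINE\group: direct, or through a nested global group.
 * Local groups never nest in other local groups, so no recursion is needed. */
bool in_local_group(const machine_sam *m, const char *group, const char *user)
{
    for (size_t i = 0; i < m->nlocals; i++) {
        const local_group *lg = &m->locals[i];
        if (strcmp(lg->name, group) != 0)
            continue;
        if (name_in(lg->users, user))
            return true;
        for (const char *const *g = lg->globals; *g; g++)
            if (in_global_group(*g, user))
                return true;
    }
    return false;
}

bool ws_member(const char *group, const char *user) { return in_local_group(&ws, group, user); }
bool dc_member(const char *group, const char *user) { return in_local_group(&dc, group, user); }

/* "Log on locally" is granted to the workstation's local groups, so a plain
 * domain user gets it via DOMAIN\Domain Users -> WS\Users. */
bool ws_can_log_on_locally(const char *user)
{
    return ws_member("Administrators", user) || ws_member("Users", user) || ws_member("Guests", user);
}

int main(void)
{
    const char *who[] = { "alice", "bob", "dave", "localadmin" };
    for (size_t i = 0; i < 4; i++)
        printf("%-10s WS\\Administrators=%d WS\\Users=%d DC\\Administrators=%d logon=%d\n", who[i],
               ws_member("Administrators", who[i]), ws_member("Users", who[i]),
               dc_member("Administrators", who[i]), ws_can_log_on_locally(who[i]));
    return 0;
}
```

The point the model makes explicit is Paul's: alice, a member of the global group Domain Admins, is an administrator on every joined workstation, whereas dave, placed directly in the DC's local Administrators group, is an administrator on the domain controllers and nowhere else, and cannot even log on to the workstation in this model because no global group carries him there.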

6. A First Look At Samba 2.0.7

26 Apr 2000 - 29 Apr 2000 (16 posts) Archive Link: "Samba 2.0.7 released"

People: Jeremy Allison, Using Samba, David Lee

Jeremy Allison announced Samba 2.0.7 (http://us1.samba.org/samba/whatsnew/samba-2.0.7.html) , which has been months in the making and contains dozens of bug fixes and a few feature enhancements. The announcement itself is worth reading, but here is the Reader's Digest™ version:

No sooner did Jeremy get the announcement out but the bug reports started trickling in. Here are some user experiences to date:

That's the initial run of glitches. Not surprisingly, all but one of them is either

7. Load-Balancing Support from WINS?

28 Apr 2000 - 29 Apr 2000 (7 posts) Archive Link: "WINS support"

People: Kevin Rowland, Jerry Carter, Chris Hertel, James Sutherland, Jean-François Micouleau

Kevin Rowland asked the samba-technical crowd: "Has anyone tried or thought about making nmbd support a 'round-robin' type of NetBIOS name resolution analogous to what is available in BIND v8? I've got a project that would make this VERY handy..." Jerry Carter assumed he meant load-balancing the WINS servers themselves: "How would you propose handling name registration? Anyways... I could see where if you had several WINS servers that used some type of synchronization/replication protocol this would work, but not if you just had multiple, separate WINS servers. I'm guessing you meant the former situation."

That wasn't what Kevin meant, though. He explained further: "I'm using samba servers as translators to a distributed file space (AFS) where people's home dirs are stored. I want to be able to make everybody's home path to be '\\trans\joeuser' instead of using '\\transX\joeuser' where X is 1 thru 5. The latter requires me to decide which is best at the time."

Jean-François Micouleau suggested Microsoft's own distributed filesystem, MS-DFS (which, by wild twists of pedigree, is actually a distant cousin to AFS). Kevin replied, "I would like that (even proposed it)... but AFS is not going away anytime soon. So I suppose, to rephrase my question. Is there a better way to load balance the access to my translators?"

James Sutherland suggested just using round-robin DNS to resolve NetBIOS names. Chris Hertel disagreed: "Ick. DNS and NetBIOS names really, really are different things. It is convenient if the two match, but it's like using a phone book to look up a web site. If anyone is interested, there is a Java-based NBNS server that could probably be tuned to do what you want. jcifs.samba.org (http://jcifs.samba.org) "


Kernel Traffic is grateful to be developed on a computer donated by Professor Greg Benson and Professor Allan Cruse in the Department of Computer Science at the University of San Francisco. This is the same department that invented FlashMob Computing. Kernel Traffic is hosted by the generous folks at kernel.org. All pages on this site are copyright their original authors, and distributed under the terms of the GNU General Public License version 2.0.