Samba Traffic #22 For 11 May 2000

This week saw, perhaps more than anything else, a lot of reports of compile failures for Samba-TNG. Many of these were duplicates and most were uninteresting, so we shall give them light coverage. Along the same lines, this is the week Microsoft finally published (well, sort of) their long-awaited Windows 2000 Kerberos trade secret; that didn't rate a lot of discussion here either, so ye had best look to Slashdot for the gory details. On the Samba lists, a bit uncharacteristically, we have stayed mostly on-topic, so this issue is mostly about actual technical discussions.

There were 183 different contributors. 73 posted more than once. 55 posted last week too.

Manish Agarwal raised some points on samba-technical concerning opportunistic locks, or oplocks. Oplocks are a speed optimization in the SMB protocol: when a client obtains an oplock on a file, it is allowed to cache the file contents for long periods of time, resting assured that the server will let it know if and when the file is modified by a third party. The client can release an oplock, or the server can forcibly break it if another client needs to write to the file.

Level2 oplocks should be broken on a LOCKING_ANDX request which contains record lock request. I don't think the SMB draft mentions this, but I see the NT server doing this. To me it makes sense to do it.
If the client, on being sent an oplock break message (break to LEVEL2), flushes a write or a lock(i.e. does a write or a lock before it acknowledges the oplock break), then the server should further break the oplock to NONE by sending another oplock break message (break to NONE). Not doing this can lead to some problems which become evident when you have mandatory locking.
The server should not break the client's level2 oplock on a write, if that client is the only one holding an oplock on the file.

I have confirmed that the NT server does this and if anyone is interested I can post some traces for Samba and NT server for the above cases.

Jeremy Allison was interested. "I know it's been a while, but could you send me those traces please ? This fix was too big to make it into 2.0.7 at the late stage we got it, but I'd like to address this for 2.0.8, HEAD & TNG."

Manish replied to himself a bit later, correcting the third issue he had originally posted: "NT server does not do this (it breaks the levelII oplocks irrespective of the number of clients holding the lock) but I don't understand why this should be the case. Any thoughts ?" No, or at least not on-list.

Denis Ustimenko reported a bug to samba-technical pertaining to Samba 2.0.6 and 2.0.7: "When print to samba printer from Lotus Notes (for Windows 9x/NT) no document will be printed. At the same time file named "-" appears in the /tmp directory. That file contains my print job, I checkd. There no wonder that it cann't be printed because of its name. Please help me I have a lot of Notes users!" This was on two Solaris servers.

Michael Osborne couldn't reproduce the problem with Red Hat Linux. Jerry Carter asked for more configuration details. Guilio Orsero tracked down the cause of at least the symptom of the problem: "AFAIK, In samba 2.0.6 a change was made in the printing interface for win9x (don't know if it affects winnt too), consisting in samba using (as a filename and job name) the print name that win9x uses (with special chars stripped off) instead of something like username.randomid that was used in samba <= 2.0.5. This is in order for samba to report a meaningful print name in win9x printer status window." Jean-François Micouleau thought that Lotus Notes was sending an empty string for the print job.

The problem turned out to be the Russian character set Denis was using. Somehow Samba felt the obligation to strip off all the characters before and after a hyphen in the middle. That explained why so many non-Russians couldn't reproduce it....

David Lee, who has worked long and hard to make the experimental UTMP support in Samba 2.0.7 the best it could be, hasn't quit yet. The fairly simple patch he worked up half a year ago to allow Samba to update the Unix user login databases (UTMP and WTMP) has developed in the last few months into a labyrinth of compatibility code to support every conceivable variation of how UTMP files are to be manipulated -- matching, as far as possible, the reality of the Unix implementations.

After 2.0.7 shipped, many people have reported various bugs still present in the UTMP code, as expected. David posted to samba-technical the following update:

I have developed a patch for 2.0.7 which should address most of the known issues. In particular:

it should compile on all systems for which folk earlier tested it;
it stands a better chance of compiling on systems not yet tested;
it should function well on tested and untested systems (but see below);
it should find the system's default files, including for utmp and wtmp being in different directories;
the "utmp consolidate" idea should now work much better.

The functionality currently requires the OS to have a programmatic interface to the utmp/wtmp family of files. This should be automatically detected. (Being able to use non-programmatic interfaces would be a major exercise, and probably only of benefit to old OSes, such as SunOS 4.x . So I have no plans to write it, although your contributed version would be considered.)

For wtmp{,x} support, it requires the "updwtmp{,x}()" routine, similarly automatically detected. I suspect HP-UX 10.x might suffer here. If such functionality is required, could an enthusiast write, test and contribute the necessary code, please?

Giulio Orsero tested it, with positive results, on Red Hat Linux, but did report a transient bug nobody ever did get to the bottom of. David had a bit of implementation discussion with him, and concluded, "I think the overriding priority at present is to get the current patch tested, stable and rolled into the 2.0.8 development tree. (Indeed, though unlikely, if, for some reason, there had to be a 2.0.7a, it would be good to get this in there.)"

Michel Jouvin reported, in another thread: "As AIX, Tru64 has utmpx.h but 'x functions' are not implemented. I had to undefined HAVE_UTMPX_H for Tru64 to be able to link smbd."

There is now a new version (.3) of the patch which should fix the known problems. In particular it should be a better base for:

BSD-like systems (e.g. FreeBSD, SunOS 4) which have to access files directly;
OSF (is AIX similar?) whose optimistic claims about utmpx belie the reality of an impoverished implementation.

Doubtless there are still bugs (possibly even new ones). The direct-file implementation (typically BSD) is incomplete, and needs an enthusiastic volunteer or two with access to such a system.

Lars Kneschke reported a Samba-TNG bug on (where else) samba-ntdom: "I'm not able to login from windows nt anymore. Windows NT tells me only, that it can't load my server side profile, and that it takes the local one. It say's nothing about that it cant found the domain controller. But when i browse the network neighb... i need to enter a password(which also don't work). But i'm able to login with smbclient!" He posted some debug logs.

Oliver Malang suggested, "look if your nmbd is running. I had exactly the same problem and I saw that my nmbd was not running any more. the logfile said something about panic...I think nmbd just crashed somehow. however, after restarting nmbd, the logon was working again...." Lars did not answer, but Luke Leighton was concerned: "that's a fairly serious problem, nmbd crashing: it's a critical single process (multi-purpose). can you get more details, please follow jens' reporting template." Oliver gave details about OS, compiler, Samba version, and his complete smb.conf, and described the failure: "my workstation is a win2k pro and samba is acting as a pdc. domain logons work fine so far with the single exception described above. the strange thing is, that before the domain logon failed, I recognized, that my IE was getting VERY slow!?!? I restarted my machine(as this often helps for MS problems...) and then after logging on the domain, win2k said it could not load the server profile and will use a temporary local profile. so I took a look at my linux box and saw that nmbd was not running any more. I started it again and wow, the domain logon succeded as before. besides the IE was working at normal speed again(I've no idea if this problem was in cunjunction with the nmbd...)." He could not reproduce the problem.

Luke made a few guesses as to what he might have done to trigger the bug, but nothing conclusive came out. Oliver promised to keep a sharp eye out for it happening again, though.

Greg Roberts, posting to samba-ntdom, posted that he was not able to change his Samba password from an NT client. Michael Glauche explained, "Its not working as of TNG 2.5, but Luke promised to fix it ;)" Greg was not happy to hear this, and asked what he should do: "I don't have a lot of time and if I can't get this feature working, then I'm going to scrap Samba all together. There's not much point in using it as a logon mechanism if users can't change their password from one point and have it updated for both smbpasswd and NIS (it would cause too much confusion)." To this, Paul Lussier replied, "One of the things we're doing, rather than try to get this working is provide a central web site on our intranet which uses SSL to allow the person to change their password. This will allow users to change both smbpasswd and /etc/passwd or yp passwords. Additionally, when we add services in the future which may require new passwords, it will be trivial to add password changing capabilities for these services to this one location."

At this point, Luke broke in about password changing: "i sorted it." It came out that Samba-TNG Alpha-2.5.2 seemed to work in this regard.

Jens Skripczynski reported a simple compile failure of a recent vintage of Samba-TNG. He also wondered, "how can i get cvs to tell me the date and time of my last update ?" For the latter, I suggested "

find {source-dir} -name CVS | xargs ls -ldt |
head -1

" ; for the former, Luke Leighton replied, "argh. this is because your compiler is running out of memory: include/unicode_map_table.h is 3mb in size. i'll be dealing with this one, soon."

Jens said he had 128MB of memory, and there followed a short discussion of how much memory or swap was actually required to compile things like Samba.

Luke Leighton has taken to releasing Samba-TNG alpha snapshots without posting release notes. He released 2.5.1 and 2.5.2 this last week, but only announced 2.5.2:

smbd, whilst up-to-date with cvs main, is slightly broken - locking is under development. recommend "posix locking = no" and "stat cache = no", and don't use it with other remote fileserver systems (e.g nfs) to simultaneously access the same filesystem, if you expect locking to work ('cos it won't).

please let me know if this version works for you (i fixed nt pwd changing, for example).

if so, i will go to the next version-number (2.6).

Elsewhere, Tridge has announced that the two options Luke mentioned do seem to work fine in the HEAD branch.

Ron Alexander announced on samba-technical this week: "I am porting Samba 2.0.6 to a new platform. The platform is Stratus, the OS is VOS. VOS is not only not Unix, but it is being modified at the same time to be POSIX.1 compliant as well as implementing STCP from Spider. I do not have a shell. I can not use configure etc. I don't even have a makefile at this time. As you can see, I am having lots of fun." He then asked what browser settings made sense, in general, in smb.conf, and also asked for help in debugging an nmbd looping problem.

Dave Collier-Brown threw out some theories on the problems Ron was having, and posted his own browse-related settings. John Malmberg also replied:

Maybe we should compare notes. I have some similar problems with OpenVMS. I am totally ignorant of VOS, so I do not know how many problems we will have in common.

No compatible shell, so no configure. The makefile was generated by hand by editing makefile.in. The config.h file was also created by hand for the same reason. Several other issues.

I also have to deal with a C run time library that is missing several functions used by SAMBA.

The big issue with hand editing the config.h file is learning what options do what in the code. Then I needed to decide which way to set them. I made a few interesting wrong turns that did not show up until the testing phase. I still need to make some reviews of this.

By using macro defines in the compiler invocation of the type MOD_'base_file_name', and some #ifdef statements in the config.h file, I have developed a way of patching the SAMBA source for use with OpenVMS and avoiding having many of the #ifdef __VMS of the previous ports.

Ron spent the rest of the week posting other miscellaneous questions about the workings of various Samba details. He appears to be making progress on the port.

Various people were noticing errors while saving files with Microsoft Notepad to a Samba share on VMS. Mike Ober posted this analysis of what was probably going wrong: "Wordpad works fine. Edit and Notepad both use the DOS 1.0 and unix method of truncating a file. Basically, on a save, they open the file for write, seek to the beginning, and write their data. Then they write a "zero" byte long record to the file before closing. This is the documented method to truncate a file in DOS 1.0 (it still works in Win2000) and in many variants of unix. Unfortunately, VMS doesn't truncate the file under these circumstances. Wordpad forces a create on the file, effectively zeroing the length, before writing to the file. VMS does appear to handle this."

From stepping through SMBD 2.0.6 running in debug mode, you will observe the following.

Notepad reads the entire file into memory. On a save operation it does the following:

Creates a new file in the root directory with temporary name. The first character of the new file name seems to always be a tilde "~" and the extension with ".tmp" in the tests I have done. If there is an error creating the temporary file, the save is cancelled.
It then writes a the data into the new file. If I am interpreting Eckart's port of 2.0.3 properly, the new file is created as fixed 512 byte blocks. Not a text file format.
The old file, if it exists is then deleted. If it can not be deleted for any reason, the temporary file is deleted, and the save operation is cancelled.
The new file is renamed into the old file's place. If the rename fails, the temporary file is deleted.

At no time does NOTEPAD write into or over the existing file. Since the new file is in a format that is not suitable for a text file, it is possible that many utilities can not deal with it and may display it incorrectly. No truncate is done.

Mike replied, "Now I'm confused. Why is it that when Notepad is used to shorten a file, the old data still exists in the file on VMS. I thought the procedure you describe below would trigger the VMS versioning mechanism and create a completely new version of the file. Your answer does explain why Notepad can't handle more than 32K on Win9x - 9x is still basically a 16-bit OS when it deals with the user interface." John explained: "Since a delete and then a rename are used, the VMS versioning mechanism does not get involved."

Elsewhere, John cautioned: "The problems with NOTEPAD and UNIX versions of SAMBA are due to the difference in formats of the text files. Wordpad and even DOS EDIT are more tolerant of the UNIX format." Eckart Meyer, the man behind the Samba-VMS 2.0.3 port, agreed: "Yes. I recommend not using Notepad."

John, who has been working for the past few months on a new Samba-VMS port, based partly on Eckart's work but different in some important ways, ended the thread with a status report on his port. John's approach is to emulate Unix functionality wherever it is missing, while touching core code as little as possible. This should make it quite easy to move his code from 2.0.6 forward to future releases.

Michael Glauche brought up the interesting point on samba-ntdom: "there's a problem adding users to samba with usrmgr when using a non-root login:" He posted logs of a failure case, and added:

The user is in the Domain Admin group, but smbpasswd is only readable by user root, noone else. Could something like:

    if (user is in group "domain admin")
       suid 0

work ?

Luke pondered this for a bit, and came up with: "smbpasswd should be group 0, rw-rw---." Michael said that, on the contrary, smbpasswd is mode rw-------, and Samba enforces this. Luke thought this situation should change, which Jeremy took strong exception to. This is something they have argued about before.

Yes, it's (currently) essential that John Q. Public not be able to read smbpasswd (the file), but this could be just as well accomplished with smbpasswd (the utility) being setgid to a specialized group that has no power other than reading and writing smbpasswd (the file). smbpasswd (the utility) has no business being able to bind to low ports, change the system time, or read /var/spool/mail/*. Maybe we need:

  smbpasswd group = smbpass

(default "smbpasswd group = 0")

Michael Glauche liked the idea: "So you simply could put that group into the "Domain Admin" group ..." Paul corrected him: "Nope. Global groups cannot contain other groups. However, there is nothing to stop you granting user-management privileges by adding users to smbpass, unless there are also other controls that also need to be relaxed for said users."

I suggested that one go the other way: "Put "Domain Admins" into your smbpasswd group, which I guess could be considered local for this purpose.... ?" But Paul reminded me, "The thing is, Unix has no way of representing this in its own password and group databases, whereas adding users directly to smbpass is a snap."

In a related thread about NT User Manager functionality, Tony Brock asked whether it was possible to automatically create Unix users on demand. "I am thinking of something like an optional script that is run BEFORE samba checks for an existing /etc/passwd account when trying to add a new user." Michael Glauche informed him, "for BDC this works with "add user script". Don't know if it is possible with PDC ... But I think it's not needed anymore if the "winbind" project succeeds .. ;)" Lars Kneschke and Kevin Colby were curious about what Winbind was supposed to do, and Michael answered, "Something like NIS+ but with SMB as server, have a look at: http://advogato.org/proj/winbind/" Luke added, "it's in tng source/nsswitch, it's compiled by doing make bin/winbindd and make bin/ntdom.so. if you work them out, great. we're a bit busy getting them sorted out, so please work it out yourselves, for now."

It seems someone has been reading samba-ntdom with Microsoft Outlook. Ergo, the famous ILOVEYOU worm hit the list -- though, surprisingly, only once. This would have been horribly off-topic, except that it gave Samba-TNG a chance to show off a little. In between a lot of users asking "What is this?", other users answering, others forwarding various dire warnings about it and still others posting their analyses of what the worm does and how, came a shell script (and a small bugfix), using rpcclient from Samba-TNG, that could log into a list of NT machines, one after another, and disinfect their registries. (It also used smbclient and Linux smbfs to attempt to clean up the worm's files, but that is peripheral; the registry hacks were what would keep the worm alive.) In contrast, most of the published "disinfectant" procedures to date seem to have concentrated on visiting every Windows client machine in turn, which does not really scale.


Kernel Traffic Latest \| Archives \| People \| Topics	Wine Latest \| Archives \| People \| Topics	GNUe Latest \| Archives \| People \| Topics
Czech

1.	18 Apr 2000 - 6 May 2000	(3 posts)	Oplock Implementation Details
2.	29 Apr 2000 - 4 May 2000	(7 posts)	Lotus Notes Can't Print
3.	30 Apr 2000 - 6 May 2000	(8 posts)	UTMP: The Issue That Won't Go Away
4.	1 May 2000	(9 posts)	Elusive NMBD Crash
5.	1 May 2000 - 4 May 2000	(13 posts)	Password Changing From Samba Clients
6.	1 May 2000 - 2 May 2000	(7 posts)	GCC Running Out of Memory?
7.	2 May 2000	(1 post)	Alpha Releases
8.	2 May 2000 - 4 May 2000	(3 posts)	Samba Port to VOS
9.	3 May 2000 - 4 May 2000	(7 posts)	How NOTEPAD.EXE Truncates
10.	4 May 2000 - 6 May 2000	(12 posts)	Who Can Add a Unix User?
11.	5 May 2000	(42 posts)	Samba-TNG vs. ILOVEYOU

Samba Traffic #22 For 11 May 2000

By Peter Samuelson