We are testing a new application which uses Citrix running on Win2k servers to access a Samba share which contains some Java files. The whole thing is being launched by a batch file run by the user after logging into the Citrix server.

Details of Samba are 2.2.2 running on Solaris 2.6. The only (slightly) non-standard thing is that I have patched reply.c to allow the "'" (single quote) character in user names (see my previous plea on 6/12 and Andrew Bartlett's reply the same day - thanks again Andrew!)

Here are the appropriate users.map entries:

apt = Taylor.Alex ccilm.test taylor.alexw2k taylor.win2kadmin Win2k.User2
cuc = Payne.David Win2k.User1 Win2k.admin

Both the above users are members of the Unix group p2 (see below)

Here are the global settings and the appropriate share entry:

[global]
wins server = act-secondary
interfaces = XXX.XXX.XXX.XXX/255.255.252.0
load printers = no
workgroup = COMCARE
security = server
password server = act-primary
encrypt passwords = yes
username map = /usr/local/samba/lib/users.map
domain master = no
local master = no
preferred master = no
os level = 0
server string = Samba (%v,%h)
log level = 2
guest account = guest
locking = yes
strict locking = yes
keepalive = 30
password level = 2
socket options = TCP_NODELAY
map hidden = no
map archive = yes
preserve case = yes
case sensitive = yes
dead time = 15

[pracsys]
comment = Production users' share
valid users = @prod @p2
path = /export/home/pp2
browseable = no
writeable = yes
create mode = 0664

The following are some log extracts of failures and successes. Firstly a failure to log in to the share:

[2002/01/15 10:24:11, 1] smbd/password.c:server_validate(1227)
  password server ACT-PRIMARY rejected the password
[2002/01/15 10:24:11, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2002/01/15 10:24:11, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2002/01/15 10:24:11, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'cuc' in passdb.
[2002/01/15 10:24:11, 2] smbd/reply.c:reply_sesssetup_and_X(970)
  NT Password did not match for user 'cuc'!
[2002/01/15 10:24:11, 2] smbd/reply.c:reply_sesssetup_and_X(980)
  Defaulting to Lanman password for cuc
[2002/01/15 10:24:11, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2002/01/15 10:24:11, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2002/01/15 10:24:11, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'cuc' in passdb.
[2002/01/15 10:24:11, 1] smbd/reply.c:reply_sesssetup_and_X(995)
  Rejecting user 'cuc': authentication failed
[2002/01/15 10:31:39, 1] smbd/password.c:server_validate(1227)
  password server  rejected the password
[2002/01/15 10:31:39, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2002/01/15 10:31:39, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2002/01/15 10:31:39, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'cuc' in passdb.
[2002/01/15 10:31:39, 2] smbd/reply.c:reply_sesssetup_and_X(970)
  NT Password did not match for user 'cuc'!
[2002/01/15 10:31:39, 2] smbd/reply.c:reply_sesssetup_and_X(980)
  Defaulting to Lanman password for cuc
[2002/01/15 10:31:39, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2002/01/15 10:31:39, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1368)
  unable to open passdb database.
[2002/01/15 10:31:39, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'cuc' in passdb.
[2002/01/15 10:31:39, 1] smbd/reply.c:reply_sesssetup_and_X(995)
  Rejecting user 'cuc': authentication failed

Now a success:

[2002/01/15 10:34:32, 2] smbd/reply.c:reply_special(93)
  netbios connect: name1=GRIFFIN name2=ACT-TERMSERV01
[2002/01/15 10:34:32, 2] smbd/reply.c:reply_special(112)
  netbios connect: local=griffin remote=act-termserv01
[2002/01/15 10:34:32, 1] smbd/service.c:make_connection(610)
  act-termserv01 (163.233.5.39) connect to service pracsys as user cuc (uid=60028, gid=201) (pid 25627)
[2002/01/15 10:34:32, 2] smbd/open.c:open_file(217)
  Win2k.Admin opened file classesJ131/gp1pracsys.jar read=Yes write=No (numopen=1)
[2002/01/15 10:34:32, 2] smbd/open.c:open_file(217)
  Win2k.Admin opened file classesJ131/symbeans.jar read=Yes write=No (numopen=2)
[2002/01/15 10:34:33, 2] smbd/open.c:open_file(217)
  Win2k.Admin opened file classesJ131/pracsys.properties read=Yes write=No (numopen=3)
[2002/01/15 10:34:33, 2] smbd/close.c:close_normal_file(208)
  cuc closed file classesJ131/pracsys.properties (numopen=2)
[2002/01/15 10:34:33, 2] smbd/open.c:open_file(217)
  Win2k.Admin opened file classesJ131/pracsys.properties read=Yes write=No (numopen=3)
[2002/01/15 10:34:42, 2] smbd/close.c:close_normal_file(208)
  cuc closed file classesJ131/gp1pracsys.jar (numopen=2)
[2002/01/15 10:34:42, 2] smbd/close.c:close_normal_file(208)
  cuc closed file classesJ131/symbeans.jar (numopen=1)
[2002/01/15 10:34:42, 2] smbd/open.c:open_file(217)
  Win2k.Admin opened file classesJ131/gp1pracsys.jar read=Yes write=No (numopen=2)
[2002/01/15 10:34:43, 2] smbd/open.c:open_file(217)
  Win2k.Admin opened file classesJ131/symbeans.jar read=Yes write=No (numopen=3)
[2002/01/15 10:34:43, 1] smbd/service.c:close_cnum(650)
  act501760 (163.233.7.179) closed connection to service letter
[2002/01/15 10:34:43, 2] smbd/server.c:exit_server(458)
  Closing connections

The only other relevant error I can find is the following:

[2002/01/15 10:22:14, 0] lib/util_sock.c:write_socket_data(542)
  write_socket_data: write failure. Error = Broken pipe
[2002/01/15 10:22:14, 2] smbd/process.c:timeout_processing(1130)
  password server keepalive failed.

and again later:

[2002/01/15 10:35:49, 2] smbd/open.c:open_file(217)
  Win2k.Admin opened file pracsys.properties read=Yes write=No (numopen=3)
[2002/01/15 10:35:49, 0] lib/util_sock.c:write_socket_data(542)
  write_socket_data: write failure. Error = Broken pipe
[2002/01/15 10:35:49, 2] smbd/process.c:timeout_processing(1130)
  password server keepalive failed.

Has anyone out there any idea what is happening here? We can't even see a pattern to the successes and failures. Originally it appeared that the first login would fail, but then subsequent ones succeed. I postulated a problem "waking up" the password server. That theory disappeared in a puff of M$ FUD when the opposite started to happen. Lately failures have been less predictable. We have found that restarting Samba would alleviate the problem for a short time, as would rebooting the Citrix server.

Samba is working flawlessly for shares on several Solaris systems (2.6 and 8), including the system in the logs above, accessed via production users' NT desktops or the new test Win2k desktops.

Michael Lightfoot
ISG/Host Systems
ext 0680
"Lightfoot.Michael" wrote:
> 
> We are testing a new application which uses Citrix running on Win2k servers
> to access a Samba share which contains some Java files. The whole thing is
> being launched by a batch file run by the user after logging into the Citrix
> server.
> 
> Details of Samba are 2.2.2 running on Solaris 2.6. The only (slightly)
> non-standard thing is that I have patched reply.c to allow the "'" (single
> quote) character in user names (see my previous plea on 6/12 and Andrew
> Bartlett's reply the same day - thanks again Andrew!)

That patch certainly shouldn't be the problem. I'm going to see about getting something like that into Samba HEAD while maintaining the appropriate level of paranoia...

> Here are the appropriate users.map entries:
> apt = Taylor.Alex ccilm.test taylor.alexw2k taylor.win2kadmin Win2k.User2
> cuc = Payne.David Win2k.User1 Win2k.admin
> 
> Both the above users are members of the Unix group p2 (see below)
> 
> Here are the global settings and the appropriate share entry:
> 
> [global]
> wins server = act-secondary
> interfaces = XXX.XXX.XXX.XXX/255.255.252.0
> load printers = no
> workgroup = COMCARE
> security = server
> password server = act-primary
> encrypt passwords = yes

Is there any reason you can't use 'security = domain'? This gives a much more stable connection to the DC, and acts in the same way an NT4 member server operates. Security=server uses an ugly hack in the same way Win9X does its 'user level security'.

To join the domain use 'smbpasswd -j DOMAIN -U Administrator'. This will create a machine account (with the PDC's admin password) and set a password on that account. This allows Samba to pass both the challenge and response to the DC and to get back sane error codes.

> username map = /usr/local/samba/lib/users.map
> domain master = no
> local master = no
> preferred master = no
> os level = 0
> server string = Samba (%v,%h)
> log level = 2
> guest account = guest
> locking = yes
> strict locking = yes
> keepalive = 30
> password level = 2

You should not need this, it's only used with plaintext passwords.

> socket options = TCP_NODELAY
> map hidden = no
> map archive = yes
> preserve case = yes
> case sensitive = yes
> dead time = 15

This would have helped a bit, because by idling the connections you force a new challenge to be generated and so get a few more auths out of the PDC - but a terminal server is unlikely to be idle...

> [pracsys]
> comment = Production users' share
> valid users = @prod @p2
> path = /export/home/pp2
> browseable = no
> writeable = yes
> create mode = 0664
> 
> The following are some log extracts of failures and successes. Firstly a
> failure to log in to the share
> 
> [2002/01/15 10:24:11, 1] smbd/password.c:server_validate(1227)
>   password server ACT-PRIMARY rejected the password
> 
> Now a success:
> 
> [2002/01/15 10:34:32, 2] smbd/reply.c:reply_special(93)
>   netbios connect: name1=GRIFFIN name2=ACT-TERMSERV01
> [2002/01/15 10:34:32, 2] smbd/reply.c:reply_special(112)
>   netbios connect: local=griffin remote=act-termserv01
> [2002/01/15 10:34:32, 1] smbd/service.c:make_connection(610)
>   act-termserv01 (163.233.5.39) connect to service pracsys as user cuc
> (uid=60028, gid=201) (pid 25627)
> 
> The only other relevant error I can find is the following:
> 
> [2002/01/15 10:22:14, 0] lib/util_sock.c:write_socket_data(542)
>   write_socket_data: write failure. Error = Broken pipe
> [2002/01/15 10:22:14, 2] smbd/process.c:timeout_processing(1130)
>   password server keepalive failed.
> 
> and again later:
> 
> [2002/01/15 10:35:49, 2] smbd/open.c:open_file(217)
>   Win2k.Admin opened file pracsys.properties read=Yes write=No (numopen=3)
> [2002/01/15 10:35:49, 0] lib/util_sock.c:write_socket_data(542)
>   write_socket_data: write failure. Error = Broken pipe
> [2002/01/15 10:35:49, 2] smbd/process.c:timeout_processing(1130)
>   password server keepalive failed.

Ahh, now I see what's going on...

Because you were using security = server, the connection (and it is exactly one connection) from Win2kTS to Samba must be mirrored exactly with a connection to the 'password server'. This second connection specifies a challenge, and Samba becomes a 'man in the middle' between it and the client. The client gets the challenge only once, and uses it until the TCP/IP connection is dropped. Samba passes all passwords straight on to the DC for checking.

In the event that the second connection is broken, no further authentications are possible. This is what the 'password server rejected the password' is indicating. (The name is "" because the connection got shut down).

> Has anyone out there any idea what is happening here? We can't even see a
> pattern to the successes and failures. Originally it appeared that the
> first login would fail, but then subsequent ones succeed. I postulated a
> problem "waking up" the password server. That theory disappeared in a puff
> of M$ FUD when the opposite started to happen. Lately failures have been
> less predictable. We have found that restarting Samba would alleviate the
> problem for a short time, as would rebooting the Citrix server.

If either end is rebooted then the connection must be reestablished, and you get a fresh chance at authenticating users until the connection is dropped again.

> Samba is working flawlessly for shares on several Solaris systems (2.6 and
> 8), including the system in the logs above, accessed via production users NT
> desktops or the new test Win2k desktops.

This is because you only get one login, and nobody notices that the password server disappeared in the meantime because the session is already active.

The final thing I will say is also the most annoying. Unlike NT Terminal Server, it is not possible to make Win2k TSE make more than one TCP/IP connection to the server. This means that samba will have to deal with all the traffic via one smbd. This not only removes the ability to use multiple CPUs, it also makes samba constantly have to change userid - a rather expensive system call. This can kill performance.

Hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
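The detection logic below is an added example for this thread, not code from the posts or from Samba. It pairs the two-line entries Samba 2.2 writes (a "[date time, level] file:function(line)" header followed by the message) and applies Andrew's diagnosis to them: once an smbd logs "password server keepalive failed", every later "password server ... rejected the password" on that client session is the dead pass-through channel rather than a wrong password, and an empty server name in that message means the connection was already closed; a fresh "netbios connect" is a new session with a fresh channel. The sample log is constructed from the lines Michael posted, reordered by timestamp and trimmed; the function and finding names are mine.

```python
"""Flag the security = server failure mode in Samba 2.2 log entries (added example)."""
import re
from dataclasses import dataclass

# Header line written by Samba 2.2 before each message line.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] (\S+)$")
# The server name is empty when the pass-through connection was already shut down.
REJECT = re.compile(r"^password server\s*(?P<name>\S+)?\s*rejected the password$")
AUTH_FAILED = re.compile(r"^Rejecting user '(?P<user>[^']*)': authentication failed$")

# Constructed sample: Michael's posted lines, reordered by timestamp and trimmed.
SAMPLE_LOG = """\
[2002/01/15 10:22:14, 2] smbd/process.c:timeout_processing(1130)
  password server keepalive failed.
[2002/01/15 10:24:11, 1] smbd/password.c:server_validate(1227)
  password server ACT-PRIMARY rejected the password
[2002/01/15 10:24:11, 1] smbd/password.c:pass_check_smb(546)
  Couldn't find user 'cuc' in passdb.
[2002/01/15 10:24:11, 1] smbd/reply.c:reply_sesssetup_and_X(995)
  Rejecting user 'cuc': authentication failed
[2002/01/15 10:31:39, 1] smbd/password.c:server_validate(1227)
  password server  rejected the password
[2002/01/15 10:31:39, 1] smbd/reply.c:reply_sesssetup_and_X(995)
  Rejecting user 'cuc': authentication failed
[2002/01/15 10:34:32, 2] smbd/reply.c:reply_special(112)
  netbios connect: local=griffin remote=act-termserv01
[2002/01/15 10:34:32, 1] smbd/service.c:make_connection(610)
  act-termserv01 (163.233.5.39) connect to service pracsys as user cuc (uid=60028, gid=201) (pid 25627)
[2002/01/15 10:35:49, 2] smbd/process.c:timeout_processing(1130)
  password server keepalive failed.
"""


@dataclass
class Entry:
    ts: str
    level: int
    where: str
    msg: str


def parse(text):
    """Pair each header line with the message line that follows it."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            pending = (m.group(1), int(m.group(2)), m.group(3))
        elif pending:
            entries.append(Entry(*pending, line))
            pending = None
    return entries


def analyse(entries):
    """Return (timestamp, kind, detail) findings in log order."""
    findings = []
    channel_ok = True  # pass-through connection to the password server believed alive
    for e in entries:
        if "password server keepalive failed" in e.msg:
            channel_ok = False
            findings.append((e.ts, "channel_down",
                             "keepalive to the password server failed; no further pass-through auths from this smbd"))
            continue
        m = REJECT.match(e.msg)
        if m:
            name = m.group("name") or ""
            if not name:
                kind, detail = "reject_channel_closed", "empty server name: the password server connection was already gone"
            elif not channel_ok:
                kind, detail = "reject_after_channel_loss", f"{name} 'rejected' after a keepalive failure; suspect the dead channel, not the credentials"
            else:
                kind, detail = "reject", f"{name} rejected the password"
            findings.append((e.ts, kind, detail))
            continue
        m = AUTH_FAILED.match(e.msg)
        if m:
            findings.append((e.ts, "auth_failed", f"user {m.group('user')} rejected"))
            continue
        if "Couldn't find user" in e.msg and "in passdb" in e.msg:
            findings.append((e.ts, "passdb_fallback_noise",
                             "local smbpasswd lookup after the pass-through failure; expected with security = server and no local passdb"))
            continue
        if e.msg.startswith("netbios connect: local="):
            channel_ok = True  # new client TCP session: new smbd, fresh password-server connection
            findings.append((e.ts, "new_session", e.msg))
            continue
        if "connect to service" in e.msg:
            findings.append((e.ts, "auth_ok", e.msg))
    return findings


if __name__ == "__main__":
    for ts, kind, detail in analyse(parse(SAMPLE_LOG)):
        print(ts, kind, detail)
```

The state machine treats the log as one client session, which is what Andrew says a Win2k terminal server gives you; with several clients in one log file you would key the state on the smbd pid or use a per-machine log file so that one client's channel loss is not attributed to another.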
On Tuesday 15 January 2002 05:08, Andrew Bartlett wrote:
> "Lightfoot.Michael" wrote:
> > We are testing a new application which uses Citrix running on Win2k
> > servers to access a Samba share which contains some Java files. The
> > whole thing is being launched by a batch file run by the user after
> > logging into the Citrix server.
> >
> > Details of Samba are 2.2.2 running on Solaris 2.6. The only (slightly)

FWIW We are running samba from Citrix too, only issue I had was running out of file descriptors, this was possibly solved (two days without errors, knock on wood) by patching MAX_CONNECTIONS in source/smbd/conn.c to 512 and compiling again and it seems to have worked... (which is per daemon I think, and they are shared from Citrix servers, as many people work on 1 machine)

More info on samba-technical I think, where the issue was taken.

Gr Richard
> > security = server
> > password server = act-primary
> > encrypt passwords = yes
> 
> Is there any reason you can't use 'security = domain'?
> 

History, basically. I haven't tried to change anything substantive - just the things necessary when upgrading from 1.9.18 to 2.2.2. I'm also still learning (relearning) this stuff as I haven't had to do samba for ages (several years.)

> To join the domain use 'smbpasswd -j DOMAIN -U Administrator'. This
> will create a machine account (with the PDC's admin password)
> and set a
> password on that account. This allows Samba to pass both the
> challenge
> and response to the DC and to get back sane error codes.
> 

I think I must be a little thick as I can't get this to work. I tried:

smbpasswd -j COMCARE -u Administrator

It came back with a password prompt which I asked the M$ man to enter (for the PDC admin account) and it failed authentication. The server exists at the PDC and everything (according to the M$ bloke) is OK there.

> > password level = 2
> 
> You should not need this, it's only used with plaintext passwords.
> 

Removed it - again just history.

> > dead time = 15
> 
> This would have helped a bit, because by idling the connections you
> force a new challenge to be generated and so get a few more
> auths out of
> the PDC - but a terminal server is unlikely to be idle...
> 

Changed this to 120 seconds until I get the security = domain stuff working. BTW, this TS is not real busy as it is the one we are doing testing on. There are only one or two people using it at any one time.

> Ahh, now I see what's going on...
> 

The security = domain will definitely fix this?

> If either end is rebooted then the connection must be
> reestablished, and
> you get a fresh chance at authenticating users until the connection is
> dropped again.
> 

Makes sense - we have tested for this this morning and that's exactly the behaviour.

> This is because you only get one login, and nobody notices that the
> password server disappeared in the meantime because the session is
> already active.
> 

We are getting browsing problems from Win2k TSE on another system (a development machine) which is exhibiting symptoms of the server appearing in the browse list, but no shares visible under that (the user is asked for a password.)

> The final thing I will say is also the most annoying. Unlike NT
> Terminal Server, it is not possible to make Win2k TSE make
> more than one
> TCP/IP connection to the server. This means that samba will have to
> deal with all the traffic via one smbd. This not only removes that
> ability to use multiple CPUs, it also makes samba constantly have to
> change userid - a rather expensive system call. This can kill
> performance.
> 

Are you saying here that Win2k TSE behaves like a simple client PC? I assume that M$ will fix that soonest as that's an appalling bug (but not surprising when one considers that Citrix technology is really an awful kludge on top of Windoze.)

One of the changes made in the last 24 hours is to move all the java stuff onto the TS and only use Samba to provide document templates and stuff sucked out of an Oracle database.

> Hope this helps,
> 

Close, but no cigar. :-)

Michael Lightfoot
SysIX Unix Systems Consulting
02 6258 8185
michael.lightfoot@canb.auug.org.au
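As an added example for the configuration side of this thread (mine, not code from the posts or from the Samba project), the script below lints an smb.conf for the settings Andrew commented on and writes the corrected version beside the weak one: security = server flagged in favour of security = domain, dead time reported as a mitigation only, and password level reported as dead weight when encrypt passwords = yes. It uses Python's configparser, which reads the INI-like smb.conf once interpolation is switched off (smb.conf values such as "Samba (%v,%h)" would otherwise be treated as format strings). The sample is a constructed, trimmed copy of the [global] section posted above; the function names and the wording of the findings are mine, and the domain-join step itself still has to be done with smbpasswd as Andrew describes.

```python
"""Lint an smb.conf for the security = server pass-through settings discussed in this thread (added example)."""
import configparser
import io

# Constructed sample: a trimmed copy of the [global] section posted above.
SAMPLE_CONF = """\
[global]
workgroup = COMCARE
security = server
password server = act-primary
encrypt passwords = yes
server string = Samba (%v,%h)
keepalive = 30
password level = 2
dead time = 15

[pracsys]
path = /export/home/pp2
valid users = @prod @p2
"""


def load(text):
    """Parse smb.conf text; interpolation off so %v/%h survive, strict off for repeated keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def lint(text):
    """Return (parameter, problem) pairs for the [global] section."""
    g = load(text)["global"]
    findings = []
    security = g.get("security", "user").strip().lower()
    if security == "server":
        findings.append(("security",
                         "security = server mirrors each client session with one connection to the "
                         "password server; when that connection drops, every later logon on the "
                         "session fails. Join the domain (smbpasswd -j DOMAIN -U Administrator) "
                         "and use security = domain."))
        dead_time = int(g.get("dead time", "0").strip())
        if dead_time:
            problem = ("dead time = %d only mitigates: an idle session is dropped and its "
                       "reconnection gets a fresh password-server connection, but a busy "
                       "terminal-server session never idles." % dead_time)
        else:
            problem = "dead time = 0: idle sessions are never dropped, so a dead password-server connection is never replaced."
        findings.append(("dead time", problem))
    if security in ("server", "domain") and not g.get("password server", "").strip():
        findings.append(("password server", "security = %s needs a password server" % security))
    level = int(g.get("password level", "0").strip())
    if level and is_yes(g.get("encrypt passwords", "no")):
        findings.append(("password level",
                         "password level = %d only applies to plaintext passwords; with "
                         "encrypt passwords = yes it does nothing, remove it." % level))
    return findings


def harden(text):
    """Return the config rewritten with security = domain and password level removed."""
    cp = load(text)
    g = cp["global"]
    if g.get("security", "").strip().lower() == "server":
        g["security"] = "domain"  # still requires the machine account created by smbpasswd -j
    if "password level" in g:
        del g["password level"]
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for parameter, problem in lint(SAMPLE_CONF):
        print("%-16s %s" % (parameter, problem))
    print(harden(SAMPLE_CONF))
```

The rewritten config is only half of the change: security = domain on Samba 2.2 also needs the machine account, which is why the join command is printed in the finding rather than applied by the script.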