samba - Aug 2003 - Samba PDC + WinXP = problems fetching remote profiles

Hi, everybody!

I have 20 WinXP client machines and a sever running
Samba (first try was with 2.2.8, now it's 3.0.0rc1).
If it matters to someone (for statistics, fun or for 
understanding the problem), i use Slackware 9.0 Linux,
kernel 2.4.20 on server (and clients are XPpro/SP1,
buld 2600 as far as i remember). I almost had no
problems configuring samba for browsing and fortunately
i don't need to worry about printing. And it also
was not difficult to set up a Samba PDC. And even
the first time i logged in with a test user account,
everything went fine. But when i tried to log in
with that very account from another machine, i
got Win hanging up for about two minutes and
blaming approximately the following way:
  "Windows can't log you on with local profile,
  using temporary profile. Changes done to this
  profile will be lost after you log off"
(phrase `local profile` seemed strange to me, but
Win really does what it should do, except not
down/up loading the profiles). After the message
disappears or i hit OK, Win loggs in normally,
downloads logon.bat and seems to behave fine, but
the profile is really removed after log off.

Recently (a few hours ago, thanks to decreasing
log level from 3 to 2) i noticed the following
text in samba log corresponding to this behaviour:

  [2003/08/20 17:51:54, 2] smbd/open.c:open_file(248)
    botan opened file botan/NTUSER.DAT read=Yes
write=No (numopen=1)
  [2003/08/20 17:51:54, 2]
smbd/close.c:close_normal_file(228)
    botan closed file botan/NTUSER.DAT (numopen=0) 
  [2003/08/20 17:51:54, 2] smbd/open.c:open_file(248)
    botan opened file botan/NTUSER.DAT read=Yes
write=No (numopen=1)
  [2003/08/20 17:53:17, 2]
smbd/process.c:timeout_processing(1133)
    Closing idle connection
  [2003/08/20 17:53:17, 2] smbd/server.c:exit_server(558)
    Closing connections

The following is (probably not complete) list of what i
tried to do:
  *. Patch the registry. Definitely. I would not be able
    to join Domain without it.
  *. Patch group policies (on two test machines)
  *. Turn off EAP in network properties (there was such
    advice in some message here). Caused win to blame
    immediately after i try to log in and with other
    message. I don't remember it right now, but i will
    try it again, if you ask.
  *. Switch samba to LDAP authentication (i remembered
    a message on the mailing list, reporing success with
    Samba+XP using LDAP), but i did not make it far enough
    for Samba to authenticate users with LDAP, and i would
    anyway gladly appreciate help with LDAP, yet it's not
    my real trouble right now and i will hopefully cope
with
    it using heaps of doc on the net.
  *. Play with Samba's socket settings.

Grateful beforehand for any help.
Dendik.

PS. Excuse my poor english. Me not anglisch talk :).

PPS. I mailed this problem to the list a few weeks ago, but
the only ansewr i received was a suggestion about registry
patch (which was by that moment long time done) and i had
for some administrative reason postpone the work until now.

Hi!

Thanks for anserwing so fast.

I agree with your idea that it is the
oplock problem, i.e. that was one
of my first ideas after finding
out the following log lines:
> [2003/08/21 12:41:30, 0]
smbd/oplock.c:request_oplock_break(1023)
>   request_oplock_break: no response received to
oplock break request to pid 1850 on port 32771 for dev
= 305, inode = 8137, file_id = 21
> [2003/08/21 12:41:30, 0] smbd/open.c:open_mode_check(689)
>   open_mode_check: exlusive oplock left by process
1850 after break ! For file botan/NTUSER.DAT, dev 305, inode = 8137. Deleting it
to continue...
> [2003/08/21 12:41:30, 0] smbd/open.c:open_mode_check(693)
>   open_mode_check: Existent process 1850 left active
oplock.
So i turned off oplocks and level2 oplocks globally
(because otherwise testparm blamed me for
conflicting parameters). Then i restarted
smbd to be sure that parameters are read,
but after i tried to log in again, i faced
the same problem and the same log lines.

Any ideas how can this happen?

Dendik.

Hi!

Correction to my previous message.
If oplocks are turned off, Win does
really not notice any difference, but
Samba writes other error messages in log:
> [2003/08/21 13:04:42, 0]
lib/util_sock.c:write_socket_data(388)
>   write_socket_data: write failure. Error Connection timed out
> [2003/08/21 13:04:42, 0]
lib/util_sock.c:write_socket(413)
>   write_socket: Error writing 61503 bytes to socket
16: ERRNO = Connection timed out
> [2003/08/21 13:04:42, 0] lib/util_sock.c:send_smb(585)
>   Error writing 61503 bytes to client. -1.
(Connection timed out)

Also it prints lines
> [2003/08/21 18:29:30, 0]
smbd/oplock_linux.c:linux_init_kernel_oplocks(289)
>  Failed to setup RT_SIGNAL_LEASE handler
not depending on oplocks being turned off or on

Dendik.

> But when i tried to log in with that very account 
> from another machine, i got Win hanging up for about 
> two minutes and blaming approximately the following 
> way: "Windows can't log you on with local profile,
> using temporary profile. Changes done to this 
> profile will be lost after you log off" (phrase 
> `local profile` seemed strange to me, but Win really 
> does what it should do, except not down/up loading 
> the profiles). After the message disappears or i hit 
> OK, Win loggs in normally, downloads logon.bat and 
> seems to behave fine, but the profile is really 
> removed after log off.
Many problems result in this message. One is you need
a [profiles] share with a subdir named after each 
user. That user needs to have full access to it,
for example 0700, belongs to user:users. You also need
a [netlogon] share even if you don't use it. Try
this scheme:

   [global]
      ....
      logon path = \\samba-srv\profiles\%U
      ....
   [netlogon]
      path = /some-existing-path/netlogon
      write list = ntadmin
      browseable = No

   [profiles]
      path = /some-existing-path/profiles
      valid users = %U
      read only = No
      browseable = No
      inherit permissions = No

Sometimes an already existing profile is the problem.
Try removing it (save it first for reference) and 
logging in afresh.


____________________________________________________________
Get advanced SPAM filtering on Webmail or POP Mail ... Get Lycos Mail!
http://login.mail.lycos.com/r/referral?aid=27005

Hi!

Thanks for answering, but unfortunately, this seems to
be of no help. I already had [netlogon] service in my
config (to avoid further confusion, i add my smb.conf
at the end of this file), the only option i did not
have was "inherit permissions = No", which does not seem
to be useful for solving the problem (and did not help
also).

I have recently recogized that the problem of domain
logons is at least closely connected to the problem of
downloading "big" files (i.e. files larger than
something about 4k or even 2k). The symptoms are the
following:
  1. There are two differently behaving groups of
  programs: network neighbourhood (or something
  like that) and windows explorer, FAR, (i suppose
  that Window Commander -- for those who don't know
  what FAR is) and so on.
  2. Network Neighbourhood almost refuses to do
  anything on Samba shares -- it has long stall
  upon entering directories with names longer
  than 8 chars, and i don't remember it to
  be able to perform any file download/upload
  operations at all.
  3. WinExplorer can browse shares freely, unless
  it encounters directory containing more than
  25 entries (very strange limit -- but i checked,
  the limit is 25), where it stalls for 2 minutes.
  Also downloading files larger than something
  about 2 or 4 K always stalls for two minutes,
  and (under some unclear circumstances) sometimes
  fail completely.

I seem to be really stuck with these errors, and
i feel like i just "look in wrong direction", so
any genious ideas will be gratefully accepted :).
(Even any ideas that will help me to fix the thing :).

On Thu, Aug 22, Dragan Krnic <dkrnic@lycos.com> wrote:
> Many problems result in this message. One is you need
> a [profiles] share with a subdir named after each 
> user. That user needs to have full access to it,
> for example 0700, belongs to user:users. You also need
> a [netlogon] share even if you don't use it.
> Sometimes an already existing profile is the problem.
> Try removing it (save it first for reference) and 
> logging in afresh.
#####################################################
### Here go the most important parts from my smb.conf

[global]
; Network names and alike
workgroup = COMPUTER_CLASS
netbios name = kodomo
server string = Kodomo Samba %v
comment = BoiInformatic Computer Class

; Charset convertion
dos charset = CP866
display charset = KOI8-R
unix charset = KOI8-R

; Security
security = user
encrypt passwords = Yes
min passwd length = 6
null passwords = Yes
wide links = No
passdb backend = smbpasswd

log level = 1
log file = /var/log/samba/log.smbd.%m
max log size = 10000

; Netlogon
domain logons = Yes
logon script = logon.bat
logon path = \\kodomo\profiles\%U
logon drive = H:
logon home = \\kodomo\%u

; Browse master
; preferred master = No
; local master = Yes
domain master = Yes
os level = 64
[netlogon]
path = /home/export/samba/netlogon
write list = root
read only = Yes
; browseable = No
public = No
veto oplock files = /NTUSER.DAT /ntuser.ini

[profiles]
path = /home/export/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
; browsable = No

[homes]
comment = Home directory for %u
invalid users = root
browseable = No
read only = No
#####################################################

Dendik.

> I have recently recogized that the problem of domain
> logons is at least closely connected to the problem 
> of downloading "big" files (i.e. files larger than
> something about 4k or even 2k). The symptoms are the
> following:
>  1. There are two differently behaving groups of
>  programs: network neighbourhood (or something
>  like that) and windows explorer, FAR, (i suppose
>  that Window Commander -- for those who don't know
>  what FAR is) and so on.
>  2. Network Neighbourhood almost refuses to do
>  anything on Samba shares -- it has long stall
>  upon entering directories with names longer
>  than 8 chars, and i don't remember it to
>  be able to perform any file download/upload
>  operations at all.
>  3. WinExplorer can browse shares freely, unless
>  it encounters directory containing more than
>  25 entries (very strange limit -- but i checked,
>  the limit is 25), where it stalls for 2 minutes.
>  Also downloading files larger than something
>  about 2 or 4 K always stalls for two minutes,
>  and (under some unclear circumstances) sometimes
>  fail completely.
>
Sounds like symptoms of activated Web Client service. 
If you have missed it a few days ago, it appears that
the new, XP-specific service called Web Client, 
automatically enabled by default, creates all kinds
of performance and access problems. I only have 1 XP 
client in my network but it suddenly started acting 
normally, just like any other Win2K clients, after 
I disabled this service.

By the way, I still can't figure out what FAR is.

> [global]
...................
> dos charset = CP866
> display charset = KOI8-R
> unix charset = KOI8-R
Probably just a matter of taste.
> ; preferred master = No
> ; local master = Yes
My smb.conf has both set to Yes. In addition to that
I set this registry on all clients:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\
       \Services\Browser\Parameters\
       \MaintainServerList="No"

instead of default "Auto".


____________________________________________________________
Get advanced SPAM filtering on Webmail or POP Mail ... Get Lycos Mail!
http://login.mail.lycos.com/r/referral?aid=27005

>>> [global]
>>...................
>>> dos charset = CP866
>>> display charset = KOI8-R
>>> unix charset = KOI8-R
>>Probably just a matter of taste.
>Actually, not a taste, but a language -- russian.
Yes, of course. How silly of me. You're domain is .ru
>>> ; preferred master = No
>>> ; local master = Yes
>>My smb.conf has both set to Yes. In addition to that
>My also had some time ago. It's the result of
>me experimenting in hope to make it work.
>
>>I set this registry on all clients:
>>   HKEY_LOCAL_MACHINE\System\CurrentControlSet\
>>       \Services\Browser\Parameters\
>>       \MaintainServerList="No"
>>instead of default "Auto".
>Never seen a link to this patch. Thanx.
It's not a panacea but it keeps the clients from 
initiating browser elections, if you know they'll lose
it every time. It's an old trick. It probably only
makes a significant impact with large number of 
clients.


____________________________________________________________
Get advanced SPAM filtering on Webmail or POP Mail ... Get Lycos Mail!
http://login.mail.lycos.com/r/referral?aid=27005

Hi!
> Sounds like symptoms of activated Web Client service.
Probably, i even found the message you were talking about,
and the symptoms really look the same, but strangely,
disabling WebClient did not help -- maybe there is some
result, but the one i do not notice :). There HAVE to be
something Damian Gerow have done, that he did not tell...

Maybe the point is about EAP -- i did not quite understand
it. If anyone knows, what are symptoms of EAP being turned
on/off (and where to turn it on/off -- is it in properties
of network connection and called $(regexp
'IEEE [0-9]{3}.[0-9]') ), please tell me.
> Yes, of course. How silly of me. You're domain is .ru
Hmm. It was twice as strange for me because by your name
i thought that you are from either one of post-USSR
republics, or from one of their neighbour republics, where
cyrillic is also ofen used.

Dendik.

>> Sounds like symptoms of activated Web Client 
>> service.
> Probably, i even found the message you were talking 
> about, and the symptoms really look the same, but 
> strangely, disabling WebClient did not help -- 
> maybe there is some result, but the one i do not 
> notice :). There HAVE to be something Damian Gerow 
> have done, that he did not tell...
>
> Maybe the point is about EAP -- i did not quite 
> understand it. If anyone knows, what are symptoms 
> of EAP being turned on/off (and where to turn it 
> on/off -- is it in properties of network connection 
> and called $(regexp 'IEEE [0-9]{3}.[0-9]') ), 
> please tell me.
You can choose between 3 EAPs: PEAP, MD5 challenge
and SmartCard or other certificate in LAN Link 
properties under the tab Authentication if you
enable IEEE 802.1X Authentication. I switched it off
altogether when I killed Web client service. 
>> Yes, of course. How silly of me. 
>> You're domain is .ru
> Hmm. It was twice as strange for me because by your 
> name i thought that you are from either one of post-
> USSR republics, or from one of their neighbour 
> republics, where cyrillic is also ofen used.
Close. We used to use both before we started fighting
about it. Very few typewriters had cyrillic and in IT 
the standard is not to use cyrillic.


____________________________________________________________
Get advanced SPAM filtering on Webmail or POP Mail ... Get Lycos Mail!
http://login.mail.lycos.com/r/referral?aid=27005

Hi.

More than one week of fighting -- and still no result.
I'm stuck at the very same point. Right now i had to
make the system work just any way -- at least like
file server for window$ clients. But the problem with
file downloading still persists. And i really have
no idea of what i do wrong.
>>> Sounds like symptoms of activated Web Client service.
>> Maybe the point is about EAP -- i did not quite 
Still no help. I even tried to select each prorocol,
deselect each of their checkboxes and then deselect IEEE
802.1x, as someone reported this may help -- no result.

Dendik.

> More than one week of fighting -- and still no 
> result. I'm stuck at the very same point. Right 
> now i had to make the system work just any way 
> -- at least like file server for window$ clients.
> But the problem with file downloading still 
> persists. And i really have no idea of what i do 
> wrong.
You still have the problem! So sorry.

I installed an XP yesterday. All I had to do was set
network properties and register the SignOrSeal 
patch (WinXP_SignOrSeal.reg). I left the default
IEEE 802.1X EAP setting ("Smartcard or other...") and
didn't disable the Web client service either, just 
to see what kind of problems other people have. 
Well, I had no problem whatsoever. I can login in
and out in a couple of seconds. I can transfer the
Win2K-SP4 (137 MB) in both directions under 15 sec.

I don't know what your problem is but in your shoes
I would try from scratch, with a very uncomplicated
setup - just the server and a freshly installed client 
connected via a crossed cable and build from there. 
Chances are that something completely different is 
your problem, but you need to find it out slowly
and systematically.
>>> Sounds like symptoms of activated Web Client 
>>> service.
>> Maybe the point is about EAP -- i did not quite 
> Still no help. I even tried to select each prorocol,
> deselect each of their checkboxes and then deselect 
> IEEE 802.1x, as someone reported this may help -- no 
> result.
I wonder what other problem in client network 
configuration can be masked by switching EAP and 
Web client off. I've seen the problem only on an
XP client, a laptop. It wasn't severe. Opening a
share or a shared subdirectory would stall for several
seconds although it takes no time on other clients.
When I disabled Web client and EAP those symptoms
were gone.

With my new XP box I also tried and disabled both
EAP and Web client. No difference. Same login and
transfer speed.

EAP and Web client obviously do not need to be a 
problem on an otherwise correctly set up server
and clients communicating through decent wires and
switches.

I'm afraid no one can help you but you yourself.
Go slowly from simple to more complex. Be sure what
works and you'll find out what the problem was.
Perhaps you should first test how fast ftp client
works.


____________________________________________________________
Get advanced SPAM filtering on Webmail or POP Mail ... Get Lycos Mail!
http://login.mail.lycos.com/r/referral?aid=27005

Hi.

Finally!!! I got it working!!!
The only thing i did was to replace
server's builtin 3Com Gigabit network
card with SMC1255(100Mb. I tried to force
settings of 3Com -- to half duplex mode,
or to other speed -- but it did not let me
exceed autodetection, and autodetection
was half duplex/100Mb. I still can not
figure out, why such low-level hardware
replacement cured such high-level software
problems -- but this makes no matter for
me right now, since it works, and it works
fine.

Special thanks to Dragan Krnic, who was
almost the only one trying to help me on
this list.

Dendik.

PS. I confirm: recent WinXP's do not require
either RequireSignOrSeal, or mmc, or WebClient
service, or EAP patches. (Though some of these
patches -- e.g. group policies in mmc and one
of registry patches, which Dragan sent me --
are useful for making things smoother)

Hi.
>Hi Dendik congrats on solving your problem.
Thanks.
>are you using samba3 ?i
Yes, i am.
> How did you go with group policies on Xp?
Hmm... The most correct answer would be
"i don't know". After i fixed the hardware
problem, the only thing i did on client
machines was to enter the domain -- and
there were no problems with roaming profiles.
Could you describe your problem better --
i digged a lot of info and can be of some
help, probably.

Dendik.