samba - Jan 2003 - serious problem with W2K TS and 2.2.7 PDC

> Windows 2000 Terminal Server with SP3, with various pre SP4 updates
> too.  Various Win2K Pro, Win95 OSR2 clients.
 
> ÆhomesÅ
Can we see the Global section aswell please?  Do you have Security = DOMAIN
which is
the prefered setting for Terminal Servers?  (See previous postings about problem
with
Security = SERVER vs. Security = DOMAIN)

Some in the samba team wrote earlier that they hoped SP3 for W2K would solve
this
problem.  SP3 has not solved this problem.  Just for their information.
> The log for each TS has many of these errors (for various users):
> Æ2002/12/06 16:39:14, 0Å smbd/service.c:make_connection(597) ts5
> (10.2.3.15) Can't change directory to /md3/profiles/rstu (Permission
> denied)
This is typical for some sort of auth failure in my experience.  Try running
loglevel 2 and see
if the authentication fails (as in the problem with security = server).
> Is it likely that the %U expansion fixes broke this - some assumption
> with one pid/connection == one user?
The one pid/connection is an issue in relation to the authentication problem. 
If one of the
PIDs get problem with authing it will keep this problem until you kill the PID
(thus it might
explain why it works after you restarted).
> On another issue, we get a lot of errors regarding failed connections to
> truncated service names.  For example we have a service called
'apps'
> It only ever drops the last character and happens fairly frequently on
> different shares.  This has happened for quite a while, but hasn't had
> any noticeable effect on users.
We also saw this on a HP-UX 10.20 machine.  We didnt notice any problems either,
just that
the log would notify a connection to a share with one letter missing.

Regards
Per Kjetil Grotnes
---
IT-Seksjonen, Plan- og bygningsetaten, Oslo Kommune
Tlf: 22 66 26 61, Fax: 22 66 26 65

Hi,

My setup:

RedHat 7.3 PDC server with samba 2.2.7 rpm rebuilt with max connections
patch and ldapsam and a few other minor changes, openldap 2.0.23-4.

Windows 2000 Terminal Server with SP3, with various pre SP4 updates
too.  Various Win2K Pro, Win95 OSR2 clients.

[homes]
   comment = Home
   writable = yes
   valid users = %S
   nt acl support = no
   oplocks = no
   path = /md3/profiles/%U
   share modes = no


The log for each TS has many of these errors (for various users):

[2002/12/06 16:39:14, 0] smbd/service.c:make_connection(597) ts5
(10.2.3.15) Can't change directory to /md3/profiles/rstu (Permission
denied)

This does NOT happen everytime that the share is accessed, only
sometimes.  This did not happen with 2.2.6.  It is not an issue on
standalone W2K pro machines that I have tested.

Is it likely that the %U expansion fixes broke this - some assumption
with one pid/connection == one user?

I intend to undo the %U changes to 2.2.7 and see if that works.

On another issue, we get a lot of errors regarding failed connections to
truncated service names.  For example we have a service called 'apps'
and sometimes (I never notice when or how) we get errors similar to
this:

[2002/11/27 11:25:04, 0] smbd/service.c:make_connection(251)
  iceberg-ts1 (10.2.3.6) couldn't find service app

It only ever drops the last character and happens fairly frequently on
different shares.  This has happened for quite a while, but hasn't had
any noticeable effect on users.

Any suggestions?  I'm not subscribed to the list.

Thanks,

Robert Stuart
Systems Administrator

(samba-technical is developer-related, so I added
Reply-To: samba@lists.samba.org)

In <3DF3D032.3F349CD0@qsa.qld.edu.au>,
Robert.Stuart@qsa.qld.edu.au wrote:
>> RedHat 7.3 PDC server with samba 2.2.7 rpm rebuilt with max connections
>> patch and ldapsam and a few other minor changes, openldap 2.0.23-4.
>> 
>> Windows 2000 Terminal Server with SP3, with various pre SP4 updates
>> too.  Various Win2K Pro, Win95 OSR2 clients.
>> Is it likely that the %U expansion fixes broke this - some assumption
>> with one pid/connection == one user?
Yes. Would docs/Registry/WindowsTerminalServer.reg (in
source file. I don't know where it place in the package)
solve your problem?
----
Tomoki AONO	(aono@cc.osaka-kyoiku.ac.jp)

Robert, Tomoki,

With regards to the multipleusersonconnection Registry key value listed for
WTS, this indeed does not work under the Windows 2000 version of terminal
server.  What I did to work around all the users getting the same SMB
process was create different aliases to the samba file server for each user.
In my case, in my terminal server host file, I added an user id alias for
the samba server for each user connecting from the terminal server.  When an
user connected their samba share drives using their user id alias instead of
the server name, they receive a separate smb process.

An alternative way of doing this, that was suggested to me from the list, is
you could use the netbios aliases parameter available in the smb.conf file.
I did some tests with this and it seemed to work the same way as my local
aliases, however I do not know if there is a maximum value for this.

For example, say I have a user with the user id smitjoh and he goes to make
a connection to my samba server, called samba1, from my terminal server.
Instead of going \\samba1\myshare when he connects the share, I would have
created an alias to samba1 called smitjoh and the user would connect the
share as \\smitjoh\myshare.  The same would then be done for the user to any
other share from the samba server.

Hope this helps.

========
Message: 1
From: Robert Stuart <Robert.Stuart@qsa.qld.edu.au>
Organization: Queensland Studies Authority
To: samba@lists.samba.org
Cc: samba-technical@lists.samba.org
Date: Tue, 10 Dec 2002 15:29:34 +1000
Subject: [Samba] Re: serious problem with W2K TS and 2.2.7 PDC

Tomoki AONO wrote:
> 
> In <3DF3D032.3F349CD0@qsa.qld.edu.au>,
> Robert.Stuart@qsa.qld.edu.au wrote:
> 
> >> RedHat 7.3 PDC server with samba 2.2.7 rpm rebuilt with max
connections
> >> patch and ldapsam and a few other minor changes, openldap
2.0.23-4.
> >>
> >> Windows 2000 Terminal Server with SP3, with various pre SP4
updates
> >> too.  Various Win2K Pro, Win95 OSR2 clients.
> 
> >> Is it likely that the %U expansion fixes broke this - some
assumption
> >> with one pid/connection == one user?
> 
> Yes. Would docs/Registry/WindowsTerminalServer.reg (in
> source file. I don't know where it place in the package)
> solve your problem?
Unfortunately not.  This reg file only applies to Windows NT 4.0
Terminal Server Edition.  It has no effect on Win2K.  I think its really
silly that it doesn't, specially as TS/Citrix tuning info specifically
suggests that this get turned on for NT4.

Thanks for the suggestion.

Robert Stuart
Systems Administrator