samba - May 2010 - AD Integration drives me nuts

Hi

This has keeping me up for days now and I can't seem to find a solution
in the various wikis, howtos and whatsoevers, so here's the plot:

I have a W2K3 R2 x64 Domaincontroller (VM on vSphere4) and a CentOS 5.4
x64 fileserver (also a VM on vSphere4, same ESX-host), running Samba
3.0.33-3.15.el5_4.1 (rpm installation out of the box).

All I want to do is to have Samba authenticate against my DC. I've been
setting up Kerberos, Winbind and Samba according to the Wiki-Page
(http://wiki.samba.org/index.php/Samba_%26Active_Directory).

Authentication seems to work (i.e if I logon to the server via ssh using
the AD-Account, everything looks fine and even the created homedirs are
assigned to the group "domain users") however, If i try to map a
windows
share from a laptop running XPpro, Samba won't accept the user neither
for the homedirs nor for the datashare.

So the big question is: where did I screw up and/or what did i forget?

This is what my smb.conf looks like at the the moment:

[global]
        workgroup = PROTEC
        realm = BSR.PROTEC-ENTERPRISES.COM
        password server = dc01-v.bsr.protec-enterprises.com
        preferred master = no
        server string = Samba FileServer Version %v
        netbios name = SAMBA-V

        # logs split per machine
        log file = /var/log/samba/%m.log
        # max 50KB per log file, then rotate
        max log size = 50
        log level = 3

        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
;       winbind nested groups = yes
;       winbind nss info = rfc2307

        security = ADS
        encrypt passwords = yes

        idmap uid = 10000-20000
        idmap gid = 10000-20000

        username map = /etc/samba/smbusers 
	# just to map the root account to the AD-Administrator account
	# as well as the AD-Guest account to "nobody"
        
	template shell = /bin/bash
;       template primary group = "Domain Users"

[homes]
        comment = Home Directories
        valid users = $S
        readonly = no
        browseable = yes

[Data]
        comment = New K-Drive
        valid users = @PROTEC+domain users
        path = /mnt/sambashares/filestore
        writeable = yes
        browseable = yes


And here's what's in the workstation-log (not that i understand any of
it...):

[2010/05/05 14:34:39, 3] passdb/lookup_sid.c:store_gid_sid_cache(1151)
  store_gid_sid_cache: gid 10013 in cache ->
S-1-5-21-1238498519-1179045160-1496349262-515
[2010/05/05 14:34:39, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
  fetch gid from cache 10000 -> S-1-5-32-544
[2010/05/05 14:34:39, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
  fetch gid from cache 10001 -> S-1-5-32-545
[2010/05/05 14:34:39, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/05/05 14:34:39, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/05/05 14:34:39, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/05 14:34:39, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID
[S-1-5-21-1238498519-1179045160-1496349262-1124]
[2010/05/05 14:34:39, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID
[S-1-5-21-1238498519-1179045160-1496349262-515]
[2010/05/05 14:34:39, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2010/05/05 14:34:39, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[2010/05/05 14:34:39, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
  fetch gid from cache 10013 ->
S-1-5-21-1238498519-1179045160-1496349262-515
[2010/05/05 14:34:39, 3] smbd/password.c:register_vuid(304)
  User name: PROTEC+fx805-02-p$ Real name: FX805-02-P$
[2010/05/05 14:34:39, 3] smbd/password.c:register_vuid(325)
  UNIX uid 10010 is UNIX user PROTEC+fx805-02-p$, and will be vuid 101
[2010/05/05 14:34:39, 3] smbd/password.c:register_vuid(356)
  Adding homes service for user 'PROTEC+fx805-02-p$' using home
directory: '/home/PROTEC/fx805-02-p_'
[2010/05/05 14:34:39, 3] param/loadparm.c:lp_add_home(2691)
  adding home's share [fx805-02-p$] for user 'PROTEC+fx805-02-p$' at
'/home/PROTEC/fx805-02-p_'
[2010/05/05 14:34:39, 3] smbd/process.c:process_smb(1083)
  Transaction 2 of length 84
[2010/05/05 14:34:39, 3] smbd/process.c:switch_message(932)
  switch message SMBtconX (pid 24205) conn 0x0
[2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/05 14:34:39, 3] smbd/service.c:make_connection_snum(815)
  Connect path is '/tmp' for service [IPC$]
[2010/05/05 14:34:39, 3] lib/util_seaccess.c:se_access_check(250)
[2010/05/05 14:34:39, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is
S-1-5-21-1238498519-1179045160-1496349262-1124
  se_access_check: also S-1-5-21-1238498519-1179045160-1496349262-515
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2010/05/05 14:34:39, 3] smbd/vfs.c:vfs_init_default(95)
  Initialising default vfs hooks
[2010/05/05 14:34:39, 3] smbd/vfs.c:vfs_init_custom(128)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2010/05/05 14:34:39, 3] lib/util_seaccess.c:se_access_check(250)
[2010/05/05 14:34:39, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is
S-1-5-21-1238498519-1179045160-1496349262-1124
  se_access_check: also S-1-5-21-1238498519-1179045160-1496349262-515
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (10010, 10013) - sec_ctx_stack_ndx = 0
[2010/05/05 14:34:39, 3] smbd/service.c:make_connection_snum(1042)
  192.168.2.88 (192.168.2.88) connect to service IPC$ initially as user
PROTEC+fx805-02-p$ (uid=10010, gid=10013) (pid 24205)
[2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/05 14:34:39, 3] smbd/reply.c:reply_tcon_and_X(574)
  tconX service=IPC$
[2010/05/05 14:34:39, 3] smbd/process.c:process_smb(1083)
  Transaction 3 of length 102
[2010/05/05 14:34:39, 3] smbd/process.c:switch_message(932)
  switch message SMBtrans2 (pid 24205) conn 0x2b6c699f1430
[2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (10010, 10013) - sec_ctx_stack_ndx = 0
[2010/05/05 14:34:39, 3] smbd/msdfs.c:get_referred_path(636)
  get_referred_path: |Data| in dfs path \Samba-v\Data is not a dfs root.
[2010/05/05 14:34:39, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/trans2.c(6309) cmd=50 (SMBtrans2)
NT_STATUS_NOT_FOUND
[2010/05/05 14:34:41, 3] smbd/process.c:process_smb(1083)
  Transaction 4 of length 240
[2010/05/05 14:34:41, 3] smbd/process.c:switch_message(932)
  switch message SMBsesssetupX (pid 24205) conn 0x0
[2010/05/05 14:34:41, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/05 14:34:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
  wct=12 flg2=0xc807
[2010/05/05 14:34:41, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
  Doing spnego session setup
[2010/05/05 14:34:41, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002
5.1] PrimaryDomain=[]
[2010/05/05 14:34:41, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
  reply_spnego_negotiate: Got secblob of size 40
[2010/05/05 14:34:41, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa2088207
[2010/05/05 14:34:41, 3] smbd/process.c:process_smb(1083)
  Transaction 5 of length 338
[2010/05/05 14:34:41, 3] smbd/process.c:switch_message(932)
  switch message SMBsesssetupX (pid 24205) conn 0x0
[2010/05/05 14:34:41, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/05 14:34:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
  wct=12 flg2=0xc807
[2010/05/05 14:34:41, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
  Doing spnego session setup
[2010/05/05 14:34:41, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002
5.1] PrimaryDomain=[]
[2010/05/05 14:34:41, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
  Got user=[smg] domain=[SAMBA-V] workstation=[FX805-02-P] len1=24
len2=24

On 05/05/2010 1:38 PM, Mike wrote:
> Hi
>
> This has keeping me up for days now and I can't seem to find a solution
> in the various wikis, howtos and whatsoevers, so here's the plot:
>
> I have a W2K3 R2 x64 Domaincontroller (VM on vSphere4) and a CentOS 5.4
> x64 fileserver (also a VM on vSphere4, same ESX-host), running Samba
> 3.0.33-3.15.el5_4.1 (rpm installation out of the box).
>
> All I want to do is to have Samba authenticate against my DC. I've been
> setting up Kerberos, Winbind and Samba according to the Wiki-Page
> (http://wiki.samba.org/index.php/Samba_%26Active_Directory).
>
> Authentication seems to work (i.e if I logon to the server via ssh using
> the AD-Account, everything looks fine and even the created homedirs are
> assigned to the group "domain users") however, If i try to map a
windows
> share from a laptop running XPpro, Samba won't accept the user neither
> for the homedirs nor for the datashare.
>
> So the big question is: where did I screw up and/or what did i forget?
>
> This is what my smb.conf looks like at the the moment:
>
> [global]
>          workgroup = PROTEC
>          realm = BSR.PROTEC-ENTERPRISES.COM
>          password server = dc01-v.bsr.protec-enterprises.com
>          preferred master = no
>          server string = Samba FileServer Version %v
>          netbios name = SAMBA-V
>
>          # logs split per machine
>          log file = /var/log/samba/%m.log
>          # max 50KB per log file, then rotate
>          max log size = 50
>          log level = 3
>
>          winbind separator = +
>          winbind enum users = yes
>          winbind enum groups = yes
>          winbind use default domain = yes
> ;       winbind nested groups = yes
> ;       winbind nss info = rfc2307
>
>          security = ADS
>          encrypt passwords = yes
>
>          idmap uid = 10000-20000
>          idmap gid = 10000-20000
>
>          username map = /etc/samba/smbusers
> 	# just to map the root account to the AD-Administrator account
> 	# as well as the AD-Guest account to "nobody"
>
> 	template shell = /bin/bash
> ;       template primary group = "Domain Users"
>
> [homes]
>          comment = Home Directories
>          valid users = $S
>    
Mike,

I see a couple of syntax errors.
You must prefix with the domain and separator.  Also use %, not $.
valid users = PROTEC+%S
>          readonly = no
>          browseable = yes
>
> [Data]
>          comment = New K-Drive
>          valid users = @PROTEC+domain users
>    
Domain Users has a space, so you must enclose in quotes
valid users = @"PROTEC+ Domain Users"

See if this helps.

Dale
>          path = /mnt/sambashares/filestore
>          writeable = yes
>          browseable = yes
>
>
> And here's what's in the workstation-log (not that i understand any
of
> it...):
>
> [2010/05/05 14:34:39, 3] passdb/lookup_sid.c:store_gid_sid_cache(1151)
>    store_gid_sid_cache: gid 10013 in cache ->
> S-1-5-21-1238498519-1179045160-1496349262-515
> [2010/05/05 14:34:39, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
>    fetch gid from cache 10000 ->  S-1-5-32-544
> [2010/05/05 14:34:39, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
>    fetch gid from cache 10001 ->  S-1-5-32-545
> [2010/05/05 14:34:39, 3] smbd/sec_ctx.c:push_sec_ctx(208)
>    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2010/05/05 14:34:39, 3] smbd/uid.c:push_conn_ctx(358)
>    push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2010/05/05 14:34:39, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
>    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/05/05 14:34:39, 3] lib/privileges.c:get_privileges(261)
>    get_privileges: No privileges assigned to SID
> [S-1-5-21-1238498519-1179045160-1496349262-1124]
> [2010/05/05 14:34:39, 3] lib/privileges.c:get_privileges(261)
>    get_privileges: No privileges assigned to SID
> [S-1-5-21-1238498519-1179045160-1496349262-515]
> [2010/05/05 14:34:39, 3] lib/privileges.c:get_privileges(261)
>    get_privileges: No privileges assigned to SID [S-1-5-2]
> [2010/05/05 14:34:39, 3] lib/privileges.c:get_privileges(261)
>    get_privileges: No privileges assigned to SID [S-1-5-11]
> [2010/05/05 14:34:39, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
>    fetch gid from cache 10013 ->
> S-1-5-21-1238498519-1179045160-1496349262-515
> [2010/05/05 14:34:39, 3] smbd/password.c:register_vuid(304)
>    User name: PROTEC+fx805-02-p$ Real name: FX805-02-P$
> [2010/05/05 14:34:39, 3] smbd/password.c:register_vuid(325)
>    UNIX uid 10010 is UNIX user PROTEC+fx805-02-p$, and will be vuid 101
> [2010/05/05 14:34:39, 3] smbd/password.c:register_vuid(356)
>    Adding homes service for user 'PROTEC+fx805-02-p$' using home
> directory: '/home/PROTEC/fx805-02-p_'
> [2010/05/05 14:34:39, 3] param/loadparm.c:lp_add_home(2691)
>    adding home's share [fx805-02-p$] for user
'PROTEC+fx805-02-p$' at
> '/home/PROTEC/fx805-02-p_'
> [2010/05/05 14:34:39, 3] smbd/process.c:process_smb(1083)
>    Transaction 2 of length 84
> [2010/05/05 14:34:39, 3] smbd/process.c:switch_message(932)
>    switch message SMBtconX (pid 24205) conn 0x0
> [2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/05/05 14:34:39, 3] smbd/service.c:make_connection_snum(815)
>    Connect path is '/tmp' for service [IPC$]
> [2010/05/05 14:34:39, 3] lib/util_seaccess.c:se_access_check(250)
> [2010/05/05 14:34:39, 3] lib/util_seaccess.c:se_access_check(251)
>    se_access_check: user sid is
> S-1-5-21-1238498519-1179045160-1496349262-1124
>    se_access_check: also S-1-5-21-1238498519-1179045160-1496349262-515
>    se_access_check: also S-1-1-0
>    se_access_check: also S-1-5-2
>    se_access_check: also S-1-5-11
> [2010/05/05 14:34:39, 3] smbd/vfs.c:vfs_init_default(95)
>    Initialising default vfs hooks
> [2010/05/05 14:34:39, 3] smbd/vfs.c:vfs_init_custom(128)
>    Initialising custom vfs hooks from [/[Default VFS]/]
> [2010/05/05 14:34:39, 3] lib/util_seaccess.c:se_access_check(250)
> [2010/05/05 14:34:39, 3] lib/util_seaccess.c:se_access_check(251)
>    se_access_check: user sid is
> S-1-5-21-1238498519-1179045160-1496349262-1124
>    se_access_check: also S-1-5-21-1238498519-1179045160-1496349262-515
>    se_access_check: also S-1-1-0
>    se_access_check: also S-1-5-2
>    se_access_check: also S-1-5-11
> [2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>    setting sec ctx (10010, 10013) - sec_ctx_stack_ndx = 0
> [2010/05/05 14:34:39, 3] smbd/service.c:make_connection_snum(1042)
>    192.168.2.88 (192.168.2.88) connect to service IPC$ initially as user
> PROTEC+fx805-02-p$ (uid=10010, gid=10013) (pid 24205)
> [2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/05/05 14:34:39, 3] smbd/reply.c:reply_tcon_and_X(574)
>    tconX service=IPC$
> [2010/05/05 14:34:39, 3] smbd/process.c:process_smb(1083)
>    Transaction 3 of length 102
> [2010/05/05 14:34:39, 3] smbd/process.c:switch_message(932)
>    switch message SMBtrans2 (pid 24205) conn 0x2b6c699f1430
> [2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>    setting sec ctx (10010, 10013) - sec_ctx_stack_ndx = 0
> [2010/05/05 14:34:39, 3] smbd/msdfs.c:get_referred_path(636)
>    get_referred_path: |Data| in dfs path \Samba-v\Data is not a dfs root.
> [2010/05/05 14:34:39, 3] smbd/error.c:error_packet_set(106)
>    error packet at smbd/trans2.c(6309) cmd=50 (SMBtrans2)
> NT_STATUS_NOT_FOUND
> [2010/05/05 14:34:41, 3] smbd/process.c:process_smb(1083)
>    Transaction 4 of length 240
> [2010/05/05 14:34:41, 3] smbd/process.c:switch_message(932)
>    switch message SMBsesssetupX (pid 24205) conn 0x0
> [2010/05/05 14:34:41, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/05/05 14:34:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
>    wct=12 flg2=0xc807
> [2010/05/05 14:34:41, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
>    Doing spnego session setup
> [2010/05/05 14:34:41, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
>    NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002
> 5.1] PrimaryDomain=[]
> [2010/05/05 14:34:41, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
>    reply_spnego_negotiate: Got secblob of size 40
> [2010/05/05 14:34:41, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
>    Got NTLMSSP neg_flags=0xa2088207
> [2010/05/05 14:34:41, 3] smbd/process.c:process_smb(1083)
>    Transaction 5 of length 338
> [2010/05/05 14:34:41, 3] smbd/process.c:switch_message(932)
>    switch message SMBsesssetupX (pid 24205) conn 0x0
> [2010/05/05 14:34:41, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/05/05 14:34:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
>    wct=12 flg2=0xc807
> [2010/05/05 14:34:41, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
>    Doing spnego session setup
> [2010/05/05 14:34:41, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
>    NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002
> 5.1] PrimaryDomain=[]
> [2010/05/05 14:34:41, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
>    Got user=[smg] domain=[SAMBA-V] workstation=[FX805-02-P] len1=24
> len2=24
>
>
>

Mike put forth on 5/5/2010 1:38 PM:
> Hi
> 
> This has keeping me up for days now and I can't seem to find a solution
> in the various wikis, howtos and whatsoevers, so here's the plot:
> 
> I have a W2K3 R2 x64 Domaincontroller (VM on vSphere4) and a CentOS 5.4
> x64 fileserver (also a VM on vSphere4, same ESX-host), running Samba
> 3.0.33-3.15.el5_4.1 (rpm installation out of the box).
Make sure your system time is accurate on your VM guests.  Virtual machines
on VMWare ESX are notorious for not keeping time correctly, sometimes
drifting by hours in a single day.  Read, thoroughly, and implement the
recommendations in this guide:

http://www.vmware.com/pdf/vmware_timekeeping.pdf

Kerberos requires client and server clocks to be no more than 5 minutes
apart.  From:
http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Clock-Skew.html

"6.2 Clock Skew

In order to prevent intruders from resetting their system clocks in order to
continue to use expired tickets, Kerberos V5 is set up to reject ticket
requests from any host whose clock is not within the specified maximum clock
skew of the KDC (as specified in the kdc.conf file). Similarly, hosts are
configured to reject responses from any KDC whose clock is not within the
specified maximum clock skew of the host (as specified in the krb5.conf
file). The default value for maximum clock skew is 300 seconds, or five minutes.

MIT suggests that you add a line to client machines' /etc/rc files to
synchronize the machine's clock to your KDC at boot time. On UNIX hosts,
assuming you had a kdc called kerberos in your realm, this would be:

     gettime -s kerberos

If the host is not likely to be rebooted frequently, you may also want to
set up a cron job that adjusts the time on a regular basis."


Clock may not be the cause of your current problems, but over 80% of the
time it is the cause of kerberos problems with VMWare guests.

-- 
Stan