[Samba] serious problem with W2K TS and 2.2.7 PDC

Robert Stuart Robert.Stuart at qsa.qld.edu.au
Tue Dec 10 01:34:00 GMT 2002


Per Kjetil Grotnes wrote:
> > Windows 2000 Terminal Server with SP3, with various pre SP4 updates
> > too.  Various Win2K Pro, Win95 OSR2 clients.
> > [homes]
> Can we see the Global section as well please?  Do you have Security = DOMAIN which is
> the preferred setting for Terminal Servers?  (See previous postings about problem with
> Security = SERVER vs. Security = DOMAIN)

The RedHat samba server is the PDC, so security = user with ldap as the
repository for account info; bits of the smb.conf at the bottom of the
email.  We don't experience authentication problems.  We don't use

The Win2k clients that have problems are ONLY Terminal Server machines. 
Workstations do NOT have the problem.  Win2k Terminal Server shares
multiple users over the one connection.  One connection = one pid. 
After applying the 2.2.6-2.2.7 patch minus bits regarding the %U, we
have had no further problems with the home share issue that I
described.  Yesterday, I happened to be watching the log file (tail -f)
of one of the TSs as someone else logged on.  I was on the same Terminal
server.  Just after they connected, I tried to access my H: drive
(mapped to the home share) and got errors accessing both on the W2k
screen and in the log file.

> Some in the samba team wrote earlier that they hoped SP3 for W2K would solve this
> problem.  SP3 has not solved this problem.  Just for their information.
> > The log for each TS has many of these errors (for various users):
> > [2002/12/06 16:39:14, 0] smbd/service.c:make_connection(597) ts5
> > ( Can't change directory to /md3/profiles/rstu (Permission
> > denied)
> This is typical for some sort of auth failure in my experience.  Try running loglevel 2 and see
> if the authentication fails (as in the problem with security = server).

I had the log at 3 for a while and we had no authentication problems,
but I think you are talking about a different problem.

> > On another issue, we get a lot of errors regarding failed connections to
> > truncated service names.  For example we have a service called 'apps'
> > It only ever drops the last character and happens fairly frequently on
> > different shares.  This has happened for quite a while, but hasn't had
> > any noticeable effect on users.
> We also saw this on a HP-UX 10.20 machine.  We didn't notice any problems either, just that
> the log would notify a connection to a share with one letter missing.

I've seen it for a while - at least 2.2.5 onwards probably 2.2.[34] too.

some relevant bits from smb.conf:

[global]
   workgroup = ANTARCTICA
   NETBIOS name = fsx
   NETBIOS aliases = Elephant PrintServer
   server string = Samba Server
   guest account = smbnobody
   log file = /var/log/samba/log.%m
   debug level = 1
   max log size = 5000
   security = user
   password level = 3
   encrypt passwords = yes
   domain admin group = @domadm
   unix password sync = Yes
   ldap server =
   ldap port = 389
   ldap ssl = off
   ldap admin dn = "uid=something,dc=us,dc=au"
   ldap suffix = "dc=us,dc=au"
   local master = yes
   os level = 64
   domain master = yes
   preferred master = yes
   domain logons = yes
   logon script = login.bat
   logon drive = h:
   name resolve order = wins bcast host
   wins support = yes
   browseable = yes
   nt acl support = no
# I snipped some printing, locking and other similar junk out.

[homes]
   comment = Home
   writable = yes
   valid users = %S
   nt acl support = no
   oplocks = no
   path = /md3/profiles/%U
   share modes = no

[netlogon]
   path = /md1/netlogon
   read only  = yes
   locking = no

[apps]
   comment = Apps
   path = /md3/Apps
   valid users = @lots,administrator
   public = no
   readonly = no


Robert Stuart
Systems Administrator
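
The log pattern described in this message, as an added example that is not part of the original post: a Python script that extracts the make_connection "Can't change directory" errors from a Samba log and lists client machines whose failures span more than one user directory, the multi-user pattern the post ties to Terminal Servers. The sample log is constructed (addresses and the jdoe, asmith and ws12 names are placeholders), and the two-line record layout is assumed from the error quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: header line followed by an indented message line.
# Addresses, pids and the jdoe/asmith/ws12 names are placeholders.
SAMPLE_LOG = """\
[2002/12/06 16:39:14, 0] smbd/service.c:make_connection(597)
  ts5 (192.0.2.15) Can't change directory to /md3/profiles/rstu (Permission denied)
[2002/12/06 16:39:20, 1] smbd/service.c:make_connection(636)
  ts5 (192.0.2.15) connect to service apps as user rstu (uid=1201, gid=100) (pid 4312)
[2002/12/06 16:41:02, 0] smbd/service.c:make_connection(597)
  ts5 (192.0.2.15) Can't change directory to /md3/profiles/jdoe (Permission denied)
[2002/12/06 16:45:31, 0] smbd/service.c:make_connection(597)
  ws12 (192.0.2.40) Can't change directory to /md3/profiles/asmith (Permission denied)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] (\S+)$")
MESSAGE = re.compile(
    r"^\s+(?P<client>\S+) \((?P<addr>[^)]*)\) "
    r"Can't change directory to (?P<path>\S+) \((?P<err>[^)]*)\)"
)


def chdir_failures(log_text):
    """Yield (timestamp, client, path, error) for each failed chdir
    reported by make_connection."""
    stamp = None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            # Only message lines that follow a make_connection header count.
            stamp = header.group(1) if "make_connection" in header.group(3) else None
            continue
        msg = MESSAGE.match(line)
        if msg and stamp:
            yield stamp, msg.group("client"), msg.group("path"), msg.group("err")


def shared_connection_suspects(log_text, min_dirs=2):
    """Return clients whose chdir failures cover at least min_dirs distinct
    directories, i.e. several users' homes failing from one machine."""
    dirs = defaultdict(set)
    for _, client, path, _ in chdir_failures(log_text):
        dirs[client].add(path)
    return {c: sorted(p) for c, p in dirs.items() if len(p) >= min_dirs}


if __name__ == "__main__":
    for client, paths in shared_connection_suspects(SAMPLE_LOG).items():
        print(client, paths)
```

A workstation that fails on a single directory points at ordinary permissions on that directory; one machine failing across several users' directories is the case worth comparing against the %U path in [homes].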
