Fear, Uncertainty, Doubt and Citrix on Win2k

Lightfoot.Michael Lightfoot.Michael at comcare.gov.au
Tue Jan 15 16:26:15 GMT 2002


> >    security = server
> >    password server = act-primary
> >    encrypt passwords = yes
> 
> Is there any reason you can't use 'security = domain'?
> 
History, basically.  I haven't tried to change anything substantive - just
the things necessary when upgrading from 1.9.18 to 2.2.2.  I'm also still
learning (relearning) this stuff as I haven't had to do samba for ages
(several years.)

> To join the domain use 'smbpasswd -j DOMAIN -U Administrator'.  This
> will create a machine account (with the PDC's admin password) 
> and set a
> password on that account.  This allows Samba to pass both the 
> challenge
> and response to the DC and to get back sane error codes.
>
I think I must be a little thick as I can't get this to work.  I tried:

smbpasswd -j COMCARE -u Administrator

It came back with a password prompt which I asked the M$ man to enter (for
the PDC admin account) and it failed authentication.  The server exists at
the PDC and everything (according to the M$ bloke) is OK there.

> >    password level = 2
> 
> You should not need this, its only used with plaintext passwords.
> 
Removed it - again just history.

> >    dead time = 15
> 
> This would have helped a bit, because by idling the connections you
> force a new challenge to be generated and so get a few more 
> auths out of
> the PDC - but a terminal server is unlikely to be idle...
> 
Changed this to 120 seconds until I get the security = domain stuff working.
BTW, this TS is not real busy as it is the one we are doing testing on.
There are only one or two people using it at any one time.
> Ahh, now I see what's going on...
> 
The security = domain will definitely fix this?
> If either end is rebooted then the connection must be 
> reestablished, and
> you get a fresh chance at authenticating users until the connection is
> dropped again.
> 
Makes sense - we have tested for this this morning and that's exactly the
behaviour.

> This is because you only get one login, and nobody notices that the
> password server disappeared in the meantime because the session is
> already active.
> 
We are getting browsing problems from Win2k TSE on another system (a
development machine) which is exhibiting symptoms of the server appearing in
the browse list, but no shares visible under that (the user is asked for a
password.)

> The final thing I will say is also the most annoying.  Unlike NT
> Terminal Server, it is not possible to make Win2k TSE make 
> more than one
> TCP/IP connection to the server.  This means that samba will have to
> deal with all the traffic via one smbd.  This not only removes that
> ability to use multiple CPUs, it also makes samba constantly have to
> change userid - a rather expensive system call.  This can kill
> performance.
> 
Are you saying here that Win2k TSE behaves like a simple client PC?  I
assume that M$ will fix that soonest as that's an appalling bug (but not
surprising when one considers that Citrix technology is really an awful
kludge on top of Windoze.)

One of the changes made in the last 24 hours is to move all the java stuff
onto the TS and only use Samba to provide document templates and stuff
sucked out of an Oracle database.

> Hope this helps,
> 
Close, but no cigar.  :-)
Michael Lightfoot
SysIX Unix Systems Consulting
02 6258 8185
michael.lightfoot at canb.auug.org.au
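For reference, here is the [global] section the reply above describes, with the `security = server` pass-through setup replaced by `security = domain`. This is an added illustration, not a config from the thread; the domain name COMCARE and the DC name act-primary are the ones quoted above, and the 120 second dead time is the value Michael mentions.

```ini
[global]
   ; Domain membership needs the NT domain name here
   workgroup = COMCARE
   ; Domain-member mode: Samba authenticates users against the DC using a
   ; machine trust account, created once (as root) with
   ;   smbpasswd -j COMCARE -U Administrator
   ; instead of relaying each logon over a single session as
   ; 'security = server' did.
   security = domain
   ; Samba 2.2 expects the DC name(s) here in domain mode
   password server = act-primary
   encrypt passwords = yes
   ; 'password level = 2' dropped: it only applies to plaintext passwords
   ; 'dead time' no longer needed to force fresh challenges, but harmless
   dead time = 120
```

The join must be done after this file is in place, since smbpasswd reads the workgroup from it, and the prompt it gives is for the DC Administrator password, not the local root password.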