Fear, Uncertainty, Doubt and Citrix on Win2k

Andrew Bartlett abartlet at pcug.org.au
Thu Jan 17 04:39:03 GMT 2002


"Lightfoot.Michael" wrote:
> 
> > >    security = server
> > >    password server = act-primary
> > >    encrypt passwords = yes
> >
> > Is there any reason you can't use 'security = domain'?
> >
> History, basically.  I haven't tried to change anything substantive - just
> the things necessary when upgrading from 1.9.18 to 2.2.2.  I'm also still
> learning (relearning) this stuff as I haven't had to do samba for ages
> (several years.)
> 
> > To join the domain use 'smbpasswd -j DOMAIN -U Administrator'.  This
> > will create a machine account (with the PDC's admin password)
> > and set a
> > password on that account.  This allows Samba to pass both the
> > challenge
> > and response to the DC and to get back sane error codes.
> >
> I think I must be a little thick as I can't get this to work.  I tried:
> 
> smbpasswd -j COMCARE -u Administrator
> 
> It came back with a password prompt which I asked the M$ man to enter (for
> the PDC admin account) and it failed authentication.  The server exists at
> the PDC and everything (according to the M$ bloke) is OK there.

I forgot to mention to add ' -r PDCname', otherwise the darn thing
defaults to localhost... (and yes, the new 'net rpc join' util in HEAD
does this properly....).

> > >    password level = 2
> >
> > You should not need this, its only used with plaintext passwords.
> >
> Removed it - again just history.
> 
> > >    dead time = 15
> >
> > This would have helped a bit, because by idling the connections you
> > force a new challenge to be generated and so get a few more
> > auths out of
> > the PDC - but a terminal server is unlikely to be idle...
> >
> Changed this to 120 seconds until I get the security = domain stuff working.
> BTW, this TS is not real busy as it is the one we are doing testing on.
> There are only one or two people using it at any one time.

Watch out, you do lose all file locks when you do this...

> > Ahh, now I see what's going on...
> >
> The security = domain will definitely fix this?

Certainly.

> > If either end is rebooted then the connection must be
> > reestablished, and
> > you get a fresh chance at authenticating users until the connection is
> > dropped again.
> >
> Makes sense - we have tested for this this morning and that's exactly the
> behaviour.
> 
> > This is because you only get one login, and nobody notices that the
> > password server disappeared in the meantime because the session is
> > already active.
> >
> We are getting browsing problems from Win2k TSE on another system (a
> development machine) which is exhibiting symptoms of the server appearing in
> the browse list, but no shares visible under that (the user is asked for a
> password.)
> 
> > The final thing I will say is also the most annoying.  Unlike NT
> > Terminal Server, it is not possible to make Win2k TSE make
> > more than one
> > TCP/IP connection to the server.  This means that samba will have to
> > deal with all the traffic via one smbd.  This not only removes that
> > ability to use multiple CPUs, it also makes samba constantly have to
> > change userid - a rather expensive system call.  This can kill
> > performance.
> >
> Are you saying here that Win2k TSE behaves like a simple client PC?  I
> assume that M$ will fix that soonest as that's an appalling bug (but not
> surprising when one considers that Citrix technology is really an awful
> kludge on top of Windoze.)

The multiplexing behaviour only affects samba because all the other
server implementations use kernel threads, and so don't pay the penalty.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
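Pulling the thread's advice together as an added example (not part of the original posts): the smb.conf settings quoted above in their `security = server` form beside the `security = domain` form recommended in the thread, followed by the join command with the `-r` option added in this reply. The PDC name act-primary and domain COMCARE come from the thread; `workgroup` is assumed to carry the domain name, and the parameter set is otherwise limited to what the thread mentions.

```ini
# Original settings quoted in the thread. With security = server, smbd
# gets one login against the password server per connection; if the
# connection to act-primary drops, further users on that session are
# not authenticated until the connection is re-established.
[global]
   security = server
   password server = act-primary
   encrypt passwords = yes
   password level = 2      ; only used with plaintext passwords, no effect here
   dead time = 15          ; idling connections forces a fresh challenge,
                           ; but also drops all file locks

# Recommended form: Samba holds a machine account in the domain and
# passes each user's challenge and response on to the DC, so it gets
# proper error codes back and does not depend on one cached login.
[global]
   workgroup = COMCARE     ; domain name (assumed from the thread)
   security = domain
   password server = act-primary
   encrypt passwords = yes

# Joining the domain is a one-off step run as root on the Samba server.
# Without -r, smbpasswd talks to localhost instead of the PDC:
#
#   smbpasswd -j COMCARE -r act-primary -U Administrator
```

The two `[global]` sections are shown side by side for comparison only; an actual smb.conf carries one.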