[Samba] File Locking on Samba & Terminal Server 2008R2

Nick Couchman Nick.Couchman at seakr.com
Mon Jan 13 15:11:21 MST 2014

>>> On 2014/01/09 at 20:38, "erpo41 at gmail.com" <erpo41 at gmail.com> wrote: 
> Here is a document recommending the MultiUserEnabled trick on Windows
> Server 2008 R2 and explaining how to set it up:
> http://support.citrix.com/article/CTX131577
> It may solve your problem, but I'm not convinced I really understand the
> underlying issue yet. The documentation for Microsoft KB 913835 kind of
> makes it sound like the redirector on the terminal server maintains a
> single connection to the server for multiple users, but IIRC the Samba
> documentation says that authentication is done one time at the beginning of
> the connection. If that's the case, it's not clear to me how Microsoft
> intends that ACLs be enforced. Suppose the server has a file at
> \\FileServer\sharename\file.dat that User_A should be able to read, but
> User_B shouldn't. If User_A logs into TerminalServer first and opens a
> connection to \\FileServer\sharename, what is to prevent User_B from
> logging into TerminalServer and reading \\FileServer\sharename\file.dat
> through User_A's connection? What if User_B had logged in first and opened
> the connection, and then User_A tried to read file.dat? Would FileServer
> refuse the read request because the connection had been opened using
> User_B's credentials?
> Anyway, good luck!
> Eric

Thanks, Eric.  I have made this change on a couple of servers, and, interestingly, seem to be getting some different results based on different Samba platforms/versions.  I haven't spent any time tracking down whether it's a config or a version issue, but on my Linux system running Samba 3.6.3, each session on the terminal server uses a different PID.  On my Solaris system running Samba 3.6.18, all of the sessions from the terminal server use the same PID.  Weird.  Guessing there is some config difference - maybe the protocol version or something like that - affecting this, but not sure at this point.
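
A way to check the per-PID behaviour described in the reply above, as an added example that is not part of the original message: it groups session rows by smbd PID and reports any process serving more than one user. The sample text is constructed, and its layout (PID, Username, Group, Machine columns as in the session table smbstatus prints) is an assumption; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed samples laid out like the smbstatus session table
# (PID, Username, Group, Machine). Hosts, users and PIDs are invented.
SAMPLE_SHARED = """\
Samba version 3.6.18
PID     Username      Group         Machine
-------------------------------------------------------------------
 4210   user_a        staff         ts01         (192.0.2.10)
 4210   user_b        staff         ts01         (192.0.2.10)
 4377   user_c        staff         desk07       (192.0.2.55)
"""

SAMPLE_SEPARATE = """\
Samba version 3.6.3
PID     Username      Group         Machine
-------------------------------------------------------------------
 9001   user_a        staff         ts01         (192.0.2.10)
 9002   user_b        staff         ts01         (192.0.2.10)
"""

# One session row: pid, user, group, machine name, (address)
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\((\S+)\)\s*$")


def sessions_by_pid(text):
    """Map each smbd PID to the set of (user, machine) sessions it serves."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # version, header, separator and blank lines do not match
            pid, user, _group, machine, _addr = m.groups()
            table[int(pid)].add((user, machine))
    return dict(table)


def multiplexed_pids(text):
    """Return {pid: sorted users} for smbd processes serving more than one user."""
    result = {}
    for pid, sess in sessions_by_pid(text).items():
        users = sorted({user for user, _machine in sess})
        if len(users) > 1:
            result[pid] = users
    return result


if __name__ == "__main__":
    for name, sample in (("shared", SAMPLE_SHARED), ("separate", SAMPLE_SEPARATE)):
        print(name, multiplexed_pids(sample) or "one user per smbd process")
```

Usernames containing spaces would not match the row pattern and would need a column-width based parse instead.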

