[Samba] File Locking on Samba & Terminal Server 2008R2

Nick Couchman Nick.Couchman at seakr.com
Mon Jan 13 15:16:20 MST 2014


>>> On 2014/01/09 at 20:38, "erpo41 at gmail.com" <erpo41 at gmail.com> wrote: 
> Here is a document recommending the MultiUserEnabled trick on Windows
> Server 2008 R2 and explaining how to set it up:
> http://support.citrix.com/article/CTX131577
> 
> It may solve your problem, but I'm not convinced I really understand the
> underlying issue yet. The documentation for Microsoft KB 913835 kind of
> makes it sound like the redirector on the terminal server maintains a
> single connection to the server for multiple users, but IIRC the Samba
> documentation says that authentication is done one time at the beginning of
> the connection. If that's the case, it's not clear to me how Microsoft
> intends that ACLs be enforced. Suppose the server has a file at
> \\FileServer\sharename\file.dat that User_A should be able to read, but
> User_B shouldn't. If User_A logs into TerminalServer first and opens a
> connection to \\FileServer\sharename, what is to prevent User_B from
> logging into TerminalServer and reading \\FileServer\sharename\file.dat
> through User_A's connection? What if User_B had logged in first and opened
> the connection, and then User_A tried to read file.dat? Would FileServer
> refuse the read request because the connection had been opened using
> User_B's credentials?
> 
> Anyway, good luck!
> 
> Eric
> 

Anyone know if the NT1 and SMB2 protocols handle this differently?  With the different results on different Samba servers, the only thing I can see is that, on the Solaris one, I have "max protocol = NT1" whereas on the Linux one I have "max protocol = SMB2".  I believe the reason I limited the Solaris system to NT1 is because it resolved an issue I was having with MS Office files not saving correctly to the Samba on Solaris (ZFS) system.

-Nick


