PATCH ID: ASUV51B4_497

PRODUCT: Advanced Server for UNIX
--------

UPDATED PRODUCT: Advanced Server for UNIX Version 5.1B-4
----------------

RELEASE DATE: August 2006
----------------

The Advanced Server for UNIX (ASU) Version ASU 5.1B-4 kit provides enhancements and corrections for problems found in the ASU Version 5.1B-3 software, including ECO2 and in earlier versions of the ASU software.

This release note document has the following sections:

- New Registry, lanman.ini, and transports.ini Parameters
- ASU Command Changes
- ASU General Changes
- ASU Command Problem Descriptions and Solutions
- ASU General Problem Descriptions and Solutions
- Known Problems
- ASU and TruCluster Server Version 5.x Problem Descriptions and Solutions
- ASU Installation Instructions

-------------------------------------------------------
New Registry, lanman.ini, and transports.ini Parameters
-------------------------------------------------------

New lanman.ini and transports.ini Parameters:

Two new parameters have been added to lanman.ini and transports.ini to control the access permissions for ASU debug logs and crash directories. The parameters are found under the [lmxserver] section in lanman.ini, and under the [tcpip] section in transports.ini.

The parameter "debugfileperms" specifies the access permissions given to debug logs. Its default value is 0600.

The parameter "crashdirperms" specifies the access permissions given to crash directories. Its default value is 0700.

For example, to make ASU server debug logs and crash directories world-readable, add the following entries to lanman.ini:

    [lmxserver]
    debugfileperms=0644
    crashdirperms=0755

To make knblink debug logs and crash directories world-readable, add the following entries to transports.ini:

    [tcpip]
    debugfileperms=0644
    crashdirperms=0755

New Registry Parameter:

A new registry parameter, NoLMHash, can be used to disable the storage of LAN Manager (LM) hashes of users' passwords in the SAM database.
Setting NoLMHash to 1 prevents the ASU server from storing an LM hash value at the user's next password change. It also prevents storing an LM hash value for any new users in the SAM database. The default value for this parameter is 0, which specifies that the ASU server will store LM hashes of users' passwords in the SAM database.

This parameter is located under the following ASU registry key:

    SYSTEM/CurrentControlSet/Control/Lsa

It is better for security to prevent the storage of the LM hash value if you do not need it for backward compatibility with clients running Windows 95, Windows 98, Windows ME, or Samba versions less than 3.0. Windows NT, 2000, 2003, and XP clients and servers can all authenticate with the NT hash value if there is no LM hash value in the SAM database.

New Registry Parameter:

A new registry parameter, StoreAclAsMetadata, enables the ASU server to store file and directory ACLs directly in file system metadata. This is particularly useful if the number of files with explicit ACLs has caused the ACL database to grow extremely large (more than a million ACLs).

The default value for this parameter is 0, which specifies that the ASU server store ACLs in the ACL database. A value of 1 specifies that the ASU server store ACLs in file system metadata.

This parameter is located under the following ASU registry key:

    SYSTEM/CurrentControlSet/Services/AdvancedServer/FileServiceParameters

New lanman.ini Parameter:

A new parameter, uniquedgname, has been added to the [lmxserver] section of lanman.ini. This parameter controls whether ASU processes append a unique suffix to the source NetBIOS name in datagrams. The default value is "no", which means that all ASU processes will use the same computer name as the source NetBIOS name. A value of "yes" means that ASU processes will append a unique suffix, as was done in previous versions of ASU.
For example, the browser process will append #B, the daemon process #D, the repl process #R, and each server process #pid, where pid is the process ID of the lmx.srv process.

-------------------
ASU Command Changes
-------------------

Change:

The "acladm" command has been enhanced to output a status message for every 100000 ACLs that are scanned in the ACL database. This is helpful when working with large ACL databases. For example:

    # acladm -Ty > trim.log
    Scanned 100000 ACL records...
    Scanned 200000 ACL records...
    Scanned 300000 ACL records...
    Scanned 400000 ACL records...
    Scanned 500000 ACL records...
    Scanned 600000 ACL records...
    #

Change:

The "lmstat -c" command now displays the following additional information for client connections:

- The start time of the connection
- The logged-in domain and user name
- The mapped UNIX user name
- Whether or not a NULL session has been established

For terminal servers, the command displays only the number of users connected, instead of the domain, user, and mapped UNIX names.

Change:

The "lmstat -n" command can now display a new per-process counter called "clientclockskewed". This counter indicates how many times password authentication failed due to the server and client clock being skewed more than 30 minutes with respect to each other when the LMCompatibilityLevel registry parameter is set to 5.

Change:

The "lmstat" command has a new option, -P, which displays the posted NetBIOS names that are stored in shared memory. Note that the nbemon and knbmon utilities may show additional posted NetBIOS names that are not stored in shared memory.

Change:

The "lsacl" command has a new option, -T, that can be used to display an ACL for a file or directory only if the ACL is stored in file system metadata.

Change:

The "nbtlookup" command has a new option, -a, to display the TCP/IP address of the NetBIOS name.
This option can be combined with the -h option to display both the TCP/IP address and the TCP/IP host name of the NetBIOS name in a single command. For example:

    # nbtlookup -ah server
    16.123.123.123 server.test.com

This new option is the default option for compatibility with previous versions of nbtlookup.

Change:

The "net localgroup /add" command on an ASU backup domain controller (BDC) now displays the following message:

    The request will be processed at the primary domain controller
    for domain .

where is the current domain name.

---------------
General Changes
---------------

Change:

The ASU server can now be configured to use port 445 for SMB connections in addition to the default ports 138 and 139. Configuring ASU to use port 445 is useful if any Windows servers or clients in the network have been configured to use only port 445 for SMB connections. By default, ASU does not use port 445. Use asusetup to configure ASU to use port 445.

Change:

The knblink debug log now has time stamps at the beginning of each line to aid in analyzing ASU transport problems.

----------------------------------------------
ASU Command Problem Descriptions and Solutions
----------------------------------------------

Problem Addressed:

The "acladm -D" command had a large memory leak. This caused poor performance of the command, and eventually a core dump if the ACL database was extremely large.

This problem has been corrected.

Problem Addressed:

If the registry parameters EnableSecuritySignature and RequireSecuritySignature are set to 1, the "asuivp" command would fail with the following error message:

    Verification #1 via network knbtcp
    Create Share knbtcp ...Failed
    Logon failure: the user has not been granted the requested logon
    type at this computer.

This problem has been corrected.
Change:

If the SyncUnixPerms registry parameter was enabled, the "asuivp" command would fail with the following error, even though the ASU installation was correct and functioning:

    Create File ...Failed Failed Access is denied.

This problem has been corrected.

Problem Addressed:

If the asusetup or joindomain utility was used to join a domain, but the domain's administrator password was longer than 14 characters, the utility would fail with the following error:

    Password must be shorter than 15 characters.

This problem has been corrected.

Problem Addressed:

If the Primary Domain Controller (PDC) of a domain was changed, and "asusetup" was run on an ASU member server of that domain, the member server's SAM database was not updated to reflect the new PDC. Under certain conditions, this would prevent the ASU member server's NetLogon service from starting properly. This in turn would prevent users from being able to access resources on the member server using their domain accounts.

This problem has been corrected.

Problem Addressed:

The "elfread" command used to crash if the secure channel to a trusted domain controller was down, because elfread needed the domain controller to translate a SID (Security Identifier) to a user name.

This problem has been corrected.

Problem Addressed:

The "joindomain" command used to warn that all data in the user accounts database and related files would be re-initialized. However, this is not true for a member server if the server remains a member (even if the domain name is changed).

The warning messages have been corrected.

Problem Addressed:

If ASU was configured as a BDC or member server, and the user executed the "joindomain" command but did not change the server name, role, or PDC name, then the command would sometimes fail with the following error message:

    ERROR: Creation of remote account failed - Access Denied.
    The account or password is invalid or 'invalid' is not an
    administrative account.

This problem has been corrected.
Problem Addressed:

The "net start server" command would sometimes display a success message even though it failed to start all the ASU processes.

This problem has been corrected.

Problem Addressed:

The "net logon" command from a non-root process used to display the following warning message:

    You were logged on, but have not been validated by a server.
    Therefore, you may not have permission to use some network
    resources.

This problem has been corrected.

Problem Addressed:

If the registry parameter LMCompatibilityLevel under the key SYSTEM/CurrentControlSet/Control/Lsa was set to 3, 4, or 5, the "net user /add" command from a root process, or a non-root process logged in with administrative privileges, used to fail with the following error:

    Error 86 has occurred.
    The specified network password is not correct.

This problem has been corrected.

Problem Addressed:

The "regconfig -l" command used to return an exit status of 1 on successful completion instead of returning an exit status of 0.

This problem has been corrected.

----------------------------------------------
ASU General Problem Descriptions and Solutions
----------------------------------------------

Problem Addressed:

The netbeui and knbtcp transports have been fixed to handle the case of the streams variable "lbolt" becoming negative. It is not known what all the symptoms of this problem were. However, this fix should result in more consistent behavior of the ASU transports.

Problem Addressed:

Under rare conditions, the lmx.dmn PULSE task would stall, waiting for the discovery of a domain controller.
For example, the "lmstat -t" command would display the following output:

    lmx.dmn pid 4614 4477 cycles, 4 tasks
    Idle Task
    Pulse is paused since Wed Dec 29 12:40:14 2004 waiting for discovery of DC
    Logon is waiting for a semaphore in Queue.get
    Replicate is waiting for a semaphore in Queue.get

This caused the following problems:

- Updates to the SAM database (such as group membership) were not replicated to Backup Domain Controllers.
- Trust passwords were not automatically refreshed every 7 days.

This problem has been corrected.

Problem Addressed:

Shared memory locking has been improved for SMP systems. This should prevent obscure problems on heavily-loaded servers.

Problem Addressed:

If the SyncUnixPassword registry parameter was set to 1 (enabled), and the UNIX password database contained a large number of entries, then changing an ASU password would cause the Windows client to disconnect from the ASU server because an SMB response was not received within the default timeout period of 45 seconds.

This problem has been corrected.

--------------
Known Problems
--------------

Problem:

If you disable the use of ports 138 and 139, ASU will be unable to find the PDC of the domain. This will prevent replication of the SAM database to an ASU BDC, and prevent proper authentication of domain user names and passwords on an ASU BDC or member server.

Problem:

The knblink process will log the contents of invalid datagrams sent to port 138 in an unusual event log in the /usr/net/servers/lanman/debug directory. Unusual events are not necessarily problems. If you notice such unusual events being logged, please report this to HP field service for further diagnosis.
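
The following is an added example, not part of the HP release notes or the ASU kit. It relates to the debugfileperms and crashdirperms parameters described under "New Registry, lanman.ini, and transports.ini Parameters": it reads a lanman.ini or transports.ini file on standard input and reports any setting in the named section that grants group or world access beyond the owner-only defaults (0600 and 0700). The function name, the output format, and the treatment of ';' and '#' lines as comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not HP code): flag debugfileperms / crashdirperms values
# that open ASU debug logs or crash directories beyond the owner.
# Usage: asu_perm_audit SECTION < inifile
#   SECTION is lmxserver (lanman.ini) or tcpip (transports.ini).
# Assumptions: lines starting with ";" or "#" are comments; section and
# key names are matched case-insensitively. A missing key means the
# documented default applies, so nothing is reported for it.
asu_perm_audit() {
    awk -v want="$1" '
    function rwx(d, r, w, x) {      # one octal digit to an "rwx" string
        r = (d >= 4) ? "r" : "-"
        w = (int(d / 2) % 2) ? "w" : "-"
        x = (d % 2) ? "x" : "-"
        return r w x
    }
    { gsub(/^[ \t]+|[ \t]+$/, "") }             # trim the line
    $0 == "" || /^[;#]/ { next }                # blank line or comment
    /^\[.*\]$/ { sect = tolower(substr($0, 2, length($0) - 2)); next }
    sect != tolower(want) { next }              # outside the wanted section
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
        if (key != "debugfileperms" && key != "crashdirperms") next
        if (val !~ /^[0-7][0-7][0-7][0-7]?$/) {
            printf "[%s] %s=%s INVALID not a 3- or 4-digit octal mode\n", want, key, val
            next
        }
        n = length(val)
        grp = substr(val, n - 1, 1) + 0         # group digit
        oth = substr(val, n, 1) + 0             # other (world) digit
        if (grp || oth)
            printf "[%s] %s=%s EXPOSED group=%s other=%s\n", want, key, val, rwx(grp), rwx(oth)
    }'
}

# Constructed sample: the world-readable lanman.ini entries shown in the
# release note.
asu_perm_sample() {
    printf '%s\n' '[lmxserver]' 'debugfileperms=0644' 'crashdirperms=0755'
}

asu_perm_sample | asu_perm_audit lmxserver
```

On a real system the function would be fed the installed files, for example `asu_perm_audit tcpip < transports.ini`, run from the directory that holds them.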
------------------------------------------------------------------------
ASU and TruCluster Server Version 5.x Problem Descriptions and Solutions
------------------------------------------------------------------------

Problem Addressed:

Occasionally, the ASU server would incorrectly reject connections made to the cluster alias IP address.

This problem has been corrected.

-----------------------------
ASU Installation Instructions
-----------------------------

This kit is a complete software kit that includes the features and functionality of previous ASU software releases, and provides corrections for the problems described in this document.

If you are installing the ASU software for the first time, change to the directory where the software was downloaded, enter the following command, and follow the instructions on the screen:

    # setld -l .

If you have ASU, ASDU, or PATHWORKS for DIGITAL UNIX subsets installed, you must use the Tru64 UNIX setld command to deinstall those subsets before you install the subsets in this kit.

Follow these steps to use the setld command to deinstall ASU, ASDU, or PATHWORKS subsets and install the ASU Version 5.1B-4 software:

1. Display the installed ASU, ASDU, or PATHWORKS subsets. Enter one of the following commands depending on the software installed:

    # /usr/sbin/setld -i | grep ASU | grep -v not
    # /usr/sbin/setld -i | grep ASDU | grep -v not
    # /usr/sbin/setld -i | grep PATHWORKS | grep -v not

2. Deinstall the ASU, ASDU, or PATHWORKS subsets. Enter the /usr/sbin/setld -d command followed by the name of each subset. For example, to deinstall the ASU Version 5.0 base, transport, and reference page subsets enter:

    # /usr/sbin/setld -d ASUBASE500 ASUTRAN500 ASUMANPAGE500

   While subsets are being deinstalled, you are prompted to save configuration files and the user account and share databases. Save these files and databases if you want to reuse them with the ASU Version 5.1B-4 software.

3. Install the ASU Version 5.1B-4 software.
   Change to the directory where the ASU Version 5.1B-4 software was downloaded, enter the following command, and follow the instructions on the screen:

    # setld -l .

See the ASU Installation and Administration guide for more information on installing the ASU software.

===============================================================

© 2006 Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

UNIX® is a registered trademark of The Open Group. Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.