PRODUCT: Advanced Server for UNIX -------- PATCH ID: ASUV51B2_350 --------- UPDATED PRODUCT: Advanced Server for UNIX Version 5.1B-2 ---------------- RELEASE DATE: June, 2004 -------------- The Advanced Server for UNIX (ASU) Version 5.1B-2 kit provides enhancements and corrections for problems found in the ASU Version 5.1B software, including ECO1, ECO2, and in earlier versions of the ASU software. This release note document has the following sections: - New Registry Parameters, Tools, and Commands - ASU Command Changes - ASU General Changes - ASU General Problem Descriptions and Solutions - ASU and TruCluster Server Version 5.x Problem Descriptions and Solutions - ASU and Windows 2000 and Windows 2003 Related Problem Descriptions and Solutions - Known Problems - ASU Installation Instructions ======================== New Registry Parameters ======================== New Registry Parameter: The FileChangeNotify registry parameter was added to the SYSTEM/CurrentControlSet/Services/AdvancedServer/FileServiceParameters path in the ASU registry. The FileChangeNotify parameter enables the ASU server to notify clients when a Windows client changes a file on an ASU share. The default value is 1 (notify clients). New Registry Parameters: The HashLongUnixUserName and TruncateLongUnixUserName registry parameters were added to the SYSTEM/CurrentControlSet/Services/AdvancedServer/UserServiceParameters path in the ASU registry. The HashLongUnixUserName(H) and TruncateLongUnixUserName(T) registry parameters define as follows how UNIX user account names are created if the ASU user name exceeds 8 characters in length: 1) If H=0, T=0: No UNIX user will be created but an event will be logged to the security event log. 2) If H=0, T=1: If the UNIX user does not exist, then the UNIX user name will be truncated; otherwise a failure event will be logged. 3) If H=1, T=0: The UNIX user name will be hashed (previous behaviour). 4) If H=1, T=1: The first UNIX user name will be truncated. Subsequent UNIX user names will be hashed. The default value for both parameters is 1. New Registry Parameter: The PostToEVM registry parameter was added under the Application, Security, and System subkeys of the SYSTEM/CurrentControlSet/Services/EventLog paths in the ASU registry. The PostToEVM registry parameter specifies which ASU events will be posted to EVM. The default value is -1 (post all ASU events to EVM). You can select ASU events to be posted to EVM by adding the event type values as follows: EVENTLOG_ERROR_TYPE 1 EVENTLOG_WARNING_TYPE 2 EVENTLOG_INFORMATION_TYPE 4 EVENTLOG_AUDIT_SUCCESS 8 EVENTLOG_AUDIT_FAILURE 16 For example, if you want System events of type Warning and Audit Failure to be posted to EVM, enter the value of PostToEVM under the System subkey as 18 (2+16). If you want Application events of type Error and Warning to be posted to EVM, enter the value of PostToEVM under the Application subkey as 3 (1+2). New Registry Parameter: The StoreAttributesAsMetadata registry parameter was added to the SYSTEM/CurrentControlSet/Services/AdvancedServer/FileServiceParameters path in the ASU registry. The StoreAttributesAsMetadata parameter enables storing of DOS attributes and file creation time in AdvFS metadata. This allows the use of DOS attributes irrespective of the UseUnixGroups registry parameter value and preserves the file creation time when modifying a file. The default value is 0 (do not store DOS attributes and file creation time in AdvFS metadata). Also, three new ASU commands chattr, lsattr, and rmattr were added to manage DOS attributes. Please see the respective reference pages for more information on these commands. New Registry Parameter: The StoreFileAcl registry parameter was added to the SYSTEM/CurrentControlSet/Services/AdvancedServer/FileServiceParameters path in the ASU registry. The StoreFileAcl parameter specifies whether or not to store explicit ACLs for files. The default value for StoreFileAcl is 1 (store file ACLs). When set to 0 the ASU server will not store explicit ACLs for files, but instead will compute inherited ACLs from files' parent directories when needed. This will prevent the ACL database from growing to an unmanageable size. Also, any attempts to set an explicit ACL on a file, through the net perms command, the net access command, or the Permissions dialog box from the Properties menu in Windows NT Explorer, will receive the "Access is denied" error message. This registry parameter can be overridden on a per-share basis. For more information, see the lmshare -A command in the ASU Command Changes section in this document. ========== New Tool: ========== A new client tool called pccheck is available in the pccheck folder of the ASTOOLS share. The pccheck tool collects and displays the following ASU information: - Network Statistics such as IP address, DNS, WINS, and so on - NetBIOS cache details - Active ports on the machine - Shares on the machine - User logon information such as username, domain name, profile path, and user accounts on the machine - Copy of lmhosts and the hosts file - Browse list for the network - Connectivity to the PDC/BDC Follow these steps to install the pccheck tool: 1) Map a drive to the ASU ASTOOLS share (\\\ASTOOLS). 2) Change to the pccheck directory. 3) Run setup.bat file, which copies the pccheck executables to the system32 directory of the client system. You can run the pccheck tool from either the DOS prompt or by double clicking on system32\pccheck entry from the Windows Explorer window. A window displays specifying that the 'data collection is in progress......' and on completion, the path and the name of the file that contains the collected information is displayed. ============= New Commands: ============= New Command: A new command called chattr is available to: - Set and clear DOS attributes - Move DOS attributes from metadata to DOS group - Move DOS attributes from DOS group to metadata See the chattr reference page for more information about the chattr command. New Command: A new command called lsattr is available to display the DOS attributes and creation time of objects. The DOS attributes can be stored either in a DOS group or in AdvFS metadata. See the lsattr reference page for more information about the lsattr command. New Command: A new command called rmattr is available to remove the DOS attributes stored in the AdvFS metadata for an object. See the rmattr reference page for more information about the rmattr command. New Command: You can now enter the kill -3 command to force a crash dump of an ASU process. Crash dump directories are created in the /usr/net/servers/lanman/debug directory. New Command: A new command called prcheck is available to check and enumerate ASU printer entries, which includes the ASU printer share entries, printer printcap entries, printer registry entries, and printer spool directory entries. See the prcheck reference page for more information about the prcheck command. =================== ASU Command Changes =================== Change: The acladm -p option has been extended to migrate the Power Users local group to the Server Operators local group on a domain controller. This option is automatically used when changing the role of an ASU server with the asusetup utility or the joindomain command. Change: The blobadm command now detects if too few or too many command options were specified. Change: The blobadm -b -v command now displays free fragment statistics, including a histogram of sizes of groups of free fragments. It also displays the position where each group size first occurs. Change: The blobadm -S -v command now displays the key values from the SAM database and change log records for better identification. Change: The listcache -S command now displays better NetBIOS name cache statistics, including the number of hit and missed NetBIOS name lookups. Change: The lmshare command has a new -A option that you can use to set or clear a per-share store file ACL parameter. The default value is 0 (use the value of the StoreFileAcl registry parameter). A value of 1 stores explicit ACLs for files. The value of the StoreFileAcl parameter can be displayed with the lmshare -L command. Change: The lmstat -a command now supports printer share names that are longer than 8 characters. Change: The lmstat -c command now displays the client operating system type. Change: The lmstat -S command now displays the Distributed Lock Manager (DLM) locks used for controlling access to blob files. Change: The regconfig command now accepts a hexadecimal value in the standard form 0xNNN in addition to the form xNNN, where NNN is one or more hex digits. Change: The regconfig command has the following two new options: - The -o option displays the registry value in octal - The -h option displays the registry value in hexadecimal Change: The samcheck -a command now decodes the privileges held by a user or group and displays them in text format. =================== ASU General Changes =================== Change: The asusetup utility now checks the share database for corruption. Change: There is a new tokensidlimit parameter under the [lmxserver] section in the lanman.ini file. The minimum value is 100 and the default value is 750. This value specifies the maximum number of groups that a user may belong to. Change: The LMCompatibilityLevel value is now retained in the lanman.ini file if the asusetup utility is rerun. This value is set according to the value of the LMCompatibilityLevel registry entry located in the SYSTEM/CurrentControlSet/Control/Lsa registry path. Change: If you change the ASU server's role from member server to primary or backup domain controller, all access control entries for the Power Users local group will be changed to Server Operators group, because domain controllers do not have a Power Users local group. Change: Blob files will now automatically shrink in size if there is more than 20% space free after deleting some data. For example, if you enter the acladm -T command to delete thousands of redundant ACLs, the ACL database will shrink, leaving between 10% and 20% space free. Change: When the ASU SIA subset was installed, the setld utility used to configure ASU SIA by default, which was not always desirable. Now when the ASU SIA subset is installed, the setld utility only installs the subset. To configure ASU SIA, you must use the new asusiasetup utility or the asusetup utility. Change: The ASU server sends change notify responses to the clients right away, regardless of the value for the FileChangeNotifyInterval registry entry. Change: The asusetup utility has been enhanced to preserve the previous configuration if the asusetup utility is interrupted. Change: The asusetup utility requires at least one DNS subdomain entry when configuring Domain Name Server (DNS) name resolution for the first time. The asusetup utility now provides the DNS subdomain of the host system as the default. This makes it quicker and easier to configure DNS name resolution for the first time. ============================================== ASU General Problem Descriptions and Solutions ============================================== Problem Addressed: Sometimes a NetBIOS name conflict would cause the system to panic. This problem has been corrected. Problem Addressed: Renaming a folder that had several thousand files under it would take an excessive amount of time. This problem has been corrected. Problem Addressed: If you deinstall the ASU software and saved only the server configuration (BASE subset) and not the transport configuration (TRANSPORTS subset), the asusetup utility would recreate the SAM database, which would overwrite the existing server configuration information and remove user accounts. This problem has been corrected. The transports configuration is automatically saved when the server configuration is saved. Problem Addressed: Removing the ASUSIA subset would delete the /etc/asusiausers file. This problem has been corrected. Problem Addressed: The ASU net commands would hang if the Samba smbd process was running on the same system as the ASU server. This problem has been corrected. Problem Addressed: If the SyncUnixPassword registry entry was set to 1 (enabled), and the UNIX password database contained a large number of entries, then changing an ASU password would excessively delay other users from logging in or changing their password. This problem has been corrected. Problem Addressed: When moving a Member Server from one domain to another, the local user account information was not retained. This problem has been corrected. Problem Addressed: The ASU lmx.srv process would sometimes hang when connecting to a trusted domain controller over NetBEUI. This problem has been corrected. Problem Addressed: The net access command would set invalid Access Control Entry (ACE) flags in Access Control Lists (ACLs) for files, which the net perms command would then display as "Special Access" access control entries. This problem has been corrected. Problem Addressed: If a trusted domain controller was unavailable, or the trust was broken, then any access permissions which referenced any users or groups from that unavailable domain could not be modified with the net perms command. This problem has been corrected. Problem Addressed: When adding an existing local group, the net localgroup command would display the following message: "Error 1379 has occurred." Now the following message is displayed: "The specified local group already exists." Problem Addressed: Occasionally the ASU lmx.dmn process would leak memory and consume 100% CPU when periodically updating machine accounts. This problem has been corrected. Problem Addressed: Running the samcheck -s command on a ASU Backup Domain Controller (BDC) would sometimes display the following message: "The Everyone account object is missing." This problem has been corrected. Problem Addressed: The lsacl command would not return a non-zero exit status in case of an error. For example: # lsacl some-non-existent-file # echo $? 0 This problem has been corrected. ======================================================================== ASU and TruCluster Server Version 5.x Problem Descriptions and Solutions ======================================================================== Problem Addressed: The ASU server was generating NetBIOS name conflicts with identical browser and daemon NetBIOS listen names when server names were greater than 10 characters in length. This was because the ASU server generated NetBIOS listen names for the browser and daemon by truncating the server name to 10 characters and then appending #BROW and #DMN suffixes. For example, server names Fileserver-1 and Fileserver-2 would generate Fileserver#BROW and Fileserver#DMN for both servers, which led to a NetBIOS name conflict on the network. Now the server name limit has been increased to 13 characters from 10 characters by reducing #BROW to #B and #DMN to #D. For example, the NetBIOS listen names now generated would be: Fileserver-1#B and Fileserver-1#D (for Fileserver-1) Fileserver-2#B and Fileserver-2#D (for Fileserver-2) Problem Addressed: When using the asusetup utility to reconfigure the ASU server cluster mode from multi to none, entries for other nodes of the cluster (controller_nn, member_nn) were not removed in the transports.ini file. This problem has been corrected. Problem Addressed: When the ASU server was configured in single mode on a TruCluster server on which the caad daemon is not running, the net start server command would display the following message: "The service is not responding to the control function. More help is available by typing NET HELPMSG 2186." Now the following message is displayed: "The SERVER service could not be started. Problem with CAA or ASU's CAA configuration." Problem Addressed: When the ASU server was configured in single mode on a TruCluster server on which the caad daemon is not running, the net stop server command would display the following message: "The SERVER service could not be stopped. More help is available by typing NET HELPMSG 6126". Now the following message is displayed: "The SERVER service could not be stopped. Problem with CAA or ASU's CAA configuration." Problem Addressed: When the ASU server was configured in single mode on a TruCluster server on which the caad daemon is not running, the asusetup utility would continue even if it failed to stop the ASU server. Now the asusetup utility terminates and displays the following message: "Please see the /var/adm/smlogs/asusetup.log for more information." Problem Addressed: You can now configure the ASU server to use a non-default cluster alias. The ASU server supports only one cluster alias, which can be either the default alias or a non-default alias. When using the non-default cluster alias, configure all of the nodes in the cluster before configuring the ASU server. Use the asusetup utility to configure the name of the cluster alias that the ASU server will use. Do not manually edit ASU configuration files. Problem Addressed: While installing the ASU subsets in a cluster environment, the setld utility uses the member id of the cluster members to display any information that is specific to member nodes. For example: "Configuring "Transports" (ASUTRAN542) on member0 "Configuring "Base Server" (ASUBASE542) on member0 ********************************************* When installation has completed, please run /usr/sbin/asusetup to configure your server. ********************************************* Configuring "Transports" (ASUTRAN542) on member1 Configuring "Base Server" (ASUBASE542) on member1 Configuring "Transports" (ASUTRAN542) on member2 Configuring "Base Server" (ASUBASE542) on member2" In the previous output, the setld utility treats member0 as the member on which the setld utility is running or on which the subsets are being installed. The actual member ids are member1, member2, and so on. As the setld utility only displayed the member id's, it might have been difficult to understand which cluster node the member id referred to. Now both the member name and member id are displayed. Problem Addressed: The lmx.srv process would sometimes hang waiting for an UNIX lock on a file served by the Network File System (NFS). This would prevent the client from doing any further work, and eventually would cause the ASU server to crash. This problem has been corrected. A new parameter called nfstimeout has been added to the lanman.ini file in the [lmxserver] section. The nfstimeout parameter specifies, in seconds, the maximum amount of time that the lmx.srv process will wait for an UNIX lock on a file served by NFS. The default value is 15 seconds. Problem Addressed: In CAA mode, The ASU server would try to start on member nodes that were not configured for ASU. This problem has been corrected. Problem Addressed: While configuring the ASU server in a cluster environment with the asusetup utility, the following error message would display if the server name was changed from the cluster alias in single instance mode and if the server name was changed from the node name in multi instance mode. "ERROR: An account for this machine cannot be created. The Primary Domain Controller for this domain must be started and active on the network before the installation of a Backup Domain Controller is attempted. Remove this package and any previous installations before reinstalling. ERROR: The Compaq Advanced Server V5.1B for UNIX was unable to be configured successfully." This problem has been corrected. ===================================================== ASU and Windows 2000 and Windows 2003 Related Problem Descriptions and Solutions ===================================================== Problem Addressed: Changing a password at first logon failed on an ASU cluster member server in a windows 2003 domain. This problem has been corrected. Problem Addressed: Entering the net user user-name command on a ASU backup domain controller in a Windows 2000 and Windows 2003 domain failed and displayed the following message: "Arguments to NET USER are invalid. Check the minimum password length and/or arguments supplied. More help is available by typing NET HELPMSG 3770." This problem has been corrected. Problem Addressed: The net logon user-name password /domain:domain-name command failed on an ASU member server in windows 2003 domain and displayed the following message: "Error 1380 has occurred. Logon failure: the user has not been granted the requested logon type at this computer." This problem has been corrected. Problem Addressed: When setting up a trust to the ASU server, the following messages are displayed on the Windows 2003 system: The verification of the incoming trust failed with the following error(s): The verification of the outgoing trust failed with the following error(s): These messages are followed by a detailed list of the actual errors. You can ignore these messages and complete the setup of the trust on the ASU server by using the following net commands: # net logon administrator # net trust /domain: /allow # net trust /add You can validate the trust by using the Windows 2003 "Active Directory Domains and Trusts" snap-in. ============== Known Problems ============== Problem: The ASU server does not support any locale with an expanding character set, such as UTF-8 codesets. For example, locale Ja_JP.UTF-8. Problem: The ASU server does not set the archive attribute when backing up a modified Microsoft Word file on a network share from a Windows client. Problem: The ASU server does not synchronize UNIX passwords for Network Information Service (NIS) users when the SyncUnixPassword registry parameter is enabled and if Enhanced Security is installed. Note: this does not affect the ASU password change. Problem: The SAM database replication to an ASU BDC configured in a multi mode cluster fails if ASU is configured to use TCP/IP only. The solution is to execute the net accounts /sync command on the ASU BDC as needed. ============================= ASU Installation Instructions ============================= This kit is a complete software kit that includes the features and functionality of previous ASU software releases, and provides corrections for the problems described in this document. If you are installing the ASU software for the first time, change to the directory where the ASU software was downloaded, enter the following command, and follow the instructions on the screen: # setld -l . If you have ASU, ASDU, or PATHWORKS for DIGITAL UNIX subsets installed, you must use the Tru64 UNIX setld command to deinstall those subsets before you install the subsets in this kit. Follow these steps to use the setld command to deinstall ASU, ASDU, or PATHWORKS subsets and install the ASU Version 5.1B-2 software: 1. Display the installed ASU, ASDU, or PATHWORKS subsets. Enter one of the following commands depending on the software installed: # /usr/sbin/setld -i | grep ASU | grep installed | grep -v not # /usr/sbin/setld -i | grep ASDU | grep installed | grep -v not # /usr/sbin/setld -i | grep PATHWORKS | grep installed | grep -v not 2. Deinstall the ASU, ASDU, or PATHWORKS subsets. Enter the /usr/sbin/setld -d command followed by the name of each subset. For example, to deinstall the ASU Version 5.0 base, transport, and reference page subsets enter: # /usr/sbin/setld -d ASUBASE500 ASUTRAN500 ASUMANPAGE500 While subsets are being deinstalled, you are prompted to save configuration files and the user account and share databases. Save these files and databases if you want to reuse them with the ASU Version 5.1B-2 software. 3. Install the ASU Version 5.1B-2 software. Change to the directory where the ASU Version 5.1B-2 software was downloaded, enter the following command, and follow the instructions on the screen: # setld -l . See the ASU Installation and Administration guide for more information on installing the ASU software. =============================================================== Copyright 2004 Hewlett-Packard Company. All Rights Reserved. Unpublished rights reserved under the copyright laws of the United States. The software contained on this media is proprietary to and embodies the confidential technology of Hewlett-Packard Company. Possession, use, duplication, or dissemination of the software and media is authorized only pursuant to a valid written license from Hewlett-Packard Company.