From 61526c44ac974e3df5a93981c995fc19cc2ed0ee Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Sat, 12 Mar 2005 05:35:53 +0000 Subject: This is the last update to the Samba-Guide for a little while. I'm about to tackle the HOWTO for a make-over. (This used to be commit dfef9d6ecc7f3c403b5c259d40935d976fcf884d) --- docs/Samba-Guide/Chap04-SecureOfficeServer.xml | 2 +- docs/Samba-Guide/Chap05-500UserNetwork.xml | 3 +- docs/Samba-Guide/Chap06-MakingHappyUsers.xml | 189 +++++++++++++++++++++++-- docs/Samba-Guide/Chap07-2000UserNetwork.xml | 8 +- docs/Samba-Guide/Chap08-MigrateNT4Samba3.xml | 48 +++---- docs/Samba-Guide/index.xml | 2 + 6 files changed, 205 insertions(+), 47 deletions(-) (limited to 'docs') diff --git a/docs/Samba-Guide/Chap04-SecureOfficeServer.xml b/docs/Samba-Guide/Chap04-SecureOfficeServer.xml index 06d52c08b7..947ac4a9b7 100644 --- a/docs/Samba-Guide/Chap04-SecureOfficeServer.xml +++ b/docs/Samba-Guide/Chap04-SecureOfficeServer.xml @@ -1969,7 +1969,7 @@ $rootprompt; ps ax | grep winbind The winbindd daemon is running in split mode (normal), so there are also two instancesFor more information regarding winbindd, see TOSHARG, - Chapter 20, Section 20.3. The single instance of smbd is normal. One additional + Chapter 22, Section 22.3. The single instance of smbd is normal. One additional smbd slave process is spawned for each SMB/CIFS client connection. of it. diff --git a/docs/Samba-Guide/Chap05-500UserNetwork.xml b/docs/Samba-Guide/Chap05-500UserNetwork.xml index 8ad8d81573..0b38bfde83 100644 --- a/docs/Samba-Guide/Chap05-500UserNetwork.xml +++ b/docs/Samba-Guide/Chap05-500UserNetwork.xml 
@@ -957,7 +957,8 @@ hosts: files dns wins add group script/usr/sbin/groupadd '%g' delete group script/usr/sbin/groupdel '%g' add user to group script/usr/sbin/usermod -G '%g' '%u' -add machine script/usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u' +add machine script/usr/sbin/ +useradd -s /bin/false -d /var/lib/nobody '%u' preferred masterYes wins supportYes include/etc/samba/dc-common.conf diff --git a/docs/Samba-Guide/Chap06-MakingHappyUsers.xml b/docs/Samba-Guide/Chap06-MakingHappyUsers.xml index 2bb1fb8b98..d0f1515652 100644 --- a/docs/Samba-Guide/Chap06-MakingHappyUsers.xml +++ b/docs/Samba-Guide/Chap06-MakingHappyUsers.xml @@ -963,18 +963,12 @@ clients is conservative and if followed will minimize problems - but it is not a Preliminary Advice &smbmdash; Dangers Can be Avoided - When I was 8 years of age there was an old man who walked with a cane. He told the the - kids of the neighborhood that when he was very yound he broke his leg. His parents could - not afford good medical care and they lived in the country when medical help was not readily - available, he suffered the consequences his whole life. His advice regarding how best - to mend a broken leg was never break a leg! + The best advice regarding how best to mend a broken leg was never break a leg! - New comers to Samba and LDAP seem to struggle a great deal at first. Many experience the - consequences of their first experience with the same emotions memory as the old Mr. - Williams referred to above. So here is my advice regarding the best way to remedy LDAP - and Samab problems: Avoid them like the plague! + New comers to Samba and LDAP seem to struggle a great deal at first. If you want advice + regarding the best way to remedy LDAP and Samba problems: Avoid them like the plague! 
@@ -1002,7 +996,27 @@ clients is conservative and if followed will minimize problems - but it is not a Debugging LDAP - ZZ + In the example /etc/openldap/slapd.conf control file + (see ) there is an entry for loglevel 256. + To enable logging via the syslog infrastructure it is necessary to uncomment this parameter + and restart slapd. + + + + LDAP log information can be directed into a file that is separate from the normal system + log files by changing the /etc/syslog.conf file so it has the following + contents: + +# Some foreign boot scripts require local7 +# +local0,local1.* -/var/log/localmessages +local2,local3.* -/var/log/localmessages +local5.* -/var/log/localmessages +local6,local7.* -/var/log/localmessages +local4.* -/var/log/ldaplogs + + In the above case, all LDAP related logs will be directed to the file + /var/log/ldaplogs. This makes it easy to track LDAP errors. 
@@ -1011,14 +1025,152 @@ clients is conservative and if followed will minimize problems - but it is not a Debugging NSS_LDAP + The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the + /etc/ldap.conf file the following parameters: + +debug 256 +logdir /data/logs + + Create the log directory as follows: + +&rootprompt; mkdir /data/logs + + + + + The diagnostic process should follow the following steps: + + + + Verify the nss_base_passwd, nss_base_shadow, nss_base_group entries + in the /etc/ldap.conf file and compare them closely with the directory + tree location that was chosen in when the directory was first created. + + + + One was this can be done is by executing: + +&rootprompt; slapcat | grep Group | grep dn +dn: ou=Groups,dc=abmas,dc=biz +dn: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz +dn: cn=Domain Users,ou=Groups,dc=abmas,dc=biz +dn: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz +dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz +dn: cn=Administrators,ou=Groups,dc=abmas,dc=biz +dn: cn=Print Operators,ou=Groups,dc=abmas,dc=biz +dn: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz +dn: cn=Replicators,ou=Groups,dc=abmas,dc=biz + + The first line is the DIT entry point for the container for POSIX groups. The correct entry + for the /etc/ldap.conf for the nss_base_group + parameter therefore is the distinquished name (dn) as applied here: + +nss_base_group ou=Groups,dc=abmas,dc=biz?one + + The same process may be followed to determine the appropriate dn for user accounts. + If the container for computer accounts is not the same as that for users (see the &smb.conf; + file entry for ldap machine suffix, it may be necessary to set the + following DIT dn in the /etc/ldap.conf: + +nss_base_passwd dc=abmas,dc=biz?sub + + This instructs LDAP to search for machine as well as user entries from the top of the DIT + down. This is inefficient, but at least should work. 
+ + + + Perform lookups such as: + +&rootprompt; getent passwd + + Each such lookup will create an entry in the /data/log directory + for each such process executed. The contents of that file may provide a hint as to + the cause of the failure that is being investigated. + + + + Check the contents of the /var/log/messages to see what error messages are being + generated as a result of the LDAP lookups. Here is an example of a successful lookup: + +slapd[12164]: conn=0 fd=10 ACCEPT from IP=127.0.0.1:33539 +(IP=0.0.0.0:389) +slapd[12164]: conn=0 op=0 BIND dn="" method=128 +slapd[12164]: conn=0 op=0 RESULT tag=97 err=0 text= +slapd[12164]: conn=0 op=1 SRCH base="" scope=0 deref=0 +filter="(objectClass=*)" +slapd[12164]: conn=0 op=1 SEARCH RESULT tag=101 err=0 +nentries=1 text= +slapd[12164]: conn=0 op=2 UNBIND +slapd[12164]: conn=0 fd=10 closed +slapd[12164]: conn=1 fd=10 ACCEPT from +IP=127.0.0.1:33540 (IP=0.0.0.0:389) +slapd[12164]: conn=1 op=0 BIND +dn="cn=Manager,dc=abmas,dc=biz" method=128 +slapd[12164]: conn=1 op=0 BIND +dn="cn=Manager,dc=abmas,dc=biz" mech=SIMPLE ssf=0 +slapd[12164]: conn=1 op=0 RESULT tag=97 err=0 text= +slapd[12164]: conn=1 op=1 SRCH +base="ou=People,dc=abmas,dc=biz" scope=1 deref=0 +filter="(objectClass=posixAccount)" +slapd[12164]: conn=1 op=1 SRCH attr=uid userPassword +uidNumber gidNumber cn +homeDirectory loginShell gecos description objectClass +slapd[12164]: conn=1 op=1 SEARCH RESULT tag=101 err=0 +nentries=2 text= +slapd[12164]: conn=1 fd=10 closed + + + + + + Check that the bindpw entry in the /etc/ldap.conf or in the + /etc/ldap.secrets file is correct. i.e.: As specified in the + /etc/openldap/slapd.conf file. + + + + Debugging Samba + The following parameters in the &smb.conf; file can be useful in tracking down Samba related problems: + +[global] + ... + log level = 5 + log file = /var/log/samba/%m.log + max log size = 0 + ... 
+ + This will result in the creation of a separate log file for every client from which connections + are made. The log file will be quite verbose and will grow continually. Do not forget to + change these lines to the following when debugging has been completed: + +[global] + ... + log level = 1 + log file = /var/log/samba/%m.log + max log size = 50 + ... + + + + + The log file can be analyzed by executing: + +&rootprompt; cd /var/log/samba +&rootprompt; grep -v "^\[200" machine_name.log + + + + + Search for hints of what may have failed by lokking for the words fail + and error. @@ -1027,6 +1179,10 @@ clients is conservative and if followed will minimize problems - but it is not a Debugging on the Windows Client + MS Windows 2000 Professional and Windows XP Professional clients are capable of being configured + to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search + the Microsoft knowledge base for detailed instructions. The techniques vary a little with each + version of MS Windows. @@ -1721,9 +1877,12 @@ SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765 delete user script/opt/IDEALX/sbin/smbldap-userdel "%u" add group script/opt/IDEALX/sbin/smbldap-groupadd -p "%g" delete group script/opt/IDEALX/sbin/smbldap-groupdel "%g" - add user to group script/opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g" - delete user from group script/opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g" - set primary group script/opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u" + add user to group script/opt/IDEALX/sbin/ +smbldap-groupmod -m "%u" "%g" + delete user from group script/opt/IDEALX/sbin/ +smbldap-groupmod -x "%u" "%g" + set primary group script/opt/IDEALX/sbin/ +smbldap-usermod -g "%g" "%u" add machine script/opt/IDEALX/sbin/smbldap-useradd -w "%u" 
@@ -2461,7 +2620,7 @@ chrisr:x:1002:513:System User:/home/chrisr:/bin/bash maryv:x:1003:513:System User:/home/maryv:/bin/bash This demonstates that user account resolution via LDAP is working. - + This step will determin @@ -2631,7 +2790,7 @@ PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps localhost interface with the smbd process. This account can be easily created by joining the PDC to the Domain by executing the following command: -&rootprompt; net rpc join -U root%not24get +&rootprompt; net rpc join -S MASSIVE -U root%not24get Note: Before executing this command on the PDC both nmbd and smbd must be started so that the net command diff --git a/docs/Samba-Guide/Chap07-2000UserNetwork.xml b/docs/Samba-Guide/Chap07-2000UserNetwork.xml index dac023f4a6..529b66918c 100644 --- a/docs/Samba-Guide/Chap07-2000UserNetwork.xml +++ b/docs/Samba-Guide/Chap07-2000UserNetwork.xml @@ -797,7 +797,7 @@ passdb backend = ldapsam:ldap://master.abmas.biz . Samba Configuration to Use a Single LDAP Server - ch7-singleLDAP + ch7-singleLDAP LDAP @@ -819,7 +819,7 @@ passdb backend = ldapsam:"ldap://master.abmas.biz \ as shown in . Samba Configuration to Use a Dual (Fail-over) LDAP Server - ch7-fail-overLDAP + ch7-fail-overLDAP @@ -1076,7 +1076,7 @@ include /etc/openldap/schema/samba.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args -database ldbm +database bdb suffix "dc=abmas,dc=biz" rootdn "cn=Manager,dc=abmas,dc=biz" @@ -1124,7 +1124,7 @@ include /etc/openldap/schema/samba.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args -database ldbm +database bdb suffix "dc=abmas,dc=biz" rootdn "cn=Manager,dc=abmas,dc=biz" diff --git a/docs/Samba-Guide/Chap08-MigrateNT4Samba3.xml b/docs/Samba-Guide/Chap08-MigrateNT4Samba3.xml index dc7609ef59..4f0f74744c 100644 --- a/docs/Samba-Guide/Chap08-MigrateNT4Samba3.xml +++ b/docs/Samba-Guide/Chap08-MigrateNT4Samba3.xml 
@@ -425,13 +425,16 @@ Edit the &smb.conf; file to temporarily change the parameter domain masterNo so - the Samba server functions as a BDC for the purpose of migration. + the Samba server functions as a BDC for the purpose of migration. Also, temporarily + (only during domain account migration) comment out the lines that specify deletion + scripts (delete user script, etc.). preload.LDIF Create a file called preload.LDIF as shown in . + Edit the contents so that the domain name and SID are correct for the site being installed. @@ -449,7 +452,7 @@ added: "ou=People,dc=abmas,dc=biz" (00000003) added: "ou=Computers,dc=abmas,dc=biz" (00000004) added: "ou=Groups,dc=abmas,dc=biz" (00000005) added: "ou=Idmap,dc=abmas,dc=biz" (00000006) -added: "ou=Domains,dc=abmas,dc=biz" (00000007) +added: "sambaDomainName=MEGANET,dc=abmas,dc=biz" (00000007) @@ -616,36 +619,29 @@ objectClass: organization dc: abmas o: Abmas Demo description: POSIX and Samba LDAP Identity Database -structuralObjectClass: organization - -dn: cn=Manager,dc=abmas,dc=biz -objectClass: organizationalRole -cn: Manager -description: Directory Manager -structuralObjectClass: organizationalRole dn: ou=People,dc=abmas,dc=biz objectClass: top objectClass: organizationalUnit ou: People -structuralObjectClass: organizationalUnit dn: ou=Groups,dc=abmas,dc=biz objectClass: top objectClass: organizationalUnit ou: Groups -structuralObjectClass: organizationalUnit dn: ou=Idmap,dc=abmas,dc=biz objectClass: top objectClass: organizationalUnit ou: Idmap -structuralObjectClass: organizationalUnit -dn: ou=Domains,dc=abmas,dc=biz -objectClass: organizationalUnit -ou: Domains -structuralObjectClass: organizationalUnit +dn: sambaDomainName=MEGANET2,dc=abmas,dc=biz +objectClass: sambaDomain +objectClass: sambaUnixIdPool +sambaDomainName: MEGANET +sambaSID: S-1-5-21-1988699175-926296742-1295600288 +uidNumber: 1000 +gidNumber: 1000 
@@ -711,6 +707,14 @@ Creating unix group: 'Domain Users' Creating unix group: 'Domain Guests' Creating unix group: 'Engineers' Creating unix group: 'Marketoids' +Creating unix group: 'Account Operators' +Creating unix group: 'Administrators' +Creating unix group: 'Backup Operators' +Creating unix group: 'Guests' +Creating unix group: 'Print Operators' +Creating unix group: 'Replicator' +Creating unix group: 'Server Operators' +Creating unix group: 'Users' Creating account: Administrator Creating account: Guest Creating account: oldnt4pdc$ @@ -731,14 +735,6 @@ Group members of Marketoids: Administrator,jacko(primary), Creating unix group: 'Gnomes' Fetching BUILTIN database SAM_DELTA_DOMAIN_INFO not handled -Creating unix group: 'Account Operators' -Creating unix group: 'Administrators' -Creating unix group: 'Backup Operators' -Creating unix group: 'Guests' -Creating unix group: 'Print Operators' -Creating unix group: 'Replicator' -Creating unix group: 'Server Operators' -Creating unix group: 'Users' @@ -788,8 +784,8 @@ sleeth:~ # pdbedit -Lv maryk Unix username: maryk NT username: maryk Account Flags: [UX ] -User SID: S-1-5-21-5672968813-926296742-3245673225-1003 -Primary Group SID: S-1-5-21-5672968813-926296742-3245673225-1007 +User SID: S-1-5-21-1988699175-926296742-1295600288-1003 +Primary Group SID: S-1-5-21-1988699175-926296742-1295600288-1007 Full Name: Mary Kathleen Home Directory: \\diamond\maryk HomeDir Drive: X: diff --git a/docs/Samba-Guide/index.xml b/docs/Samba-Guide/index.xml index a4b788ef83..bb72a62cea 100644 --- a/docs/Samba-Guide/index.xml +++ b/docs/Samba-Guide/index.xml @@ -13,11 +13,13 @@ 20050304 + -- cgit
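Review bot: in the Chap05-500UserNetwork.xml hunk at @@ -957, the `add machine script` value is now broken across two lines (`/usr/sbin/` on one line, `useradd -s /bin/false -d /var/lib/nobody '%u'` on the next); if that wrap survives into the rendered text, a reader who pastes it into smb.conf gets a parameter value of `/usr/sbin/` followed by a stray `useradd ...` line that Samba will not treat as part of the parameter. The same applies to the three `smbldap-groupmod` / `smbldap-usermod` values split the same way in the Chap06-MakingHappyUsers.xml hunk at @@ -1721. Suggest letting the formatting layer handle the wrap so the emitted text stays on one line, or saying explicitly that each value is a single line.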
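Review bot: in the Chap06-MakingHappyUsers.xml hunk at @@ -963 (Preliminary Advice), "New comers" should be "Newcomers", and "The best advice regarding how best to mend a broken leg" repeats "best"; "The best advice regarding how to mend a broken leg is: never break a leg!" reads cleaner.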
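Review bot: in the Chap06-MakingHappyUsers.xml hunk at @@ -1002 (Debugging LDAP), the /etc/syslog.conf snippet routes `local4.*` to `/var/log/ldaplogs`, but the text never says that this works because slapd logs to the local4 facility by default (it can be changed with slapd's `-l` option), so a reader on a host where that was changed will find the file empty. Suggest stating that assumption, adding that syslogd must be restarted or told to reload after /etc/syslog.conf is edited, and noting what `loglevel 256` actually records (connections, operations and results) so readers know what to expect in the file.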
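Review bot: in the Chap06-MakingHappyUsers.xml hunk at @@ -1011 (Debugging NSS_LDAP and Debugging Samba), the last step tells readers to check `bindpw` in "the /etc/ldap.secrets file", but nss_ldap reads the rootbinddn password from `/etc/ldap.secret` (singular); since that file carries the directory manager password in clear text, it is also worth stating that it must be owned by root with mode 0600. Two more inconsistencies in the same hunk: `logdir /data/logs` is configured but the text later refers to "the /data/log directory", and the parenthesis opened in "(see the &smb.conf; file entry for ldap machine suffix, it may be necessary" is never closed. Typos: "One was this can be done" should be "One way this can be done", "distinquished" should be "distinguished", and "lokking" in the Debugging Samba part should be "looking"; the sentence "compare them closely with the directory tree location that was chosen in when the directory was first created" is missing its cross-reference target. In the Debugging Samba part, the `grep -v "^\[200"` filter relies on every timestamp line starting with "[200", which stops holding in 2010; a pattern such as `"^\[20"` would be less fragile. The sample slapd log in the "/var/log/messages" step only appears once the loglevel and syslog setup from the Debugging LDAP section is in place; a back-reference would help.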
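Review bot: in the Chap06-MakingHappyUsers.xml hunk at @@ -1027 (Debugging on the Windows Client), "Search the Microsoft knowledge base for detailed instructions" leaves the reader without the one thing the section promises; at minimum give the article title or the registry or policy setting that enables netlogon.log, or cite the knowledge base article by number if one is known.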
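Review bot: in the Chap06-MakingHappyUsers.xml hunk at @@ -2461, the added line "This step will determin" is an unfinished sentence fragment with a truncated last word; either complete it or drop it before this goes in. The context line just above it also has a typo, "demonstates" for "demonstrates".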
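Review bot: in the Chap06-MakingHappyUsers.xml hunk at @@ -2631, both the old and the new command embed the root password on the command line (`-U root%not24get`), where it is visible in `ps` output to every local user while the command runs and is kept in the shell history afterwards. Since readers will copy this line, suggest `net rpc join -S MASSIVE -U root` and letting `net` prompt for the password, with a sentence explaining why.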
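Review bot: in the Chap07-2000UserNetwork.xml hunk at @@ -1076 (and identically at @@ -1124), changing `database ldbm` to `database bdb` silently changes the on-disk format: an existing ldbm directory cannot be opened by the bdb backend, so a reader following the updated text on a server that is already running needs to `slapcat` the data before the change and `slapadd` it afterwards. The text should say so, and should also mention that the bdb backend expects a `DB_CONFIG` file in the database directory for reasonable performance.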
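Review bot: in the Chap08-MigrateNT4Samba3.xml hunk at @@ -425, the new instruction to "temporarily (only during domain account migration) comment out the lines that specify deletion scripts (delete user script, etc.)" gives no reason; a short clause explaining what goes wrong during the migration when those scripts are active would stop readers from skipping the step.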
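Review bot: in the Chap08-MigrateNT4Samba3.xml hunk at @@ -616 (preload.LDIF), the new entry's DN is `sambaDomainName=MEGANET2,dc=abmas,dc=biz` but its attribute reads `sambaDomainName: MEGANET`; the RDN value must be present as an attribute value in the entry, so slapadd will reject this entry as written. The slapadd output shown in the @@ -449 hunk of the same file (`added: "sambaDomainName=MEGANET,dc=abmas,dc=biz"`) and the sambaSID used for the migrated accounts in the @@ -788 hunk both point to `MEGANET`, so the DN should be `dn: sambaDomainName=MEGANET,dc=abmas,dc=biz`.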