mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00

This is the last update to the Samba-Guide for a little while. I'm about to tackle the HOWTO for a make-over.

This commit is contained in:
John Terpstra 2005-03-12 05:35:53 +00:00 committed by Gerald W. Carter
parent 2d543ee70c
commit dfef9d6ecc
6 changed files with 205 additions and 47 deletions

View File

@ -1969,7 +1969,7 @@ $rootprompt; ps ax | grep winbind
</screen>
The <command>winbindd</command> daemon is running in split mode (normal), so there are also
two instances<footnote>For more information regarding winbindd, see <emphasis>TOSHARG</emphasis>,
Chapter 20, Section 20.3. The single instance of <command>smbd</command> is normal. One additional
Chapter 22, Section 22.3. The single instance of <command>smbd</command> is normal. One additional
<command>smbd</command> slave process is spawned for each SMB/CIFS client
connection.</footnote> of it.
</para></step>
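Review bot: the footnote hard-codes `Chapter 22, Section 22.3` for the TOSHARG reference, and this hunk is exactly the renumbering drift that hard-coded numbers invite (the text said 20.3 until now); if the two books are built together, a `<link>`/`<xref>` to the section id would track renumbering automatically, otherwise naming the section title next to the number gives the reader something that survives the next reorganisation.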

View File

@ -957,7 +957,8 @@ hosts: files dns wins
<smbconfoption><name>add group script</name><value>/usr/sbin/groupadd '%g'</value></smbconfoption>
<smbconfoption><name>delete group script</name><value>/usr/sbin/groupdel '%g'</value></smbconfoption>
<smbconfoption><name>add user to group script</name><value>/usr/sbin/usermod -G '%g' '%u'</value></smbconfoption>
<smbconfoption><name>add machine script</name><value>/usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'</value></smbconfoption>
<smbconfoption><name>add machine script</name><value>/usr/sbin/</value></smbconfoption>
<member><parameter>useradd -s /bin/false -d /var/lib/nobody '%u'</parameter></member>
<smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
<smbconfoption><name>wins support</name><value>Yes</value></smbconfoption>
<smbconfoption><name>include</name><value>/etc/samba/dc-common.conf</value></smbconfoption>
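Review bot: splitting the `add machine script` value into `<value>/usr/sbin/</value>` plus a separate `<member><parameter>useradd -s /bin/false -d /var/lib/nobody '%u'</parameter></member>` (the two changed lines) is a line-wrapping trick that the rendered text does not mark as a continuation; a reader who copies the example ends up with `add machine script = /usr/sbin/` followed by a stray line, and machine-account creation, which this script performs as root at join time, then fails with no obvious cause. Add a visible continuation marker or keep the option on one line.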

View File

@ -963,18 +963,12 @@ clients is conservative and if followed will minimize problems - but it is not a
<title>Preliminary Advice &smbmdash; Dangers Can be Avoided</title>
<para>
When I was 8 years of age there was an old man who walked with a cane. He told the the
kids of the neighborhood that when he was very yound he broke his leg. His parents could
not afford good medical care and they lived in the country when medical help was not readily
available, he suffered the consequences his whole life. His advice regarding how best
to mend a broken leg was <quote>never break a leg!</quote>
The best advice regarding how best to mend a broken leg was <quote>never break a leg!</quote>
</para>
<para>
New comers to Samba and LDAP seem to struggle a great deal at first. Many experience the
consequences of their first experience with the same emotions memory as the old Mr.
Williams referred to above. So here is my advice regarding the best way to remedy LDAP
and Samab problems: <quote>Avoid them like the plague!</quote>
New comers to Samba and LDAP seem to struggle a great deal at first. If you want advice
regarding the best way to remedy LDAP and Samba problems: <quote>Avoid them like the plague!</quote>
</para>
<para>
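Review bot: the rewritten paragraph still spells "New comers" as two words; it should be "Newcomers". Dropping the anecdote also removes the "the the" and "yound" typos of the old text, so the replacement is otherwise an improvement.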
@ -1002,7 +996,27 @@ clients is conservative and if followed will minimize problems - but it is not a
<title>Debugging LDAP</title>
<para>
ZZ
In the example <filename>/etc/openldap/slapd.conf</filename> control file
(see <link linkend="ch6-dbconf"/>) there is an entry for <constant>loglevel 256</constant>.
To enable logging via the syslog infrastructure it is necessary to uncomment this parameter
and restart <command>slapd</command>.
</para>
<para>
LDAP log information can be directed into a file that is separate from the normal system
log files by changing the <filename>/etc/syslog.conf</filename> file so it has the following
contents:
<screen>
# Some foreign boot scripts require local7
#
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local5.* -/var/log/localmessages
local6,local7.* -/var/log/localmessages
local4.* -/var/log/ldaplogs
</screen>
In the above case, all LDAP related logs will be directed to the file
<filename>/var/log/ldaplogs</filename>. This makes it easy to track LDAP errors.
</para>
</sect4>
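Review bot: the line reading `ZZ` immediately after `<para>` in the new Debugging LDAP text is a stray editing marker and will render as-is; remove it. For the `/etc/syslog.conf` fragment it is worth stating that slapd logs to the `local4` facility by default (its `-l` option changes this), since `local4.* -/var/log/ldaplogs` only captures LDAP output under that assumption, and that the new file should be added to log rotation, because `loglevel 256` records every connection, bind DN and search.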
@ -1011,14 +1025,152 @@ clients is conservative and if followed will minimize problems - but it is not a
<title>Debugging NSS_LDAP</title>
<para>
The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the
<filename>/etc/ldap.conf</filename> file the following parameters:
<screen>
debug 256
logdir /data/logs
</screen>
Create the log directory as follows:
<screen>
&rootprompt; mkdir /data/logs
</screen>
</para>
<para>
The diagnostic process should follow the following steps:
</para>
<procedure>
<step><para>
Verify the <constant>nss_base_passwd, nss_base_shadow, nss_base_group</constant> entries
in the <filename>/etc/ldap.conf</filename> file and compare them closely with the directory
tree location that was chosen in when the directory was first created.
</para>
<para>
One was this can be done is by executing:
<screen>
&rootprompt; slapcat | grep Group | grep dn
dn: ou=Groups,dc=abmas,dc=biz
dn: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
dn: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
dn: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
dn: cn=Administrators,ou=Groups,dc=abmas,dc=biz
dn: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
dn: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
dn: cn=Replicators,ou=Groups,dc=abmas,dc=biz
</screen>
The first line is the DIT entry point for the container for POSIX groups. The correct entry
for the <filename>/etc/ldap.conf</filename> for the <constant>nss_base_group</constant>
parameter therefore is the distinquished name (dn) as applied here:
<screen>
nss_base_group ou=Groups,dc=abmas,dc=biz?one
</screen>
The same process may be followed to determine the appropriate dn for user accounts.
If the container for computer accounts is not the same as that for users (see the &smb.conf;
file entry for <constant>ldap machine suffix</constant>, it may be necessary to set the
following DIT dn in the <filename>/etc/ldap.conf</filename>:
<screen>
nss_base_passwd dc=abmas,dc=biz?sub
</screen>
This instructs LDAP to search for machine as well as user entries from the top of the DIT
down. This is inefficient, but at least should work.
</para></step>
<step><para>
Perform lookups such as:
<screen>
&rootprompt; getent passwd
</screen>
Each such lookup will create an entry in the <filename>/data/log</filename> directory
for each such process executed. The contents of that file may provide a hint as to
the cause of the failure that is being investigated.
</para></step>
<step><para>
Check the contents of the <filename>/var/log/messages</filename> to see what error messages are being
generated as a result of the LDAP lookups. Here is an example of a successful lookup:
<screen>
slapd[12164]: conn=0 fd=10 ACCEPT from IP=127.0.0.1:33539
(IP=0.0.0.0:389)
slapd[12164]: conn=0 op=0 BIND dn="" method=128
slapd[12164]: conn=0 op=0 RESULT tag=97 err=0 text=
slapd[12164]: conn=0 op=1 SRCH base="" scope=0 deref=0
filter="(objectClass=*)"
slapd[12164]: conn=0 op=1 SEARCH RESULT tag=101 err=0
nentries=1 text=
slapd[12164]: conn=0 op=2 UNBIND
slapd[12164]: conn=0 fd=10 closed
slapd[12164]: conn=1 fd=10 ACCEPT from
IP=127.0.0.1:33540 (IP=0.0.0.0:389)
slapd[12164]: conn=1 op=0 BIND
dn="cn=Manager,dc=abmas,dc=biz" method=128
slapd[12164]: conn=1 op=0 BIND
dn="cn=Manager,dc=abmas,dc=biz" mech=SIMPLE ssf=0
slapd[12164]: conn=1 op=0 RESULT tag=97 err=0 text=
slapd[12164]: conn=1 op=1 SRCH
base="ou=People,dc=abmas,dc=biz" scope=1 deref=0
filter="(objectClass=posixAccount)"
slapd[12164]: conn=1 op=1 SRCH attr=uid userPassword
uidNumber gidNumber cn
homeDirectory loginShell gecos description objectClass
slapd[12164]: conn=1 op=1 SEARCH RESULT tag=101 err=0
nentries=2 text=
slapd[12164]: conn=1 fd=10 closed
</screen>
</para></step>
<step><para>
Check that the bindpw entry in the <filename>/etc/ldap.conf</filename> or in the
<filename>/etc/ldap.secrets</filename> file is correct. i.e.: As specified in the
<filename>/etc/openldap/slapd.conf</filename> file.
</para></step>
</procedure>
</sect4>
<sect4>
<title>Debugging Samba</title>
<para>
The following parameters in the &smb.conf; file can be useful in tracking down Samba related problems:
<screen>
[global]
...
log level = 5
log file = /var/log/samba/%m.log
max log size = 0
...
</screen>
This will result in the creation of a separate log file for every client from which connections
are made. The log file will be quite verbose and will grow continually. Do not forget to
change these lines to the following when debugging has been completed:
<screen>
[global]
...
log level = 1
log file = /var/log/samba/%m.log
max log size = 50
...
</screen>
</para>
<para>
The log file can be analyzed by executing:
<screen>
&rootprompt; cd /var/log/samba
&rootprompt; grep -v "^\[200" machine_name.log
</screen>
</para>
<para>
Search for hints of what may have failed by lokking for the words <emphasis>fail</emphasis>
and <emphasis>error</emphasis>.
</para>
</sect4>
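Review bot: the log directory is created as `/data/logs` (`logdir /data/logs`, `mkdir /data/logs`) but step two says each lookup creates an entry in `/data/log`; make the path consistent. Typos in the same hunk: "One was this can be done" (way), "chosen in when", "distinquished", "lokking". The successful-lookup excerpt also shows, without comment, that nss_ldap binds as `cn=Manager,dc=abmas,dc=biz`, the directory rootdn, and requests `userPassword`; since that bind password then sits in `/etc/ldap.conf` or `/etc/ldap.secrets` on every client, a sentence recommending a dedicated read-only bind DN for NSS lookups would fit naturally in the "Check that the bindpw entry" step.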
@ -1027,6 +1179,10 @@ clients is conservative and if followed will minimize problems - but it is not a
<title>Debugging on the Windows Client</title>
<para>
MS Windows 2000 Professional and Windows XP Professional clients are capable of being configured
to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search
the Microsoft knowledge base for detailed instructions. The techniques vary a little with each
version of MS Windows.
</para>
</sect4>
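Review bot: "Search the Microsoft knowledge base for detailed instructions" leaves out the two facts the reader needs: the log is written to `%SystemRoot%\debug\netlogon.log`, and it is enabled by setting the Netlogon debug flag (`nltest /dbflag:0x2080ffff`, or the `DBFlag` value under the Netlogon `Parameters` registry key). Add that the flag should be cleared again once the problem is found, because verbose Netlogon logging grows quickly.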
@ -1721,9 +1877,12 @@ SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765
<smbconfoption><name>delete user script</name><value>/opt/IDEALX/sbin/smbldap-userdel "%u"</value></smbconfoption>
<smbconfoption><name>add group script</name><value>/opt/IDEALX/sbin/smbldap-groupadd -p "%g"</value></smbconfoption>
<smbconfoption><name>delete group script</name><value>/opt/IDEALX/sbin/smbldap-groupdel "%g"</value></smbconfoption>
<smbconfoption><name>add user to group script</name><value>/opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</value></smbconfoption>
<smbconfoption><name>delete user from group script</name><value>/opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</value></smbconfoption>
<smbconfoption><name>set primary group script</name><value>/opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</value></smbconfoption>
<smbconfoption><name>add user to group script</name><value>/opt/IDEALX/sbin/</value></smbconfoption>
<member><parameter>smbldap-groupmod -m "%u" "%g"</parameter></member>
<smbconfoption><name>delete user from group script</name><value>/opt/IDEALX/sbin/</value></smbconfoption>
<member><parameter>smbldap-groupmod -x "%u" "%g"</parameter></member>
<smbconfoption><name>set primary group script</name><value>/opt/IDEALX/sbin/</value></smbconfoption>
<member><parameter>smbldap-usermod -g "%g" "%u"</parameter></member>
<smbconfoption><name>add machine script</name><value>/opt/IDEALX/sbin/smbldap-useradd -w "%u"</value></smbconfoption>
</smbconfexample>
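Review bot: the smbldap scripts in this hunk wrap `%u` and `%g` in double quotes, while the smb.conf example earlier in this commit (`/usr/sbin/groupadd '%g'`, `useradd ... '%u'`) uses single quotes; since these scripts run as root, single quotes are the safer and more consistent choice, because double quotes leave `$`, backticks and `$(...)` in a substituted name subject to shell expansion. The `<value>/opt/IDEALX/sbin/</value>` + `<member><parameter>...</parameter></member>` split used for the three group scripts has the same problem as in the earlier file: without a visible continuation marker the rendered configuration is not copy-pasteable.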
@ -2461,7 +2620,7 @@ chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
maryv:x:1003:513:System User:/home/maryv:/bin/bash
</screen>
This demonstates that user account resolution via LDAP is working.
<para></step>
</para></step>
<step><para>
This step will determin
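Review bot: the change from `<para></step>` to `</para></step>` fixes the unclosed element, but the context line just above still has "demonstates" for "demonstrates"; worth fixing in the same commit.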
@ -2631,7 +2790,7 @@ PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
localhost interface with the <command>smbd</command> process. This account can be
easily created by joining the PDC to the Domain by executing the following command:
<screen>
&rootprompt; net rpc join -U root%not24get
&rootprompt; net rpc join -S MASSIVE -U root%not24get
</screen>
Note: Before executing this command on the PDC both <command>nmbd</command> and
<command>smbd</command> must be started so that the <command>net</command> command
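Review bot: adding `-S MASSIVE` is right, but `-U root%not24get` still puts the domain administrator password on the command line, where it is visible in the process list and lands in the shell history; since readers copy this guide verbatim, show `-U root` and let `net` prompt for the password, or state that the `user%password` form is for illustration only.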

View File

@ -797,7 +797,7 @@ passdb backend = ldapsam:ldap://master.abmas.biz
<link linkend="ch7singleLDAP"/>.
<image id="ch7singleLDAP">
<imagedescription>Samba Configuration to Use a Single LDAP Server</imagedescription>
<imagefile scale="55">ch7-singleLDAP</imagefile>
<imagefile scale="65">ch7-singleLDAP</imagefile>
</image>
<indexterm>
<primary>LDAP</primary>
@ -819,7 +819,7 @@ passdb backend = ldapsam:"ldap://master.abmas.biz \
as shown in <link linkend="ch7dualLDAP"/>.
<image id="ch7dualLDAP">
<imagedescription>Samba Configuration to Use a Dual (Fail-over) LDAP Server</imagedescription>
<imagefile scale="55">ch7-fail-overLDAP</imagefile>
<imagefile scale="65">ch7-fail-overLDAP</imagefile>
</image>
</para>
@ -1076,7 +1076,7 @@ include /etc/openldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
database ldbm
database bdb
suffix "dc=abmas,dc=biz"
rootdn "cn=Manager,dc=abmas,dc=biz"
@ -1124,7 +1124,7 @@ include /etc/openldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
database ldbm
database bdb
suffix "dc=abmas,dc=biz"
rootdn "cn=Manager,dc=abmas,dc=biz"
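Review bot: switching `database ldbm` to `database bdb` in both slapd.conf examples (this hunk and the previous one) is more than a one-word change for an existing site: the two backends use different on-disk formats, so an ldbm directory has to be dumped with slapcat and reloaded with slapadd, and bdb expects a DB_CONFIG file in the database directory for cache and transaction-log settings; a sentence in the surrounding text pointing this out would save readers a slapd that refuses to start.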

View File

@ -425,13 +425,16 @@
</indexterm>
Edit the &smb.conf; file to temporarily change the parameter
<smbconfoption><name>domain master</name><value>No</value></smbconfoption> so
the Samba server functions as a BDC for the purpose of migration.
the Samba server functions as a BDC for the purpose of migration. Also, temporarily
(only during domain account migration) comment out the lines that specify deletion
scripts (delete user script, etc.).
</para></step>
<step><para><indexterm>
<primary>preload.LDIF</primary>
</indexterm>
Create a file called <filename>preload.LDIF</filename> as shown in <link linkend="ch8-LDIF"/>.
Edit the contents so that the domain name and SID are correct for the site being installed.
</para></step>
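Review bot: the new sentence tells the reader to comment out the deletion scripts during migration but not why, and nothing in this hunk restores them or `domain master`; add the reason, and make sure a later step says to restore both settings once the migration is complete, because the text says "temporarily" twice but the restore is not visible here.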
<step><para><indexterm>
@ -449,7 +452,7 @@ added: "ou=People,dc=abmas,dc=biz" (00000003)
added: "ou=Computers,dc=abmas,dc=biz" (00000004)
added: "ou=Groups,dc=abmas,dc=biz" (00000005)
added: "ou=Idmap,dc=abmas,dc=biz" (00000006)
added: "ou=Domains,dc=abmas,dc=biz" (00000007)
added: "sambaDomainName=MEGANET,dc=abmas,dc=biz" (00000007)
</screen>
</para></step>
@ -616,36 +619,29 @@ objectClass: organization
dc: abmas
o: Abmas Demo
description: POSIX and Samba LDAP Identity Database
structuralObjectClass: organization
dn: cn=Manager,dc=abmas,dc=biz
objectClass: organizationalRole
cn: Manager
description: Directory Manager
structuralObjectClass: organizationalRole
dn: ou=People,dc=abmas,dc=biz
objectClass: top
objectClass: organizationalUnit
ou: People
structuralObjectClass: organizationalUnit
dn: ou=Groups,dc=abmas,dc=biz
objectClass: top
objectClass: organizationalUnit
ou: Groups
structuralObjectClass: organizationalUnit
dn: ou=Idmap,dc=abmas,dc=biz
objectClass: top
objectClass: organizationalUnit
ou: Idmap
structuralObjectClass: organizationalUnit
dn: ou=Domains,dc=abmas,dc=biz
objectClass: organizationalUnit
ou: Domains
structuralObjectClass: organizationalUnit
dn: sambaDomainName=MEGANET2,dc=abmas,dc=biz
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: MEGANET
sambaSID: S-1-5-21-1988699175-926296742-1295600288
uidNumber: 1000
gidNumber: 1000
</screen>
</example>
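Review bot: the RDN in `dn: sambaDomainName=MEGANET2,dc=abmas,dc=biz` does not match the entry's own `sambaDomainName: MEGANET` attribute two lines below it, nor the `added: "sambaDomainName=MEGANET,dc=abmas,dc=biz"` output shown in the previous hunk; slapadd rejects an entry whose naming attribute value is not present among its attributes, so this should read `sambaDomainName=MEGANET`. Removing the `ou=Domains` container is consistent with the earlier hunk, and dropping the `structuralObjectClass` operational attributes from a preload LDIF is correct, since slapadd derives them.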
@ -711,6 +707,14 @@ Creating unix group: 'Domain Users'
Creating unix group: 'Domain Guests'
Creating unix group: 'Engineers'
Creating unix group: 'Marketoids'
Creating unix group: 'Account Operators'
Creating unix group: 'Administrators'
Creating unix group: 'Backup Operators'
Creating unix group: 'Guests'
Creating unix group: 'Print Operators'
Creating unix group: 'Replicator'
Creating unix group: 'Server Operators'
Creating unix group: 'Users'
Creating account: Administrator
Creating account: Guest
Creating account: oldnt4pdc$
@ -731,14 +735,6 @@ Group members of Marketoids: Administrator,jacko(primary),
Creating unix group: 'Gnomes'
Fetching BUILTIN database
SAM_DELTA_DOMAIN_INFO not handled
Creating unix group: 'Account Operators'
Creating unix group: 'Administrators'
Creating unix group: 'Backup Operators'
Creating unix group: 'Guests'
Creating unix group: 'Print Operators'
Creating unix group: 'Replicator'
Creating unix group: 'Server Operators'
Creating unix group: 'Users'
</screen>
</para></step>
@ -788,8 +784,8 @@ sleeth:~ # pdbedit -Lv maryk
Unix username: maryk
NT username: maryk
Account Flags: [UX ]
User SID: S-1-5-21-5672968813-926296742-3245673225-1003
Primary Group SID: S-1-5-21-5672968813-926296742-3245673225-1007
User SID: S-1-5-21-1988699175-926296742-1295600288-1003
Primary Group SID: S-1-5-21-1988699175-926296742-1295600288-1007
Full Name: Mary Kathleen
Home Directory: \\diamond\maryk
HomeDir Drive: X:

View File

@ -13,11 +13,13 @@
<version>20050304</version>
</bookinfo>
<?latex \clearpage ?>
<!--- Leave the commented out lines they are needed for book production.
<para>boo</para>
<?latex \clearpage ?>
<para>boo</para>
<?latex \clearpage ?>
<para>boo</para>
-->
<xi:include href="inside-cover.xml"/>
<xi:include href="acknowledgements.xml"/>
<xi:include href="foreword.xml"/>