13_Troubleshooting between Windows XP and the LDAP/Samba integration server


It looks like Windows XP and the LDAP/Samba integration server are not talking to each other properly, so I'll troubleshoot.

  • Display every object in LDAP.
[root@localhost ~]# ldapsearch -x -h localhost
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# pj-e.com
dn: dc=pj-e,dc=com
objectClass: dcObject
objectClass: organization
o: pj-e
dc: pj-e

# Users, pj-e.com
dn: ou=Users,dc=pj-e,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Users

# Groups, pj-e.com
dn: ou=Groups,dc=pj-e,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups

# Computers, pj-e.com
dn: ou=Computers,dc=pj-e,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Computers

# Idmap, pj-e.com
dn: ou=Idmap,dc=pj-e,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Idmap

# Administrator, Users, pj-e.com
dn: uid=Administrator,ou=Users,dc=pj-e,dc=com
cn: Administrator
sn: Administrator
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: Administrator
uidNumber: 0
homeDirectory: /home/Administrator
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\pdc\Administrator
sambaHomeDrive: H:
sambaProfilePath: \\pdc\profiles\Administrator
sambaPrimaryGroupSID: S-1-5-21-4169934945-3125951227-79960791-512
sambaSID: S-1-5-21-4169934945-3125951227-79960791-500
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: 35268FB16788CF76E3FDE35124FF2AD4
sambaAcctFlags: [U]
sambaNTPassword: 8DCA8D0BDD3434DA182CB881197F7359
sambaPwdLastSet: 1302325101
sambaPwdMustChange: 1306213101
userPassword:: e1NTSEF9N2tPcjVHeDlqN0QxamRNcEwxd1lpNnlMcjU1cVozRmE=
shadowLastChange: 15073
shadowMax: 45

# guest, Users, pj-e.com
dn: uid=guest,ou=Users,dc=pj-e,dc=com
cn: guest
sn: guest
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 514
uid: guest
uidNumber: 999
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\pdc\guest
sambaHomeDrive: H:
sambaProfilePath: \\pdc\profiles\guest
sambaPrimaryGroupSID: S-1-5-21-4169934945-3125951227-79960791-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NUD        ]
sambaSID: S-1-5-21-4169934945-3125951227-79960791-2998
loginShell: /bin/false

# Domain Admins, Groups, pj-e.com
dn: cn=Domain Admins,ou=Groups,dc=pj-e,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: Administrator
description: Netbios Domain Administrators
sambaSID: S-1-5-21-4169934945-3125951227-79960791-512
sambaGroupType: 2
displayName: Domain Admins

# Domain Users, Groups, pj-e.com
dn: cn=Domain Users,ou=Groups,dc=pj-e,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-4169934945-3125951227-79960791-513
sambaGroupType: 2
displayName: Domain Users

# Domain Guests, Groups, pj-e.com
dn: cn=Domain Guests,ou=Groups,dc=pj-e,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-4169934945-3125951227-79960791-514
sambaGroupType: 2
displayName: Domain Guests

# Domain Computers, Groups, pj-e.com
dn: cn=Domain Computers,ou=Groups,dc=pj-e,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-4169934945-3125951227-79960791-515
sambaGroupType: 2
displayName: Domain Computers

# Administrators, Groups, pj-e.com
dn: cn=Administrators,ou=Groups,dc=pj-e,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDom
 ainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators

# Account Operators, Groups, pj-e.com
dn: cn=Account Operators,ou=Groups,dc=pj-e,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 5
displayName: Account Operators

# Print Operators, Groups, pj-e.com
dn: cn=Print Operators,ou=Groups,dc=pj-e,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators

# Backup Operators, Groups, pj-e.com
dn: cn=Backup Operators,ou=Groups,dc=pj-e,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators

# Replicators, Groups, pj-e.com
dn: cn=Replicators,ou=Groups,dc=pj-e,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators

# PROJECT-E, pj-e.com
dn: sambaDomainName=PROJECT-E,dc=pj-e,dc=com
gidNumber: 1000
uidNumber: 1000
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaSID: S-1-5-21-4169934945-3125951227-79960791
sambaNextRid: 1000
sambaDomainName: PROJECT-E
sambaPwdHistoryLength: 0
sambaMaxPwdAge: -1
sambaRefuseMachinePwdChange: 0

# r_akagi, Users, pj-e.com
dn: uid=r_akagi,ou=Users,dc=pj-e,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: r_akagi
sn: r_akagi
givenName: r_akagi
uid: r_akagi
uidNumber: 1000
gidNumber: 513
homeDirectory: /home/r_akagi
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: r_akagi
sambaSID: S-1-5-21-4169934945-3125951227-79960791-3000
sambaPrimaryGroupSID: S-1-5-21-4169934945-3125951227-79960791-513
sambaProfilePath: \\pdc\profiles\r_akagi
sambaHomePath: \\pdc\r_akagi
sambaHomeDrive: H:
sambaLMPassword: 3BBB9BA23FA0C13CAAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: CDFFA7186153AFD3656B6FB37E994005
sambaPwdLastSet: 1302322896
sambaPwdMustChange: 1306210896
userPassword:: e1NTSEF9YjZ3Vmt6Y1E5NUF0T05tb2dJelBMTVpza2lBNFRsSnM=
shadowLastChange: 15073
shadowMax: 45

# ldap-client$, Computers, pj-e.com
dn: uid=ldap-client$,ou=Computers,dc=pj-e,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
cn: ldap-client$
uid: ldap-client$
uidNumber: 1001
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer

# search result
search: 2
result: 0 Success

# numResponses: 20
# numEntries: 19

So the LDAP database is not empty.
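An added check, not code from the original post: the ldapsearch above ran as an anonymous bind (the LDAP log further down this page records it as `do_bind: v3 anonymous bind`) and still returned sambaLMPassword, sambaNTPassword and userPassword for the user entries. The Python script below parses LDIF in the form ldapsearch prints it (`#` comments, folded continuation lines, base64 `::` values) and lists every entry that exposes one of those attributes. The sample LDIF, the dc=example,dc=com suffix and the all-zero hash values are constructed for the example.

```python
"""Flag password attributes returned by an unauthenticated ldapsearch.

Added example (not code from the original post). Parses LDIF exactly as
ldapsearch prints it: '#' comments, folded continuation lines (leading
space) and base64 values ('attr:: ...'). The sample LDIF, the
dc=example,dc=com suffix and the all-zero hash values are constructed.
"""
import base64
import re

# Attributes an anonymous bind must never be able to read.
SENSITIVE_ATTRS = {"userPassword", "sambaLMPassword", "sambaNTPassword"}

# Constructed sample in the shape of the page's ldapsearch output.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# someone, Users, example.com
dn: uid=someone,ou=Users,dc=example,dc=com
objectClass: sambaSamAccount
objectClass: posixAccount
uid: someone
sambaNTPassword: 00000000000000000000000000000000
sambaLMPassword: 00000000000000000000000000000000
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
description: Netbios Domain Members can fully administer the computer/sambaDom
 ainName

# host$, Computers, example.com
dn: uid=host$,ou=Computers,dc=example,dc=com
objectClass: account
uid: host$

# search result
search: 2
result: 0 Success
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return a list of (dn, {attribute: [values]}) from LDIF text."""
    entries = []
    unfolded = re.sub(r"\n ", "", text)  # join folded continuation lines
    for block in re.split(r"\n\s*\n", unfolded):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            m = ATTR_RE.match(line)
            if not m:
                continue
            name, sep, value = m.groups()
            if sep == "::":  # base64-encoded value
                value = base64.b64decode(value).decode("utf-8", "replace")
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:  # skips the header comments and the result trailer
            entries.append((dn, attrs))
    return entries


def exposed_secrets(entries):
    """Return {dn: sorted sensitive attribute names present on that entry}."""
    found = {}
    for dn, attrs in entries:
        hit = sorted(a for a in attrs if a in SENSITIVE_ATTRS)
        if hit:
            found[dn] = hit
    return found


def check_dump(text):
    """Parse an ldapsearch dump and report entries leaking password material."""
    return exposed_secrets(parse_ldif(text))


if __name__ == "__main__":
    report = check_dump(SAMPLE_LDIF)
    for dn, attrs in report.items():
        print("EXPOSED", dn, ", ".join(attrs))
    if not report:
        print("no password attributes in dump")
```

If the script reports anything for an unauthenticated search, the fix is on the slapd side: an `access to attrs=userPassword,sambaLMPassword,sambaNTPassword` directive in slapd.conf that gives anonymous only `auth`, the entry itself and the Samba bind DN `write`, and everyone else `none`, which is the ACL the usual Samba-LDAP setup documents.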

  • Configure Samba's log output and restart the service.
[root@localhost ~]# cat -n /etc/samba/smb.conf
    83  # --------------------------- Logging Options -----------------------------
    84  #
    85  # Log File let you specify where to put logs and how to split them up.
    86  #
    87  # Max Log Size let you specify the max size log files should reach
    88
    89          # logs split per machine
    90          log file = /var/log/samba/%m.log ← modified
    91          # max 50KB per log file, then rotate
    92          max log size = 50 ← modified
    93
    94          debug level=3 ← added
[root@localhost ~]# service smb restart
SMB サービスを停止中:                                      [  OK  ]
NMB サービスを停止中:                                      [  OK  ]
SMB サービスを起動中:                                      [  OK  ]
NMB サービスを起動中:                                      [  OK  ]
  • Check the Samba log for debug information about the client in question.
[root@localhost ~]# more /var/log/samba/ldap-client.log
[2011/04/10 21:25:14, 0] lib/util_sock.c:write_data(562)
  write_data: write failure in writing to client xxx.xxx.xxx.xxx. Error 接続が相手からリセットされました
[2011/04/10 21:25:14, 0] lib/util_sock.c:send_smb(761)
  Error writing 4 bytes to client. -1. (接続が相手からリセットされました)
[2011/04/10 21:25:14, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/04/10 21:25:14, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2011/04/10 21:25:14, 3] smbd/connection.c:yield_connection(76)
  yield_connection: tdb_delete for name  failed with error Record does not exist.
[2011/04/10 21:25:14, 3] smbd/server.c:exit_server_common(768)
  Server exit (process_smb: send_smb failed.)
[root@localhost ~]# more /var/log/samba/xxx.xxx.xxx.xxx.log
[2011/04/10 21:25:14, 3] smbd/oplock.c:init_oplocks(863)
  init_oplocks: initializing messages.
[2011/04/10 21:25:14, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(234)
  Linux kernel oplocks enabled
[2011/04/10 21:25:14, 3] smbd/process.c:process_smb(1083)
  Transaction 0 of length 72
[2011/04/10 21:25:14, 2] smbd/reply.c:reply_special(324)
  netbios connect: name1=LOCALHOST       name2=LDAP-CLIENT
[2011/04/10 21:25:14, 2] smbd/reply.c:reply_special(331)
  netbios connect: local=localhost remote=ldap-client, name type = 0
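As an added example, not code from the original post: a small Python parser for the smbd log format shown above (a `[date, level] file:function(line)` header followed by indented message lines). It pulls out the level-0 error records and the called/calling NetBIOS names from the `netbios connect` line, so the name the client asked for can be compared with the name the server is supposed to answer to. The sample log lines are constructed in the page's format; 192.0.2.10 is a documentation-range address standing in for the masked client IP.

```python
"""Parse smbd debug logs of the form shown on the page and pull out session facts.

Added example (not code from the original post). The sample lines are
constructed in the same format; 192.0.2.10 is a documentation-range
address standing in for the client IP the page masks as xxx.xxx.xxx.xxx.
"""
import re
from dataclasses import dataclass

SAMPLE_SMB_LOG = """\
[2011/04/10 21:25:14, 3] smbd/process.c:process_smb(1083)
  Transaction 0 of length 72
[2011/04/10 21:25:14, 2] smbd/reply.c:reply_special(324)
  netbios connect: name1=LOCALHOST       name2=LDAP-CLIENT
[2011/04/10 21:25:14, 2] smbd/reply.c:reply_special(331)
  netbios connect: local=localhost remote=ldap-client, name type = 0
[2011/04/10 21:25:14, 0] lib/util_sock.c:write_data(562)
  write_data: write failure in writing to client 192.0.2.10. Error Connection reset by peer
[2011/04/10 21:25:14, 0] lib/util_sock.c:send_smb(761)
  Error writing 4 bytes to client. -1. (Connection reset by peer)
[2011/04/10 21:25:14, 3] smbd/server.c:exit_server_common(768)
  Server exit (process_smb: send_smb failed.)
"""

# "[YYYY/MM/DD HH:MM:SS, level] source.c:function(line)"
HEADER_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+):(\w+)\((\d+)\)$"
)
# reply_special logs the called name as name1 and the calling name as name2.
NETBIOS_RE = re.compile(r"netbios connect: name1=(\S+)\s+name2=(\S+)")


@dataclass
class Record:
    timestamp: str
    level: int
    source: str
    function: str
    line: int
    message: str


def parse_samba_log(text):
    """Return one Record per header line, with its indented message joined on."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ts, level, source, func, lineno = m.groups()
            records.append(Record(ts, int(level), source, func, int(lineno), ""))
        elif records and line.startswith("  "):
            # message text is indented; long messages wrap onto further lines
            rec = records[-1]
            rec.message = (rec.message + " " + line.strip()).strip()
    return records


def called_names(records):
    """Return (called, calling) NetBIOS name pairs from 'netbios connect' lines."""
    return [m.groups() for r in records
            if (m := NETBIOS_RE.search(r.message))]


def session_errors(records):
    """Level-0 records are logged regardless of 'debug level': the real errors."""
    return [r.message for r in records if r.level == 0]


def check_called_name(records, configured):
    """Called names that differ from the server's configured netbios name."""
    return [n1 for n1, _ in called_names(records)
            if n1.upper() != configured.upper()]


if __name__ == "__main__":
    recs = parse_samba_log(SAMPLE_SMB_LOG)
    for called, calling in called_names(recs):
        print(f"session request: client {calling} asked for {called}")
    for msg in session_errors(recs):
        print("ERROR:", msg)
    print("unexpected called names:", check_called_name(recs, "PDC"))
```

The LDAP data dumped earlier already refers to the server as \\pdc, and the page ends up adding `netbios name = PDC` to smb.conf, so a session request for any other name (here name1=LOCALHOST) is worth noticing when a client drops the session right after the request, as in the log above.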
  • Configure LDAP log output.
[root@localhost ~]# cat -n /etc/syslog.conf
     1  # Log all kernel messages to the console.
     2  # Logging much else clutters up the screen.
     3  #kern.*                                                 /dev/console
     4
     5  # Log anything (except mail) of level info or higher.
     6  # Don't log private authentication messages!
     7  *.info;mail.none;news.none;authpriv.none;cron.none              /var/log/messages
     8
     9  # The authpriv file has restricted access.
    10  authpriv.*                                              /var/log/secure
    11
    12  # Log all the mail messages in one place.
    13  mail.*                                                  -/var/log/maillog
    14
    15
    16  # Log cron stuff
    17  cron.*                                                  /var/log/cron
    18
    19  # Everybody gets emergency messages
    20  *.emerg                                                 *
    21
    22  # Save news errors of level crit and higher in a special file.
    23  uucp,news.crit                                          /var/log/spooler
    24
    25  # Save boot messages also to boot.log
    26  local7.*                                                /var/log/boot.log
    27
    28  local4.*                                                /var/log/ldap.log ← added
    29
    30  #
    31  # INN
    32  #
    33  news.=crit                                        /var/log/news/news.crit
    34  news.=err                                         /var/log/news/news.err
    35  news.notice                                       /var/log/news/news.notice
[root@localhost ~]# service syslog restart
カーネルロガーを停止中:                                    [  OK  ]
システムロガーを停止中:                                    [  OK  ]
システムロガーを起動中:                                    [  OK  ]
カーネルロガーを起動中:                                    [  OK  ]
[root@localhost ~]# cat -n /etc/openldap/slapd.conf
   114  #loglevel       256 ← modified
   115  loglevel        289 ← added (trace=1,filter=32,stats=256)
[root@localhost ~]# service ldap restart
slapd を停止中:                                            [  OK  ]
slapd の設定ファイルをチェック中:  config file testing succeeded
                                                           [  OK  ]
slapd を起動中:                                            [  OK  ]
  • Check the LDAP log.
[root@localhost ~]# tail -f /var/log/ldap.log
Apr 10 22:28:07 localhost slapd[6831]: config_build_entry: "cn={1}cosine"
Apr 10 22:28:07 localhost slapd[6831]: config_build_entry: "cn={2}inetorgperson"
Apr 10 22:28:07 localhost slapd[6831]: config_build_entry: "cn={3}nis"
Apr 10 22:28:07 localhost slapd[6831]: config_build_entry: "cn={4}samba"
Apr 10 22:28:07 localhost slapd[6831]: config_build_entry: "olcDatabase={-1}frontend"
Apr 10 22:28:07 localhost slapd[6831]: config_build_entry: "olcDatabase={0}config"
Apr 10 22:28:07 localhost slapd[6831]: config_build_entry: "olcDatabase={1}bdb"
Apr 10 22:28:07 localhost slapd[6831]: backend_startup_one: starting "dc=pj-e,dc=com"
Apr 10 22:28:07 localhost slapd[6831]: bdb_db_open: dbenv_open(/var/lib/ldap)
Apr 10 22:28:07 localhost slapd[6831]: slapd starting

Hmm... Only the log lines from the LDAP service restart are showing up.
Does that mean the connection from Samba to LDAP isn't working in the first place??

For reference, the log when running the ldapsearch command looks like this.

[root@localhost samba]# tail -f /var/log/ldap.log
Apr 10 22:50:12 localhost slapd[3225]: slap_listener_activate(8):
Apr 10 22:50:12 localhost slapd[3225]: >>> slap_listener(ldap:///)
Apr 10 22:50:12 localhost slapd[3225]: conn=3 fd=13 ACCEPT from IP=127.0.0.1:52876 (IP=0.0.0.0:389)
Apr 10 22:50:12 localhost slapd[3225]: connection_get(13): got connid=3
Apr 10 22:50:12 localhost slapd[3225]: connection_read(13): checking for input on id=3
Apr 10 22:50:12 localhost slapd[3225]: do_bind
Apr 10 22:50:12 localhost slapd[3225]: >>> dnPrettyNormal: <>
Apr 10 22:50:12 localhost slapd[3225]: <<< dnPrettyNormal: <>, <>
Apr 10 22:50:12 localhost slapd[3225]: do_bind: version=3 dn="" method=128
Apr 10 22:50:12 localhost slapd[3225]: conn=3 op=0 BIND dn="" method=128
Apr 10 22:50:12 localhost slapd[3225]: send_ldap_result: conn=3 op=0 p=3
Apr 10 22:50:12 localhost slapd[3225]: send_ldap_response: msgid=1 tag=97 err=0
Apr 10 22:50:12 localhost slapd[3225]: conn=3 op=0 RESULT tag=97 err=0 text=
Apr 10 22:50:12 localhost slapd[3225]: do_bind: v3 anonymous bind
Apr 10 22:50:12 localhost slapd[3225]: connection_get(13): got connid=3
Apr 10 22:50:12 localhost slapd[3225]: connection_read(13): checking for input on id=3

…

Apr 10 22:50:13 localhost slapd[3225]: connection_closing: readying conn=3 sd=13 for close
Apr 10 22:50:13 localhost slapd[3225]: connection_close: deferring conn=3 sd=-1
Apr 10 22:50:13 localhost slapd[3225]: do_unbind
Apr 10 22:50:13 localhost slapd[3225]: conn=3 op=2 UNBIND
Apr 10 22:50:13 localhost slapd[3225]: connection_resched: attempting closing conn=3 sd=13
Apr 10 22:50:13 localhost slapd[3225]: connection_close: deferring conn=3 sd=-1
Apr 10 22:50:13 localhost slapd[3225]: connection_resched: attempting closing conn=3 sd=13
Apr 10 22:50:13 localhost slapd[3225]: connection_close: conn=3 sd=-1
Apr 10 22:50:13 localhost slapd[3225]: conn=3 fd=13 closed
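An added example, not from the original post, covering the slapd logging set up above. `decode_loglevel` expands a slapd.conf loglevel value into its named bits (the page's 289 is trace + filter + stats, per slapd.conf(5)); `track_connections` parses the stats-level lines (`conn=N ... ACCEPT / BIND / RESULT / SRCH / UNBIND / closed`) into one record per connection, which is what tells you whether a client such as smbd ever reached slapd and, if so, whether it bound anonymously or with a DN and whether that bind succeeded. The sample log lines are constructed in the format shown above; the dc=example,dc=com suffix and the manager DN are placeholders, and err=49 is LDAP invalidCredentials.

```python
"""Decode the slapd loglevel bitmask and summarise stats-level connection logs.

Added example (not from the original post). Sample log lines are constructed
in the syslog format shown on the page; the dc=example,dc=com suffix and
the manager DN are placeholders.
"""
import re

# Bit values from slapd.conf(5). The page sets loglevel 289 = trace+filter+stats.
LOGLEVEL_BITS = {
    1: "trace", 2: "packets", 4: "args", 8: "conns", 16: "BER", 32: "filter",
    64: "config", 128: "ACL", 256: "stats", 512: "stats2", 1024: "shell",
    2048: "parse",
}


def decode_loglevel(value):
    """Return the names of the loglevel bits set in `value`, lowest bit first."""
    return [name for bit, name in sorted(LOGLEVEL_BITS.items()) if value & bit]


# Constructed sample: one anonymous search session and one failed manager bind.
SAMPLE_SLAPD_LOG = """\
Apr 10 22:50:12 localhost slapd[3225]: conn=3 fd=13 ACCEPT from IP=127.0.0.1:52876 (IP=0.0.0.0:389)
Apr 10 22:50:12 localhost slapd[3225]: connection_get(13): got connid=3
Apr 10 22:50:12 localhost slapd[3225]: conn=3 op=0 BIND dn="" method=128
Apr 10 22:50:12 localhost slapd[3225]: conn=3 op=0 RESULT tag=97 err=0 text=
Apr 10 22:50:12 localhost slapd[3225]: conn=3 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Apr 10 22:50:13 localhost slapd[3225]: conn=3 op=2 UNBIND
Apr 10 22:50:13 localhost slapd[3225]: conn=3 fd=13 closed
Apr 10 22:51:00 localhost slapd[3225]: conn=4 fd=14 ACCEPT from IP=127.0.0.1:52880 (IP=0.0.0.0:389)
Apr 10 22:51:00 localhost slapd[3225]: conn=4 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Apr 10 22:51:00 localhost slapd[3225]: conn=4 op=0 RESULT tag=97 err=49 text=
"""

# Stats lines: "conn=N" then either "op=M" or "fd=F", then the operation keyword.
STATS_RE = re.compile(
    r"slapd\[\d+\]: conn=(\d+) (?:op=(\d+) |fd=(\d+) )?(\w+)(?: (.*))?$"
)


def track_connections(text):
    """Return {conn_id: {peer, bind_dn, bind_err, closed, ops}} from stats lines.

    Trace-level lines (no 'conn=N' prefix) are ignored, so the function works
    on the mixed loglevel 289 output as well as on plain stats logs.
    """
    conns = {}
    for line in text.splitlines():
        m = STATS_RE.search(line)
        if not m:
            continue
        cid, op, _fd, verb, rest = m.groups()
        c = conns.setdefault(cid, {"peer": None, "bind_dn": None, "bind_op": None,
                                   "bind_err": None, "closed": False, "ops": []})
        rest = rest or ""
        if verb == "ACCEPT":
            pm = re.search(r"from IP=(\S+)", rest)
            c["peer"] = pm.group(1) if pm else None
        elif verb == "BIND":
            dm = re.search(r'dn="([^"]*)"', rest)
            c["bind_dn"] = dm.group(1) if dm else None
            c["bind_op"] = op
        elif verb == "RESULT" and op == c["bind_op"]:
            # the RESULT carrying the bind's op number is the bind outcome
            em = re.search(r"err=(\d+)", rest)
            c["bind_err"] = int(em.group(1)) if em else None
        elif verb == "closed":
            c["closed"] = True
        if op is not None and verb != "RESULT":
            c["ops"].append(verb)
    return conns


def anonymous_binds(conns):
    """Connection ids that bound with an empty DN and were accepted."""
    return sorted(cid for cid, c in conns.items()
                  if c["bind_dn"] == "" and c["bind_err"] == 0)


def failed_binds(conns):
    """Connection ids whose named bind came back with a non-zero error."""
    return sorted(cid for cid, c in conns.items()
                  if c["bind_dn"] and c["bind_err"] not in (None, 0))


if __name__ == "__main__":
    print("loglevel 289 =", "+".join(decode_loglevel(289)))
    conns = track_connections(SAMPLE_SLAPD_LOG)
    for cid, c in conns.items():
        print(f"conn={cid} from {c['peer']} bind_dn={c['bind_dn']!r} "
              f"err={c['bind_err']} ops={c['ops']} closed={c['closed']}")
    print("anonymous binds:", anonymous_binds(conns))
    print("failed binds:", failed_binds(conns))
```

With stats logging on, the absence of any `conn=N` line for the Samba host is exactly the symptom seen above (only the restart lines appear), while the presence of an accepted empty-DN bind is the thing to watch for alongside the ACL note on the ldapsearch dump.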

So Samba's user account management command does reach the LDAP server.

[root@localhost ~]# pdbedit -L -v
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=PROJECT-E))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=PROJECT-E))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
ldapsam_setsampwent: 3 entries in the base dc=pj-e,dc=com
init_sam_from_ldap: Entry found for user: Administrator
---------------
Unix username:        Administrator
NT username:          Administrator
Account Flags:        [U          ]
User SID:             S-1-5-21-4169934945-3125951227-79960791-500
Primary Group SID:    S-1-5-21-4169934945-3125951227-79960791-513
Full Name:            Administrator
Home Directory:       \\pdc\Administrator
HomeDir Drive:        H:
Logon Script:
Profile Path:         \\pdc\profiles\Administrator
Domain:               PROJECT-E
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          火, 19  1月 2038 12:14:07 JST
Kickoff time:         火, 19  1月 2038 12:14:07 JST
Password last set:    土, 09  4月 2011 13:58:21 JST
Password can change:  土, 09  4月 2011 13:58:21 JST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
init_sam_from_ldap: Entry found for user: guest
---------------
Unix username:        guest
NT username:          guest
Account Flags:        [NDU        ]
User SID:             S-1-5-21-4169934945-3125951227-79960791-2998
init_group_from_ldap: Entry found for group: 514
init_group_from_ldap: Entry found for group: 514
Primary Group SID:    S-1-5-21-4169934945-3125951227-79960791-514
Full Name:            guest
Home Directory:       \\pdc\guest
HomeDir Drive:        H:
Logon Script:
Profile Path:         \\pdc\profiles\guest
Domain:               PROJECT-E
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          火, 19  1月 2038 12:14:07 JST
Kickoff time:         火, 19  1月 2038 12:14:07 JST
Password last set:    0
Password can change:  0
Password must change: 0
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
init_sam_from_ldap: Entry found for user: r_akagi
---------------
Unix username:        r_akagi
NT username:          r_akagi
Account Flags:        [U          ]
User SID:             S-1-5-21-4169934945-3125951227-79960791-3000
init_group_from_ldap: Entry found for group: 513
init_group_from_ldap: Entry found for group: 513
Primary Group SID:    S-1-5-21-4169934945-3125951227-79960791-513
Full Name:            r_akagi
Home Directory:       \\pdc\r_akagi
HomeDir Drive:        H:
Logon Script:
Profile Path:         \\pdc\profiles\r_akagi
Domain:               PROJECT-E
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          火, 19  1月 2038 12:14:07 JST
Kickoff time:         火, 19  1月 2038 12:14:07 JST
Password last set:    土, 09  4月 2011 13:21:36 JST
Password can change:  土, 09  4月 2011 13:21:36 JST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

So this means the LDAP/Samba integration really is working after all.
Which means the problem must be in the communication between Windows XP and the server (the Samba service)!?

  • Check which config files the smbldap-tools configure script rewrites.
writing new configuration file:
  /etc/smbldap-tools/smbldap.conf done.
  /etc/smbldap-tools/smbldap_bind.conf done.

/etc/samba/smb.conf is not among them.
Which means the netbios name was never changed...

  • Fix /etc/samba/smb.conf.
    78  ;       netbios name = MYSERVER
    79          netbios name = PDC ← added

According to the handouts and the explanation from the training course, it wouldn't work unless the netbios name was set properly with smbldap-tools, but the punchline is that /etc/samba/smb.conf had never been auto-configured in the first place.


Confirmed that after this change the Windows XP machine can join the domain.
That wraps up the troubleshooting.