13_Troubleshooting between Windows XP and the LDAP/Samba-integrated server
It looks like Windows XP and the LDAP/Samba-integrated server are not talking to each other properly, so let's troubleshoot.
- Display all objects in LDAP.
[root@localhost ~]# ldapsearch -x -h localhost
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# pj-e.com
dn: dc=pj-e,dc=com
objectClass: dcObject
objectClass: organization
o: pj-e
dc: pj-e

# Users, pj-e.com
dn: ou=Users,dc=pj-e,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Users

# Groups, pj-e.com
dn: ou=Groups,dc=pj-e,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups

# Computers, pj-e.com
dn: ou=Computers,dc=pj-e,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Computers

# Idmap, pj-e.com
dn: ou=Idmap,dc=pj-e,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Idmap

# Administrator, Users, pj-e.com
dn: uid=Administrator,ou=Users,dc=pj-e,dc=com
cn: Administrator
sn: Administrator
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: Administrator
uidNumber: 0
homeDirectory: /home/Administrator
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\pdc\Administrator
sambaHomeDrive: H:
sambaProfilePath: \\pdc\profiles\Administrator
sambaPrimaryGroupSID: S-1-5-21-4169934945-3125951227-79960791-512
sambaSID: S-1-5-21-4169934945-3125951227-79960791-500
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: 35268FB16788CF76E3FDE35124FF2AD4
sambaAcctFlags: [U]
sambaNTPassword: 8DCA8D0BDD3434DA182CB881197F7359
sambaPwdLastSet: 1302325101
sambaPwdMustChange: 1306213101
userPassword:: e1NTSEF9N2tPcjVHeDlqN0QxamRNcEwxd1lpNnlMcjU1cVozRmE=
shadowLastChange: 15073
shadowMax: 45

# guest, Users, pj-e.com
dn: uid=guest,ou=Users,dc=pj-e,dc=com
cn: guest
sn: guest
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 514
uid: guest
uidNumber: 999
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\pdc\guest
sambaHomeDrive: H:
sambaProfilePath: \\pdc\profiles\guest
sambaPrimaryGroupSID: S-1-5-21-4169934945-3125951227-79960791-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NUD ]
sambaSID: S-1-5-21-4169934945-3125951227-79960791-2998
loginShell: /bin/false

# Domain Admins, Groups, pj-e.com
dn: cn=Domain Admins,ou=Groups,dc=pj-e,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: Administrator
description: Netbios Domain Administrators
sambaSID: S-1-5-21-4169934945-3125951227-79960791-512
sambaGroupType: 2
displayName: Domain Admins

# Domain Users, Groups, pj-e.com
dn: cn=Domain Users,ou=Groups,dc=pj-e,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-4169934945-3125951227-79960791-513
sambaGroupType: 2
displayName: Domain Users

# Domain Guests, Groups, pj-e.com
dn: cn=Domain Guests,ou=Groups,dc=pj-e,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-4169934945-3125951227-79960791-514
sambaGroupType: 2
displayName: Domain Guests

# Domain Computers, Groups, pj-e.com
dn: cn=Domain Computers,ou=Groups,dc=pj-e,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-4169934945-3125951227-79960791-515
sambaGroupType: 2
displayName: Domain Computers

# Administrators, Groups, pj-e.com
dn: cn=Administrators,ou=Groups,dc=pj-e,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators

# Account Operators, Groups, pj-e.com
dn: cn=Account Operators,ou=Groups,dc=pj-e,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 5
displayName: Account Operators

# Print Operators, Groups, pj-e.com
dn: cn=Print Operators,ou=Groups,dc=pj-e,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators

# Backup Operators, Groups, pj-e.com
dn: cn=Backup Operators,ou=Groups,dc=pj-e,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators

# Replicators, Groups, pj-e.com
dn: cn=Replicators,ou=Groups,dc=pj-e,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators

# PROJECT-E, pj-e.com
dn: sambaDomainName=PROJECT-E,dc=pj-e,dc=com
gidNumber: 1000
uidNumber: 1000
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaSID: S-1-5-21-4169934945-3125951227-79960791
sambaNextRid: 1000
sambaDomainName: PROJECT-E
sambaPwdHistoryLength: 0
sambaMaxPwdAge: -1
sambaRefuseMachinePwdChange: 0

# r_akagi, Users, pj-e.com
dn: uid=r_akagi,ou=Users,dc=pj-e,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: r_akagi
sn: r_akagi
givenName: r_akagi
uid: r_akagi
uidNumber: 1000
gidNumber: 513
homeDirectory: /home/r_akagi
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: r_akagi
sambaSID: S-1-5-21-4169934945-3125951227-79960791-3000
sambaPrimaryGroupSID: S-1-5-21-4169934945-3125951227-79960791-513
sambaProfilePath: \\pdc\profiles\r_akagi
sambaHomePath: \\pdc\r_akagi
sambaHomeDrive: H:
sambaLMPassword: 3BBB9BA23FA0C13CAAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: CDFFA7186153AFD3656B6FB37E994005
sambaPwdLastSet: 1302322896
sambaPwdMustChange: 1306210896
userPassword:: e1NTSEF9YjZ3Vmt6Y1E5NUF0T05tb2dJelBMTVpza2lBNFRsSnM=
shadowLastChange: 15073
shadowMax: 45

# ldap-client$, Computers, pj-e.com
dn: uid=ldap-client$,ou=Computers,dc=pj-e,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
cn: ldap-client$
uid: ldap-client$
uidNumber: 1001
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer

# search result
search: 2
result: 0 Success

# numResponses: 20
# numEntries: 19
So the LDAP DB is not empty, then.
- Configure Samba log output and restart the service.
[root@localhost ~]# cat -n /etc/samba/smb.conf
    83	# --------------------------- Logging Options -----------------------------
    84	#
    85	# Log File let you specify where to put logs and how to split them up.
    86	#
    87	# Max Log Size let you specify the max size log files should reach
    88	
    89	# logs split per machine
    90	log file = /var/log/samba/%m.log ← modified
    91	# max 50KB per log file, then rotate
    92	max log size = 50 ← modified
    93	
    94	debug level=3 ← added
[root@localhost ~]# service smb restart
SMB サービスを停止中: [ OK ]
NMB サービスを停止中: [ OK ]
SMB サービスを起動中: [ OK ]
NMB サービスを起動中: [ OK ]
- Check the debug information about the client in question in the Samba logs.
[root@localhost ~]# more /var/log/samba/ldap-client.log
[2011/04/10 21:25:14, 0] lib/util_sock.c:write_data(562)
  write_data: write failure in writing to client xxx.xxx.xxx.xxx. Error 接続が相手からリセットされました
[2011/04/10 21:25:14, 0] lib/util_sock.c:send_smb(761)
  Error writing 4 bytes to client. -1. (接続が相手からリセットされました)
[2011/04/10 21:25:14, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/04/10 21:25:14, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2011/04/10 21:25:14, 3] smbd/connection.c:yield_connection(76)
  yield_connection: tdb_delete for name failed with error Record does not exist.
[2011/04/10 21:25:14, 3] smbd/server.c:exit_server_common(768)
  Server exit (process_smb: send_smb failed.)
[root@localhost ~]# more /var/log/samba/xxx.xxx.xxx.xxx.log
[2011/04/10 21:25:14, 3] smbd/oplock.c:init_oplocks(863)
  init_oplocks: initializing messages.
[2011/04/10 21:25:14, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(234)
  Linux kernel oplocks enabled
[2011/04/10 21:25:14, 3] smbd/process.c:process_smb(1083)
  Transaction 0 of length 72
[2011/04/10 21:25:14, 2] smbd/reply.c:reply_special(324)
  netbios connect: name1=LOCALHOST name2=LDAP-CLIENT
[2011/04/10 21:25:14, 2] smbd/reply.c:reply_special(331)
  netbios connect: local=localhost remote=ldap-client, name type = 0
- Configure LDAP log output.
[root@localhost ~]# cat -n /etc/syslog.conf
     1	# Log all kernel messages to the console.
     2	# Logging much else clutters up the screen.
     3	#kern.*                                                 /dev/console
     4	
     5	# Log anything (except mail) of level info or higher.
     6	# Don't log private authentication messages!
     7	*.info;mail.none;news.none;authpriv.none;cron.none      /var/log/messages
     8	
     9	# The authpriv file has restricted access.
    10	authpriv.*                                              /var/log/secure
    11	
    12	# Log all the mail messages in one place.
    13	mail.*                                                  -/var/log/maillog
    14	
    15	
    16	# Log cron stuff
    17	cron.*                                                  /var/log/cron
    18	
    19	# Everybody gets emergency messages
    20	*.emerg                                                 *
    21	
    22	# Save news errors of level crit and higher in a special file.
    23	uucp,news.crit                                          /var/log/spooler
    24	
    25	# Save boot messages also to boot.log
    26	local7.*                                                /var/log/boot.log
    27	
    28	local4.*                                                /var/log/ldap.log ← added
    29	
    30	#
    31	# INN
    32	#
    33	news.=crit                                              /var/log/news/news.crit
    34	news.=err                                               /var/log/news/news.err
    35	news.notice                                             /var/log/news/news.notice
[root@localhost ~]# service syslog restart
カーネルロガーを停止中: [ OK ]
システムロガーを停止中: [ OK ]
システムロガーを起動中: [ OK ]
カーネルロガーを起動中: [ OK ]
[root@localhost ~]# cat -n /etc/openldap/slapd.conf
   114	#loglevel 256 ← modified (commented out)
   115	loglevel 289 ← added (trace=1, filter=32, stats=256)
[root@localhost ~]# service ldap restart
slapd を停止中: [ OK ]
slapd の設定ファイルをチェック中: config file testing succeeded [ OK ]
slapd を起動中: [ OK ]
- Check the LDAP log.
[root@localhost ~]# tail -f /var/log/ldap.log
Apr 10 22:28:07 localhost slapd[6831]: config_build_entry: "cn={1}cosine"
Apr 10 22:28:07 localhost slapd[6831]: config_build_entry: "cn={2}inetorgperson"
Apr 10 22:28:07 localhost slapd[6831]: config_build_entry: "cn={3}nis"
Apr 10 22:28:07 localhost slapd[6831]: config_build_entry: "cn={4}samba"
Apr 10 22:28:07 localhost slapd[6831]: config_build_entry: "olcDatabase={-1}frontend"
Apr 10 22:28:07 localhost slapd[6831]: config_build_entry: "olcDatabase={0}config"
Apr 10 22:28:07 localhost slapd[6831]: config_build_entry: "olcDatabase={1}bdb"
Apr 10 22:28:07 localhost slapd[6831]: backend_startup_one: starting "dc=pj-e,dc=com"
Apr 10 22:28:07 localhost slapd[6831]: bdb_db_open: dbenv_open(/var/lib/ldap)
Apr 10 22:28:07 localhost slapd[6831]: slapd starting
Hmm... only the log lines from the LDAP service restart are being output.
Does that mean the connection from Samba to LDAP isn't working in the first place??
For reference, the log from running the ldapsearch command looks like this.
[root@localhost samba]# tail -f /var/log/ldap.log
Apr 10 22:50:12 localhost slapd[3225]: slap_listener_activate(8):
Apr 10 22:50:12 localhost slapd[3225]: >>> slap_listener(ldap:///)
Apr 10 22:50:12 localhost slapd[3225]: conn=3 fd=13 ACCEPT from IP=127.0.0.1:52876 (IP=0.0.0.0:389)
Apr 10 22:50:12 localhost slapd[3225]: connection_get(13): got connid=3
Apr 10 22:50:12 localhost slapd[3225]: connection_read(13): checking for input on id=3
Apr 10 22:50:12 localhost slapd[3225]: do_bind
Apr 10 22:50:12 localhost slapd[3225]: >>> dnPrettyNormal: <>
Apr 10 22:50:12 localhost slapd[3225]: <<< dnPrettyNormal: <>, <>
Apr 10 22:50:12 localhost slapd[3225]: do_bind: version=3 dn="" method=128
Apr 10 22:50:12 localhost slapd[3225]: conn=3 op=0 BIND dn="" method=128
Apr 10 22:50:12 localhost slapd[3225]: send_ldap_result: conn=3 op=0 p=3
Apr 10 22:50:12 localhost slapd[3225]: send_ldap_response: msgid=1 tag=97 err=0
Apr 10 22:50:12 localhost slapd[3225]: conn=3 op=0 RESULT tag=97 err=0 text=
Apr 10 22:50:12 localhost slapd[3225]: do_bind: v3 anonymous bind
Apr 10 22:50:12 localhost slapd[3225]: connection_get(13): got connid=3
Apr 10 22:50:12 localhost slapd[3225]: connection_read(13): checking for input on id=3
…
Apr 10 22:50:13 localhost slapd[3225]: connection_closing: readying conn=3 sd=13 for close
Apr 10 22:50:13 localhost slapd[3225]: connection_close: deferring conn=3 sd=-1
Apr 10 22:50:13 localhost slapd[3225]: do_unbind
Apr 10 22:50:13 localhost slapd[3225]: conn=3 op=2 UNBIND
Apr 10 22:50:13 localhost slapd[3225]: connection_resched: attempting closing conn=3 sd=13
Apr 10 22:50:13 localhost slapd[3225]: connection_close: deferring conn=3 sd=-1
Apr 10 22:50:13 localhost slapd[3225]: connection_resched: attempting closing conn=3 sd=13
Apr 10 22:50:13 localhost slapd[3225]: connection_close: conn=3 sd=-1
Apr 10 22:50:13 localhost slapd[3225]: conn=3 fd=13 closed
So Samba's user account management command does access the LDAP server.
[root@localhost ~]# pdbedit -L -v
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=PROJECT-E))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=PROJECT-E))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
ldapsam_setsampwent: 3 entries in the base dc=pj-e,dc=com
init_sam_from_ldap: Entry found for user: Administrator
---------------
Unix username:        Administrator
NT username:          Administrator
Account Flags:        [U          ]
User SID:             S-1-5-21-4169934945-3125951227-79960791-500
Primary Group SID:    S-1-5-21-4169934945-3125951227-79960791-513
Full Name:            Administrator
Home Directory:       \\pdc\Administrator
HomeDir Drive:        H:
Logon Script:
Profile Path:         \\pdc\profiles\Administrator
Domain:               PROJECT-E
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          火, 19 1月 2038 12:14:07 JST
Kickoff time:         火, 19 1月 2038 12:14:07 JST
Password last set:    土, 09 4月 2011 13:58:21 JST
Password can change:  土, 09 4月 2011 13:58:21 JST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
init_sam_from_ldap: Entry found for user: guest
---------------
Unix username:        guest
NT username:          guest
Account Flags:        [NDU        ]
User SID:             S-1-5-21-4169934945-3125951227-79960791-2998
init_group_from_ldap: Entry found for group: 514
init_group_from_ldap: Entry found for group: 514
Primary Group SID:    S-1-5-21-4169934945-3125951227-79960791-514
Full Name:            guest
Home Directory:       \\pdc\guest
HomeDir Drive:        H:
Logon Script:
Profile Path:         \\pdc\profiles\guest
Domain:               PROJECT-E
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          火, 19 1月 2038 12:14:07 JST
Kickoff time:         火, 19 1月 2038 12:14:07 JST
Password last set:    0
Password can change:  0
Password must change: 0
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
init_sam_from_ldap: Entry found for user: r_akagi
---------------
Unix username:        r_akagi
NT username:          r_akagi
Account Flags:        [U          ]
User SID:             S-1-5-21-4169934945-3125951227-79960791-3000
init_group_from_ldap: Entry found for group: 513
init_group_from_ldap: Entry found for group: 513
Primary Group SID:    S-1-5-21-4169934945-3125951227-79960791-513
Full Name:            r_akagi
Home Directory:       \\pdc\r_akagi
HomeDir Drive:        H:
Logon Script:
Profile Path:         \\pdc\profiles\r_akagi
Domain:               PROJECT-E
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          火, 19 1月 2038 12:14:07 JST
Kickoff time:         火, 19 1月 2038 12:14:07 JST
Password last set:    土, 09 4月 2011 13:21:36 JST
Password can change:  土, 09 4月 2011 13:21:36 JST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
So that means the LDAP/Samba integration is actually working fine after all.
Which means the problem is in the communication between Windows XP and the server (the Samba service)!?
- Check which config files smbldap-tools' configure script rewrites.
writing new configuration file: /etc/smbldap-tools/smbldap.conf done.
/etc/smbldap-tools/smbldap_bind.conf done.
/etc/samba/smb.conf is not among them.
In other words, the netbios name was never changed...
- Fix /etc/samba/smb.conf.
    78	; netbios name = MYSERVER
    79	netbios name = PDC ← added
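The mismatch found above (LDAP entries carrying \\pdc\... paths while smb.conf still had netbios name commented out with ";") is easy to catch mechanically. The script below is an added example written for this page, not the author's or the Samba project's code; it parses a constructed smb.conf fragment and a constructed LDIF excerpt shaped like the page's ldapsearch output, and reports when the UNC hosts in sambaHomePath/sambaProfilePath do not match the effective netbios name.

```python
import re

# Constructed smb.conf fragments modelled on the page: in the broken one the
# "netbios name" line is still a ";" comment, the fixed one adds the real line.
SMB_CONF_BROKEN = """\
[global]
; netbios name = MYSERVER
workgroup = PROJECT-E
"""
SMB_CONF_FIXED = SMB_CONF_BROKEN + "netbios name = PDC\n"
# Constructed LDIF excerpt in the shape of the page's ldapsearch output.
LDIF_SAMPLE = """\
dn: uid=r_akagi,ou=Users,dc=pj-e,dc=com
sambaProfilePath: \\\\pdc\\profiles\\r_akagi
sambaHomePath: \\\\pdc\\r_akagi
sambaHomeDrive: H:
"""

def netbios_name(conf_text):
    """Effective 'netbios name' from smb.conf text, or None if unset ('#'/';' lines are comments)."""
    name = None
    for line in conf_text.splitlines():
        s = line.strip()
        if not s or s[0] in "#;":
            continue
        m = re.match(r"netbios\s+name\s*=\s*(\S+)", s, re.IGNORECASE)
        if m:
            name = m.group(1)  # last assignment wins, as in smb.conf
    return name

def unc_hosts(ldif_text):
    """Server part of every UNC path in sambaHomePath/sambaProfilePath attributes."""
    hosts = set()
    for line in ldif_text.splitlines():
        m = re.match(r"(sambaHomePath|sambaProfilePath):\s*\\\\([^\\]+)\\", line)
        if m:
            hosts.add(m.group(2).upper())  # NetBIOS names are case-insensitive
    return hosts

def check(conf_text, ldif_text):
    """List of mismatch messages; an empty list means both sides agree."""
    name = netbios_name(conf_text)
    hosts = unc_hosts(ldif_text)
    if name is None:
        return [f"netbios name unset in smb.conf; LDAP paths expect {sorted(hosts)}"]
    return [f"LDAP path host {h} != netbios name {name.upper()}"
            for h in sorted(hosts) if h != name.upper()]
```

On a real server, feed it `cat /etc/samba/smb.conf` and the output of `ldapsearch -x -h localhost` to get the same verdict the page reached by hand.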
According to the handout and the explanation from the training course, nothing works unless the netbios name is set properly through smbldap-tools; the punchline is that /etc/samba/smb.conf was never auto-configured in the first place.
Confirmed that after this change the Windows XP machine could join the domain.
That concludes the troubleshooting.