Tools needed to troubleshoot a workstation joining DSfW Domain

  • 7009601
  • 19-Oct-2011
  • 31-Jul-2014

Environment

Open Enterprise Server 11 SP2 (OES11SP2)
Open Enterprise Server 11 SP1 (OES11SP1)
Open Enterprise Server 11 (OES11)
Open Enterprise Server 2 SP3 (OES2SP3)
Domain Services for Windows
DSfW

Situation

What tools and logs do I need to troubleshoot a workstation that is unable to join a DSfW domain?

Resolution

Packet Trace (tcpdump or wireshark)
The /var/opt/novell/eDirectory/log/ndstrace.log
The /var/log/log.smbd (samba log) with debug enabled
The /var/log/messages
The /var/opt/novell/xad/log/kdc.log
Turn off secure channel encryption
Clear the workstation log if it exists: %windir%\debug\netsetup.log
Provide the following: 
Workstation IP Address
Workstation Name
DSfW IP Address
User Name
 
Packet Trace
Use tcpdump or wireshark to take a packet trace from the DSfW server.  A packet trace from the workstation might also be necessary.
tcpdump -n -v -i <interface> -s0 -w /<path>/<name_of_lan_trace>.cap
Press Ctrl+C to stop the trace.
To find the interface, use ifconfig.  It shows the interfaces and their IP addresses.  Usually the interface is eth0 or eth1.
If there is only one IP address bound on the server, another option is -i any.  Using any will listen on all interfaces.
When using tcpdump between a server and a workstation on the same network, a filter can help limit the capture to the relevant traffic.
In this example, the workstation's IP address is 192.168.100.200, the server's interface is any, and the output is written to /tmp/wk_join_dsfw.cap:
Example:
tcpdump -n -v -s0 -i any 'host 192.168.100.200' -w /tmp/wk_join_dsfw.cap

LDAP Trace
See TID 7009602 for more information on taking LDAP/NMAS traces.

Start by setting the LDAP screen level to "all" or to "Operation| Connection| Config| Extensions| Error| Critical| DataConnection"
If the screen level is not set, use the ldapconfig -s command to set it.
ldapconfig -s "ldap screen level=all" -a admin.novell

Then start ndstrace
ndstrace  #brings up the ndstrace utility

set dstrace = nodebug  #Clear the filter

dstrace NMAS LDAP TIME TAGS AUTH   #Enable the LDAP, NMAS, TIME, TAGS, and AUTH. 
Start with the filter options above.  They will provide most of the information needed for LDAP and NMAS.
Other flags that might be helpful are VCLN, RSLV, DBG, CBUF, ABUF, RECM, and MISC.

set ndstrace = *r   #Clear the log or rename the /var/opt/novell/eDirectory/log/ndstrace.log

ndstrace on   #Start the logging and execute your command or task

set ndstrace = off   #This will stop logging

quit  #Exit ndstrace

You might want to increase the ndstrace.log file max size.  The command to set the file max size is:
ndstrace fmax=10000000

To configure ndstrace.log log rotation, read TID 7010885.


Enable samba debug
To enable smb debug, open /etc/samba/smb.conf and add log level = 10 at the end of the [global] section, or from the terminal type smbcontrol smbd debug "10"
Restart of smbd or the other DSfW services is not needed.
 
Turn off secure channel encryption:
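A registry change is required to disable netlogon channel encryption. Change RequireSignOrSeal from 1 to 0. Set the value back to 1 once the traces have been collected, so the workstation again requires its secure channel traffic to be signed or sealed.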
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters REG_DWORD  RequireSignOrSeal = 0 (Channel traffic need not be signed or sealed)
 
Attempt to join the workstation to the domain.
Gather the /var/log/samba/log.smb, the /etc/samba/smb.conf, the /var/opt/novell/xad/log/kdc.log, the /var/log/messages,
%windir%\debug\netsetup.log, and the packet trace.
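
The capture and gather steps above can be scripted on the DSfW server. The following is an added example, not part of the original TID and not the ndsPacketTrace script; the function names capture_cmd and collect_logs and the ROOT argument are hypothetical. It lists every server-side path this document names and reports which of them are absent.

```shell
#!/bin/sh
# Added example, not the ndsPacketTrace script. capture_cmd, collect_logs and
# the ROOT argument are hypothetical names chosen for this illustration.

# Server-side paths exactly as this document names them.
DSFW_LOGS="/var/opt/novell/eDirectory/log/ndstrace.log
/var/log/log.smbd
/var/log/samba/log.smb
/etc/samba/smb.conf
/var/opt/novell/xad/log/kdc.log
/var/log/messages"

# Print the tcpdump command for one workstation. Anything that is not a
# dotted-quad IPv4 address is rejected so it cannot alter the capture filter.
# The body is a subshell, so "exit" and the IFS change stay local.
capture_cmd() (
    ip=$1 out=$2
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.
    set -- $ip
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        case $octet in ????*) exit 1 ;; esac
        [ "$octet" -le 255 ] || exit 1
    done
    printf "tcpdump -n -v -s0 -i any 'host %s' -w %s\n" "$ip" "$out"
)

# Copy each listed file found under ROOT (pass "" on the live server) into
# DEST with its directory layout, record absent ones in DEST/MISSING.txt and
# print how many were absent. umask 077 keeps the new directories private:
# level 10 samba logs and smb.conf should not be world-readable.
collect_logs() (
    root=$1 dest=$2 missing=0
    umask 077
    mkdir -p "$dest" || exit 1
    : > "$dest/MISSING.txt"
    for f in $DSFW_LOGS; do
        if [ -r "$root$f" ]; then
            mkdir -p "$dest$(dirname "$f")" && cp -p "$root$f" "$dest$f"
        else
            echo "$f" >> "$dest/MISSING.txt"
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
)

# Usage on the DSfW server:
#   capture_cmd 192.168.100.200 /tmp/wk_join_dsfw.cap
#   collect_logs "" /tmp/dsfw_join_logs
```

The workstation's %windir%\debug\netsetup.log and the packet trace file still have to be added to the collected set by hand.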

Additional Information

To easily take the LDAP and packet traces along with enabling samba debug, use the ndsPacketTrace script from Cool Solutions.