Environment
Samba
Situation
NOTE: As with all installation and setup issues, please patch your server to the latest code. Constant improvements are being made to the software. For instance, some of the issues/errors in this TID are non-issues with OES 2 SP 1. (This TID was originally authored during OES 2 before any support pack releases).
Resolution
- Errors While Trying To Manage Samba With iManager
- Missing or Incorrect Shares and/or Incorrect Domain/Workgroup Name
- Various Failures And/Or Errors After Patching The Server
- Gotchas When Cluster-Enabling Samba On NSS
Errors While Trying To Samba-enable Users With iManager
Fix: Under Investigation
Fix: After checking to make sure that the domain object really resides in the tree, check the following:
- Make sure that the group is LUM enabled and that it is associated with the Linux workstation object.
- Make sure that the users you are trying to Samba-enable are at the same level, or below the level, of the container that contains the Samba domain object (this is a requirement).
Fix: The UID being referred to here is not likely dealing with the GID of the group in eDirectory. Rather, it is referring to the Domain/Local SID. Try to list the SID with 'net getlocalsid' or 'net getdomainsid'. If it is missing, try to set one manually with 'net setlocalsid S-1-5-21-50262416-1819788181-674066204'. The SID shown here is just an example. If there is a Windows Domain Controller in the environment, find out what the SID is and set it to what Windows says. If the command doesn't set the SID, the Samba packages may be corrupt. Either remove and reinstall the Samba packages (which may require a reconfiguration of Samba after reinstall), or force an update of the packages. Then try to list the SID again. This should work at this point. Note that there are local SIDs and domain SIDs. Use whichever is appropriate for your environment. See the man page for net for more details (i.e., man net).
Fix: As per the documentation, the user must be assigned to a Samba-compliant password policy and have a universal password set before the user can be Samba-enabled.
Error: <UserName>: Could not Samba enable the user for group, <ServerName>-W-SambaUserGroup. Could not Linux enable users in group, <ServerName>-W-SambaUserGroup. Error: Could not get the primary LUM Group ID.
Fix: If a user belongs to a group that is not LUM-enabled (Linux User Management), this error will be displayed while trying to Samba-enable the user. Either the non-LUM-enabled groups need to be removed from the user's group membership, or every group the user belongs to needs to be LUM-enabled.
Error: <UserName>: Could not Samba enable the user for group, <ServerName>-W-SambaUserGroup. Could not Linux enable users in group, <ServerName>-W-SambaUserGroup. Error: (Error -609) One or more of the mandatory properties for the object being created is missing.
Fix: Some older eDirectory trees may have user objects that are missing some required attributes. In particular, the uniqueID attribute may be missing from the user object. The uniqueID has a value equal to that of the username. For instance, if the username is novell123, then the uniqueID will have an identical value of novell123. This can be added through various utilities, such as ConsoleOne and iManager. The attribute is set up under the "other" tab of the user object. For this particular error, make sure the uniqueID attribute exists on the user object and that the value of the attribute is correct.
Note: For administrators who need to modify many users, consider the ICE import/export wizard. Users can be exported to a file, the file modified, and the file re-imported to modify the users. Please see the eDirectory documentation for more details.
Error: Cannot continue because we could not get the default Samba group, <ServerName>-W-SambaUserGroup. Please refer to the samba user documentation for more details.
Error: Object class violation (from /var/log/samba/novell-samba-config.log)
Fix: The uamPosixPAMServiceExcludeList attribute has not been assigned to the uamPosixGroup and uamPosixUser classes. Add this attribute to these two classes, re-run the OES Samba install, and double-check that the <ServerName>-W-SambaUserGroup has been created and that the /var/log/samba/novell-samba-config.log file does not have an 'Object class violation' error (clear the log first so that any previous failed installs do not cause confusion).
There are two methods to add the uamPosixPAMServiceExcludeList attribute to the uamPosixGroup and uamPosixUser classes. The first is ConsoleOne, the second is iManager. Either method is adequate.
1. ConsoleOne:
2. iManager:
<UserName>: Could not Samba enable the user for group, <Default Samba Group Name>. {2} See help for possible causes.
Description: While trying to LUM-enable a single user, the above error would also occur and the user would not be LUM-enabled.
Fix: Some older eDirectory trees may have user objects that are missing some required attributes. In particular, the uniqueID attribute may be missing from the user object. The uniqueID has a value equal to that of the username. For instance, if the username is novell123, then the uniqueID will have an identical value of novell123. This can be added through various utilities, such as ConsoleOne and iManager. The attribute is set up under the "other" tab of the user object. Add the attribute if missing and try to LUM-enable the user again.
Note: For administrators who need to modify many users, consider the ICE import/export wizard. Users can be exported to a file, the file modified, and the file re-imported to modify the users. Please see the eDirectory documentation for more details.
Errors While Trying To Manage Samba With iManager
Error: Cannot connect to the CIM agent on this server. CIM is not installed or not running.
Fix: Make sure either Samba is running, or in the case of cluster-enabled resources, make sure the resource is online and that the Samba service has started.
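For redundancy, the essential shell commands from each TID are listed below. For more detailed explanations of the commands, and why they are necessary, refer to the TIDs directly. Note that the ldapmodify command passes the bind password on the command line with -w, where it is visible in the shell history and the process list; ldapmodify also accepts -W to prompt for the password instead.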
TID 3341399:
ldapmodify -h 192.168.2.10 -p 389 -D cn=admin,o=novell -w <password> -f /usr/share/samba/LDAP/samba-nds.schema -x -c
TID 3768604:
owmofc -u https://localhost/root/cimv2 /usr/share/mof/novell-lum-providers/novell-lum-providers.mof
Missing or Incorrect Shares and/or Incorrect Domain/Workgroup Name
In a cluster-enabled environment iManager doesn't look at the correct smb.conf for management purposes. Because iManager looks at the local smb.conf file, instead of the smb.conf located on the shared resource, iManager presents the wrong Workgroup and share information to the user.
Workaround: Edit the cluster smb.conf manually. Test from a Windows workstation that does not have the Novell Client installed to check the shares, Workgroup, and NetBIOS names. They should be correct despite what iManager reports: although iManager looks in the wrong place, the cluster piece looks in the correct place.
Various Failures And/Or Errors After Patching The Server
Gotchas When Cluster-Enabling Samba On NSS
There is a great document, Configuring OES SP2 with NSS, NCS, and Samba, that will walk even a novice user through setting up a cluster-enabled Samba resource on NSS. If you are familiar with setting up clusters and only need help with the resource, start at step 22. Below are a few things to be aware of that can easily be missed.
1. Edit the smb.conf file's global section to include the following. If this step isn't completed, then whenever Samba loads it will place its PID files under /var/run/samba. When unloading or migrating the resource the services will not be shut down properly:
2. Sample, basic resource load script (edit with iManager, not ConsoleOne). For an example of how to include options, such as loading long name spaces when the volume mounts, please see the document referenced above. The following scripts assume you set up a directory structure as outlined in the document above:
#!/bin/bash
. /opt/novell/ncs/lib/ncsfuncs
exit_on_error nss /poolact=<PoolName>
exit_on_error ncpcon mount <VolName>=<254>
exit_on_error add_secondary_ipaddress <192.168.2.10>
exit_on_error ncpcon bind --ncpservername=<VirtualServerName> --ipaddress=<192.168.2.10>
SAMBA_ROOT=/media/nss/<VolName>/samba
exit_on_error /usr/sbin/nmbd -l $SAMBA_ROOT/logs -s $SAMBA_ROOT/etc/smb.conf
exit_on_error /usr/sbin/smbd -l $SAMBA_ROOT/logs -s $SAMBA_ROOT/etc/smb.conf
exit 0
In the above script, replace anything in between <> to match your system. The items to be replaced are POOL, VOLUME, VOLID, a couple of instances of the IP ADDRESS, and the Virtual Server Name (not the cluster resource name; the actual Virtual NCP server object name). (Note: After the replacement is made, be sure to exclude the characters <>.) The volid can be obtained from the original resource script before modifying it. Each volume resource that loads will have a unique volid. In the example above, the volid is 254.
3. Sample, basic resource unload script (edit with iManager, not ConsoleOne):
#!/bin/bash
. /opt/novell/ncs/lib/ncsfuncs
SAMBA_ROOT=/media/nss/<VolName>/samba
ignore_error killproc -p $SAMBA_ROOT/locks/nmbd-smb.conf.pid /usr/sbin/nmbd
ignore_error killproc -p $SAMBA_ROOT/locks/smbd-smb.conf.pid /usr/sbin/smbd
ignore_error fuser -k $SAMBA_ROOT
ignore_error ncpcon unbind --ncpservername=<VirtualServerName> --ipaddress=<192.168.2.10>
ignore_error del_secondary_ipaddress <192.168.2.10>
ignore_error nss /pooldeact=<PoolName>
exit 0
4. Be sure that each cluster node has been updated with the proper load and unload scripts.
- cd /var/opt/novell/ncs
- cat <ResourceName>.load; cat <ResourceName>.unload
- If the scripts have not been updated after offlining and onlining the resource a couple of times, execute the following command on each node:
- Double-check the /etc/opt/novell/ncs/clstrlib.conf file and make sure it is correct and that the CASE is correct for the cluster object (including the O (organization) and OU (organizational unit)).
- Run "/opt/novell/ncs/bin/ncs-configd.py -init" on each node (without quotes). NOTE: "-init" only includes one dash, not two. The scripts should have been pulled down after executing this command.
- Double-check the load and unload scripts have been pulled down correctly by repeating steps 1 and 2.
5. Troubleshooting log files and scripts:
- /media/nss/<VolName>/samba/logs/log.smbd
- /var/log/messages
- /var/run/ncs/<ResourceName>.load.out (and unload.out)
- /var/log/samba/novell-samba-config.log
When the log files don't give much information, execute the load and unload scripts manually and watch for errors:
- /var/opt/novell/ncs/<ResourceName>.load (and unload)
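
The checks from steps 2 through 4, as an added example that is not part of the original TID or of Novell Cluster Services: a bash lint that flags leftover <> placeholders and verifies that the unload script undoes what the load script set up. The function names (field, lint_pair, make_sample) and the sample values POOL1 and VOL1 are assumptions for illustration.

```shell
#!/bin/bash
# Added example: lint an NCS load/unload pair. Helper names are hypothetical.

# First value that follows KEY in FILE, e.g. field x.load '/poolact='.
field() { sed -n "s|.*$2\([^ ]*\).*|\1|p" "$1" | head -n 1; }

# Return 0 if the pair is consistent; otherwise print findings and return 1.
lint_pair() {
    local load=$1 unload=$2 bad=0 d
    # 1. Placeholders such as <VolName> must be gone, brackets included.
    if grep -n '<[^>]*>' "$load" "$unload"; then
        echo "unreplaced <placeholder>"; bad=1
    fi
    # 2. Both daemons must read the smb.conf on the shared volume,
    #    written as in the sample load script.
    for d in nmbd smbd; do
        grep "/usr/sbin/$d " "$load" | grep -qF -- '-s $SAMBA_ROOT/etc/smb.conf' ||
            { echo "$d: no -s \$SAMBA_ROOT/etc/smb.conf"; bad=1; }
    done
    # 3. Unload must undo what load set up: same root, pool and IP address.
    [ "$(field "$load" 'SAMBA_ROOT=')" = "$(field "$unload" 'SAMBA_ROOT=')" ] ||
        { echo "SAMBA_ROOT differs"; bad=1; }
    [ "$(field "$load" '/poolact=')" = "$(field "$unload" '/pooldeact=')" ] ||
        { echo "pool activated on load is not the pool deactivated"; bad=1; }
    [ "$(field "$load" 'add_secondary_ipaddress ')" = \
      "$(field "$unload" 'del_secondary_ipaddress ')" ] ||
        { echo "IP added on load is not the IP removed"; bad=1; }
    return $bad
}

# Constructed sample pair (POOL1, VOL1 and the address are made-up values).
make_sample() {
    cat > "$1/r.load" <<'EOF'
exit_on_error nss /poolact=POOL1
exit_on_error add_secondary_ipaddress 192.168.2.10
SAMBA_ROOT=/media/nss/VOL1/samba
exit_on_error /usr/sbin/nmbd -l $SAMBA_ROOT/logs -s $SAMBA_ROOT/etc/smb.conf
exit_on_error /usr/sbin/smbd -l $SAMBA_ROOT/logs -s $SAMBA_ROOT/etc/smb.conf
EOF
    cat > "$1/r.unload" <<'EOF'
SAMBA_ROOT=/media/nss/VOL1/samba
ignore_error del_secondary_ipaddress 192.168.2.10
ignore_error nss /pooldeact=POOL1
EOF
}
```

On each node, call lint_pair with /var/opt/novell/ncs/<ResourceName>.load and the matching .unload file; a non-zero return lists what to fix before onlining the resource.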