Troubleshooting Samba On Open Enterprise Server (OES)

  • 7001492
  • 02-Oct-2008
  • 08-Nov-2012

Environment

Novell SUSE Linux Enterprise Server 10 Support Pack 1
Novell SUSE Linux Enterprise Server 10 Support Pack 2
Novell SUSE Linux Enterprise Server 10 Support Pack 3
Novell SUSE Linux Enterprise Desktop 10
Novell Open Enterprise Server 2 (OES 2)
Samba

Situation

This document (TID) is a work in progress and will be added to and expanded upon over time.  Check back regularly for updates.

NOTE:  As with all installation and setup issues, please patch your server to the latest code.  Constant improvements are being made to the software.  For instance, some of the issues/errors in this TID are non-issues with OES 2 SP 1.  (This TID was originally authored during OES 2 before any support pack releases).

Resolution

Table of contents

  1. Errors While Trying To Manage Samba With iManager
  2. Missing or Incorrect Shares and/or Incorrect Domain/Workgroup Name
  3. Various Failures And/Or Errors After Patching The Server
  4. Gotchas When Cluster-Enabling Samba On NSS

Errors While Trying To Samba-enable Users With iManager

 
Error:Could not Samba enable the user for group, <ServerName>-W-SambaUserGroup. Could not add some of the Samba User Attributes for user {0}. See help for possible causes.
Fix: Under Investigation
 
Error:Could not Samba enable the user for group, <ServerName>-W-SambaUserGroup. Could not find samba domain for {0}. See help for possible causes.
Fix: After checking to make sure that the domain object really resides in the tree, check the following:
  1. Make sure that the group is LUM enabled and that it is associated with the linux workstation object.
  2. Make sure that the users you are trying to samba-enable are at the same level, or below the level, of the container that contains the samba domain object (this is a requirement). 
Error:Could not Samba enable the user for group, <ServerName>-W-SambaUserGroup. Invalid group UID number. See help for possible causes.
Fix: The UID being referred to here is not likely dealing with the GID of the group in eDirectory.  Rather, it is referring to the Domain/Local SID.  Try and list the SID with 'net getlocalsid' or 'net getdomainsid'.   If it is missing, try to set one manually with 'net setlocalsid S-1-5-21-50262416-1819788181-674066204'.  The SID to the left is just an example.  If there is a Windows Domain Contoller in the environment, find out what the SID is and set it to what Windows says.  If it doesn't set the SID, the Samba packages may be corrupt.  Either remove and reinstall the Samba packages (which may require a reconfiguration of Samba after reinstall), or force an update of the packages.  Try and list the SID again.  This should work at this point.  Note that there are local SIDs and domain SIDs.  Use whichever is appropriate for your environment.  See the man page for net for more details (ie: man net).
 
 
Error:<UserName>: Could not Samba enable the user for group, <ServerName>-W-SambaUserGroup. Received an error when checking for a universal password. Error: Cannot continue because the user does not appear to have a universal password.
Fix: As per the documentation, the user must be assigned to a Samba-compliant password policy and have a universal password set before the user can be Samba-enabled.

 

Error:<UserName>: Could not Samba enable the user for group, <ServerName>-W-SambaUserGroup. Could not Linux enable users in group,<ServerName>-W-SambaUserGroup. Error: Could not get the primary LUM Group ID.
Fix: If a user belongs to a group that is not LUM-enabled (Linux User Management), this error will be displayed while trying to Samba-enable the user. Either the non-LUM-enabled groups need to be removed from the users group membership, or every group the user belongs to needs to be LUM-enabled.



Error:
<UserName>: Could not Samba enable the user for group, <ServerName>-W-SambaUserGroup. Could not Linux enable users in group,<ServerName>-W-SambaUserGroup. Error: (Error -609) One or more of the mandatory properties for the object being created is missing.
Fix:  Some older eDirectory trees may have user objects that are missing some required attributes.  In particular, the uniqueID attribute may be missing from the user object.  The uniqueID has a value equal to that of the username.  For instance, if the username is novell123, then the uniqueID will have an identical value of novell123.  This can be added through various utilities, such as ConsoleOne and iManager.  The attribute is setup under the "other" tab of the user object.  For this particular error, make sure the uniqueID attribute exists on the user object and that the value of the attribute is correct. 
Note:  For administrators that need to modify many users, consider the ICE import/export wizard.  Users can be exported to a file, modify the file, and re-import the file to modify the users.  Please see the eDirectory documentation for more details.

 

Error:Cannot continue because we could not get the default Samba group, <ServerName>-W-SambaUserGroup. Please refer to the samba user documentation for more details.
Error:Object class violation (from/var/log/samba/novell-samba-config.log)
Fix : The uamPosixPAMServiceExcludeList attribute has not been assigned to the uamPosixGroup and uamPosixUser classes. Add this attribute to these two classes, re-run the OES Samba install, and double-check to see if the <ServerName>-W-SambaUserGroup has been created, and double-check the /var/log/samba/novell-samba-config.log file does not have a 'Object class violation' error (clear the log first so that any previous failed installs do not cause confusion)

There are two methods to add the uamPosixPAMServiceExcludeList attribute to the uamPosixGroup and uamPosixUser classes. The first is ConsoleOne, the second is iManager. Either method is adequate.

1. ConsoleOne:

Highlight the tree and select TOOLS > SCHEMA MANAGER > and browse to the uamPosixUser/Group classes. Press INFO on each class and click ADD in the popup window. Browse for the uamPosixPAMServiceExcludeList and add it.

2. iManager:

Assuming the correct plugins are installed, select SCHEMA from the menu on the left > CLASS INFORMATION > and browse to the uamPosixUser/Group classes. Press the VIEW button on each of them > ADD A NEW ATTRIBUTE > and browse for the uamPosixPAMServiceExcludeList and add it.

 

Description:  While trying to Samba-enable users that belong to non-LUM enabled groups, the following error occurs:
Error:  <UserName>: Could not Samba enable the user for group, <Default Samba Group Name>.
<UserName>: Could not Samba enable the user for group, <Default Samba Group Name>. {2} See help for possible causes.
Workaround:  Either LUM-enable every group the user belongs to, or remove the user from the non-LUM enabled groups.
Fix:  This issue is resolved with OES 2 SP 1 (at the time of this writing, SP 1 for OES 2 is still in public beta).
 
 
 
 
 
 
 
Errors/Failures While Trying To LUM-enable Users, Groups, And/Or Group Users Simultaneously
 
Description:  While trying to LUM-enable a group, if checking the box to LUM-enable all users under that group, a failure would occur and the group would not be LUM-enabled.
Error:  (Error -609) One or more of the mandatory properties for the object being created is missing.
Workaround:  LUM-enable the group without checking the box to LUM-enable all users that belong to that group.  LUM-enable the users with an additional step.
Description:  While trying to LUM-enable a single user, the above error would also occur and the user would not be LUM-enabled.
Fix:  Some older eDirectory trees may have user objects that are missing some required attributes.  In particular, the uniqueID attribute may be missing from the user object.  The uniqueID has a value equal to that of the username.  For instance, if the username is novell123, then the uniqueID will have an identical value of novell123.  This can be added through various utilities, such as ConsoleOne and iManager.  The attribute is setup under the "other" tab of the user object.   Add the attribute if missing and try to LUM-enable the user again.
Note:  For administrators that need to modify many users, consider the ICE import/export wizard.  Users can be exported to a file, modify the file, and re-import the file to modify the users.  Please see the eDirectory documentation for more details.


 
 
 

Errors While Trying To Manage Samba With iManager

Error:Cannot connect to the CIM agent on this server. CIM is not installed or not running.
Fix: Make sure either Samba is running, or in the case of cluster-enabled resources, make sure the resource is online and that the Samba service has started.

 

Error:Could not create an instance of SambaUserArray. Error: Could not get the CIM server data. Error: CIM_ERR_INVALID_CLASS
Error: Could not Samba enable the user for group, SambaUserGroup. Could not get the sambaSamAccount class definition.
Fix: Be sure that the Samba schema has been extended correctly. See TID 3341399. More likely than not, TID 3768604 will resolve the issue.
For redundancy purposes the essential shell commands from each TID are mentioned below. For more detailed explanations of the commands, and why they are necessary, refer to the TIDs directly:

TID 3341399:
ldapmodify -h 192.168.2.10 -p 389 -D cn=admin,o=novell -w <password> -f /usr/share/samba/LDAP/samba-nds.schema -x -c

TID 3768604:
owmofc -u https://localhost/root/cimv2 /usr/share/mof/novell-lum-providers/novell-lum-providers.mof

Table of Contents

 

Missing or Incorrect Shares and/or Incorrect Domain/Workgroup Name

 

In a cluster-enabled environment iManager doesn't look at the correct smb.conf for management purposes. Because iManager looks at the local smb.conf file, instead of the smb.conf located on the shared resource, iManager presents the wrong Workgroup and share information to the user.

Workaround: Edit the cluster smb.conf manually. Test through a Novell clientless Windows workstation to check for shares, Workgroup, and NetBios names. They should be correct despite what iManager reports. Despite iManager looking in the wrong place, the cluster piece looks in the correct place.


Table of Contents

 

Various Failures And/Or Errors After Patching The Server

Some users have reported that after patching and restarting the server that they can no longer join the domain.  Some have reported that wbinfo will not report all users and/or groups.  Some have reported that they can no longer access their Samba shares.  Whatever the symptoms may be, make sure to check the version of openldap2-client that is installed on the system. 
Fix: If openldap2-client-2.3.32-0.28 is installed, check for a more up-to-date patch in the patch channel and apply it.  At the time of this writing, openldap2-client-2.3.32-0.30 resolves these issues.



 


Gotchas When Cluster-Enabling Samba On NSS

There is a great document, Configuring OES SP2 with NSS, NCS, and Samba, that will walk even a novice user through setting up a cluster-enabled Samba resource on NSS. If familiar with setting up clusters, and needing just help with the resource, start at step 22. Below are a few things to be aware of and that can easily be missed.

1. Edit the smb.conf file's global section to include the following. If this step isn't completed, then whenever samba loads it will place its PID files under /var/run/samba. When unloading or migrating the resource the services will not be shut down properly:

pid directory = /media/nss/<Your Vol>/samba/locks

2. Sample, basic resource load script (edit with iManager, not ConsoleOne). For an example on how to include options, such as loading long name spaces when the volume mounts, please see the document referenced above. The following scripts assume you setup a directory structure as outlined in the document above:

    #!/bin/bash 
    . /opt/novell/ncs/lib/ncsfuncs
    exit_on_error nss /poolact=<PoolName>
    exit_on_error ncpcon mount <VolName>=<254>
    exit_on_error add_secondary_ipaddress <192.168.2.10>
    exit_on_error ncpcon bind --ncpservername=<VirtualServerName> --ipaddress=<192.168.2.10>
    SAMBA_ROOT=/media/nss/<VolName>/samba
    exit_on_error /usr/sbin/nmbd -l $SAMBA_ROOT/logs -s $SAMBA_ROOT/etc/smb.conf
    exit_on_error /usr/sbin/smbd -l $SAMBA_ROOT/logs -s $SAMBA_ROOT/etc/smb.conf
    exit 0

    In the above script, replace anything in between <> to match your system. The items to be replace are POOL, VOLUME, VOLID, a couple instances of the IP ADDRESS, and the Virtual Server Name (not the cluster resource name--the actual Virtual NCP server object name). (Note: After the replacement is made, be sure to exclude the characters <>). The volid can be obtained from the original resource script before modifying it. Each volume resource that loads will have a unique volid. In the example above, the volid is 254.

3. Sample, basic resource unload script (edit with iManager, not ConsoleOne):

    #!/bin/bash 
    . /opt/novell/ncs/lib/ncsfuncs
    SAMBA_ROOT=/media/nss/<VolName>/samba
    ignore_error killproc -p $SAMBA_ROOT/locks/nmbd-smb.conf.pid /usr/sbin/nmbd
    ignore_error killproc -p $SAMBA_ROOT/locks/smbd-smb.conf.pid /usr/sbin/smbd
    ignore_error fuser -k $SAMBA_ROOT
    ignore_error ncpcon unbind --ncpservername=<VirtualServerName> --ipaddress=<192.168.2.10>
    ignore_error del_secondary_ipaddress <192.168.2.10>
    ignore_error nss /pooldeact=<PoolName>
    exit 0

4. Be sure that each cluster node has been updated with the proper load and unload scripts.

    • cd /var/opt/novell/ncs
    • cat <ResourceName>.load; cat <ResourceName>.unload
    • If the scripts have not been update after offlining and onlining the resource a couple of times, execute the following command on each node:
    • Double-check the /etc/opt/novell/ncs/clstrlib.conf file and make sure it is correct and that the CASE is correct for the cluster object (including the O (organization) and OU (organizational unit).
    • Run "/opt/novell/ncs/bin/ncs-configd.py -init" on each node (without quotes). NOTE: "-init" only includes one dash, not two. The scripts should have been pulled down after executing this command.
    • Double-check the load and unload scripts have been pulled down correctly by repeating steps 1 and 2.

     

5. Troubleshooting log files and scripts:

    • /media/nss/<VolName>/samba/logs/log.smbd
    • /var/log/messages
    • /var/run/ncs/<ResourceName>.load.out (and unload.out)
    • /var/log/samba/novell-samba-config.log

      When the log files don't give much information, execute the load and unload scripts manually and watch for errors.

    • /var/opt/novell/ncs/<ResourceName>.load (and unload).

 

Table of Contents

Feedback service temporarily unavailable. For content questions or problems, please contact Support.