Environment
Open Enterprise Server 11 SP2 (OES11SP2)
Open Enterprise Server 11 SP1 (OES11SP1)
Open Enterprise Server 11 (OES11)
Open Enterprise Server 2 SP3 (OES2SP3)
Domain Services for Windows
DSfW
Situation
What tools and logs do I need to troubleshoot a workstation that is unable to join a DSfW domain?
Resolution
Packet Trace (tcpdump or wireshark)
The /var/opt/novell/eDirectory/log/ndstrace.log
The /var/log/log.smbd (samba log) with debug enabled
The /var/log/messages
The /var/opt/novell/xad/log/kdc.log
Turn off secure channel encryption
Clear the workstation log if it exists: %windir%\debug\netsetup.log
Provide the following:
Workstation IP Address
Workstation Name
DSfW IP Address
User Name
Packet Trace
Use tcpdump or Wireshark to take a packet trace from the DSfW server. A packet trace from the workstation might also be necessary.
tcpdump -n -v -i <interface> -s0 -w /<path>/<name_of_lan_trace>.cap
Press Ctrl+C to stop the trace.
To find the interface, use ifconfig. It will show the interfaces and their IP addresses. Usually the interface is eth0 or eth1.
If there is only one IP address bound on the server, another option is -i any. Using any will listen on all interfaces.
When using tcpdump between a server and a workstation on the same network, a host filter helps limit the capture to the relevant traffic.
In this example, the workstation's IP address is 192.168.100.200, the server's interface is any, and the output is written to /tmp/wk_join_dsfw.cap:
Example:
tcpdump -n -v -s0 -i any 'host 192.168.100.200' -w /tmp/wk_join_dsfw.cap
LDAP Trace
For more information on taking LDAP/NMAS traces, follow TID 7009602.
Start by setting the LDAP screen level to "all" or to "Operation| Connection| Config| Extensions| Error| Critical| DataConnection".
If it is not set, use the ldapconfig -s command to set the screen level.
ldapconfig -s "ldap screen level=all" -a admin.novell
Then start ndstrace
ndstrace #brings up the ndstrace utility
set dstrace = nodebug #Clear the filter
dstrace NMAS LDAP TIME TAGS AUTH #Enable the LDAP, NMAS, TIME, TAGS, and AUTH.
Start with the filter options above. They will provide most of the information needed for LDAP and NMAS.
Other flags that might be helpful are VCLN, RSLV, DBG, CBUF, ABUF, RECM, and MISC.
set ndstrace = *r #Clear the log or rename the /var/opt/novell/eDirectory/log/ndstrace.log
ndstrace on #Start the logging and execute your command or task
set ndstrace = off #This will stop logging
quit #Exit ndstrace
You might want to increase the ndstrace.log file max size. The command to set the file max size is:
ndstrace fmax=10000000
To configure ndstrace.log log rotation read TID 7010885
Enable samba debug
To enable smb debug, open /etc/samba/smb.conf and add log level = 10 at the end of the [global] section, or from the terminal type smbcontrol smbd debug "10"
Restart of smbd or the other DSfW services is not needed.
Turn off secure channel encryption:
A registry change is required to disable netlogon channel encryption. Change RequireSignOrSeal from 1 to 0.
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters REG_DWORD RequireSignOrSeal = 0 (Channel traffic need not be signed or sealed)
Attempt to join the workstation to the domain.
Gather /var/log/samba/log.smb, /etc/samba/smb.conf, /var/opt/novell/xad/log/kdc.log, /var/log/messages, %windir%\debug\netsetup.log, and the packet trace.
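The server-side part of the procedure above (filtered capture, samba debug, log collection) as one script. This is an added example, not code from this TID or from the ndsPacketTrace script; the ndstrace session is interactive and is still started separately. The function names, the /tmp/dsfw_join output directory and the tarball name are assumptions.

```sh
#!/bin/sh
# Added example (not Novell's script): server-side capture and log collection.
# Function names, /tmp/dsfw_join and the tarball name are assumptions.

# Files the TID asks for, with the paths as the page writes them.
DSFW_FILES="/var/opt/novell/eDirectory/log/ndstrace.log
/var/log/samba/log.smb
/etc/samba/smb.conf
/var/opt/novell/xad/log/kdc.log
/var/log/messages"

# Accept only a dotted-quad IPv4 address so nothing else reaches the filter.
valid_ipv4() (
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.; set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || exit 1
    done
)

# Copy each listed file found under root ($2, empty on a real server) into
# dest ($1); print the path of every file that is missing or unreadable.
gather_logs() {
    mkdir -p "$1" || return 1
    printf '%s\n' "$DSFW_FILES" | while IFS= read -r f; do
        if [ -r "$2$f" ]; then cp -p "$2$f" "$1/"; else echo "$f"; fi
    done
}

# usage (as root): collect <workstation-ip> [output-dir]
collect() {
    ip=$1; out=${2:-/tmp/dsfw_join}
    valid_ipv4 "$ip" || { echo "bad workstation IP: $ip" >&2; return 2; }
    umask 077                     # traces and debug logs stay root-only
    mkdir -p "$out" || return 1
    smbcontrol smbd debug "10"    # samba debug, as in the TID
    tcpdump -n -v -s0 -i any "host $ip" -w "$out/wk_join_dsfw.cap" &
    pid=$!
    printf 'Attempt the join on the workstation, then press Enter: '
    read -r reply
    kill "$pid"; wait "$pid"      # SIGTERM lets tcpdump flush and close the file
    gather_logs "$out" | sed 's/^/missing: /' >&2
    tar -czf "$out.tar.gz" -C "$(dirname "$out")" "$(basename "$out")"
}

if [ $# -ge 1 ]; then collect "$@"; fi
```

Files reported as missing usually mean the path differs on that server; the workstation's netsetup.log still has to be copied from the workstation itself.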
Additional Information
To easily take the LDAP and packet traces and enable samba debug, use the ndsPacketTrace script from Cool Solutions.