#!/bin/bash 
############################################################################################################################
# Novell Inc.
# 1800 South Novell Place
# Provo, UT 84606-6194
# Script Name:		dsfw_edir_healthchk.sh
# Description:		This script can be used to do a basic health check on DSfW.  
#  			                              
# %Version:		2.2
# %Creating Date:	Monday Oct 2 07:37:24 MDT 2012
# %Created by: 		Rance Burker - Novell Technical Services
# %Modified on: 	Mon Aug 29 17:34:41 MDT 2012
# %Modified by:     	Rance Burker - Novell Technical Services
# %Modified on:         Friday Jan 18 07:32:45 MST 2013
# %Change log:          Added more TID suggestions and ndstrace heartbeat
# %Modified by:         Rance Burker - Novell Technical Services
# %Change log:      	Added e-mail option, eDir healthcheck,
# %Modified on:         Saturday Jan 26 12:27:05 MST 2013  
# %Modified by:         Rance Burker - Novell Technical Services
# %Change log:      	Added GSS-SPNEGO,dnschk (for adc not running dns), and eDir/DSfW check
#			The script is now compatible with eDir servers and DSfW servers  
############################################################################################################################

# emailsetting=1 sends the log by e-mail when the run finishes; 0 (or an
# empty value) disables it.  This is the variable tested at the end of the
# script.
emailsetting=1

# email_to receives the report.  Separate two or more addresses with a comma.
email_to="rance@novell.com, admin@$(dnsdomainname)"

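# check user is root
# `[[ id -ne 0 ]]` evaluated the (unset) shell variable "id" as 0, so the
# check never fired, and the message line lacked an echo.  Compare the real
# uid and write the diagnostic to stderr before exiting; the original also
# cleared the screen right after printing, which hid the message.
if [[ $(id -u) -ne 0 ]]; then
        echo "You must be root to run this script" >&2
        exit 1
fi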

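# $server_monitored is the server to monitor (eDirectory server name from ndsconfig).
server_monitored=$(ndsconfig get n4u.nds.server-name 2>/dev/null | awk -F "name=" '{print $2}')
# First IPv4 address reported by ifconfig.  The original put the redirection
# after the assignment, where it silences nothing; it now applies to ifconfig.
ipaddr=$(ifconfig 2>/dev/null | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1 }' | head -1)

# $server_name and $domain populate the alert e-mail: host and DNS domain,
# upper-cased (tr replaces the perl one-liners; hostnames are ASCII).
server_name=$(/bin/hostname | tr '[:lower:]' '[:upper:]')
domain=$(/bin/dnsdomainname | tr '[:lower:]' '[:upper:]')

# $email_sub is the subject of the e-mail.
email_sub="eDir/DSfW Healthcheck for $server_name at $domain ($ipaddr)"

# DSfW is present when its init script exists; export the SASL/LDAP
# environment the ldapsearch and kinit checks below rely on.
if [ -f /etc/init.d/xadsd ]; then
        dsfwinstalled=1
        _LIB=$(/opt/novell/xad/share/dcinit/printConfigKey.pl "_Lib")
        export _LIB
        export SASL_PATH="/opt/novell/xad/$_LIB/sasl2"
        export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
fi

host=$(/bin/hostname)
ndsinterface=$(ndsconfig get n4u.server.interfaces 2>/dev/null | awk -F"interfaces=" '{print $2}' | cut -f 1 -d @)
# Look the address up as a literal word (-F -w): with a bare regex each '.'
# matched any character and a prefix of a longer address would match too.
# With an empty $ipaddr the original `grep $ipaddr FILE` became `grep FILE`,
# which waits on stdin; guard against that.
if [[ -n $ipaddr ]]; then
        hostsipaddr=$(grep -F -w -- "$ipaddr" /etc/hosts 2>/dev/null | cut -d ' ' -f1)
        resolvipaddr=$(grep -F -w -- "$ipaddr" /etc/resolv.conf 2>/dev/null | cut -d ' ' -f2)
else
        hostsipaddr=
        resolvipaddr=
fi
confdir=$(ndsconfig get n4u.server.configdir 2>/dev/null | awk -F"configdir=" '{print $2}')
vardir=$(ndsconfig get n4u.server.vardir 2>/dev/null | awk -F"vardir=" '{print $2}')
# log-file is ".../log/ndsd.log"; keep everything up to the first "log" and
# re-append it, giving the log directory.
logdir=$(ndsconfig get n4u.server.log-file 2>/dev/null | awk -F"log-file=" '{print $2}' | awk -F"log" '{print $1}')log
dibdir=$(ndsconfig get n4u.nds.dibdir 2>/dev/null | awk -F"dibdir=" '{print $2}')
nicidir=/var/opt/novell/nici

# Check if DNS is set to start: an S?? link to novell-named in runlevel 3.
dnschk=$(find /etc/init.d/rc3.d/ -name 'S[0-9][0-9]novell-named' 2>/dev/null)
if [[ -n $dnschk && -s $dnschk ]]; then dnsstatus=1; else dnsstatus=0; fi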

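clear
# On a DSfW server the Administrator password is needed for the kinit check
# later on; read it without echo (-s) and without backslash processing (-r).
# The log lives under the DSfW log directory; plain eDirectory servers log
# next to ndsd.log.
if [ -f /etc/init.d/xadsd ]; then
        echo
        echo -en "Please enter Administrator's password: "
        read -r -s ADMPASSWD
        echo    # read -s swallows the newline the user typed
        LOG=/var/opt/novell/xad/log/dsfw_healthchk.log
else
        LOG="$logdir/edir_healthchk.log"
fi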

#echo -e "Please enter a username with Supervisor rights to the tree "
#echo -ne "Example admin.novell: "
#read USERNAME
#echo -ne "Enter the password for $USERNAME: "
#stty -echo
#read PASSWORD
#stty echo

#######################################
# Show the configured recipient(s) and where to change them.
# Globals:  email_to (read)
# Outputs:  two lines on stdout, the address in bold green
#######################################
EmailSetting() {
        printf 'Current e-mail address setting is \033[1;92m%s\033[0m\n' "$email_to"
        printf 'Change the setting email_to in the script to the appropriate e-mail address(s)\n\n'
}

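#######################################
# Mail the finished log to $email_to.
# Globals:  email_sub, email_to, server_name, LOG (read)
# Returns:  mutt's exit status
#######################################
SendEmail() {
        # The original `echo -e"Healtcheck ..."` (no space after -e) passed
        # "-eHealtcheck ..." as literal body text.  Build the body with printf,
        # and end mutt's option list with `--` so the recipient string is not
        # taken as a further attachment after -a.
        printf 'Healthcheck script %s.\nCompleted healthcheck on %s.\n' "$0" "$server_name" \
                | mutt -s "$email_sub" -a "$LOG" -- "$email_to"
}  ## End-of-function SendEmail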


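#######################################
# Print a message to the terminal and append it to the log file.
# Callers pass \e, \E, \n and \t escapes, so echo -e is required here; the
# copy written to $LOG has the ANSI colour/erase sequences stripped.
# Globals:   LOG (read) - path of the log file, which is now quoted
# Arguments: message words, joined by echo
#######################################
log() {
        echo -e "$@"
        echo -e "$@" | sed -r 's/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mK]//g' >> "$LOG"
}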

############################################################################################################################
# Begin script		

	log "\n-------------------------------------------------------------------------"	
	log "Health Check on server: \e[1m$(hostname)\e[0m"
        log "IP Address: $ipaddr"
        log "Date: $(date) "
	log "Script Name: $0"
	log "-------------------------------------------------------------------------"
EmailSetting;
echo -ne "Do you want continue? (y/n): "\y
                        read REPLY
                        if [[ $REPLY =~ ^[Nn]$ ]]
                                then
        				exit 1;
			fi      
echo
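# check that eDirectory is configured: the DIB must exist before anything below can run
log "1)  Checking for eDirectory database file -\e[1m$dibdir/nds.db\e[0m"
if [ -f "$dibdir/nds.db" ]; then
        log "    \E[1;32mGOOD\E[0m\n"
else
        log "    \E[1;31meDirectory database is not found!!! \E[0m\n"
        # A missing database is a failed health check; exit non-zero so a
        # caller or cron job sees it (the original exited 0 here).
        exit 1
fi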
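#######################################
# Return 0 when every named daemon has at least one pid, 1 otherwise.
# The original tested `[ \`pidof x\` > 0 ]`, where `>` is a redirection
# inside `[ ]`: it created a file named "0" in the current directory and
# merely tested that pidof printed something.
# Arguments: daemon names
#######################################
all_running() {
        local svc
        for svc in "$@"; do
                pidof "$svc" >/dev/null 2>&1 || return 1
        done
        return 0
}

#######################################
# Offer to stop and restart xadsd when more than one instance is running.
# The pid list is read straight from pidof; the original wrote it to the
# predictable path /tmp/xadpids as root, which is not needed.
# Globals:   REPLY (written)
#######################################
check_single_xadsd() {
        local -a xadpids
        # shellcheck disable=SC2207 -- pidof output is a space-separated pid list
        xadpids=( $(pidof xadsd) )
        if [ "${#xadpids[@]}" -gt 1 ]; then
                log "The xadsd daemon has multiple pids which affects DSfW performance"
                echo -ne "Do you want to stop all xadsd pids and restart xadsd? (y/n): "
                read -r REPLY
                if [[ $REPLY =~ ^[Yy]$ ]]; then
                        # The original assigned `pkill -9 xadsd` to a variable
                        # (running it at that point) and then expanded the
                        # empty result; call it directly.
                        pkill -9 xadsd
                        /etc/init.d/xadsd start
                        echo
                fi
        fi
}

# Daemons that must be up on a DSfW server; novell-named only when DNS is
# set to start on this box (dnsstatus).  The two original branches differed
# in nothing but that one name.
dsfw_services=(ndsd nscd rpcd rsyncd xadsd krb5kdc kpasswdd nmbd winbindd smbd)

if [ -f /etc/init.d/xadsd ]; then
        if [[ $dnsstatus -eq 1 ]]; then
                dsfw_services=("${dsfw_services[@]}" novell-named)
        fi
        # Check that all DSfW services are running
        log "2)  Checking that the DSfW services are running - \e[1mxadcntrl validate\e[0m"
        if all_running "${dsfw_services[@]}"; then
                log "    \E[1;32mGOOD\E[0m\n"
        else
                log "One or more DSfW service are not running, please run xadcntrl reload to restart the services"
                echo -ne "Do you want continue? (y/n): "
                read -r REPLY
                if [[ ! $REPLY =~ ^[Yy]$ ]]; then
                        exit 1
                fi
                echo -ne "Do you want restart DSfW services? (y/n): "
                read -r REPLY
                if [[ $REPLY =~ ^[Yy]$ ]]; then
                        xadcntrl reload
                        echo
                fi
        fi
        # check that there is only one pid for xadsd
        check_single_xadsd
else
        # Plain eDirectory server: only ndsd matters.
        log "2)  Checking that eDirectory (ndsd) is running - \e[1mrcndsd status\e[0m"
        if all_running ndsd; then
                log "    \E[1;32mGOOD\E[0m\n"
        else
                log "eDirectory (ndsd) is not running"
                echo -ne "Do you want continue? (y/n): "
                read -r REPLY
                if [[ ! $REPLY =~ ^[Yy]$ ]]; then
                        exit 1
                fi
                echo -ne "Do you want restart eDirectory? (y/n): "
                read -r REPLY
                if [[ $REPLY =~ ^[Yy]$ ]]; then
                        rcndsd restart
                        echo
                fi
        fi
fi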
# check eDirectory time is in sync
log "3)  Checking eDirectory Time Synchronization using command \e[1mndsrepair -T\e[0m"
# Load ndstrace in the background and trigger the *u/*h flags (the header's
# change log calls this the ndstrace heartbeat) before asking ndsrepair for
# the time-sync report; ndstrace is unloaded again under check 4.
ndstrace -l >/dev/null 2>&1 &
sleep .2
ndstrace -c "set ndstrace=*u;set ndstrace=*h" >/dev/null 2>&1
sleep 5
edirtimesync=$(/opt/novell/eDirectory/bin/ndsrepair -T | grep "Total errors: 0")
if [[ -n $edirtimesync ]]; then
        log "    \E[1;32mGOOD\E[0m\n"
else
        log "    \E[1;31mTime Not in Sync \E[0m"
        log " \t Check the /etc/ntp configuration"
        log "\t Check /var/log/messages for errors regarding ntpd\n"
fi

# check eDirectory synchronization
log "4)  Checking eDirectory Replica Synchronization using command \e[1mndsrepair -E\e[0m"
sleep 5
ndstrace -u >/dev/null 2>&1
sleep 2
edirreportsync=$(/opt/novell/eDirectory/bin/ndsrepair -E | grep "Total errors: 0")
sleep 1
if [[ -n $edirreportsync ]]; then
        log "    \E[1;32mGOOD\E[0m\n"
else
        log "    \E[1;31mErrors in Report Synchronization\E[0m"
        log " \t Look up the error(s) reported in the ndsrepair.log at http://novell.com/support\n"
fi

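# check eDirectory obituaries
log "5)  Checking for eDirectory Obituaries using command \e[1mndsrepair -C -Ad -a\e[0m"
edircheckobits=$(/opt/novell/eDirectory/bin/ndsrepair -C -Ad -a | grep "Found: 0 total obituaries in this DIB")
# grep already selects the "0 total obituaries" line, so a non-empty result
# is the success case.  The original compared against the exact string
# "Found: 0 total obituaries in this DIB, " (trailing comma and space), so
# any difference in ndsrepair's punctuation reported obituaries that did
# not exist.
if [[ -n $edircheckobits ]]; then
        log "    \E[1;32mGOOD\E[0m\n"
else
        log "    \E[1;31mUnprocessed Obits exist\E[0m"
        log "    See TID 7011536 Obituary Troublshooting"
        log "    See TID 7002659 How to progress stuck obituraris\n"
fi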

# check external references
log "6)  Checking for eDirectory External References using command \e[1mndsrepair -C\e[0m"
edircheckexref=$(/opt/novell/eDirectory/bin/ndsrepair -C | grep "Total errors: 0")
sleep 1
# An empty result means the "Total errors: 0" line was absent from the report.
if [[ -n $edircheckexref ]]; then
        log "    \E[1;32mGOOD\E[0m\n"
else
        log "    \E[1;31mErrors in External Reference Check\E[0m"
        log " \t Look up the error(s) reported in the ndsrepair.log at http://novell.com/support\n"
fi

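# check that the n4u.server.interfaces address matches the server's address
log "7)  Checking the ip address assigned to the ncpserver is correct - \e[1m$ipaddr\e[0m"
sleep 1
# [[ ]] so an empty value compares as a string instead of producing a
# "unary operator expected" error from `[ $a == $b ]`.
if [[ "$ndsinterface" == "$ipaddr" ]]; then
        log "    \E[1;32mGOOD\E[0m\n"
else
        log "    \E[1;31mn4u.server.interfaces does not match address \E[0m"
        log " \t See TID 3201067"
        log "\t Novell Documentation http://www.novell.com/documentation/oes11/oes_implement_lx/?page=/documentation/oes11/oes_implement_lx/data/ipchange.html\n"
fi

# check that the server's ip address is listed in /etc/hosts
log "8)  Checking the ip address in the /etc/hosts file is correct - \e[1m$ipaddr = $hostsipaddr\e[0m"
sleep 1
if [[ "$ipaddr" == "$hostsipaddr" ]]; then
        log "    \E[1;32mGOOD\E[0m\n"
else
        log "    \E[1;31mip address in /etc/hosts is incorrect \E[0m"
        log " \t Correct the ip address in the /etc/hosts file then run SuSEconfig\n"
fi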

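# check that resolv.conf has the server's ip address listed (DSfW only).
# The two original blocks tested the same condition with dnsstatus 0 and 1;
# they are one if/else here.
if [ -f /etc/init.d/xadsd ]; then
        log "9)  Checking that the DSfW server is listed as a nameserver in the /etc/resolv.conf - \e[1m$resolvipaddr = $ipaddr\e[0m"
        if [[ $dnsstatus -eq 0 ]]; then
                # novell-named is not set to start on this server, so it is
                # not expected to be its own nameserver.
                log "    \E[1;32mnovell-named is not set to load"
                log "    Ignore\E[0m\n"
        else
                sleep 1
                # [[ ]] keeps an empty resolvipaddr from breaking the test.
                if [[ "$resolvipaddr" == "$ipaddr" ]]; then
                        log "    \E[1;32mGOOD\E[0m\n"
                else
                        log "    \E[1;33mDSfW server is not listed as nameserver in /etc/resolv.conf\E[0m"
                        log "     If this is an ADC or DNS is running on another server do: chkconfig novell-named off"
                        log "     See TID 7006844 - How to Consolidate Matching DNS Zone"
                        log "     Verify the dns is working using nslookup or dig"
                        log "     nslookup $domain"
                        log "     nslookup -type=all _ldap._tcp.dc._msdcs.$domain\n"
                fi
        fi
fi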

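if [ -f /etc/init.d/xadsd ]; then
        # Checks 10-35 apply to a DSfW server only.
        #
        # Most of these checks were written as `cmd; sleep 1; if [ $? -eq 0 ]`,
        # which tests sleep's exit status, so they reported GOOD regardless of
        # the command's result.  Each command is now the `if` condition itself
        # and the one-second pause follows the verdict.

        #######################################
        # Print the GOOD line used by every passing check.
        #######################################
        good() { log "    \E[1;32mGOOD\E[0m\n"; }

        #######################################
        # Obtain a Kerberos ticket for Administrator with the password read at
        # startup.  The password is passed on stdin so it never appears in argv.
        # Globals:  ADMPASSWD, domain (read)
        # Returns:  kinit's exit status
        #######################################
        admin_kinit() {
                printf '%s\n' "$ADMPASSWD" \
                        | /opt/novell/xad/bin/kinit "Administrator@$domain" >/dev/null 2>&1
        }

        # check dns is responding with nslookup domain name
        log "10) Checking dns is returning the domain name - \e[1mnslookup $domain\e[0m"
        if nslookup "$domain" >/dev/null 2>&1; then
                good
        else
                log "    \E[1;31mnslookup failed for Domain $domain \E[0m"
                log "\t Verify the DNS server is running"
                log "    Verify the nameserver is listed correctly in the /etc/resolv.conf\n"
        fi
        sleep 1

        # check the SRV record that lists this server as a domain controller
        log "11) Checking that the DSfW server is listed as a DC in dns - \e[1mnslookup -type=all _ldap._tcp.dc._msdcs.$domain\e[0m"
        # The original ran `nslookup $domain` a second time here, so the SRV
        # record named in the heading was never queried.
        if nslookup -type=all "_ldap._tcp.dc._msdcs.$domain" >/dev/null 2>&1; then
                good
        else
                log "    \E[1;31mnslookup failed for _ldap._tcp.dc._msdcs.$domain \E[0m"
                log "\t Verify the DNS server is running"
                log "    Verify the nameserver is listed correctly in the /etc/resolv.conf\n"
        fi
        sleep 1

        # check /opt/novell/xad/libexec/xadsd -S
        log "12) Checking the Domain service is active using command \e[1m/opt/novell/xad/libexec/xadsd -S\e[0m"
        if /opt/novell/xad/libexec/xadsd -S >/dev/null 2>&1; then
                good
        else
                log "    \E[1;31mDomain Controller is NOT located \E[0m"
                log "\t Take a ldap/nmas trace (TID 7009602) and check the /var/log/messages\n"
        fi
        sleep 1

        # check that the DC is responding
        log "13) Checking the Domain Controller using command \e[1mprovision --locate-dc $domain\e[0m"
        if /opt/novell/xad/sbin/provision --locate-dc "$domain" >/dev/null 2>&1; then
                good
        else
                log "    \E[1;31mDomain Controller is NOT located \E[0m"
                log "\t Take a ldap/nmas trace (TID 7009602) and check the /var/log/messages\n"
        fi
        sleep 1

        # check that kinit is able to issue a ticket for Administrator
        log "14) Checking kinit is able to issue a ticket for Administrator - \e[1mkinit Administrator@$domain\e[0m"
        if admin_kinit; then
                good
        else
                log "    \E[1;31m kinit is NOT operational \E[0m"
                log "\tBe sure the Administrators password was entered correctly"
                log "\tRun 'kinit Administrator'"
                log "\tTake a ldap/nmas trace (TID 7009602) and check the /var/log/messages for troubleshooting"
                log "\tIf while running kinit Administrator the following error is returned"
                log "\tkinit(v5): Clients credentials have been revoked while getting initial credentials"
                log "\tThe account is locked out"
                echo -ne "\tDo you want to re-enter Administrators password and continue? (y/n): "
                read -r REPLY
                if [[ $REPLY =~ ^[Yy]$ ]]; then
                        echo
                        echo -en "Please enter Administrator's password: "
                        read -r -s ADMPASSWD
                        echo
                        if admin_kinit; then
                                log "\n    \E[1;32mGOOD\E[0m\n"
                        else
                                log "\n   \E[1;31mkinit is still NOT operational\E[0m"
                                log "\t  Take a ldap/nmas trace (TID 7009602) and check the /var/log/messages\n"
                        fi
                else
                        exit 1
                fi
        fi
        sleep 1

        # check that the IPCEXTERNAL method is working
        log "15) Checking ldap using command \e[1mldapsearch -Y EXTERNAL -b '' -s base dn\e[0m"
        if /usr/bin/ldapsearch -Y EXTERNAL -b '' -s base dn -LLL >/dev/null 2>&1; then
                good
        else
                log "    \E[1;31mLDAPI EXTERNAL method is NOT working \E[0m"
                log "    Check that IPCEXTERNAL method is installed"
                log "\t Take a ldap trace (TID 7009602) and look for errors\n"
        fi
        sleep 1

        # check ldap and SASL-GSSAPI (needs the ticket from check 14)
        log "16) Checking SASL-GSSAPI using command \e[1mldapsearch -Y GSSAPI -b '' -s base dn\e[0m"
        if /usr/bin/ldapsearch -Y GSSAPI -b '' -s base dn -LLL >/dev/null 2>&1; then
                good
        else
                log "    \E[1;31mldapsearch using SASL-GSSAPI bind is NOT working \E[0m"
                log "    Most likely this is because kinit Administrator fails"
                log "    Check that GSSAPI method is installed"
                log "\t Take a ldap/nmas trace (TID 7009602) and look for errors\n"
        fi
        sleep 1

        # check ldap and SASL-GSS-SPNEGO
        log "17) Checking SASL-GSS-SPNEGO using command \e[1mldapsearch -Y GSS-SPNEGO -b '' -s base dn\e[0m"
        # The original repeated the GSSAPI bind here, so GSS-SPNEGO was never exercised.
        if /usr/bin/ldapsearch -Y GSS-SPNEGO -b '' -s base dn -LLL >/dev/null 2>&1; then
                good
        else
                log "    \E[1;31mldapsearch using SASL-GSS-SPNEGO bind is NOT working \E[0m"
                log "    Most likely this is because kinit Administrator fails"
                log "    Check that GSS-SPNEGO method is installed"
                log "\t Take a ldap/nmas trace (TID 7009602) and look for errors\n"
        fi
        sleep 1

        # check rpc connection over TCP
        log "18) Checking rpc connection using command \e[1mrpcclient -k localhost -c dsroledominfo\e[0m"
        if /usr/bin/rpcclient -k localhost -c dsroledominfo >/dev/null 2>&1; then
                good
        else
                log "    \E[1;31mrpcclient -k localhost -c dsroledominfo is NOT working\E[0m"
                log "\t Take a ldap trace (TID 7009602) and look for errors"
                log "\t Enable Samba debug and tail the /var/log/samba/log.smbd\n"
        fi
        sleep 1

        # check rpc connection over the local ncalrpc transport
        log "19) Checking rpc connection using command \e[1mrpcclient -k ncalrpc: -c dsroledominfo\e[0m"
        if /usr/bin/rpcclient -k ncalrpc: -c dsroledominfo >/dev/null 2>&1; then
                good
        else
                log "    \E[1;31mrpcclient -k ncalrpc: -c dsroledominfo is NOT working\E[0m"
                log "\t Take a ldap trace (TID 7009602) and look for errors"
                log "\t Enable Samba debug and tail the /var/log/samba/log.smbd\n"
        fi
        sleep 1

        # check wbinfo status
        log "20) Checking wbinfo status using command \e[1mwbinfo -p\e[0m"
        if wbinfo -p >/dev/null 2>&1; then
                good
        else
                # colour sequence was \E[1:31m (colon) in the original, which is not valid
                log "    \E[1;31mwbinfo -p is NOT working\E[0m"
                log "\t Take a ldap trace (TID 7009602) and look for errors"
                log "\t Enable Samba debug and tail the /var/log/samba/log.smbd\n"
        fi
        sleep 1

        # check wbinfo trust secret
        log "21) Checking wbinfo trust secret using command \e[1mwbinfo -t\e[0m"
        if wbinfo -t >/dev/null 2>&1; then
                good
        else
                log "    \E[1;31mwbinfo -t is NOT working\E[0m"
                log "\t Take a ldap trace (TID 7009602) and look for errors"
                log "\t Enable Samba debug and tail the /var/log/samba/log.smbd\n"
        fi
        sleep 1

        # check name to SID conversion
        log "22) Checking name to SID conversion using command \e[1mwbinfo -n administrator\e[0m"
        adminSID=$(wbinfo -n administrator 2>/dev/null | cut -f 1 -d ' ')
        if [[ -z $adminSID ]]; then
                log "    \E[1;31mwbinfo: name to SID conversion is NOT working\E[0m"
                log "\t Run wbinfo -n administrator and check for errors"
                log "\t Try the wbinfo -n command with different users in the domain"
                log "\t Take a ldap trace (TID 7009602) and look for errors"
                log "\t Enable Samba debug and tail the /var/log/samba/log.smbd"
                log "    The /var/lib/samba/*.tdb files might be corrupt"
                log "    Stop the DSfW services, backup the *.tdb files (tdbbackup /var/lib/samba/*.tdb, delete the *.tdb file, start the services\n"
        else
                good
        fi
        sleep 1

        # check SID to name conversion (uses the SID from check 22; empty if that failed)
        log "23) Checking SID to name conversion using command \e[1mwbinfo -s $adminSID\e[0m"
        if wbinfo -s "$adminSID" >/dev/null 2>&1; then
                good
        else
                log "    \E[1;31mwbinfo: SID to name conversion is NOT working\E[0m"
                log "\t Run wbinfo -n administrator and check for errors"
                log "\t Try the wbinfo -n command with different users in the domain"
                log "\t Take a ldap trace (TID 7009602) and look for errors"
                log "\t Enable Samba debug and tail the /var/log/samba/log.smbd"
                log "    The /var/lib/samba/*.tdb files might be corrupt"
                log "    Stop the DSfW services, backup the *.tdb files (tdbbackup /var/lib/samba/*.tdb, delete the *.tdb file, start the services\n"
        fi
        sleep 1

        # check SID to uid conversion
        log "24) Checking SID to uid conversion using command \e[1mwbinfo -S $adminSID\e[0m"
        adminuid=$(wbinfo -S "$adminSID" 2>/dev/null)
        if [[ -z $adminuid ]]; then
                log "    \E[1;31mwbinfo: SID to uid conversion is NOT working\E[0m"
                log "\t Run wbinfo -n administrator and check for errors"
                log "\t Try the wbinfo -n command with different users in the domain"
                log "\t Take a ldap trace (TID 7009602) and look for errors"
                log "\t Enable Samba debug and tail the /var/log/samba/log.smbd\n"
        else
                good
        fi
        sleep 1

        # check UID to name conversion
        log "25) Checking UID to name conversion using command \e[1mwbinfo -U $adminuid | grep S-1-5-21\e[0m"
        tmp=$(wbinfo -U "$adminuid" 2>/dev/null | grep S-1-5-21)
        if [[ -z $tmp ]]; then
                log "    \E[1;31m wbinfo: UID to name conversion is NOT working\E[0m "
                log "\t Run wbinfo -n administrator and check for errors"
                log "\t Try the wbinfo -n command with different users in the domain"
                log "\t Take a ldap trace (TID 7009602) and look for errors"
                log "\t Enable Samba debug and tail the /var/log/samba/log.smbd\n"
        else
                good
        fi
        sleep 1

        # check smb connection (share listing with the Kerberos ticket)
        log "26) Checking smb connection using command \e[1msmbclient -k -L $host.$domain\e[0m"
        if smbclient -k -L "$host.$domain" >/dev/null 2>&1; then
                good
        else
                log "    \E[1;31msmbclient is NOT working\E[0m \n"
                log "\t Take a ldap trace (TID 7009602) and look for errors"
                log "\t Enable Samba debug and tail the /var/log/samba/log.smbd\n"
        fi
        sleep 1

        # check smb connection to the sysvol share
        log "27) Checking smb connection using command \e[1msmbclient //$server_name/sysvol -k  -I $ipaddr -c showconnect\e[0m"
        if smbclient "//$server_name/sysvol" -k -I "$ipaddr" -c "showconnect" >/dev/null 2>&1; then
                good
        else
                log "    \E[1;31msmbclient //$server_name/sysvol -k  -I $ipaddr -c showconnect is NOT working\E[0m\n"
                log "\t Take a ldap trace (TID 7009602) and look for errors"
                log "\t Enable Samba debug and tail the /var/log/samba/log.smbd\n"
        fi
        sleep 1

        # Domain naming context and this DC's server name, from the rootDSE.
        defaultnamingcontext=$(/usr/bin/ldapsearch -x -b "" -s base defaultnamingcontext 2>/dev/null | grep -i 'defaultnamingcontext: ' | awk '{print $2}')
        dcserver=$(/usr/bin/ldapsearch -Y EXTERNAL -LLL -Q -b "" -s base 2>/dev/null | grep serverName: | awk -F '=|,' '{ print $2 }')

        # check for domain container has uniquedomainid
        log "28) Checking that \e[1m$defaultnamingcontext\e[0m has a \e[1muniquedomainid\e[0m"
        lsdc=$(ldapsearch -Y EXTERNAL -b "$defaultnamingcontext" -s base uniquedomainid -LLL -Q | grep uniquedomainid: | cut -d : -f1)
        sleep 1
        if [[ "$lsdc" == "uniquedomainid" ]]; then
                good
        else
                log "    \E[1;31m$defaultnamingcontext does not have a uniquedomainid\E[0m"
                log "    See TID 7009851\n"
        fi

        # check that krbtgt has uniquedomainid
        log "29) Checking that \e[1mkrbtgt\e[0m has a \e[1muniquedomainid\e[0m"
        lskrbtgt=$(ldapsearch -Y EXTERNAL -b "cn=krbtgt,cn=users,$defaultnamingcontext" -s base uniquedomainid -LLL -Q | grep uniquedomainid: | cut -d : -f1)
        sleep 1
        if [[ "$lskrbtgt" == "uniquedomainid" ]]; then
                good
        else
                log "    \E[1;31mkrbtgt does not have a uniquedomainid\E[0m"
                log "    See TID 7009851\n"
        fi

        # check that ou=Domain Controllers has uniquedomainid
        log "30) Checking that \e[1mou=Domain Controllers\e[0m has a \e[1muniquedomainid\e[0m"
        lsdcs=$(ldapsearch -Y EXTERNAL -b "ou=domain controllers,$defaultnamingcontext" -s base uniquedomainid -LLL -Q | grep uniquedomainid: | cut -d : -f1)
        sleep 1
        if [[ "$lsdcs" == "uniquedomainid" ]]; then
                good
        else
                log "    \E[1;31mou=Domain Controllers does not have a uniquedomainid\E[0m"
                log "    See TID 7009851\n"
        fi

        # check that domain controller server object has uniquedomainid
        log "31) Checking that \e[1mcn=$dcserver,ou=Domain Controllers,$defaultnamingcontext\e[0m has a \e[1muniquedomainid\e[0m"
        # NOTE(review): the space before the comma in "cn=$dcserver ," is kept
        # from the original base DN; confirm the server tolerates it before
        # removing it.
        lsdcserver=$(ldapsearch -Y EXTERNAL -b "cn=$dcserver ,ou=domain controllers,$defaultnamingcontext" -s base uniquedomainid -LLL -Q | grep uniquedomainid: | cut -d : -f1)
        sleep 1
        if [[ "$lsdcserver" == "uniquedomainid" ]]; then
                good
        else
                log "    \E[1;31m$dcserver does not have a uniquedomainid\E[0m"
                log "    See TID 7009851\n"
        fi

        # check cldap request to netlogon
        # Heading: bash turns \\\\006 into \\006 and echo -e turns that into
        # \006, so the filter is shown exactly as it is sent below.
        log "32) Checking cldap returns netlogon \e[1mldapsearch -H cldap://localhost:389 '(&(DnsDomain=$domain)(Host=$host.$domain)(NtVer=\\\\006))' -b '' -s base netlogon | grep -i netlogon\e[0m"
        lsdcnetlogon=$(ldapsearch -H cldap://localhost:389 "(&(DnsDomain=$domain)(Host=$host.$domain)(NtVer=\006))" -b "" -s base netlogon 2>&1 | grep -i netlogon)
        # The original tested $? after `sleep 1`; the grep result is the verdict.
        if [[ -n $lsdcnetlogon ]]; then
                good
        else
                log "    \E[1;31m$host does not return netlogon\E[0m"
                log "    Take a ldap/nmas trace (TID 7009602) and look for errors"
                log "\t How active is the Domain Controller?"
                log "    How many active users are there?"
                log "    If there are over 200 active users another domain controller might help\n"
        fi
        sleep 1

        # check for winbind: Exceeding 200 errors
        log "33) Checking /var/log/messages for \e[1mwinbind: Exceeding 200\e[0m errors"
        # grep exits 0 when the string is present, which is the failure case here.
        # The original compared sleep's status with 1 and so never warned.
        if grep -q -e "winbind: Exceeding 200" /var/log/messages 2>/dev/null; then
                # Keep the matching lines on screen and in the log, as checks 34/35 do.
                grep -e "winbind: Exceeding 200" /var/log/messages | tail | tee -a "$LOG"
                log "    \E[1;33m winbind: Exceeding 200 client connections, no idle connections found\E[0m"
                log "    Check the kdc.log for errors"
                log "    Check the log.smbd for errors"
                log "    Take a ldap/nmas trace (TID 7009602) and look for errors"
                log "    If there are several searches for tokenGroupsDomainLocal see TID 7011498"
                log "    The /var/lib/samba/*.tdb files might be corrupt"
                log "    Stop the DSfW services, backup the *.tdb files (tdbbackup /var/lib/samba/*.tdb, delete the *.tdb file, start the services"
                log "\t How active is the Domain Controller?"
                log "    How many active users are there?"
                log "    If there are over 200 active users another domain controller might help\n"
        else
                good
        fi
        sleep 1

        # check kdc.log for Decrypt integrity check failed
        log "34) Checking kdc.log for \e[1mDecrypt integrity check failed (Bad Passwords)\e[0m errors"
        if grep -q -A1 -i 'Decrypt integrity check failed' /var/opt/novell/xad/log/kdc.log 2>/dev/null; then
                # Principals with the most failures, on screen and in the log.
                grep -A1 -i 'Decrypt integrity check failed' /var/opt/novell/xad/log/kdc.log | grep -v 'Decrypt integrity check failed' | awk -F ')' '{print $3}' | grep -v '^$' | awk -F 'for' '{print $1}' | sort -n | uniq -c | sort -n | tail | tee -a "$LOG"
                log "     \E[1;33mDecrypt integrity check failed (Bad Passwords) errors found in the kdc.log\E[0m"
                log '     Look for principals with $ - example workstation$@dsfw.lan'
                log "     These are workstation with bad passwords and can cause slow performance"
                log "     Follow the kerberos section in TID 7010462\n"
        else
                good
        fi

        # check kdc.log for client not found
        log "35) Checking kdc.log for \e[1mclient not found (Account Does not Exist)\e[0m errors"
        if grep -q -i 'client not found' /var/opt/novell/xad/log/kdc.log 2>/dev/null; then
                grep -i 'client not found' /var/opt/novell/xad/log/kdc.log | cut -d ')' -f3 | awk -F 'for' '{print $1}' | sort -n | uniq -c | sort -n | tail | tee -a "$LOG"
                log "     \E[1;33mclient not found (Account Does not Exist) errors found\E[0m"
                log "     Follow the kerberos section in TID 7010462\n"
        else
                good
        fi
fi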
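log "End of script: $0"
log "-------------------------------------------------------------------------"
# Send the e-mail only when emailsetting is exactly 1.  The header allows
# "remove the 1 to disable"; an empty value evaluates to 0 here, whereas the
# original `[ $emailsetting -eq 1 ]` failed with a syntax error.
if (( emailsetting == 1 )); then
        SendEmail
fi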
