Confirming and troubleshooting Active Directory integration (optional)
There are several steps to take to confirm and troubleshoot Active Directory integration. First, confirm that the AD domain controller is discoverable via DNS:
[tux@dhcp-200 ~]$ nslookup -q=srv _kerberos._tcp.fusion.tuxera
Server: 10.13.0.2
Address: 10.13.0.2#53
_kerberos._tcp.fusion.tuxera service = 0 100 88 fusiondc.fusion.tuxera.
Check that you can obtain tickets for CIFS with the keytab file:
[tux@dhcp-200 ~]$ sudo kinit -V cifs/SMBCLUSTER@FUSION.TUXERA -t /etc/krb5.keytab
keytab specified, forcing -k
Using default cache: /tmp/krb5cc_0
Using principal: cifs/SMBCLUSTER@FUSION.TUXERA
Using keytab: /etc/krb5.keytab
Authenticated to Kerberos v5
Check that the key version number (KVNO) for the CIFS service matches between the KDC and the local keytab file:
[tux@dhcp-200 ~]$ sudo kvno cifs/SMBCLUSTER@FUSION.TUXERA
cifs/SMBCLUSTER@FUSION.TUXERA: kvno = 2
[tux@dhcp-200 ~]$ sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 SMBCLUSTER$@FUSION.TUXERA
2 SMBCLUSTER$@FUSION.TUXERA
2 cifs/SMBCLUSTER@FUSION.TUXERA
2 cifs/SMBCLUSTER@FUSION.TUXERA
2 cifs/smbcluster.FUSION.TUXERA@FUSION.TUXERA
2 cifs/smbcluster.FUSION.TUXERA@FUSION.TUXERA
2 host/SMBCLUSTER@FUSION.TUXERA
2 host/SMBCLUSTER@FUSION.TUXERA
2 host/smbcluster.FUSION.TUXERA@FUSION.TUXERA
2 host/smbcluster.FUSION.TUXERA@FUSION.TUXERA
2 RestrictedKrbHost/SMBCLUSTER@FUSION.TUXERA
2 RestrictedKrbHost/SMBCLUSTER@FUSION.TUXERA
2 RestrictedKrbHost/smbcluster.FUSION.TUXERA@FUSION.TUXERA
2 RestrictedKrbHost/smbcluster.FUSION.TUXERA@FUSION.TUXERA
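The KVNO comparison above can be scripted instead of read by eye. The following is an added example, not part of the Fusion File Share documentation or tooling; the function names and the constructed sample data (including the stale kvno 3 case) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare the KVNO issued by the KDC with the keytab entries.

# stdin: output of `kvno <principal>`; prints the number after "kvno = ".
kdc_kvno() {
  awk -v p="$1" 'BEGIN { pre = p ": kvno = " }
    index($0, pre) == 1 { print substr($0, length(pre) + 1); exit }'
}

# stdin: output of `klist -k`; prints the distinct KVNOs stored for $1.
keytab_kvnos() {
  awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }' | sort -un
}

# $1 principal, $2 kvno output, $3 klist -k output.
# Exit status: 0 match, 1 mismatch or missing, 2 no answer from the KDC.
# The body is a subshell, so `exit` only leaves this function.
check_kvno() (
  kdc=$(printf '%s\n' "$2" | kdc_kvno "$1")
  kt=$(printf '%s\n' "$3" | keytab_kvnos "$1" | tr '\n' ' ')
  kt=${kt% }
  [ -n "$kdc" ] || { echo "UNKNOWN: no KDC kvno for $1"; exit 2; }
  [ -n "$kt" ] || { echo "MISSING: $1 not in keytab (KDC kvno $kdc)"; exit 1; }
  case " $kt " in
    *" $kdc "*) echo "OK: $1 kvno $kdc is in the keytab" ;;
    *) echo "MISMATCH: $1 KDC kvno $kdc, keytab has $kt"; exit 1 ;;
  esac
)

# Sample outputs, constructed from the values shown on this page.
SAMPLE_KVNO='cifs/SMBCLUSTER@FUSION.TUXERA: kvno = 2'
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------
   2 SMBCLUSTER$@FUSION.TUXERA
   2 cifs/SMBCLUSTER@FUSION.TUXERA
   2 cifs/SMBCLUSTER@FUSION.TUXERA
   2 host/SMBCLUSTER@FUSION.TUXERA'
# Constructed stale case: the KDC reports kvno 3, the keytab still holds 2.
STALE_KVNO='cifs/SMBCLUSTER@FUSION.TUXERA: kvno = 3'

check_kvno 'cifs/SMBCLUSTER@FUSION.TUXERA' "$SAMPLE_KVNO" "$SAMPLE_KEYTAB"
check_kvno 'cifs/SMBCLUSTER@FUSION.TUXERA' "$STALE_KVNO" "$SAMPLE_KEYTAB" || true
```

On a live host, pass the real command output instead of the samples, for example `check_kvno "$P" "$(sudo kvno "$P")" "$(sudo klist -k)"` with `P` set to the service principal.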
Confirm that you can obtain tickets for user accounts (the domain name needs to be in upper case):
[tux@dhcp-200 ~]$ kinit -V Administrator@FUSION.TUXERA
Using default cache: 1000
Using principal: Administrator@FUSION.TUXERA
Password for Administrator@FUSION.TUXERA:
Authenticated to Kerberos v5
[tux@dhcp-200 ~]$ klist
Ticket cache: KCM:1000
Default principal: Administrator@FUSION.TUXERA
Valid starting Expires Service principal
08/04/2021 06:57:55 08/04/2021 16:57:55 krbtgt/FUSION.TUXERA@FUSION.TUXERA
renew until 08/11/2021 06:57:49
After Fusion File Share is configured and running successfully, domain authentication can be further validated:
A successful LDAP connection to the domain controller is recorded in the Fusion logs at /var/lib/tsmb/tsmb.log (if the tsmb.conf options are set to log_destination = file, log_params = path=/var/lib/tsmb/tsmb.log and log_level = 4):
Using principal SMBCLUSTER$@FUSION.TUXERA for AD client
Resolving SRV RR _ldap._tcp.fusion.tuxera
Found URI[0]: ldap://fusiondc.fusion.tuxera:389
Resolving SRV RR _gc._tcp.fusion.tuxera
Found URI[0]: ldap://fusiondc.fusion.tuxera:3268
Trying ldap://fusiondc.fusion.tuxera:389
Connected to ldap://fusiondc.fusion.tuxera:389
Our domain SID S-1-5-21-2806065472-3853621301-3373475599
Our domain NETBIOS-Name 'FUSION'
The ticket cache at /var/lib/tsmb/tsmb_ccache should show this as well. Ticket timestamp validity can be checked against the local system time.
[tux@dhcp-200 ~]$ sudo klist /var/lib/tsmb/tsmb_ccache
Ticket cache: FILE:/var/lib/tsmb/tsmb_ccache
Default principal: SMBCLUSTER$@FUSION.TUXERA
Valid starting Expires Service principal
08/05/2021 10:24:04 08/05/2021 11:24:04 krbtgt/FUSION.TUXERA@FUSION.TUXERA
renew until 08/12/2021 10:24:04
08/05/2021 10:24:04 08/05/2021 11:24:04 ldap/fusiondc.fusion.tuxera@
renew until 08/12/2021 10:24:04
Ticket server: ldap/fusiondc.fusion.tuxera@FUSION.TUXERA