Version: Legacy docs

Confirming and troubleshooting Active Directory integration (optional)

There are several steps to take to confirm and troubleshoot Active Directory integration. First, confirm that the AD domain controller is discoverable via DNS:

tux@dhcp-142:~$ nslookup -q=srv _kerberos._tcp.tux.local
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
_kerberos._tcp.tux.local service = 0 100 88 win-ggog9v8aq2v.tux.local.
Authoritative answers can be found from:
tux@dhcp-142:~$ nslookup -q=srv _kpasswd._tcp.tux.local
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
_kpasswd._tcp.tux.local service = 0 100 464 win-ggog9v8aq2v.tux.local.
Authoritative answers can be found from:

Check that you are able to obtain tickets for CIFS with the keytab file:

tux@dhcp-142:~$ sudo kinit -V cifs/SMBCLUSTER@TUX.LOCAL -t /etc/krb5.keytab
keytab specified, forcing -k
Using default cache: /tmp/krb5cc_0
Using principal: cifs/SMBCLUSTER@TUX.LOCAL
Using keytab: /etc/krb5.keytab
Authenticated to Kerberos v5

Check that the key version number (KVNO) for the CIFS service matches between the KDC and the local keytab file:

tux@dhcp-142:~$ sudo kvno cifs/SMBCLUSTER@TUX.LOCAL
cifs/SMB@TUX.LOCAL: kvno = 2
tux@dhcp-142:~$ sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 SMBCLUSTER$@TUX.LOCAL
2 SMBCLUSTER$@TUX.LOCAL
2 SMBCLUSTER$@TUX.LOCAL
2 SMBCLUSTER$@TUX.LOCAL
2 SMBCLUSTER$@TUX.LOCAL
2 SMBCLUSTER$@TUX.LOCAL
2 cifs/SMBCLUSTER@TUX.LOCAL
2 cifs/SMBCLUSTER@TUX.LOCAL
2 cifs/SMBCLUSTER@TUX.LOCAL
2 cifs/SMBCLUSTER@TUX.LOCAL
2 cifs/SMBCLUSTER@TUX.LOCAL
2 cifs/SMBCLUSTER@TUX.LOCAL

...TRUNCATED...
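
The KVNO comparison above can be scripted so that a stale keytab is reported explicitly rather than spotted by eye. This is an added example, not part of the original documentation: the function names and the sample output are constructed for illustration, and the parser assumes plain `klist -k` output (no `-t` timestamp column).

```shell
#!/usr/bin/env bash
# Added example: compare the KVNO reported by the KDC with the local keytab.

# Print the KVNO found in `kvno <principal>` output (stdin).
kdc_kvno() {
    sed -n 's/.*kvno = \([0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1
}

# Print the distinct KVNOs that plain `klist -k` output (stdin) lists for $1.
keytab_kvnos() {
    awk -v p="$1" '$2 == p { print $1 }' | sort -un
}

# kvno_check PRINCIPAL KVNO_OUTPUT KLIST_OUTPUT
# Returns 0 on match, 1 on mismatch, 2 when either output has no KVNO.
kvno_check() {
    local principal kdc in_keytab
    principal=$1
    kdc=$(printf '%s\n' "$2" | kdc_kvno)
    in_keytab=$(printf '%s\n' "$3" | keytab_kvnos "$principal")
    if [ -z "$kdc" ] || [ -z "$in_keytab" ]; then
        echo "UNKNOWN: no KVNO found for $principal"
        return 2
    fi
    if printf '%s\n' "$in_keytab" | grep -qx "$kdc"; then
        echo "OK: keytab holds KVNO $kdc for $principal"
        return 0
    fi
    echo "MISMATCH: KDC has KVNO $kdc, keytab has" $in_keytab "for $principal"
    return 1
}

# Constructed sample output, modelled on the commands shown above.
SAMPLE_KVNO='cifs/SMBCLUSTER@TUX.LOCAL: kvno = 2'
SAMPLE_KVNO_ROTATED='cifs/SMBCLUSTER@TUX.LOCAL: kvno = 3'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 SMBCLUSTER$@TUX.LOCAL
   2 cifs/SMBCLUSTER@TUX.LOCAL
   2 cifs/SMBCLUSTER@TUX.LOCAL'

# Demo on the samples; on a live host pass "$(sudo kvno "$P")" and
# "$(sudo klist -k)" as the second and third arguments instead.
P='cifs/SMBCLUSTER@TUX.LOCAL'
kvno_check "$P" "$SAMPLE_KVNO" "$SAMPLE_KLIST" || true
kvno_check "$P" "$SAMPLE_KVNO_ROTATED" "$SAMPLE_KLIST" || true
```

The second demo call models a KDC whose key for the service has moved on to KVNO 3 while the keytab still holds KVNO 2, which is the condition this check is meant to catch.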

Confirm that you are able to obtain tickets for user accounts (the domain name needs to be upper case):

tux@dhcp-142:~$ kinit -V tuxadmin@TUX.LOCAL
Using default cache: /tmp/krb5cc_1000
Using principal: tuxadmin@TUX.LOCAL
Password for tuxadmin@TUX.LOCAL:
Authenticated to Kerberos v5
tux@dhcp-142:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tuxadmin@TUX.LOCAL
Valid starting Expires Service principal
04/16/2021 09:48:34 04/16/2021 19:48:34 krbtgt/TUX.LOCAL@TUX.LOCAL renew until 04/17/2021 09:48:22

After Fusion File Share is configured and running successfully, domain authentication can be validated further. A successful LDAP connection to the domain controller is recorded in the Fusion logs at /var/lib/tsmb/tsmb.log (if tsmb.conf sets log_destination = file, log_params = path=/var/lib/tsmb/tsmb.log and log_level = 4):

Using principal SMBCLUSTER$@TUX.LOCAL for AD client
Resolving SRV RR _ldap._tcp.tux.local
Found URI[0]: ldap://win-ggog9v8aq2v.tux.local:389
Resolving SRV RR _gc._tcp.tux.local
Found URI[0]: ldap://win-ggog9v8aq2v.tux.local:3268
Trying ldap://win-ggog9v8aq2v.tux.local:389
Connected to ldap://win-ggog9v8aq2v.tux.local:389
Our domain SID S-1-5-21-788087510-3421900764-663072633
Our domain NETBIOS-Name 'TUX'

The ticket cache at /var/lib/tsmb/tsmb_ccache should show this as well. The validity of the ticket timestamps can be checked against the local system time:

tux@dhcp-142:~$ sudo klist /var/lib/tsmb/tsmb_ccache
Ticket cache: FILE:/var/lib/tsmb/tsmb_ccache
Default principal: SMBCLUSTER$@TUX.LOCAL
Valid starting Expires Service principal
04/16/2021 10:01:50 04/16/2021 11:01:50 krbtgt/TUX.LOCAL@TUX.LOCAL
04/16/2021 10:01:50 04/16/2021 11:01:50 ldap/win-ggog9v8aq2v.tux.local@
04/16/2021 10:01:50 04/16/2021 11:01:50 ldap/win-ggog9v8aq2v.tux.local@TUX.LOCAL