Confirming and troubleshooting Active Directory integration (optional)
There are several steps to take to confirm and troubleshoot Active Directory integration. First, confirm that AD Domain controller is discoverable via DNS:
tux@dhcp-236:~$ nslookup -q=srv _kerberos._tcp.tux.local
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
_kerberos._tcp.tux.local service = 0 100 88 win-ggog9v8aq2v.tux.local.
Authoritative answers can be found from:
tux@dhcp-236:~$ nslookup -q=srv _kpasswd._tcp.tux.local
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
_kpasswd._tcp.tux.local service = 0 100 464 win-ggog9v8aq2v.tux.local.
Authoritative answers can be found from:.
Check that you are able to obtain tickets for CIFS with keytab file.
tux@dhcp-236:~$ sudo kinit -V cifs/[email protected] -t /etc/krb5.keytab
keytab specified, forcing -k
Using default cache: /tmp/krb5cc_0
Using principal: cifs/[email protected]
Using keytab: /etc/krb5.keytab
Authenticated to Kerberos v5
Check that key version number (KVNO) for CIFS service matches between KDC and local keytab file:
tux@dhcp-236:~$ sudo kvno cifs/[email protected]
cifs/[email protected]: kvno = 2
tux@dhcp-236:~$ sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
--------
2 [email protected]
2 [email protected]
2 [email protected]
2 [email protected]
2 [email protected]
2 [email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
...TRUNCATED...
Confirm that you are able to obtain tickets for user accounts (domain name need to be upper case).
tux@dhcp-236:~$ kinit -V [email protected]
Using default cache: /tmp/krb5cc_1000
Using principal: [email protected]
Password for [email protected]:
Authenticated to Kerberos v5
tux@dhcp-236:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]
Valid starting Expires Service principal
04/16/2021 09:48:34 04/16/2021 19:48:34 krbtgt/[email protected] renew until 04/17/2021 09:48:22
After Fusion File Share is configured and running successfully, domain authentication can be further validated:
Successful LDAP connection to the domain controller will be found in the Fusion logs at /var/lib/tsmb/tsmb.log (if the tsmb.conf option is set to log_destination = file
, log_params = path=/var/lib/tsmb/tsmb.log
and log_level = 4
).
Using principal [email protected] for AD client
Resolving SRV RR _ldap._tcp.tux.local
Found URI[0]: ldap://win-ggog9v8aq2v.tux.local:389
Resolving SRV RR _gc._tcp.tux.local
Found URI[0]: ldap://win-ggog9v8aq2v.tux.local:3268
Trying ldap://win-ggog9v8aq2v.tux.local:389
Connected to ldap://win-ggog9v8aq2v.tux.local:389
Our domain SID S-1-5-21-788087510-3421900764-663072633
Our domain NETBIOS-Name 'TUX'
Also, the ticket cache at /var/lib/tsmb/tsmb_ccache should show this as well. Ticket timestamp validity can be checked against local system time.
tux@dhcp-236:~$ sudo klist /var/lib/tsmb/tsmb_ccache
Ticket cache: FILE:/var/lib/tsmb/tsmb_ccache
Default principal: [email protected]
Valid starting Expires Service principal
04/16/2021 10:01:50 04/16/2021 11:01:50 krbtgt/[email protected]
04/16/2021 10:01:50 04/16/2021 11:01:50 ldap/win-ggog9v8aq2v.tux.local@
04/16/2021 10:01:50 04/16/2021 11:01:50 ldap/[email protected]