
Confirming and troubleshooting Active Directory integration (optional)

There are several steps you can take to confirm and troubleshoot Active Directory integration. First, confirm that the AD domain controller is discoverable via DNS (the Kerberos SRV record for the domain must resolve to a domain controller):

[tux@dhcp-200 ~]$ nslookup -q=srv _kerberos._tcp.fusion.tuxera
Server: 10.13.0.2
Address: 10.13.0.2#53
_kerberos._tcp.fusion.tuxera service = 0 100 88 fusiondc.fusion.tuxera.

Check that you are able to obtain a ticket for the CIFS service principal using the keytab file:

[tux@dhcp-200 ~]$ sudo kinit -V cifs/[email protected] -t /etc/krb5.keytab
keytab specified, forcing -k
Using default cache: /tmp/krb5cc_0
Using principal: cifs/[email protected]
Using keytab: /etc/krb5.keytab
Authenticated to Kerberos v5

Check that the key version number (KVNO) for the CIFS service principal matches between the KDC and the local keytab file. A mismatch means the keytab holds an outdated key and ticket decryption will fail:

[tux@dhcp-200 ~]$ sudo kvno cifs/[email protected]
cifs/[email protected]: kvno = 2
[tux@dhcp-200 ~]$ sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 [email protected]
2 [email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 RestrictedKrbHost/[email protected]
2 RestrictedKrbHost/[email protected]
2 RestrictedKrbHost/[email protected]
2 RestrictedKrbHost/[email protected]

Confirm that you are able to obtain tickets for user accounts (the domain name needs to be in upper case, since it is used as the Kerberos realm name):

[tux@dhcp-200 ~]$ kinit -V [email protected]
Using default cache: 1000
Using principal: [email protected]
Password for [email protected]:
Authenticated to Kerberos v5
[tux@dhcp-200 ~]$ klist
Ticket cache: KCM:1000
Default principal: [email protected]
Valid starting       Expires              Service principal
08/04/2021 06:57:55  08/04/2021 16:57:55  krbtgt/[email protected]
	renew until 08/11/2021 06:57:49

After Fusion File Share is configured and running successfully, domain authentication can be validated further. A successful LDAP connection to the domain controller is recorded in the Fusion log at /var/lib/tsmb/tsmb.log, provided tsmb.conf sets log_destination = file, log_params = path=/var/lib/tsmb/tsmb.log and log_level = 4:

Using principal [email protected] for AD client
Resolving SRV RR _ldap._tcp.fusion.tuxera
Found URI[0]: ldap://fusiondc.fusion.tuxera:389
Resolving SRV RR _gc._tcp.fusion.tuxera
Found URI[0]: ldap://fusiondc.fusion.tuxera:3268
Trying ldap://fusiondc.fusion.tuxera:389
Connected to ldap://fusiondc.fusion.tuxera:389
Our domain SID S-1-5-21-2806065472-3853621301-3373475599
Our domain NETBIOS-Name 'FUSION'

The ticket cache at /var/lib/tsmb/tsmb_ccache should reflect this as well, holding a service ticket for the domain controller's LDAP service. The ticket validity timestamps can be checked against the local system time:

[tux@dhcp-200 ~]$ sudo klist /var/lib/tsmb/tsmb_ccache
Ticket cache: FILE:/var/lib/tsmb/tsmb_ccache
Default principal: [email protected]
Valid starting Expires Service principal
08/05/2021 10:24:04 08/05/2021 11:24:04 krbtgt/[email protected] renew until 08/12/2021 10:24:04
08/05/2021 10:24:04 08/05/2021 11:24:04 ldap/fusiondc.fusion.tuxera@ renew until 08/12/2021 10:24:04
Ticket server: ldap/[email protected]
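The KVNO comparison and the ticket-validity check above are easy to get wrong by eye, so here is a small POSIX shell helper that automates both. It is an added example, not part of the Fusion File Share documentation, and it parses the text output of `kvno`, `klist -k` and `klist <ccache>` as shown on this page; the principal names, realm and sample output embedded in it are constructed placeholders for the page's cifs/<host>@<REALM> values.

```shell
#!/bin/sh
# Added helper (not part of the Fusion File Share docs): automates the KVNO
# comparison between `kvno` and `klist -k`, and checks the expiry of the TGT
# in a ticket cache against local time. Command output is passed in as text,
# so the parsing can be exercised offline.

# KVNO the KDC reports, from a `kvno` line such as "cifs/host@REALM: kvno = 2".
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}
# Distinct KVNOs the keytab holds for a principal (`klist -k`: KVNO, principal).
keytab_kvnos() {
    printf '%s\n' "$2" | awk -v p="$1" '$2 == p { print $1 }' | sort -u
}
# 0: keytab has the KVNO the KDC uses; 1: only stale versions (typically the
# machine password was reset and the keytab was not regenerated); 2: the
# principal is missing from the keytab altogether.
check_kvno() {
    want=$(kdc_kvno "$2"); have=$(keytab_kvnos "$1" "$3")
    [ -n "$have" ] || return 2
    [ -n "$want" ] && printf '%s\n' "$have" | grep -qx "$want"
}
# Expiry of the krbtgt ticket in `klist` output as YYYYMMDDHHMMSS, assuming the
# "MM/DD/YYYY HH:MM:SS" layout shown on this page (fields 3 and 4 of the line).
tgt_expiry() {
    printf '%s\n' "$1" | awk 'index($5, "krbtgt/") == 1 {
        split($3, d, "/"); gsub(":", "", $4); print d[3] d[1] d[2] $4; exit }'
}
# 0 while the TGT is still valid at time $2 (YYYYMMDDHHMMSS; default: now).
tgt_valid_at() {
    exp=$(tgt_expiry "$1"); now=${2:-$(date +%Y%m%d%H%M%S)}
    [ -n "$exp" ] && [ "$exp" -gt "$now" ]
}

# Constructed sample output (placeholders for the page's cifs/<host>@<REALM>).
SPN='cifs/fileserver.example.com@EXAMPLE.COM'
KVNO_OUT="$SPN: kvno = 2"
KLIST_K_OUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------
   2 FILESERVER$@EXAMPLE.COM
   2 cifs/fileserver.example.com@EXAMPLE.COM
   1 cifs/fileserver.example.com@EXAMPLE.COM'
CCACHE_OUT='08/05/2021 10:24:04 08/05/2021 11:24:04 krbtgt/EXAMPLE.COM@EXAMPLE.COM renew until 08/12/2021 10:24:04'

check_kvno "$SPN" "$KVNO_OUT" "$KLIST_K_OUT" && echo "KVNO ok" || echo "KVNO check failed, rc=$?"
tgt_valid_at "$CCACHE_OUT" && echo "TGT valid" || echo "TGT expired or absent"
```

On a live system, feed the functions `$(sudo kvno "$SPN")`, `$(sudo klist -k)` and `$(sudo klist /var/lib/tsmb/tsmb_ccache)` instead of the constructed strings.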