Confirming and troubleshooting Active Directory integration (optional)
There are several steps you can take to confirm and troubleshoot Active Directory integration. First, confirm that the AD domain controller is discoverable via DNS (the _kerberos._tcp SRV record must resolve to the KDC):
[tux@dhcp-200 ~]$ nslookup -q=srv _kerberos._tcp.fusion.tuxera
Server: 10.13.0.2
Address: 10.13.0.2#53
_kerberos._tcp.fusion.tuxera service = 0 100 88 fusiondc.fusion.tuxera.
Check that you are able to obtain a ticket for the CIFS service principal using the keytab file:
[tux@dhcp-200 ~]$ sudo kinit -V cifs/[email protected] -t /etc/krb5.keytab
keytab specified, forcing -k
Using default cache: /tmp/krb5cc_0
Using principal: cifs/[email protected]
Using keytab: /etc/krb5.keytab
Authenticated to Kerberos v5
Check that the key version number (KVNO) of the CIFS service principal matches between the KDC and the local keytab file (a mismatch means the keytab is stale and clients will fail to authenticate):
[tux@dhcp-200 ~]$ sudo kvno cifs/[email protected]
cifs/[email protected]: kvno = 2
[tux@dhcp-200 ~]$ sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 [email protected]
2 [email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 RestrictedKrbHost/[email protected]
2 RestrictedKrbHost/[email protected]
2 RestrictedKrbHost/[email protected]
2 RestrictedKrbHost/[email protected]
Confirm that you are able to obtain tickets for user accounts (the domain name needs to be in upper case):
[tux@dhcp-200 ~]$ kinit -V [email protected]
Using default cache: 1000
Using principal: [email protected]
Password for [email protected]:
Authenticated to Kerberos v5
[tux@dhcp-200 ~]$ klist
Ticket cache: KCM:1000
Default principal: [email protected]
Valid starting       Expires              Service principal
08/04/2021 06:57:55  08/04/2021 16:57:55  krbtgt/[email protected]
	renew until 08/11/2021 06:57:49
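The KVNO comparison above is easy to get wrong by eye when the keytab holds many principals. The following added helper (not part of the Fusion documentation) parses the output of kvno and klist -k and reports whether the keytab holds a key with the KVNO the KDC currently uses; the realm, hostnames and sample output are constructed.

```shell
#!/usr/bin/env bash
# Added example: check that the keytab KVNO matches the KDC for a service principal.
# Constructed sample output standing in for `kvno <principal>` and `klist -k`;
# EXAMPLE.TEST and the hostnames are placeholders, not values from the documentation.
KVNO_OUTPUT='cifs/dhcp-200.example.test@EXAMPLE.TEST: kvno = 2'
KLIST_OUTPUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 cifs/dhcp-200.example.test@EXAMPLE.TEST
   2 host/dhcp-200.example.test@EXAMPLE.TEST
   1 cifs/old-host.example.test@EXAMPLE.TEST'

# kdc_kvno <kvno-output>: print the KVNO the KDC reports for the principal.
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\)$/\1/p'
}

# keytab_kvnos <klist-k-output> <principal>: print every KVNO stored for principal.
# Header lines ("KVNO Principal", "---- ----") never match a principal name.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1 }'
}

# check_kvno <kvno-output> <klist-k-output> <principal>
# Returns 0 when the keytab holds the KDC's KVNO, 1 when it does not
# (stale keytab), 2 when the KDC output could not be parsed.
check_kvno() {
    local kdc entry
    kdc=$(kdc_kvno "$1")
    [ -n "$kdc" ] || return 2
    for entry in $(keytab_kvnos "$2" "$3"); do
        [ "$entry" = "$kdc" ] && return 0
    done
    return 1
}

# live_check <principal> [keytab]: run the real tools (needs a reachable KDC,
# a ticket in the default cache and read access to the keytab).
live_check() {
    check_kvno "$(kvno "$1" 2>/dev/null)" \
               "$(klist -k "${2:-/etc/krb5.keytab}" 2>/dev/null)" "$1"
}

# Offline demonstration on the constructed sample output.
if check_kvno "$KVNO_OUTPUT" "$KLIST_OUTPUT" cifs/dhcp-200.example.test@EXAMPLE.TEST; then
    echo "keytab KVNO matches KDC"
else
    echo "keytab KVNO mismatch or parse error (rc=$?)"
fi
```

Run live_check against the real principal from the output above (with sudo, as klist -k needs to read /etc/krb5.keytab); a return code of 1 indicates the keytab must be regenerated on the domain.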
After Fusion File Share is configured and running successfully, domain authentication can be further validated:
A successful LDAP connection to the domain controller is recorded in the Fusion log at /var/lib/tsmb/tsmb.log (provided tsmb.conf sets log_destination = file, log_params = path=/var/lib/tsmb/tsmb.log and log_level = 4):
Using principal [email protected] for AD client
Resolving SRV RR _ldap._tcp.fusion.tuxera
Found URI[0]: ldap://fusiondc.fusion.tuxera:389
Resolving SRV RR _gc._tcp.fusion.tuxera
Found URI[0]: ldap://fusiondc.fusion.tuxera:3268
Trying ldap://fusiondc.fusion.tuxera:389
Connected to ldap://fusiondc.fusion.tuxera:389
Our domain SID S-1-5-21-2806065472-3853621301-3373475599
Our domain NETBIOS-Name 'FUSION'
The ticket cache at /var/lib/tsmb/tsmb_ccache should also show the LDAP service ticket. Check the ticket validity timestamps against the local system time, since a clock skew between the Fusion host and the KDC will cause authentication failures.
[tux@dhcp-200 ~]$ sudo klist /var/lib/tsmb/tsmb_ccache
Ticket cache: FILE:/var/lib/tsmb/tsmb_ccache
Default principal: [email protected]
Valid starting       Expires              Service principal
08/05/2021 10:24:04  08/05/2021 11:24:04  krbtgt/[email protected]
	renew until 08/12/2021 10:24:04
08/05/2021 10:24:04  08/05/2021 11:24:04  ldap/fusiondc.fusion.tuxera@
	renew until 08/12/2021 10:24:04
	Ticket server: ldap/[email protected]