Confirming and troubleshooting Active Directory integration (optional)

There are several steps to take to confirm and troubleshoot Active Directory integration. First, confirm that the AD domain controller is discoverable via DNS:

tux@dhcp-142:~$ nslookup -q=srv _kerberos._tcp.tux.local
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
_kerberos._tcp.tux.local service = 0 100 88 win-ggog9v8aq2v.tux.local.
Authoritative answers can be found from:
tux@dhcp-142:~$ nslookup -q=srv _kpasswd._tcp.tux.local
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
_kpasswd._tcp.tux.local service = 0 100 464 win-ggog9v8aq2v.tux.local.
Authoritative answers can be found from:

Check that you are able to obtain tickets for CIFS with the keytab file.

tux@dhcp-142:~$ sudo kinit -V cifs/[email protected] -t /etc/krb5.keytab
keytab specified, forcing -k
Using default cache: /tmp/krb5cc_0
Using principal: cifs/[email protected]
Using keytab: /etc/krb5.keytab
Authenticated to Kerberos v5

Check that the key version number (KVNO) for the CIFS service matches between the KDC and the local keytab file:

tux@dhcp-142:~$ sudo kvno cifs/[email protected]
cifs/[email protected]: kvno = 2
tux@dhcp-142:~$ sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 [email protected]
2 [email protected]
2 [email protected]
2 [email protected]
2 [email protected]
2 [email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]
2 cifs/[email protected]

...TRUNCATED...

Confirm that you are able to obtain tickets for user accounts (the domain name needs to be in upper case).

tux@dhcp-142:~$ kinit -V [email protected]
Using default cache: /tmp/krb5cc_1000
Using principal: [email protected]
Password for [email protected]:
Authenticated to Kerberos v5
tux@dhcp-142:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]
Valid starting       Expires              Service principal
04/16/2021 09:48:34  04/16/2021 19:48:34  krbtgt/[email protected]
	renew until 04/17/2021 09:48:22

After Fusion File Share is configured and running successfully, domain authentication can be validated further. A successful LDAP connection to the domain controller is recorded in the Fusion log at /var/lib/tsmb/tsmb.log (provided tsmb.conf is set to log_destination = file, log_params = path=/var/lib/tsmb/tsmb.log and log_level = 4):

Using principal [email protected] for AD client
Resolving SRV RR _ldap._tcp.tux.local
Found URI[0]: ldap://win-ggog9v8aq2v.tux.local:389
Resolving SRV RR _gc._tcp.tux.local
Found URI[0]: ldap://win-ggog9v8aq2v.tux.local:3268
Trying ldap://win-ggog9v8aq2v.tux.local:389
Connected to ldap://win-ggog9v8aq2v.tux.local:389
Our domain SID S-1-5-21-788087510-3421900764-663072633
Our domain NETBIOS-Name 'TUX'

The ticket cache at /var/lib/tsmb/tsmb_ccache should show the same domain tickets. Check that the ticket validity timestamps are consistent with the local system time.

tux@dhcp-142:~$ sudo klist /var/lib/tsmb/tsmb_ccache
Ticket cache: FILE:/var/lib/tsmb/tsmb_ccache
Default principal: [email protected]
Valid starting Expires Service principal
04/16/2021 10:01:50 04/16/2021 11:01:50 krbtgt/[email protected]
04/16/2021 10:01:50 04/16/2021 11:01:50 ldap/win-ggog9v8aq2v.tux.local@
04/16/2021 10:01:50 04/16/2021 11:01:50 ldap/[email protected]
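The KVNO comparison and the ticket-expiry check above can be scripted. The following is an added example, not part of the Fusion File Share documentation or the product itself; it assumes the service principal, keytab path and ticket cache are passed as arguments, that klist prints timestamps as MM/DD/YYYY HH:MM:SS as shown above, and that it runs as root like the sudo commands above.

```shell
#!/bin/sh
# Added example (not Tuxera's code): automates the KVNO and ticket-expiry checks
# from the steps above. Inputs are assumed: a service principal, its keytab and
# the tsmb ticket cache path. Run as root so the keytab and cache are readable.

# Extract the number from `kvno` output such as "cifs/host@REALM: kvno = 2".
kvno_from_kdc() { printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9]*\).*/\1/p' | head -n 1; }

# Extract the highest KVNO listed for principal $2 in `klist -k` output $1;
# a keytab may hold several versions after a key rollover, and the newest wins.
kvno_from_keytab() { printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1 }' | sort -n | tail -n 1; }

# True when the KDC's KVNO ($1) is known and equals the keytab's ($2).
kvno_matches() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# Turn a klist timestamp "MM/DD/YYYY HH:MM:SS" (the format shown above) into a
# sortable YYYYMMDDHHMMSS integer so timestamps can be compared numerically.
klist_ts_key() { printf '%s\n' "$1" | awk -F'[/ :]' '{ printf "%s%s%s%s%s%s\n", $3, $1, $2, $4, $5, $6 }'; }

# True when a ticket expiring at $1 is still valid at time $2 (both in klist format).
ticket_valid_at() { [ "$(klist_ts_key "$1")" -gt "$(klist_ts_key "$2")" ]; }

# Live checks: $1 = service principal, $2 = keytab, $3 = ticket cache.
# Mirrors the manual kinit / kvno / klist -k / klist steps above.
run_live_checks() {
  command -v kvno >/dev/null 2>&1 || { echo "krb5 user tools not installed"; return 2; }
  kinit -k -t "$2" "$1" || { echo "kinit with keytab failed for $1"; return 1; }
  kdc=$(kvno_from_kdc "$(kvno "$1" 2>&1)")
  kt=$(kvno_from_keytab "$(klist -k "$2")" "$1")
  kvno_matches "$kdc" "$kt" || { echo "KVNO mismatch: KDC=$kdc keytab=$kt"; return 1; }
  echo "KVNO $kdc matches between KDC and $2"
  now=$(date '+%m/%d/%Y %H:%M:%S')
  d='^[0-9][0-9]/[0-9][0-9]/[0-9][0-9][0-9][0-9]$'
  # Ticket lines carry the start date in $1 and the expiry date/time in $3 $4.
  klist "$3" | awk -v d="$d" '$1 ~ d && $3 ~ d { print $3 " " $4 }' | while read -r exp; do
    ticket_valid_at "$exp" "$now" || echo "ticket in $3 expired at $exp (now $now)"
  done
}

# Usage (principal and host are constructed placeholders):
#   ./adcheck.sh 'cifs/fileserver.tux.local@TUX.LOCAL' /etc/krb5.keytab /var/lib/tsmb/tsmb_ccache
if [ "$#" -eq 3 ]; then run_live_checks "$@"; fi
```

A KVNO mismatch means the keytab was not regenerated after the computer account's key changed on the domain controller; an expired tsmb_ccache ticket with a correct clock points at the service not renewing its own credentials.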