Use the isi_auth_expert command to examine a PowerScale OneFS cluster's authentication environment. This helps confirm that the environment is properly configured and identifies conditions, such as authentication failures, that can cause data access latency.
The isi_auth_expert command runs a series of tests, including network and port connectivity and latency, binding, and clock skew. The results can be used to isolate a problematic configuration or network path that is causing data access issues.
Additional checks and parameters were added to the isi_auth_expert command in OneFS 7.2.1.5. See the Additional checks and parameters in OneFS 7.2.1.5 and later section of this article for more information.
To run the isi_auth_expert command, do the following:
isi_auth_expert
You can also run the command with one or more of the options listed in the table below:
Option | Explanation |
---|---|
-h, --help | Show the syntax for this command |
-h, --debug | Display debugging messages |
-v, --verbose | Enable verbose (more detailed) output |
--no-color | Disable colored output |
Sample output:
```
wcvirt1-1# isi_auth_expert
Checking authentication process health ... done
Checking LDAP provider 'ldaptest' server connectivity ... done
Checking LDAP provider 'ldaptest' base dn ... done
Checking LDAP provider 'ldaptest' object enumeration support ... done
Checking LDAP provider 'ldaptest' group base dn ... done
Checking LDAP provider 'ldaptest' user base dn ... done
[ERROR] The configured base user dn 'ou=dne,dc=isilon,dc=com' in LDAP provider 'ldaptest' was not found on LDAP server ldaptest.west.isilon.com.
Checking AD provider 'WMC-ADA.WEST.ISILON.COM' DC connectivity ... done
Checking AD provider 'WMC-ADA.WEST.ISILON.COM' auth related ports ... done
[ERROR] Failed to establish a connection to the AD domain controller wmc-ada-dc1.wmc-ada.west.isilon.com on port 3268.
```
When you run the isi_auth_expert command, the following checks are performed.
Active Directory
The following section describes the tests that the isi_auth_expert command performs for each Active Directory (AD) provider.
Check Domain Controller connectivity
Determine whether the cluster has basic network connectivity to at least one domain controller (DC) in the AD domain.
Check DC ports
Verify that for every DC, the cluster can connect to the AD-related ports, and that the ports are accepting connections.
Port | Explanation | AD Usage | Traffic Type |
---|---|---|---|
88 | Port 88 is used for Kerberos authentication traffic. | User and Computer Authentication, Forest Level Trusts | Kerberos |
139 | Port 139 is used for NetBIOS and NetLogon traffic. | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon |
389 | Port 389 is used for LDAP queries. | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP |
445 | Port 445 is used for replication. | Replication, User and Computer Authentication, Group Policy, Trusts. | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc |
3268 | Port 3268 is used for global catalog LDAP queries. (used if the global catalog in the AD provider is enabled) | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC |
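As an added example (not from the article and not part of OneFS), the following Python parses isi_auth_expert output of the form shown in the sample run into one record per check, attaches each [ERROR] line to the check that produced it, and annotates errors that name a port with the purpose given in the port table above. SAMPLE_OUTPUT is constructed from the article's example run.

```python
"""Added example, not the OneFS tool's code: parse isi_auth_expert output into
structured results. SAMPLE_OUTPUT is constructed from the article's run; AD_PORTS mirrors its port table."""
import re

AD_PORTS = {
    88: "Kerberos authentication",
    139: "NetBIOS and NetLogon",
    389: "LDAP queries",
    445: "SMB, replication, authentication, Group Policy, trusts",
    3268: "global catalog LDAP queries (checked only if GC is enabled in the AD provider)",
}

SAMPLE_OUTPUT = """\
Checking authentication process health ... done
Checking LDAP provider 'ldaptest' server connectivity ... done
Checking LDAP provider 'ldaptest' user base dn ... done
[ERROR] The configured base user dn 'ou=dne,dc=isilon,dc=com' in LDAP provider 'ldaptest' was not found on LDAP server ldaptest.west.isilon.com.
Checking AD provider 'WMC-ADA.WEST.ISILON.COM' DC connectivity ... done
Checking AD provider 'WMC-ADA.WEST.ISILON.COM' auth related ports ... done
[ERROR] Failed to establish a connection to the AD domain controller wmc-ada-dc1.wmc-ada.west.isilon.com on port 3268.
"""

CHECK_RE = re.compile(r"^Checking (?:(AD|LDAP) provider '([^']+)' )?(.+?) \.\.\. (\w+)$")
PORT_RE = re.compile(r"\bport (\d+)\b")


def parse_auth_expert(text):
    """Return one dict per check; each [ERROR] line is attached to the check that precedes it."""
    checks = []
    for line in text.splitlines():
        m = CHECK_RE.match(line)
        if m:
            kind, provider, name, status = m.groups()
            checks.append({"type": kind, "provider": provider, "check": name,
                           "status": status, "errors": []})
        elif line.startswith("[ERROR]") and checks:
            msg = line[len("[ERROR]"):].strip()
            pm = PORT_RE.search(msg)
            port = int(pm.group(1)) if pm else None
            checks[-1]["errors"].append({"message": msg, "port": port,
                "port_usage": AD_PORTS.get(port, "not in the AD port table") if port else None})
    return checks


def failing_providers(checks):
    """Map each provider that produced an error to the names of its failing checks."""
    failed = {}
    for c in checks:
        if c["errors"] and c["provider"]:
            failed.setdefault(c["provider"], []).append(c["check"])
    return failed
```

Feeding the real command output from several nodes through failing_providers gives a quick per-provider view of which check (connectivity, ports, base DN) is failing where.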
LDAP
The following section describes the tests that the isi_auth_expert command performs for each LDAP provider.
LDAP connectivity
LDAP enumerated objects support
Validate configured base-dn
Validate configured user-base-dn
Validate configured group-base-dn
Additional checks and parameters in OneFS 7.2.1.5 and later
The following checks were added in OneFS 7.2.1.5.
Active Directory
The isi_auth_expert command can calculate two types of latency, ping latency and LDAP latency, for all the domain controllers. It also checks the clock skew between the AD provider and the cluster. If the clock skew is less than five minutes, the command returns: "There is minimal or no skew between the AD provider and your machine."
Option | Explanation |
---|---|
--ldap-user | Checks the LDAP provider for a specified user |
--sfu-user | Checks the Active Directory Global Catalog for a specified user |
--admin-creds | Supply the credentials that are required when checking the Active Directory Global Catalog |
Run the isi_auth_expert command with the --ldap-user=<user> parameter, where <user> is the user you want to check. The username must be of the form "plain name" for the search to work. The LDAP user attribute check connects to an LDAP server and queries it for the specified user. The results of the query can then be checked to ensure that the user has all the attributes necessary for authentication in any domain.
Run the isi_auth_expert command with the --sfu-user=<user> and --admin-creds="[('<Domain>', '<User>', '<password>')]" parameters, where <user> is the SFU user you want to check and "[('<Domain>', '<User>', '<password>')]" are the credentials the isi_auth_expert command must provide to perform the Global Catalog lookup on the domain controller. One limitation applies when checking the global catalog: you must provide administrator credentials.
The isi_auth_expert command determines whether SPNs are missing, stale, or incorrect. This check runs automatically whenever the isi_auth_expert command is run.
Use the isi auth ads spn or isi auth krb5 spn commands to list, check, or fix reported missing SPNs.