Click here to load reader

EMC ISILON CUSTOMER TROUBLESHOOTING GUIDE ... 1 - EMC Isilon Customer Troubleshooting Guide: Troubleshoot Kerberos issues on your Isilon cluster For links to all Isilon customer troubleshooting

  • View
    30

  • Download
    2

Embed Size (px)

Text of EMC ISILON CUSTOMER TROUBLESHOOTING GUIDE ... 1 - EMC Isilon Customer Troubleshooting Guide:...

  • 1 - EMC Isilon Customer Troubleshooting Guide: Troubleshoot Kerberos issues on your Isilon

    cluster

    For links to all Isilon customer troubleshooting guides, visit the Customer Troubleshooting - Isilon Info Hub.

    We appreciate your help in improving this document. Submit your feedback at http://bit.ly/isi-docfeedback._________________

    ___________________________

    Abstract

    This troubleshooting guide helps you with Kerberos authentication issues on your Isilon cluster.

    February 13, 2018

    EMC ISILON CUSTOMER TROUBLESHOOTING GUIDE

    TROUBLESHOOT KERBEROS ISSUES ON YOUR ISILON CLUSTER

    OneFS 7.2.0 - 8.1.0

    http://bit.ly/isi-docfeedback http://bit.ly/isi-docfeedback https://community.emc.com/docs/DOC-49017

  • 2 - EMC Isilon Customer Troubleshooting Guide: Troubleshoot Kerberos issues on your Isilon

    cluster

    For links to all Isilon customer troubleshooting guides, visit the Customer Troubleshooting - Isilon Info Hub.

    We appreciate your help in improving this document. Submit your feedback at http://bit.ly/isi-docfeedback._________________

    ___________________________

    Contents and overview

    Page 3 Before you begin

    Appendix A If you need further assistance

    Page 4 Start troubleshooting

    Page 5 Verify the SmartConnect zone name

    Page 6 Active Directory

    Page 7 Check for time skew

    Note Follow all of these steps, in order, until you reach a resolution.

    1. Follow these

    steps.

    2. Perform

    troubleshooting

    steps in order.

    3. Appendixes

    Appendix B How to use this flowchart

    Page 8 Verify the domain

    Page 9 Check for missing SPNs

    Page 10 Add missing SPNs

    Page 11 Verify SPNs

    Page 12 Retrieve a Kerberos ticket

    Page 13 Verify the Kerberos ticket

    Page 14 Domain controllers

    Page 15 Check for duplicate SPNs

    Page 16 Remove duplicate SPNs

    Page 17 Verify the Kerberos ticket (2)

    Page 18 Packet capture

    http://bit.ly/isi-docfeedback http://bit.ly/isi-docfeedback https://community.emc.com/docs/DOC-49017

  • 3 - EMC Isilon Customer Troubleshooting Guide: Troubleshoot Kerberos issues on your Isilon

    cluster

    For links to all Isilon customer troubleshooting guides, visit the Customer Troubleshooting - Isilon Info Hub.

    We appreciate your help in improving this document. Submit your feedback at http://bit.ly/isi-docfeedback._________________

    ___________________________

    Configure screen logging through SSH

    We recommend that you configure screen logging to log all session input and output during your troubleshooting session.

    This log file can be shared with EMC Isilon Technical Support, if you require assistance at any point during troubleshooting.

    Note: The screen session capability does not work in OneFS 7.1.0.6 and 7.1.1.2. If you are running either of these versions,

    you can configure logging by using your local SSH client's logging feature.

    1. Open an SSH connection to the cluster and log in by using the root account .

    Note: If the cluster is in compliance mode, use the compadmin account to log in. All compadmin commands must be

    preceded by the sudo prefix.

    2. Change the directory to /ifs/data/Isilon_Support by running the following command:

    cd /ifs/data/Isilon_Support

    3. Run the following command to capture all input and output from the session:

    screen -L

    This will create a file named screenlog.0 that will be appended to during your session.

    4. Perform troubleshooting.

    Before you begin

    CAUTION! If the node, subnet, or pool that you are working on goes down during the course of

    troubleshooting and you do not have any other way to connect to the cluster, you could

    experience data unavailability.

    Therefore, make sure that you have more than one way to connect to the cluster before

    you start this troubleshooting process. The best method is to have a serial cable

    available. This way, if you are unable to connect through the network, you will still be

    able to connect to the cluster physically.

    For specific requirements and instructions for making a physical connection to the

    cluster, see article 16744 on the EMC Online Support site.

    Before you begin troubleshooting, confirm that you can connect through either another

    subnet or pool, or that you have physical access to the cluster.

    http://bit.ly/isi-docfeedback http://bit.ly/isi-docfeedback https://community.emc.com/docs/DOC-49017 https://support.emc.com/kb/16744

  • 4 - EMC Isilon Customer Troubleshooting Guide: Troubleshoot Kerberos issues on your Isilon

    cluster

    For links to all Isilon customer troubleshooting guides, visit the Customer Troubleshooting - Isilon Info Hub.

    We appreciate your help in improving this document. Submit your feedback at http://bit.ly/isi-docfeedback._________________

    ___________________________

    Start troubleshooting

    Go to Page 5

    Start

    Introduction Start troubleshooting here. If you need

    help to understand the flowchart

    conventions that are used in this guide,

    see Appendix B: How to use this

    flowchart.

    If you have not done so already, log in to

    the cluster and configure screen logging

    through SSH, as described on page 3.

    Open an SSH connection to any node connected to the

    network with access to the domain controllers (DCs) for

    the domain.

    During the troubleshooting process, we will troubleshoot each

    problematic SmartConnect zone name, one at a time.

    You will begin troubleshooting the first zone name on the next page.

    http://bit.ly/isi-docfeedback http://bit.ly/isi-docfeedback https://community.emc.com/docs/DOC-49017

  • 5 - EMC Isilon Customer Troubleshooting Guide: Troubleshoot Kerberos issues on your Isilon

    cluster

    For links to all Isilon customer troubleshooting guides, visit the Customer Troubleshooting - Isilon Info Hub.

    We appreciate your help in improving this document. Submit your feedback at http://bit.ly/isi-docfeedback._________________

    ___________________________

    Verify the SmartConnect zone name

    Page

    5

    You could have arrived here from:

     Page 4 - Start troubleshooting

    Begin troubleshooting the first problematic SmartConnect zone name.

    Verify the name of the SmartConnect zone that is having issues by running the following command :

    OneFS 8.0.0 - 8.1.0

    isi network pools list -v

    OneFS 7.2.0

    isi networks list pools -v

    From the output for the problematic pool, record the Access Zone, SmartConnect Zone, and

    SmartConnect Zone Aliases. See Appendix C for example output.

    Go to Page 6

    __________

    http://bit.ly/isi-docfeedback http://bit.ly/isi-docfeedback https://community.emc.com/docs/DOC-49017

  • 6 - EMC Isilon Customer Troubleshooting Guide: Troubleshoot Kerberos issues on your Isilon

    cluster

    For links to all Isilon customer troubleshooting guides, visit the Customer Troubleshooting - Isilon Info Hub.

    We appreciate your help in improving this document. Submit your feedback at http://bit.ly/isi-docfeedback._________________

    ___________________________

    Active Directory

    Are you using NFS with

    Kerberos in a non-Active

    Directory environment?

    Page

    6

    You could have arrived here from:

     Page 5 - Verify the SmartConnect zone

    name

    Yes

    No

    Were you directed to

    this guide from:

    EMC Isilon Customer

    Troubleshooting Guide:

    Troubleshoot Windows Active

    Directory Authentication?

    Go to Page 7Yes

    Go to:

    EMC Isilon Customer

    Troubleshooting Guide:

    Troubleshoot Windows Active

    Directory Authentication

    No

    Note the page number that you are

    currently on.

    Upload log files and contact Isilon

    Technical Support, as instructed in

    Appendix A.

    http://bit.ly/isi-docfeedback http://bit.ly/isi-docfeedback https://community.emc.com/docs/DOC-49017 http://www.emc.com/collateral/TechnicalDocument/docu63151.pdf

  • 7 - EMC Isilon Customer Troubleshooting Guide: Troubleshoot Kerberos issues on your Isilon

    cluster

    For links to all Isilon customer troubleshooting guides, visit the Customer Troubleshooting - Isilon Info Hub.

    We appreciate your help in improving this document. Submit your feedback at http://bit.ly/isi-docfeedback._________________

    ___________________________

    Check for time skew

    A time skew on the cluster can cause authentication issues. Verify that the

    time on the cluster is accurate by running the following command, where

    is the IP address of the DC:

    ntpdate -q -u

    The example output at the bottom of this page shows a large time offset.

    Page

    7

    You could have arrived here from:

     Page 6 - Active Directory

    How many

    seconds is the time

    off by, if any?

    More than

    300 seconds 299 seconds

    or less

    Go to Page 8

    Verify the IP address of the domain controller on the domain that you are troubleshooting by running

    the following command:

    isi auth ads tru