Debugging Active Directory in CentOS

Having a Linux server querying Windows Active Directory for credentials gives your users a wonderful, unified experience - they only need a single logon for the intranet, and their machine. However, sometimes you need to browse the AD tree to see if/what is going on. Two things I've learned while debugging follow.

1. Try emulating the query from your server command line

Sounds silly, but most of the errors pop up nicely this way on your console, instead of some log somewhere in between. The recommended tool for the job is ldapsearch, which naturally is not available as a standalone package on CentOS. Instead, it's hidden in the openldap-clients package.

So after getting it

# yum install openldap-clients

you can actually run queries from your terminal. The syntax is nothing short of tedious, so here's the example that works for me:

# ldapsearch -LLL -H ldap://activedirectory.example.com:389 -b 'dc=example,dc=com' -D 'DOMAIN\Hex.Blot' -W '(sAMAccountName=test)'

In the above example:

  • activedirectory.example.com is your AD server (duh)
  • dc=example,dc=com is what to search under, and is usually the last part of your domain ( in this case, example.com but it can be example.local )
  • DOMAIN\Hex.blot since AD does not allow anonymous queries by default, you need a valid account to login with, and then run the query. This is the username part, and it needs the domain in front. Note that this is not the example.com domain -- see what appears in front of your login on your windows machine when you lock it. Most of the times it's a shorthand.
  • test is the account name we're testing, ie the one we want the info about. You can substitute that (or the sAMAccountName query) and enter whatever terms you want here.

You should get a wall of text, or an error message. It will contain all that AD knows about the selected query, in our case some user.

If you'd prefer to redirect the wall of text to a file for easier analysis, just append > /path/to-file.txt at the end of the above command.

2. Sniff the packets off the wire

If the above method fails... well, not all is lost. Some sneaky errors don't even show up in the above, so we need to roll our sleeves up and dig a little deeper. The next method (which I'm going to tell you upfront that some sysadmins won't look kindly upon, but will never find out) is to see what goes over the wire.

To do so, we need wireshark :

# yum install wireshark

To run it, and capture all traffic between you and the AD server, use

# tshark tcp and host activedirectory.example.com

While that is running on your terminal, use whatever your're developing. All packets going to/from the AD server will be logged there, along with error messages in the lowest level possibe.

I sincerely hope this will assist others trouble shooting their AD connections - let me know if it does!