Troubleshooting Linux VDA registry problems

Troubleshooting Linux VDA registry problems -

By far the most common Linux VDA support issue the VDA-registration is not. This is often caused by incorrectly configured Active Directory integration or Kerberos authentication issues. In this article I'll try to explain how the Linux VDA Active Directory and Kerberos used and what is commonly goes wrong.

is a nice feature of the Linux VDA that they in the same storefront slots, Delivery Controller (Broker) and Active Directory infrastructure you already have available. The familiar user SSO experience of logging on storefront and get access to applications and desktops, without the credentials again prompted applies to Linux VDA.

The challenge for Linux that do not play on Windows, and it's nice in a Windows domain environment, is inherently difficult. Whether you have chosen Winbind, Quest or Centrify as Active Directory Integration Platform or in fact on one leg away, trying SSSD or PowerBroker, the conditions for a clean Linux VDA Setup remain the same.

There are other some other great sources of information about the registry problems for the Windows VDA, including support articles CTX126992 and CTX126992.

much of this information is still relevant to the Linux VDA and worth reading. This article builds on this and adds the Linux flavor.

hostname

Bad host names that are too long or contain invalid characters can cause, either very obvious or annoying subtly problems in an Active Directory environment. Windows is strict with host names; However, many Linux distributions dangerously liberal, what they allow. Best Practice is:

• limiting hostname avoid length to 15 characters or less to NetBIOS name truncation
• az, AZ, 0-9 and the hyphen (-) characters only, especially avoid underscores, spaces and other symbols
• not start a host name with a number and not end it with a hyphen.

hostname short form of the need to be different FQDN of the DNS domain name contains dot notation. Running the command hostname should display a short name, such as myvda01 while running hostname -f should have its corresponding FQDN as myvda01.workers display. mycorp.net .

The host name and SAM account name of the computer in AD must match, if you ever change the host name, you need to unite the VDA the domain again. Of course, it is best your hostname to get sorted out before anything else to do.

DNS

Bad DNS configuration is a common problem. Before it is good practice, your VDA machine's network settings point to the correct DNS server and DNS server are again reasonable results to ensure. Check if you query the DNS domain name of the VDA. If in a multi-domain or cross-forest environment, also check the other domain names. For example:

 nslookup mycorp.net nslookup nslookup workers.mycorp.net central.mycorp.net 

Multi-homed VDAS

For Linux VDA 1.0, support for multiple network interfaces was limited and should be avoided. The selection of the network interface and the IP address with the broker the communication was not deterministic, which can lead to irregular registration failures.

This problem has been fixed in Linux VDA Version 1.1. To use the network interface, to communicate with the broker a configuration setting has been added to allow specific. For example, make eth0 your primary network interface:

 sudo ctxreg -f -k HKLM / Software / Citrix / Virtual Desktop Agent  -v Primary Ynet Work Interface  -t REG_SZ  -d eth0 sudo create service ctxvda new start 

If you use multiple network interfaces (no loopback interfaces) on your VDAS, it is strongly recommended that this set. If you leave the setting blank, gives way to the VDA to v1.0 behavior unpredictable selection.

Domain Membership

Perhaps obviously to register for Linux VDA with the broker, it must be joined to the domain. The join process varies between AD integration products, but mainly the result is the same - a computer object for the VDA has created in AD. is without the domain connected, the VDA and brokers will not be able to establish a security context and thus not be able to communicate with each other.

There's nothing special about a computer object in AD for Linux machines. It has seen a SID, a DNS name, a SAM account name, and other attributes that are set on a Windows computer object. If you are using Winbind, there are several commands that you can run to verify that the machine is connected and the computer object attributes are valid:

 sudo net ads TESTJOIN sudo net ads info sudo net ads status 

most other AD integration products provide similar instruction tools.

Cross domain and cross-forest

in complex environments with multiple trusted AD domains, with either the VDAS and Delivery Controller are in the same domain, or a 2-way trust relationship located in domains. From Linux 1.1 VDA these trust relationships can cross forest boundaries, use either forest or external trust types.

must be located for HDX session authentication as VDA or in an outbound trusted domain in the same domain user accounts. In other words, the VDA is to rely on the users' domain but do not necessarily have to trust the VDA domain the user's domain.

For more information, search the Active Directory planning manuals for the use of Linux VDA in complex AD environments.

sync

Kerberos is very time-sensitive. If clocks between servers drive more than a few minutes, breaking down the Kerberos authentication system. It is important that all servers and domain controller time are synchronized with each other.

a common architecture is all domain controllers synchronized either by a common internal time server or from the public pool time cluster, and all domain member servers synchronized with the domain controllers.

For virtual machines, it is generally best practice that the time will not be synchronized with network time servers rely solely on the hypervisor-time synchronization.

synchronize for each server with a time server, make sure that you select a cluster that is geographically close. It was observed that NTP may last synchronization time when network latency or jitter is too high.

system keytab

The VDA and brokers use Kerberos to mutually authenticate and secure communication with each other. Each side is the identity of the computer account to use, which create the need for the admin service accounts in Active Directory. Under Windows Kerberos keys are used to secure the machine and the authentication with the domain controller identify are stored and managed by the LSA service. The equivalent on Linux is the system keytab file named usually /etc/krb5.keytab .

The keytab file is typically created when the Linux machine is connected to the domain, and only with the root user. Note that if you use Winbind, the default configuration will not create the keytab file by default. Before joining a domain, make sure that in the /etc/samba/smb.conf

 kerberos method = secrets and keytab 

You can check the list of keys available, even if the keys have been created by running as root:

 klist -ket 

Note that since the VDA communication broker is bidirectional, where on both sides can initiate or accept connections, the VDA both client (UPN) and service (SPN) used keys of the computer account. UPN keys (eg MYVDA$@WORKERS.MYCORP.NET ) used to establish a security context with the broker and SPN-keys (eg host/myvda.domain.net@WORKERS.MYCORP . NET ) are used to accept a connection request from the broker.

for the VDA to decrypt incoming messages is important that the FQDN of the VDA FQDN matches exactly contained within the SPN. The FQDN in the SPN is after host / prefix and before @REALM suffix.

 hostname -f 

For example, if an SPN for the VDA is host/myvda.domain.net@WORKERS.MYCORP.NET , then the above command will need return myvda.domain.net . If they do not match, VDA will fail registration. It might be necessary to combine the machine to the domain again every name to troubleshoot problems.

Kerberos server location

It is important that Kerberos on the Linux VDA has its own domain configured properly to locate domain controllers and if the working cross-domain, the domain controller of the domain of the broker. This is achieved by domain name to KDC server assignments. These assignments are either statically configured in /etc/krb5.conf on each VDA or DNS SRV records retrieved.

For example, the following /etc/krb5.conf file shows how a VDA, residing in workers.mycorp.net domain, could communicate with brokerage services in the foreign central.mycorp.net domain are configured.

 [libdefaults] default_ccache_name = FILE: / tmp / krb5cc _% {uid} default_realm = WORKERS.MYCORP.NET dns_lookup_kdc = false [realms] = {WORKERS.MYCORP.NET KDC primarydc.workers.mycorp. net KDC backupdc.workers.mycorp.net} = {CENTRAL.MYCORP.NET KDC primarydc.central.mycorp.net KDC backupdc.central.mycorp.net} [domain_realm] = workers.mycorp.net wORKERS.MYCORP. NET. workers.mycorp.net = WORKERS.MYCORP.NET central.mycorp.net = CENTRAL.MYCORP.NET .central.mycorp.net = CENTRAL.MYCORP.NET 

The assignment of DNS domain names to KDC server is more than two hops. The DNS maps domain names to the Kerberos realm name (under the [domain_realm] section) and the Kerberos realm name maps to the KDC server (under the [realms] section) ,

This is difficult on any VDA configuration and does not scale well. The better option is to use the DNS SRV records that were created by domain controllers. These records are identified by the prefix _kerberos._tcp. to the DNS domain name. For example, to verify that the DNS SRV records for both VDA and broker-domains are available, perform the following steps:

 host -t SRV _kerberos._tcp.workers.mycorp.net -t SRV _kerberos._tcp host. central.mycorp.net 

These commands should list for the two domains Kerberos ticket distribution services capable of all domain controllers. If no SRV records are returned, this could the DNS service records show are not for the domain released, or there is some other underlying DNS problem. It might be necessary to consider /etc/krb5.conf with static configuration in instead file.

If you use the DNS SRV records, open / etc / krb5 conf and make the following change in the context of [libdefaults] section:

 dns_lookup_kdc = true 

Testing Kerberos

the easiest way to ensure that your VDA properly connected to the domain, your system KEYTAB file is valid and the Kerberos services are localized and operable manually authenticate the computer account. myvda.workers.mycorp.net For our fictitious VDA, we perform:

 sudo kinit -k MYVDA  $ @ WORKERS.MYCORP.NET 

Since WORKERS.MYCORP .NET configured as the default region, we could have something to do saved us by the suffix omission:

 sudo kinit -k MYVDA  $ 

If all goes well, the TGT ticket was fresh through the KDC marked and stored by the VDA in the cache. To view the cached ticket, run:

 sudo klist 

The start time of the ticket should be the time kinit reflect was performed

Ports

the default port for VDA-communication Broker is TCP port 80. connections are established in both directions, this incoming port on the firewall on both the broker and VDA must be open. If you use a port other than the default, you must specify this port as part of the configuration ctxsetup.sh

order by ctxreg check the configured port tool .:

 ctxreg -k HKLM / software / Citrix / Virtual desktop Agent  -v controller Registrar Port 

This is the interface in hex to display. A value of 0x00000050 80 decimal.

port 1494 on the firewall should be open to accept for HDX session traffic from the receiver.

Test Controller Endpoint

To test whether the brokerage service is available, listening and processing requests to the configured port, you can empty HTTP POST requests to the registrar service Broker grant.

 curl -i -d "X"  H: A simple way is that  curl  tool to use is "Content-Type: application / soap + xml"  -H " expect: 100-continue " http://mybroker.central.mycorp.net/Citrix/CdsController/IRegistrar

If the first line is displayed HTTP / 1.1 100 further , and the Broker service responds. This will be followed by a HTTP / 1.1 400 Bad Request response that can be ignored.

Another way to get the broker is to explore using the new Linux XDPing tool that will I describe later.

reintegration into the domain and stale service tickets

Under certain circumstances, if a VDA offset the domain and a fresh set of Kerberos keys are generated, suggests the broker to create a security context with the VDA. This is often caused by the broker a cached out-of-date VDA service ticket based on the previous series of Kerberos keys. This is not the VDA stop to the broker by the compound, but the broker is not be able to establish a secure connection back in the opposite direction to the VDA. The usual symptom VDA fails registry.

This problem is finally resolved if the VDA service ticket finally expires and is renewed, but service tickets are durable as a rule. This could potentially hours.

If you experience registrations problem after VDA on the domain re-entry, the solution of the broker ticket cache must be deleted. You could simply start the broker new, but a less drastic measure is the following run on the broker at a command prompt as an administrator:

 klist -li 0x3e4 Purge 

This will clean up all service tickets in the LSA cache by the rather major network service, under the Citrix Broker service is running. This is service tickets for other VDAs and possibly remove other services. This is harmless - this service tickets will be from the KDC reacquired if needed again

LDAP configuration

The Linux VDA query its domain controller to obtain information about the computer's it. runs. This was indirectly carried out by specially crafted Winbind Quest or Centrify call shell scripts Before Linux Virtual Desktop 1.1. As of version 1.1, which was rationalized into a single direct LDAP query, eliminating the need for special AD integration product scripts can be dispensed with.

For both methods, this will usually only work without administrator intervention. However, if you use Linux Virtual Desktop 1.1 or later, there are a few LDAP service needs to be aware of:

• The LDAP service must be running on the domain controller
• The LDAP service must be hosted on standard port 389
• LDAP tunneled over SSL / TLS (ie LDAPS) is not supported
• The LDAP service endpoints using DNS SRV records be discoverable must

the last element test described earlier similar Kerberos service endpoint for the location. For example:.

 host -t SRV _ldap._tcp.workers.mycorp.net 

If you experience problems registering, look out for any LDAP errors in the VDA logfiles

known bug

if you are using the older Linux VDA 1.0 release, note there is a known issue when the OpenJDK using 1.7.0.85 or later that the registry cause failures. The resolution is either to update the VDA to the v1.1 version or the OpenJDK back to 1.7.0.79 or degrade earlier.

Soft-registration

If the VDA logs show that only "soft-registration" has been achieved, it probably means the Linux VDA has been added to a machine or catalog delivery group. Soft-registration means that the VDA and brokers are to communicate securely with each other, but not to provide setup meetings.

If your VDA experienced Soft registration under the domain reentry while before your VDA registered hard, either a controller configuration change was made to a new AD identity or the VDA has taken after. At the reentry domain You can use the new VDA computer object to the machines catalog and delivery groups.

Linux XDPing

Based must add to the success of Windows XDPing tool, developed by Citrix Support again, we have developed our own validation tool for Linux environments. Under some artistic license by our colleagues in support, we called it the Linux XDPing tool. This is carried out extensive tests on the system and is invaluable to capture at frequently asked questions, including also described many of the items in this article.

Summary

that the most frequently asked questions Registration covers we know. Anything we missed?

to read more of the Linux Virtual Desktop Team, please see here the rest of our posts.

Tweet