10.2. User Directory

10.2.1. I Am Having Some Trouble With the User Directory. Can I Adjust the Log Level to Get More Information?
10.2.2. Kerberos Authentication to Active Directory Works for a While and Then Stops
10.2.3. Can I Use PKI Instead of Kerberos for Authentication to an Active Directory?
10.2.4. What Type of Privileged Access to the User Directory Is Required?

10.2.1. I Am Having Some Trouble With the User Directory. Can I Adjust the Log Level to Get More Information?

Yes, you can increase the detail that is shown in the logs.

By default, all Oracle VDI service messages are logged in the Cacao log files, see Section 9.3.2, “How to Check the Oracle VDI Log Files”. To increase the logging level for directory services, run the following commands as root:

# cacaoadm set-filter -i vda -p com.sun.directoryservices=ALL
# cacaoadm set-filter -i vda -p com.sun.sgd=ALL

On Linux platforms, the cacaoadm command is in /opt/sun/cacao2/bin.

After changing the logging level, restart the Oracle VDI service:

# /opt/SUNWvda/sbin/vda-service restart

After restarting the Oracle VDI service, recreate the problem and check the Cacao log file, see Section 9.3.2, “How to Check the Oracle VDI Log Files”.

The ALL level is verbose, so reset it once you have captured the problem. To reset the logging level for directory services to the default, run the following commands as root:

# cacaoadm set-filter -i vda -p com.sun.directoryservices=NULL
# cacaoadm set-filter -i vda -p com.sun.sgd=NULL

Then restart the Oracle VDI service:

# /opt/SUNWvda/sbin/vda-service restart
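The procedure above (set both filters, restart, reproduce, reset) wrapped in a single on/off script, so that the two filters are always changed together and the reset is not forgotten. This is an added example, not a script shipped with Oracle VDI or taken from its documentation. It assumes that cacaoadm is in /opt/sun/cacao2/bin on Linux and on the PATH elsewhere; the DRY_RUN variable is this script's own convention for printing the commands instead of running them.

```shell
#!/bin/sh
# vda-dirlog: switch Oracle VDI directory-services logging between the
# default level and ALL, then restart the service so the change takes effect.
# Usage: vda-dirlog on|off        (run as root; set DRY_RUN=1 to only print)

# Assumption: on Linux cacaoadm lives in /opt/sun/cacao2/bin; elsewhere it is on PATH.
cacaoadm_bin() {
    if [ -x /opt/sun/cacao2/bin/cacaoadm ]; then
        echo /opt/sun/cacao2/bin/cacaoadm
    else
        echo cacaoadm
    fi
}

# Filter value for the requested mode: ALL for debugging, NULL restores the default.
dirlog_filter_value() {
    case "$1" in
        on)  echo ALL ;;
        off) echo NULL ;;
        *)   echo "usage: $0 on|off" >&2; return 2 ;;
    esac
}

# run CMD...: execute the command, or only print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# set_vda_dirlog on|off: apply the same level to both directory-related filters
# and restart the Oracle VDI service, as the procedure above requires.
set_vda_dirlog() {
    level=$(dirlog_filter_value "$1") || return 2
    bin=$(cacaoadm_bin)
    for logger in com.sun.directoryservices com.sun.sgd; do
        run "$bin" set-filter -i vda -p "$logger=$level" || return 1
    done
    run /opt/SUNWvda/sbin/vda-service restart
}

if [ $# -gt 0 ]; then
    set_vda_dirlog "$1"
fi
```

Run `vda-dirlog on` before reproducing the problem and `vda-dirlog off` once the log has been collected; `DRY_RUN=1 vda-dirlog on` shows the exact commands without touching the service.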

10.2.2. Kerberos Authentication to Active Directory Works for a While and Then Stops

A temporary solution for this issue is to run the following on each Oracle VDI host, which obtains a fresh Kerberos ticket for the account:

kinit -V administrator@MY.DOMAIN

Because the workaround only lasts until that ticket expires, find the underlying cause. This is usually one of the following:

  1. A time synchronization issue.

    Kerberos rejects requests when the clock difference between a client and the KDC exceeds the permitted skew (five minutes by default), so make sure the domain controllers and the Oracle VDI servers synchronize against the same NTP server.

  2. A Kerberos configuration issue.

    Make sure the Kerberos configuration file (krb5.conf) contains a libdefaults section that sets default_realm, a realms entry naming a KDC for that realm, and domain_realm mappings for the domain, as in the following example. Realm names are case-sensitive and are written in upper case, and the kdc host name must resolve to a domain controller:

    [libdefaults]
    default_realm = MY.COMPANY.COM
    
    
    [realms]
    MY.COMPANY.COM = {
    kdc = my.windows.host
    }
    
    [domain_realm]
    .my.company.com = MY.COMPANY.COM
    my.company.com = MY.COMPANY.COM
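A small check for the second cause, to run on each Oracle VDI host before editing krb5.conf by hand. It is an added example and not an Oracle VDI tool: it parses the file with awk and reports whether default_realm is set and upper case, whether that realm has a kdc in [realms], and whether [domain_realm] maps both the bare domain and its subdomains to the realm, which is exactly the layout shown above. The two sample configurations it writes are constructed for the demonstration. It does not check clock skew; use your NTP client's status command for the first cause.

```shell
#!/bin/sh
# check_krb5_conf FILE: verify that krb5.conf has what Oracle VDI needs to reach
# Active Directory. Prints one line per finding; exit status 0 = all checks passed.
# Usage: check_krb5_conf /etc/krb5.conf

# krb5_section FILE SECTION: print the non-comment, non-blank lines of [SECTION].
krb5_section() {
    awk -v want="[$2]" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { insec = ($1 == want); next }
        insec && NF         { print }
    ' "$1"
}

# krb5_value FILE SECTION KEY: print the value of "KEY = value" inside [SECTION].
krb5_value() {
    krb5_section "$1" "$2" | awk -F= -v key="$3" '
        { gsub(/[[:space:]]/, "", $1) }
        $1 == key { gsub(/[[:space:]]/, "", $2); print $2; exit }
    '
}

# krb5_realm_kdc FILE REALM: print the kdc named inside "REALM = { ... }" in [realms].
krb5_realm_kdc() {
    krb5_section "$1" realms | awk -F= -v realm="$2" '
        { gsub(/[[:space:]]/, "", $1) }
        $1 == realm && $2 ~ /[{]/   { inblk = 1; next }
        inblk && /^[[:space:]]*[}]/ { inblk = 0 }
        inblk && $1 == "kdc"        { gsub(/[[:space:]]/, "", $2); print $2; exit }
    '
}

check_krb5_conf() {
    conf="$1"; rc=0
    realm=$(krb5_value "$conf" libdefaults default_realm)
    if [ -z "$realm" ]; then
        echo "FAIL: $conf: [libdefaults] does not set default_realm"
        return 1
    fi
    case "$realm" in
        *[a-z]*) echo "FAIL: default_realm '$realm' is not upper case; realm names are case-sensitive"; rc=1 ;;
    esac
    kdc=$(krb5_realm_kdc "$conf" "$realm")
    if [ -z "$kdc" ]; then
        echo "FAIL: [realms] has no kdc entry for $realm"; rc=1
    fi
    # The DNS domain is the realm in lower case; both ".domain" and "domain" must map to it.
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    for name in ".$domain" "$domain"; do
        if [ "$(krb5_value "$conf" domain_realm "$name")" != "$realm" ]; then
            echo "FAIL: [domain_realm] does not map $name to $realm"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $domain -> $realm via KDC $kdc"
    return "$rc"
}

# write_sample_krb5_conf FILE: constructed file with the layout shown above.
write_sample_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = MY.COMPANY.COM

[realms]
    MY.COMPANY.COM = {
        kdc = my.windows.host
    }

[domain_realm]
    .my.company.com = MY.COMPANY.COM
    my.company.com = MY.COMPANY.COM
EOF
}

# write_broken_krb5_conf FILE: constructed file with a lower-case realm and no domain_realm.
write_broken_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = my.company.com

[realms]
    MY.COMPANY.COM = {
        kdc = my.windows.host
    }
EOF
}

if [ $# -gt 0 ]; then
    check_krb5_conf "$1"
fi
```

The check is deliberately stricter than the Kerberos library itself: a realm that is only reachable through DNS SRV records or a lower-case realm that happens to work in one environment still gets flagged, because those are the configurations that tend to "work for a while and then stop".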

10.2.3. Can I Use PKI Instead of Kerberos for Authentication to an Active Directory?

Yes. PKI authentication is supported and is expected to offer the same features as Kerberos authentication, including removing computer entries from the Active Directory.

10.2.4. What Type of Privileged Access to the User Directory Is Required?

For LDAP type authentication, the account that Oracle VDI binds with needs:

  • Read access to the entire users and groups base, so that Oracle VDI can look up users and resolve the desktops assigned to the users who log in. (If using Active Directory with a single domain, this is typically under CN=Users,DC=my,DC=domain,DC=com.)

  • If using Active Directory, read access to CN=Configuration,DC=my,DC=domain,DC=com. Oracle VDI uses this to pre-populate the domain field of the end-user login dialog with the domain or the list of subdomains. This is not mandatory: if Oracle VDI is not given this access, the domain field of the login dialog is left empty.

For Active Directory type authentication, the account needs:

  • Read access to the entire users and groups base, so that Oracle VDI can look up users and resolve the desktops assigned to the users who log in. (If using Active Directory with a single domain, this is typically under CN=Users,DC=my,DC=domain,DC=com.)

  • Read access to CN=Configuration,DC=my,DC=domain,DC=com. Oracle VDI uses this to pre-populate the domain field of the end-user login dialog with the domain or the list of subdomains. This is not mandatory: if Oracle VDI is not given this access, the domain field of the login dialog is left empty.

  • Write access to the computers location, typically CN=Computers,DC=my,DC=domain,DC=com for Windows hosts that join the my.domain.com domain. Oracle VDI uses it to delete the corresponding computer entry from the Active Directory when a cloned desktop (VM) is destroyed; the entry is created automatically by the Active Directory when the cloned Windows desktop joins the domain, which is generally instructed in Sysprep. This access is only relevant when you clone Windows desktops, and it is not mandatory: if the account lacks it, Oracle VDI cannot delete computer entries and stale entries accumulate in the Active Directory. Since deleting those entries is the only write access in this list, scope it to computer objects under that container on a dedicated service account rather than binding Oracle VDI as a domain administrator.
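A way to confirm the read access in the list above from the Oracle VDI host before configuring the user directory, as an added example that is not part of Oracle VDI. It assumes the OpenLDAP client tools (ldapsearch) are installed, the single-domain container layout used in the examples above (CN=Users, CN=Configuration and CN=Computers directly under the domain), and a hypothetical service account vdi-svc whose password is kept in a root-only file. The delete right on the computers container cannot be probed without creating an object, so the script only reminds you how to confirm it.

```shell
#!/bin/sh
# vda-dircheck: check that the directory account Oracle VDI will bind with can
# read the containers listed above.
# Usage: vda-dircheck LDAP_URI DOMAIN BIND_DN PASSWORD_FILE
#   e.g. vda-dircheck ldaps://dc1.my.domain.com my.domain.com \
#            'CN=vdi-svc,CN=Users,DC=my,DC=domain,DC=com' /root/vdi-svc.pw
# Assumptions (not from the documentation): OpenLDAP ldapsearch is installed, the
# single-domain container layout, and the account name vdi-svc is hypothetical.

# dn_from_domain my.domain.com -> DC=my,DC=domain,DC=com
dn_from_domain() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i
        print ""
    }'
}

# required_access DOMAIN: the containers from the list above and the access
# Oracle VDI needs on each, as "ACCESS DN" lines.
required_access() {
    base=$(dn_from_domain "$1")
    printf 'read CN=Users,%s\n' "$base"
    printf 'read CN=Configuration,%s\n' "$base"
    printf 'write CN=Computers,%s\n' "$base"
}

# can_read URI BIND_DN PASSWORD_FILE BASE_DN: base-scope search for the entry
# itself; succeeds only if the bind works and the account may read that container.
can_read() {
    ldapsearch -x -LLL -H "$1" -D "$2" -y "$3" -b "$4" -s base dn >/dev/null 2>&1
}

# check_directory_access URI DOMAIN BIND_DN PASSWORD_FILE: run the read checks;
# the return value is the number of containers the account could not read.
check_directory_access() {
    uri="$1"; domain="$2"; bind_dn="$3"; pwfile="$4"; failed=0
    while read -r access dn; do
        if can_read "$uri" "$bind_dn" "$pwfile" "$dn"; then
            echo "OK    read  $dn"
        else
            echo "FAIL  read  $dn"; failed=$((failed + 1))
        fi
        if [ "$access" = write ]; then
            echo "CHECK write $dn: confirm by destroying a cloned desktop and checking that its computer entry disappears"
        fi
    done <<EOF
$(required_access "$domain")
EOF
    return "$failed"
}

if [ $# -eq 4 ]; then
    check_directory_access "$@"
fi
```

A FAIL on CN=Users means users will not be resolved at login; a FAIL on CN=Configuration only means the domain field of the login dialog stays empty, as described above. Because the bind uses the service account's own credentials, a successful check also proves that no domain administrator account is involved.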