10.3. User Directory

10.3.1. Increasing Logging to Troubleshoot User Directory Problems
10.3.2. Kerberos Authentication to Active Directory Works for a While and Then Stops
10.3.3. Can I Use PKI Instead of Kerberos for Authentication to an Active Directory?
10.3.4. What Type of Privileged Access to the User Directory Is Required?
10.3.5. Can I Disable the Automatic Cleanup of Computer Objects in Active Directory?

10.3.1. Increasing Logging to Troubleshoot User Directory Problems

You can increase the detail that is shown for user directories in the Common Agent Container (Cacao) log files to assist with troubleshooting. Additional debug logging can also be enabled for troubleshooting Kerberos connections to Active Directory.

Increasing User Directory Logging

  1. Log in as root on the Oracle VDI host.

  2. Stop the Oracle VDI service.

    # /opt/SUNWvda/sbin/vda-service stop
  3. (All user directory types) Enable additional logging for user directories.

    # cacaoadm set-filter -i vda -p com.sun.directoryservices=ALL
    # cacaoadm set-filter -i vda -p com.sun.sgd=ALL

    On Linux platforms, the cacaoadm command is in /opt/sun/cacao2/bin.

  4. (Optional) Enable additional debug logging for Kerberos.

    Kerberos debug logging only applies if the user directory type is Active Directory. As Kerberos debug logging is verbose, you should only enable Kerberos logging if you are asked to by Oracle Support, or if you are particularly interested in Kerberos-related activity.

    1. Obtain the current Java settings for the VDA Cacao instance.

      # cacaoadm get-param -i vda java-flags --value
    2. Make a note of the settings or copy them to a text file so that you can reset them later.

  3. Edit the Java settings for the VDA Cacao instance so that the value contains the original settings followed by the Kerberos debug setting. The original settings contain spaces, so quote the whole value:

      # cacaoadm set-param -i vda java-flags="original-Java-settings -Dsun.security.krb5.debug=true"
      
  5. Start the Oracle VDI service.

    # /opt/SUNWvda/sbin/vda-service start
  6. Reproduce the problem, then check the Cacao log file; see Section 8.5.4, “Checking the Oracle VDI Log Files”.

    Both the user directory logging and the Kerberos logging are output in the Cacao logs.

    When you have obtained the information you need, reset the logging to the defaults.

Resetting User Directory Logging to the Defaults

  1. Log in as root on the Oracle VDI host.

  2. Stop the Oracle VDI service.

    # /opt/SUNWvda/sbin/vda-service stop
  3. (All user directory types) Disable additional logging for user directories.

    # cacaoadm set-filter -i vda -p com.sun.directoryservices=NULL
    # cacaoadm set-filter -i vda -p com.sun.sgd=NULL

    On Linux platforms, the cacaoadm command is in /opt/sun/cacao2/bin.

  4. (Optional) Disable additional debug logging for Kerberos.

    Only perform this step if you enabled the additional debug logging for Kerberos.

    Reset the Java settings for the VDA Cacao instance to the original settings that you noted when you enabled the debug logging, quoting the value:

    # cacaoadm set-param -i vda java-flags="original-Java-settings"
    
  5. Start the Oracle VDI service.

    # /opt/SUNWvda/sbin/vda-service start
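
The enable and reset procedures above, combined into one script, as an added example that is not part of the Oracle VDI documentation. It assumes cacaoadm is on the PATH or in /opt/sun/cacao2/bin; the backup file location is an arbitrary choice of this example. The flag-editing functions are pure shell string handling, so the step that most often goes wrong (losing or mangling the original java-flags) can be checked without a Cacao installation. Run it as root with the Oracle VDI service stopped, as the steps above require.

```shell
#!/bin/sh
# Added example, not part of the Oracle VDI documentation: enable or disable the
# additional user directory and Kerberos logging for the VDA Cacao instance
# without losing the original java-flags value.
# Assumptions: cacaoadm on PATH or in /opt/sun/cacao2/bin; backup path is ours.

KRB5_DEBUG_FLAG="-Dsun.security.krb5.debug=true"
FLAGS_BACKUP="/var/tmp/vda-java-flags.orig"

# Print the flags with the debug flag appended exactly once (idempotent).
add_krb5_debug_flag() {
    flags=$1
    case " $flags " in
        *" $KRB5_DEBUG_FLAG "*) ;;                        # already present
        *) flags="${flags:+$flags }$KRB5_DEBUG_FLAG" ;;   # append with one space
    esac
    printf '%s\n' "$flags"
}

# Print the flags with every occurrence of the debug flag removed.
remove_krb5_debug_flag() {
    out=""
    set -f                      # no globbing while word-splitting the flag string
    for f in $1; do
        [ "$f" = "$KRB5_DEBUG_FLAG" ] && continue
        out="${out:+$out }$f"
    done
    set +f
    printf '%s\n' "$out"
}

cacaoadm_bin() {
    if [ -x /opt/sun/cacao2/bin/cacaoadm ]; then
        echo /opt/sun/cacao2/bin/cacaoadm       # Linux location
    else
        echo cacaoadm                          # Solaris: on PATH
    fi
}

enable_debug_logging() {
    cacao=$(cacaoadm_bin)
    "$cacao" set-filter -i vda -p com.sun.directoryservices=ALL
    "$cacao" set-filter -i vda -p com.sun.sgd=ALL
    current=$("$cacao" get-param -i vda java-flags --value)
    # Keep the original value (step 2 of the procedure) so it can be restored.
    [ -f "$FLAGS_BACKUP" ] || printf '%s\n' "$current" > "$FLAGS_BACKUP"
    "$cacao" set-param -i vda java-flags="$(add_krb5_debug_flag "$current")"
}

disable_debug_logging() {
    cacao=$(cacaoadm_bin)
    "$cacao" set-filter -i vda -p com.sun.directoryservices=NULL
    "$cacao" set-filter -i vda -p com.sun.sgd=NULL
    if [ -f "$FLAGS_BACKUP" ]; then
        restored=$(cat "$FLAGS_BACKUP")
        rm -f "$FLAGS_BACKUP"
    else
        # No backup: strip the flag from whatever is configured now.
        restored=$(remove_krb5_debug_flag "$("$cacao" get-param -i vda java-flags --value)")
    fi
    "$cacao" set-param -i vda java-flags="$restored"
}

# Usage (as root, with the service stopped): vda-debug-logging.sh enable|disable
case "$1" in
    enable)  enable_debug_logging ;;
    disable) disable_debug_logging ;;
esac
```

Stop the service, run the script with enable, start the service, reproduce the problem, and run it again with disable before starting the service again.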

10.3.2. Kerberos Authentication to Active Directory Works for a While and Then Stops

A temporary workaround is to run the following on each Oracle VDI host, which obtains a fresh ticket-granting ticket for the account that Oracle VDI uses to connect to Active Directory (substitute the account and realm you configured):

kinit -V administrator@MY.DOMAIN

The underlying cause is usually one of the following:

  1. A time synchronization issue.

    Kerberos rejects requests whose timestamp differs from the KDC's clock by more than the permitted clock skew (300 seconds by default), so clocks that drift apart gradually produce exactly this symptom: authentication works at first and fails later. Make sure the domain controllers and the Oracle VDI servers synchronize to the same NTP server.

  2. A Kerberos configuration issue.

    Make sure the Kerberos configuration file (krb5.conf) contains a [libdefaults] section that sets default_realm, and a [realms] section that names a KDC (domain controller) for that realm, as in the following example. The realm name is the Active Directory domain name in upper case; realm names are case sensitive.

    [libdefaults]
    default_realm = MY.COMPANY.COM

    [realms]
    MY.COMPANY.COM = {
        kdc = my.windows.host
    }

    [domain_realm]
    .my.company.com = MY.COMPANY.COM
    my.company.com = MY.COMPANY.COM
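
A check for both causes above, as an added example that is not part of the Oracle VDI documentation. It parses a krb5.conf for a default_realm and a KDC for that realm, and expresses the clock skew rule Kerberos applies (300 seconds unless clockskew is changed in krb5.conf). The file paths in the usage comment are the standard locations on Solaris and Linux; the parsing is this example's own, written for the layout shown above.

```shell
#!/bin/sh
# Added example, not part of the Oracle VDI documentation: check a krb5.conf for
# the settings the troubleshooting step above asks for, and express the clock
# skew rule Kerberos enforces. Sample file contents used in testing are constructed.

# krb5_get <file> <section> <key>: print the value of key inside [section].
krb5_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/[][ \t]/, "", s); insect = (s == sect); next }
        insect && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v); print v; exit }
        }
    ' "$1"
}

# krb5_realm_kdcs <file> <realm>: print the kdc entries of that realm block in [realms].
krb5_realm_kdcs() {
    awk -v realm="$2" '
        /^[ \t]*\[/ { s = $0; gsub(/[][ \t]/, "", s); insect = (s == "realms"); inrealm = 0; next }
        insect && !inrealm && index($0, "{") {
            r = $0; sub(/[ \t]*=.*/, "", r); gsub(/[ \t]/, "", r)
            if (r == realm) inrealm = 1
            next
        }
        inrealm && /^[ \t]*\}/ { inrealm = 0; next }
        inrealm && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (k == "kdc") { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v); print v }
        }
    ' "$1"
}

# check_krb5_conf <file>: return 0 when [libdefaults] names a default_realm and
# [realms] lists at least one kdc for it; otherwise print what is missing.
check_krb5_conf() {
    file=$1; rc=0
    realm=$(krb5_get "$file" libdefaults default_realm)
    if [ -z "$realm" ]; then
        echo "$file: [libdefaults] has no default_realm"
        return 1
    fi
    # Realm names are case sensitive; Active Directory realms are upper case.
    if [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "$file: default_realm $realm is not upper case"; rc=1
    fi
    if [ -z "$(krb5_realm_kdcs "$file" "$realm")" ]; then
        echo "$file: [realms] has no kdc entry for $realm"; rc=1
    fi
    return $rc
}

# skew_ok <local_epoch> <kdc_epoch> [max_seconds]: true when the two clocks are
# within the permitted skew (300 seconds unless clockskew is set in krb5.conf).
skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    [ "$diff" -le "${3:-300}" ]
}

# Usage, as root on the Oracle VDI host:
#   check_krb5_conf /etc/krb5/krb5.conf    (Solaris)
#   check_krb5_conf /etc/krb5.conf         (Linux)
#   skew_ok "$(date +%s)" <epoch seconds reported by the domain controller>
```

The parser follows the layout of the example above (one setting per line, one realm block per realm); krb5.conf include directives and other less common forms are out of scope for this check.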

10.3.3. Can I Use PKI Instead of Kerberos for Authentication to an Active Directory?

Yes. PKI authentication offers the same features as Kerberos authentication, including removing computer objects from Active Directory.

10.3.4. What Type of Privileged Access to the User Directory Is Required?

For Active Directory (whether using Kerberos or LDAP):

  • Read access to all users and groups.

    This is required. Oracle VDI needs to be able to look up users and resolve the desktops assigned to the users that log in. If Active Directory contains a single domain, the users and groups are typically in the CN=Users container.

  • Write access to the computers container.

    This is optional. Active Directory automatically creates a computer object when a Windows desktop joins the domain configured in System Preparation (Sysprep). Oracle VDI deletes the computer object when the Windows desktop is deleted. If Oracle VDI does not have write access, the computer objects of deleted desktops remain in Active Directory. By default, domain-joined computers are created in the CN=Computers container; if your Sysprep configuration joins desktops to a different organizational unit, Oracle VDI needs write access to that OU instead.

  • Read access to the CN=Configuration container.

    This is optional. Oracle VDI uses this to populate the Domain field on the Desktop Login screen with the domain or a list of subdomains. If Oracle VDI does not have read access, the Domain field on the Desktop Login screen is empty.

For all other user directory types, read access to the configured base DN is required. Oracle VDI needs to be able to look up users and resolve the desktops assigned to the users that log in.
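
A way to verify the Active Directory access rights listed above from the Oracle VDI host, as an added example that is not part of the Oracle VDI documentation. It uses the OpenLDAP client tools (ldapsearch, ldapadd, ldapdelete), which take different options from the ldapsearch shipped with Solaris; it assumes the service account uses a simple bind that the domain controller accepts over ldap://, and the host name, account, domain and password file are placeholders to replace. The write probe is opt-in because it creates (and then deletes) a throwaway computer object.

```shell
#!/bin/sh
# Added example, not part of the Oracle VDI documentation: probe the directory
# access Oracle VDI needs, using the OpenLDAP command-line client.
# Assumptions (all placeholders): host, bind account, domain and password file.

DC_HOST=${DC_HOST:-dc1.my.company.com}
BIND_USER=${BIND_USER:-vdiservice@my.company.com}
DOMAIN=${DOMAIN:-my.company.com}
# Password file, mode 0600, passed with -y so the password never appears in ps.
PASSFILE=${PASSFILE:-/etc/opt/SUNWvda/ldap.pass}

# domain_to_dn <dns-domain>: the domain's naming context,
# e.g. my.company.com -> DC=my,DC=company,DC=com
domain_to_dn() {
    printf '%s\n' "$1" |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i; print "" }'
}

# can_read <dn>: base-scope search. Active Directory returns no entry rather
# than an error when the account may not read the object, so look for "dn:".
can_read() {
    ldapsearch -LLL -x -H "ldap://$DC_HOST" -D "$BIND_USER" -y "$PASSFILE" \
        -b "$1" -s base '(objectClass=*)' dn 2>/dev/null | grep -q '^dn:'
}

# can_write_computers <container dn>: create and immediately delete a throwaway
# computer object. Deleting is the operation Oracle VDI performs; creating is
# needed only for the probe. If the delete fails the probe object is left behind.
can_write_computers() {
    dn="CN=vdi-acl-probe,$1"
    printf 'dn: %s\nobjectClass: computer\ncn: vdi-acl-probe\nsAMAccountName: vdi-acl-probe$\n' "$dn" |
        ldapadd -x -H "ldap://$DC_HOST" -D "$BIND_USER" -y "$PASSFILE" >/dev/null 2>&1 || return 1
    ldapdelete -x -H "ldap://$DC_HOST" -D "$BIND_USER" -y "$PASSFILE" "$dn" >/dev/null 2>&1
}

# report <label> <command...>: print ok/MISSING for one probe.
report() {
    label=$1; shift
    if "$@"; then echo "ok       $label"; else echo "MISSING  $label"; fi
}

# Usage: sh vdi-ad-access.sh check [--probe-write]
case "$1" in
    check)
        base=$(domain_to_dn "$DOMAIN")
        report "read users and groups: CN=Users,$base"           can_read "CN=Users,$base"
        report "read domain list: CN=Configuration,$base"         can_read "CN=Configuration,$base"
        report "read computers container: CN=Computers,$base"     can_read "CN=Computers,$base"
        if [ "$2" = "--probe-write" ]; then
            report "create/delete computer in CN=Computers,$base" can_write_computers "CN=Computers,$base"
        fi
        ;;
esac
```

A MISSING result for CN=Configuration only means the Domain field on the Desktop Login screen stays empty; a MISSING result for the write probe means deleted desktops leave computer objects behind, as described above.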

10.3.5. Can I Disable the Automatic Cleanup of Computer Objects in Active Directory?

When you use Active Directory, and a Windows desktop joins a domain, a new computer object is created in Active Directory. Oracle VDI automatically removes the computer object from Active Directory whenever a desktop is deleted.

You can disable this behavior by setting the domain-cleanup property of a pool, where pool is the name of the pool:

/opt/SUNWvda/sbin/vda pool-setprops -p domain-cleanup=disabled pool

If you disable it, remove the stale computer objects from Active Directory yourself, because every deleted desktop in that pool then leaves one behind.