Technical Tip: FSSO polling mode for AD server with Samba cannot connect properly
| Description | This article describes a scenario in which a FortiGate unit is configured with FSSO in polling mode for a Windows AD server with Samba, but the two are not able to communicate with each other properly. |
| Scope | - FortiGate v6.2.x. - FortiGate high-end models (FortiGate 1000 series and higher models) and Virtual Machine models. - FortiGate unit with FSSO polling mode which connects to Windows AD server with Samba. |
| Solution | 1) Execute the following command to check the traffic between the FortiGate unit and the Windows AD server:
# diagnose sniffer packet any "host x.x.x.x" 6 0 l
Note: x.x.x.x is the Windows AD server.
2) After the sniffer output has been collected, convert it to a pcap file. The capture then shows whether or not SMB version 1 packets are being exchanged between the FortiGate and the Windows AD server.
3) If SMB version 1 packets are being exchanged between the FortiGate and the Windows AD server, enable SMB version 1 for FSSO polling mode on the FortiGate unit with the following CLI commands:
# config user fsso-polling
    edit <y>
        set smbv1 enable
    end
Note: <y> is the fsso-polling setting that is used.
- smbv1 is disabled by default.
- The CLI commands above are available on high-end FortiGate models (FortiGate 1000 series and higher models) and Virtual Machine models.
To convert the sniffer output to a pcap file that can be opened in Wireshark: |
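For the check in step 2, the following added example (not Fortinet code) counts SMB version 1 and SMB version 2 or later messages in the converted pcap by reading the 4-byte protocol ID that follows the NetBIOS session header. It assumes a classic pcap file with Ethernet framing and IPv4; the function names and the sample capture are constructed for illustration.

```python
import struct

SMB_IDS = {b"\xffSMB": "SMB1", b"\xfeSMB": "SMB2+"}  # protocol id after the NBSS header

def smb_dialects(pcap: bytes) -> dict:
    """Count SMB1 vs SMB2+ messages in a classic pcap (assumes Ethernet + IPv4)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    counts = {"SMB1": 0, "SMB2+": 0}
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Keep only IPv4 (ethertype 0x0800) carrying TCP (protocol 6)
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        if not {sport, dport} & {139, 445}:
            continue
        payload = tcp[(tcp[12] >> 4) * 4:]
        # Session message: type 0x00, 3-byte length, then the id (mid-segment starts are missed)
        if len(payload) >= 8 and payload[0] == 0 and payload[4:8] in SMB_IDS:
            counts[SMB_IDS[payload[4:8]]] += 1
    return counts

def _frame(dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame with zeroed checksums (sample data)."""
    tcp = struct.pack("!HHIIBBHHH", 50000, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap() -> bytes:
    """Constructed capture: two SMB1 messages, one SMB2, one unrelated LDAP segment."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [_frame(389, b"\x30\x0c\x02\x01\x01\x60\x07\x02")]
    for body in (b"\xffSMB\x72", b"\xffSMB\x73", b"\xfeSMB\x40\x00"):
        frames.append(_frame(445, b"\x00" + len(body).to_bytes(3, "big") + body))
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(smb_dialects(sample_pcap()))
```

A non-zero SMB1 count for the AD server's traffic corresponds to the condition in step 3.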
