FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
ltusen
Staff
Article Id 385931
Description

This article describes how to join FortiNAC to the domain from the CLI when the join does not complete correctly from the GUI. Although the GUI shows 'Domain Status: Joined', the following errors are shown:

  • Invalid configuration. Exiting...
  • Host is not configured as a member server.
  • Failed to join domain: This operation is only allowed for the PDC of the domain.

Note: This troubleshooting guide is oriented mainly to FortiNAC CentOS versions. It also applies to FortiNAC-F NAC-OS 7.2.x and 7.4.x, but on those versions the NAC must be rooted before the changes below can be made. (Contact support for assistance if rooting the NAC is needed; this applies to FortiNAC-F versions only.)

Scope

FortiNAC v9.x, v7.2.x, v7.4.x
Solution

Step 1: Log into the FortiNAC CLI and enable Winbind debug with the following command:

CentOS:

nacdebug -name WinbindPlatformService true

NAC-OS:

execute enter-shell
nacdebug -name WinbindPlatformService true

Step 2: Check the Samba smb.conf file configuration:

cat /etc/samba/smb.conf

Example output:

[global]
log level = 0
workgroup = TEST
realm = domainname.com
password server = ad01.domainname.com
security = ads
netbios name = fnactest


Step 3: Validate the entire configuration and confirm the following:

  • There is communication between FortiNAC and the LDAP server.
  • The domain name (domainname.com) and the AD hostname (ad01.domainname.com) can be resolved from the FortiNAC CLI using the 'nslookup' command.
  • Important: The username and password used in Winbind must belong to an AD Administrator account with full privileges.
  • It is highly recommended to add the FortiNAC FQDN DNS record to the production DNS (although this does not affect the functionality and operation of Winbind).

Step 4: Check the output.master logs from the FortiNAC CLI:

CentOS:

tail -F /bsc/logs/output.master | egrep -i "ad-server-ip-address|winbind-username"

yams.WinbindPlatformService SEVERE :: 2024-10-17 13:35:55:040 :: #629 :: Error joining domain [winbind-instance] (winbind-username)

NAC-OS:

diagnose tail -F output.master | grep "ad-server-ip-address|winbind-username"

yams.WinbindPlatformService SEVERE :: 2024-10-17 13:35:55:040 :: #629 :: Error joining domain [winbind-instance] (winbind-username)


Step 5: The configuration in the 'smb.conf' file might not reflect the configuration that has been added via the FortiNAC GUI. For this reason, the permissions of the Samba files must be checked.

The following sample output shows that the 'smb.conf' file was not assigned the correct group permissions at the write level:

ls -al /etc/samba
total 36
drwxr-xr-x. 2 root root 61 Jul 25 2023 .
drwxr-xr-x. 95 root root 12288 Oct 17 13:42 ..
-rw-r--r--. 1 root root 20 Mar 7 2023 lmhosts
-rw-r--r--. 1 root root 706 Mar 7 2023 smb.conf          <----- Read-Only permissions.
-rw-r--r--. 1 root root 11327 Mar 7 2023 smb.conf.example

Note: If the permissions look like these (-rw-r--r--.), the file is Read-Only for the group, and the following commands must be executed to grant the 'nac' group Read/Write permissions:

chgrp nac /etc/samba/smb.conf
chmod g+w /etc/samba/smb.conf


Now, the correct permissions can be verified with the previous command:

ls -al /etc/samba
total 36
drwxr-xr-x. 2 root root 61 Jul 25 2023 .
drwxr-xr-x. 95 root root 12288 Oct 17 13:42 ..
-rw-r--r--. 1 root root 20 Mar 7 2023 lmhosts
-rw-rw-r--. 1 root nac 706 Mar 7 2023 smb.conf           <----- Read/Write permissions.
-rw-r--r--. 1 root root 11327 Mar 7 2023 smb.conf.example


Step 6: Because the 'smb.conf' file was not being updated due to the missing permissions, after granting them with the previous commands, open the Winbind configuration in the FortiNAC GUI and select OK (no settings need to be changed). This causes the smb.conf file to be rewritten so that it reflects the correct configuration.

Step 7: Finally, after correcting the permissions problem and confirming the Winbind configuration from the CLI, join the FortiNAC to the domain from the CLI:

net join -U userfortinac@gmd.com.pe%Passw0rd2023$ --no-dns-update
Using short domain name -- TEST
Joined 'FNACMON' to dns domain 'yordomain.com'

From the FortiNAC Web interface (GUI), refresh the page and confirm that the FortiNAC is now 'Joined' to the Winbind domain correctly.
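The checks in Steps 2, 3 and 5 can be scripted so that the permission problem is caught before the join is attempted. The following POSIX shell script is an added example and is not part of the Fortinet article or of the FortiNAC product: it reads the realm and password server from an smb.conf, reports whether the file carries the group-write permission for the 'nac' group that the article grants, applies the chgrp/chmod fix from Step 5 when asked, and tries to resolve the names from Step 3. The default path, the group name, the function names and the use of 'getent' in place of 'nslookup' are assumptions; run it from the CentOS shell or after 'execute enter-shell' on NAC-OS.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: helper checks for the
# smb.conf permission problem described in Step 5. The path, group name
# and function names are assumptions; adjust them for the appliance.

SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"   # assumed default path
NAC_GROUP="${NAC_GROUP:-nac}"                 # group the article grants write access to

# Print the value of KEY (e.g. "realm", "password server") from FILE.
smb_conf_get() {
    key="$1"
    file="$2"
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" | head -n 1
}

# Return 0 when FILE is owned by group GROUP and has the group write bit set,
# which is the state shown after "chgrp nac" and "chmod g+w" in the article.
# Returns 2 when the file does not exist.
smb_conf_writable() {
    file="$1"
    group="${2:-$NAC_GROUP}"
    [ -f "$file" ] || return 2
    line=$(ls -ld "$file")
    # Character 6 of "-rw-rw-r--" is the group write bit; field 4 is the group.
    gw=$(printf '%s\n' "$line" | cut -c6)
    owner_group=$(printf '%s\n' "$line" | awk '{print $4}')
    [ "$gw" = "w" ] && [ "$owner_group" = "$group" ]
}

# Apply the fix from Step 5 (chgrp + chmod g+w) to FILE for GROUP.
smb_conf_fix_perms() {
    file="$1"
    group="${2:-$NAC_GROUP}"
    chgrp "$group" "$file" && chmod g+w "$file"
}

# Resolve the realm and password server from FILE (Step 3). Uses getent so it
# works without nslookup; prints one line per name, non-zero if any fails.
smb_conf_check_dns() {
    file="$1"
    rc=0
    for name in "$(smb_conf_get realm "$file")" "$(smb_conf_get 'password server' "$file")"; do
        [ -n "$name" ] || continue
        if getent hosts "$name" >/dev/null 2>&1; then
            printf 'resolved: %s\n' "$name"
        else
            printf 'NOT resolved: %s\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# Report on FILE; pass --fix as the second argument to apply the permission change.
smb_conf_report() {
    file="$1"
    if smb_conf_writable "$file"; then
        printf '%s: group %s has write access\n' "$file" "$NAC_GROUP"
    else
        printf '%s: NOT writable by group %s (GUI changes will not reach it)\n' "$file" "$NAC_GROUP"
        if [ "$2" = "--fix" ]; then
            smb_conf_fix_perms "$file" && printf 'permissions corrected\n'
        fi
    fi
    smb_conf_check_dns "$file"
}

# Run only when invoked with a path, e.g.: sh smbcheck.sh /etc/samba/smb.conf --fix
if [ "$#" -gt 0 ]; then
    smb_conf_report "$@"
fi
```

A file reported as "NOT writable by group nac" is exactly the condition from Step 5: the GUI rewrites smb.conf as the nac group, so without the group write bit the realm and password server shown by the GUI never reach Samba, and the join uses stale values.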
