ActiveDirectory

You are currently browsing articles tagged ActiveDirectory.

Articles in Progress

Thursday, April 3, 2008 in General by slowe | 6 comments

Here’s a quick list of a few of the articles that I currently have in progress:

  • I’ve been looking at the recently-announced products from Altor Networks and have their VNSA (Virtual Network Security Analyzer) running in the lab right now. Look for a short post on the product and my initial thoughts. (One piece of advice I can offer to Altor right now: use the virtual appliance OVF format and save your customers a lot of trouble.)
  • I’m going to have some hands-on time with a Xsigo I/O Director over the next few weeks, so look for an article on that product.
  • Prodded to action by Nick’s comment in my article on thin provisioned VMDKs on NFS, I’ll have an article on using SnapRestore to clone VMs on NFS without losing the thin provisioned VMDKs.
  • The Active Directory integration articles are getting a bit long in the tooth, so look for updates to both the Linux and Solaris integration instructions. (By the way, speaking of Solaris integration: I came across this article a short while ago.)

If anyone has any other topics they’d be interested in seeing me tackle, feel free to mention them in the comments below. I can’t make any promises, but I’ll certainly consider them!

UPDATE: The article on preserving thin provisioned VMDKs with SnapRestore is now available.

Tags: , , , , ,

LDAP Signing in AD Integration Situations

Monday, March 17, 2008 in Interoperability, Linux, Security by slowe | 5 comments

Reader Jeffrey Spear contacted me a while back with some problems he was experiencing in trying to integrate some Linux systems into Active Directory. Basically, Kerberos was working but LDAP wasn’t. He was able to use “kinit <AD username>” to generate a Kerberos ticket, but using the “getent passwd <AD username>” was not working. No error messages, nothing; it just didn’t work.

We traded e-mails back and forth for a while, and eventually he found the solution himself:

We work with a locked down version of OSs and in this case a domain policy on the Windows server was preventing the RHEL machines from accessing account info.  The policy was “Domain controller: LDAP server signing requirements” which was set to “Require signature.”  When I changed this setting to “None” it worked great.

This is good information and important to keep in mind; I’ll be sure to incorporate this into the next revision of the Linux-AD integration instructions. (No, I don’t have a timeframe on when that will be!)

In the meantime, if anyone has a workaround for this problem that will allow LDAP to work with signatures enabled or required, I’d love to hear it. Speak up in the comments below!

Tags: , , , , ,

Local Logins Refused in AD Integration Scenarios

Wednesday, January 9, 2008 in Interoperability, Virtualization by slowe | 5 comments

A customer with whom I had worked to fully integrate their ESX Server systems into Active Directory—using my instructions here—had run into a problem. The problem was that local logins were refused when the Service Console lost network connectivity. Clearly, this was a problem; if the customer couldn’t login as root when the network is down, even locally at the console, then we have problems. So I set out today to isolate and fix the problem.

After much trial and error, I had determined what was not the cause the problem:

  • The /etc/pam.d/system-auth file was not at fault; we tried numerous combinations in system-auth and there was no difference in behavior
  • The /etc/ldap.conf file was not at fault; we even tried adding a few additional entries (like “bind_policy soft”) to help with issues when LDAP was down and not responding
  • A lack of DNS resolution was not the problem; the behavior was the same whether DNS was working or not

Finally, I was able to track down this thread which discusses the behavior of the nss_ldap libraries when the LDAP service is not available across the network. In this specific message in the thread, it is noted that nss_ldap will try to contact LDAP to enumerate group membership, even if LDAP is down. So the problem was with using LDAP for group membership, and a quick edit to /etc/nsswitch.conf to remove LDAP from the group line proved that to be true.

As shown in the message, the only workarounds are:

  • Upgrade to v245 of nss_ldap, which allows the use of the “nss_initgroups_ignoreusers” directive; this instructs nss_ldap to not perform group enumeration for the specified users; or
  • Remove the “ldap” entry from the group line in /etc/nsswitch.conf.

Unfortunately, ESX Server 3.0.2 and ESX Server 3.5.0 only supply nss_ldap v207-17, which is too early to support that directive. Of course, we can’t really upgrade the library, either, since that’s not supported by VMware. So the only real fix for VMware ESX Server AD integration scenarios is to not use Active Directory for group memberships. User accounts can still be managed using Active Directory—and authentication occurs against Active Directory—but groups and group membership will have to be handled locally.

This issue is applicable to other operating systems besides ESX Server, though, and for those operating systems an upgrade of the nss_ldap library and the use of the “nss_initgroups_ignoreuser” directive in ldap.conf may be all that is needed to fix an issue with local logins being refused when network connectivity is not present.

UPDATE: It appears that local logins will work without network connectivity, even with full Active Directory integration, if you use the Emergency Console. Thanks to Magnus for the update!

Tags: , , , , , ,

Some Things I’m Working On

Thursday, January 3, 2008 in General, Virtualization by slowe | 8 comments

I wanted to take just a brief moment and let everyone know about a few articles that I’ve got “in the pipeline” for the site. If there is one—or more—of these articles that looks particularly interesting, speak up in the comments.

Here are the articles that are currently under development:

  • An update to the Solaris-AD integration instructions: Last time I ran through these instructions I came across a number of discrepancies and little “gotchas.” I need to incorporate the workarounds into the integration instructions and publish a new version.
  • A brief blurb on NetApp OSSV: NetApp’s Open Systems SnapVault (OSSV) is a pretty cool technology, so I want to take a quick look at setting it up. I’m also exploring to see what kind of unique synergies may arise from using OSSV in a VMware environment.
  • Restricting access to ESX Server when using AD integration: As reader Scott Garrett points out in this comment to an earlier article, ESX Server’s version of sshd doesn’t support the UsePAM directive. This prevents us from using group membership in Active Directory to control access to ESX Server’s Service Console. Or does it? I have a hunch that there may be at least one workaround for this problem; once I’ve tested it, I’ll document it here.
  • New iSCSI functionality in ESX Server 3.5: VMware appears to have refreshed the software iSCSI initiator in ESX Server 3.5, so I want to take a closer look at and discuss here some of this new functionality.

That’s it for now, although I’m certainly open to other items that pique reader interest. Feel free to submit your suggestions in the comments. Thanks!

Tags: , , , , , , , ,

CentOS 5 Active Directory Integration Problem

Tuesday, December 4, 2007 in Interoperability by slowe | 22 comments

Since I had CentOS 5 up and running on ESX Server in the test lab, I decided to try to validate my latest Linux-AD integration instructions on this installation.  Unfortunately, the instructions do not seem to work well at all with CentOS 5; here are some of the errors that I ran into:

  • When using “net ads join” to join the Active Directory domain, it didn’t recognize any existing Kerberos tickets.  I’d already run a “kinit <AD username>”, but “net ads” continued to either a) try to use the root account if I didn’t specify the “-U <AD username>” parameter, and b) prompt for password even when I’d already obtained a Kerberos ticket for the specified username.
  • When initially trying to join the Active Directory domain, “net ads join” threw this error:
    [2007/12/04 12:57:08, 0] libads/kerberos.c:create_local_private_krb5_conf_
    for_domain(594) create_local_private_krb5_conf_for_domain:
    failed to create directory /var/cache/samba/smb_krb5.
    Error was Permission denied
    This error persisted until I manually created the /var/cache/samba/smb_krb5 directory myself.  Why this directory wasn’t created automatically during the Samba installation is beyond me.  Once I created that directory, the error went away, but Samba still wouldn’t create the keytab or add entries to the keytab.
  • The “net ads keytab” command failed miserably; it would not create a keytab, nor would it add entries to a keytab.  No error message is reported; it just doesn’t work.

I inquired on the #samba IRC channel on irc.freenode.net, but the only person willing or able to respond didn’t have any information to provide (in fact, he’d actually used my Solaris-AD integration instructions as a guide for some of his own work).  Various Google searches also failed to provide any helpful information.

By the way, these tests were performed on a stock installation of CentOS 5, with all the latest packages installed using “yum update”.  The Samba version was 3.0.25b-1.el5_1.2.

In the end, I’ve given up on trying to make Samba work in the AD integration process and will instead fallback to the use of ktpass.exe to create the keytab file.  If you have any useful information to share, please let me know or post it in the comments.  Thanks!

Tags: , , ,

Some Notes on Solaris-AD Integration

Tuesday, November 27, 2007 in Interoperability, UNIX by slowe | 8 comments

This afternoon, I walked back through my own instructions for integrating Solaris 10 and Active Directory, and I found that the process wasn’t as smooth as perhaps I’d believed it to be.  As a result of walking back through the process again myself, I’ve collected some notes.  At some point in the near future, these notes will be integrated into a new version of the Solaris-AD integration instructions.

So, without further ado, here are the notes I collected in no particular order:

  • The Blastwave Samba package does not create it’s own smb.conf file in /opt/csw/etc/samba.  This is correctly pointed out in the latest integration instructions, but I wanted to mention it again here.  You’ll need to manually create the /opt/csw/etc/samba/smb.conf file before attempting to join the Solaris server to Active Directory via the ‘net ads join’ command.
  • The defaultServerList portion of the ‘ldapclient manual’ command only supports IP addresses.  The LDAP client service kept going into maintenance mode when using hostnames.  On a hunch, I substituted IP addresses for hostnames, and it worked.  Go figure.
  • Apparently, you can’t use ‘ldapclient mod’ to change an existing attribute map.  I had a hunch about resolving a co-existence issue where both Solaris and Linux are both authenticating against Active Directory—more on that particular topic is coming soon as well—and needed to change the attribute maps for the homedirectory and loginshell attributes.  I ended up editing the ldap_client_file manually (found in /var/ldap; must be made writable using chmod) in order to make the change.  If anyone has a more elegant fix, please let me know.
  • The ‘net ads join’ command correctly creates a Kerberos keytab with the appropriate entries, but places it in the wrong location.  On my test system, it placed the krb5.keytab file in the /etc directory, and Solaris expected it to be in /etc/krb5 instead.  Until I moved that file, authentication against Active Directory consistently failed.
  • It turns out that it’s not really necessary to enable the DNS client using ‘svcadm enable svc:/network/dns/client:default’; from what I’ve been able to gather, that’s there as a dependency only.  The ‘nslookup’ and ‘host’ commands seemed to work just fine with this service still disabled.

Again, I’ll be incorporating these changes into a future version of the Solaris-AD integration instructions.  I hope to have that complete within the next week or two, so stay tuned.  In addition, I have information coming to help with the co-existence of multiple UNIX and UNIX-like operating systems all authenticating against the same Active Directory forest, so keep your eyes peeled for that as well.

Tags: , , , , , ,

Performance in Linux-AD Integration Scenarios

Tuesday, November 13, 2007 in Interoperability, Linux by slowe | 1 comment

A reader kindly shared with me some tips and tweaks he used to help resolve some performance issues with Linux-AD integration, and now I’d like to share them with you:

I ran into some nagging performance issues with Linux/AD integration the other day, and managed to solve them (mostly)—I thought you might be interested in the solution.

Since I’m not exactly following your integration guide (I use DNS lookups to locate LDAP servers in AD, and use GSSAPI authentication for nss_ldap instead of a binddn), I have a bit more overhead on my getent system calls, that was starting to get noticable when it came to getting directory listings, etc.

Two things I have done to alleviate this issue:

  1. Since we have a flat catalog, and all of our DCs are also GCs, I
    disabled recursion. This is not universally relevant, but it does assist me
  2. I edited /etc/nscd.conf to set a 5 minute cache time for passwd and group (but not host!) entries. Data is still usually piping fresh, but now we only call nss_ldap once every 5 minutes, instead of every time we need to know who owns a file. Then I started nscd, and set it to start on boot.

NSCD is a standard part of most RHEL and derivative installs.

Since implementing the above, the user-level experience is no longer
discernably different than the old /etc/passwd method of authentication/authorization.

This is good information to have.  Thanks to Brandon for sharing his experience!

Tags: , , ,

LM and NTLM Authentication in AD Integration

Thursday, November 1, 2007 in Interoperability by slowe | 2 comments

I’ve received some feedback from a reader who alerted me to some sort of interaction between the Local Security Policy on the Windows side and Linux servers authenticating to Active Directory via Kerberos/LDAP/Samba.  I haven’t quite been able to get to the root issue yet, but here’s the high level overview.

The reader was seeing strange delays at the end of a Linux logon process that seemingly could not be explained.  After jumping through all the hoops, another administrator within the organization changed the Local Security Policy setting that governed the use of LM and NTLM authentication, and the delays disappeared.

The policy had been set to allow both LM and NTLM authentication; when changed to allow only NTLM authentication, the delays disappeared immediately.  The Linux server in question did have Samba installed, so apparently Samba was timing out trying the LM authentication; this caused the delays.  Of course, this is all just speculation, as we don’t know exactly why the policy change eliminated the delay.

In any case, since I’ve been pushing the use of Samba in my latest integration instructions (Solaris version here), I thought it might be prudent to mention this feedback.  In the event you start seeing some strange delays in your Linux authentication requests, check the Local Security Policy and see if LM authentication is being permitted.  That might just be your culprit.

Tags: , , , , ,

Lessons Learned About Exchange Server 2007

Wednesday, October 31, 2007 in Microsoft by slowe | 12 comments

I’m in the midst of a non-virtualization-related project right now, which is a bit odd; a great majority of my work these days is centered around virtualization.  Nevertheless, I try to view every project as one from which I can learn.  I have definitely learned some things with this project, that’s for sure.

Here are a few tidbits that I’ve learned so far this week, most of them centered around the installation of Microsoft Exchange Server 2007:

  • First, if you have even one Active Directory domain controller that isn’t running Windows Server 2003 SP1, you can’t use the GUI setup routine for installing Exchange Server 2007.  That’s right, no GUI setup for you.  Instead, you’ll have to install from the command line like this:

    setup.com /mode:install /roles:mb, ca, ht, mt /EnableLegacyOutlook /LegacyRoutingServer:oldserver.domain.com /dc:win2k3sp1.domain.com

    Nice, eh?  Supposedly this will be fixed in Exchange 2007 SP1.

  • Apparently, about 20% of the installations run from the command-line fail with an error about being unable to access the source files.  This is even when installing from local CD-ROM, as I was.  The Microsoft tech I spoke with recognized that this was a problem; the suggested solution was to copy the files from the CD to a local hard drive and run setup from there.
  • The use of the “/LegacyRoutingServer:” command-line switch, which is required for interoperability with “legacy” Exchange 2000/2003 servers, can only be used when installing the very first server with the Hub Transport role (the “ht” in the command line above).  If the installation of that first server dies for some reason—say, like due to some strange error about not being able to access the source files—then you won’t be able to use this command-line switch again.  This means you’ll need to create the appropriate connector yourself manually after installation.
  • If Exchange Server 2007 setup fails while installing the Client Access server role (the “ca” in the setup command line above) citing an error about not being able to find an object (see this URL), then you’ve got some damaged attributes in Active Directory.  In my case, while sitting on hold with Microsoft Support for an hour, I resolved it by doing a full dump of the domain and configuration naming contexts of Active Directory using LDIFDE:

    ldifde -f example.domain.ldf -d “dc=example,dc=com”
    ldifde -f example.config.ldf -d “cn=configuration,dc=example,dc=com”

    I was then able to find the specific object with which Exchange Server 2007 Setup was having a problem and fix it.  In my case, the Offline Address Book server had somehow gotten damaged and was causing setup to fail.  I was able to manually correct the problem using Exchange 2000 System Manager and then Exchange Server 2007 setup proceeded to completion.

  • Specifying a smart host on the SMTP virtual server properties on your “legacy” Exchange servers will cause a routing loop, and mail won’t flow between the new and old servers.  Apparently this is documented somewhere, although the Microsoft tech I spoke to could only point me to some articles about how to configure a smart host.  I haven’t seen any documentation yet that recommends checking and fixing this potential problem.  Furthermore, the troubleshooting tools in Exchange Server 2007 pick this up, but fail to tell you that it could be a problem.
  • Oh, yes, I almost forgot about one: ASP.NET is required for Exchange Server 2007, but what happens when you can’t install it via Add/Remove Programs > Add/Remove Windows Components?  That’s right, back to the command line again:

    %systemroot%\Microsoft.NET\Framework64\
    v2.0.50727\aspnet_regiis.exe -ir -enable

    This is assuming, of course, that you’ve already installed the .NET Framework 2.0 on your server in preparation for Exchange.

You are welcome to tell me that I’m an idiot for not knowing this stuff, on one condition: you provide a URL where information about the problem is posted and a workaround provided.  That way, when someone else runs into the issue, we’ll at least know where to point them for help.

Tags: , , ,

One Potential Issue in AD Integration Scenarios

Monday, September 17, 2007 in Interoperability by slowe | 8 comments

Regular readers of this blog know that I like to work on integrating various systems into Active Directory.  I’ve written a couple of articles on the issue:

Linux-AD Integration, Version 4
Solaris 10-AD Integration, Version 3
Active Directory Integration Index

These articles have been pretty successful and from what I understand have helped a fair number of people integrate their non-Windows systems into Active Directory for simplified user management and authentication.  Occasionally, though, we run into the odd issue that isn’t quite so straightforward to resolve.

For example, I recently had a reader (let’s call him Johnny) who was having a difficult time getting the Linux-AD integration to work.  The “ldapsearch” and “kinit” commands worked fine, but “getent passwd” or “getent group” failed with no output.  The users in Active Directory did indeed have UNIX attributes added to their accounts.  There were no firewalls between the non-Windows systems and the Active Directory domain controllers, and there did not appear to be any connectivity issues whatsoever (this further underscored by the fact that “ldapsearch” successfully returned LDAP search results from AD, and “kinit” successfully obtained a Kerberos ticket from AD).  We were stumped.

Johnny and I traded e-mails back and forth a few times, until finally Johnny found his error and notified me about what had been happening.  As I read the description about the problem, I realized that this may be a problem that is affecting a lot of users, and may, in fact, have stumped some of you out there reading right now.  Here’s the details.

The method that I suggest using for AD integration uses two parts:

  • First, we use Kerberos to obtain a Kerberos ticket from an Active Directory domain controller (also a Kerberos key distribution center, or KDC).  This handles the authentication side of things and prevents the password from crossing the wire at any point in time.
  • Next, we use LDAP to centrally store account information, such as UID number, GID number, home directory, login shell, etc.  This is the part that typically requires schema extensions (although there is a workaround for that) and using this technique ensures that we don’t have to manage accounts individually on each Linux server.

This approach doesn’t work without both pieces.  The Kerberos authentication takes care of the password, but without account information logins still fail.  So if Kerberos works but LDAP doesn’t, logins will fail.  If Kerberos doesn’t work but LDAP is fine, logins will fail.  So part of troubleshooting this configuration is isolating where the problem lies.  In this particular case, “kinit” worked fine—no error was returned and “klist” showed a valid Kerberos ticket.  So the problem had to be with LDAP.  But where?  The “ldapsearch” command worked fine.

The problem lie with the /etc/ldap.conf file.  See, the nss_ldap libraries (which are responsible for using LDAP—and other sources, as defined in /etc/nsswitch.conf—as the backend information database for account information) are controlled by this file, but “ldapsearch” does not use it.  Specifically, the error was with the account that is used to bind (or connect) to Active Directory to perform the searches.

There are two ways of specifying this account in /etc/ldap.conf.  You can use the full DN, which looks something like “cn=Scott Lowe,cn=Users,dc=example,dc=com” or “cn=John Smith,ou=Marketing,ou=Departments,dc=example,dc=com”.  Alternately, you can use the universal principal name (UPN), which looks something like an e-mail address, such as “slowe@example.com” or “john.smith@example.com”.  In this particular case, Johnny (our reader with the problem) was using the full DN, but he was using the wrong attribute in the DN.  Here’s the information he had:

First Name: John
Last Name: Smith
Full Name: John Smith
Display Name: John Smith
UPN: jsmith@example.com
SAM Account Name (downlevel logon name): jsmith
Object name: jsmith

Which of these do you suppose should be used in the DN?  Full name?  No.  Display name?  No.  It must be the object name, in this case “jsmith”.  You can double-check your object name (or CN) using ADSI Edit or a similar utility.  You could use Active Directory Users and Computers, but that’s typically the confusing part.  In any case, once Johnny fixed the syntax for the bind account then “getent passwd” and “getent group” worked like a champ.

How do we avoid this kind of issue?  Simple: just use the UPN instead of the full DN.  This syntax works just as well and avoids the potential problem of using the wrong name when building the full DN.

Tags: , , , , , , ,

« Older entries § Newer entries »