Jump to content


  • Posts

  • Joined

  • Last visited

  • Days Won


Staj last won the day on November 11 2020

Staj had the most liked content!

About Staj

  • Rank

Profile Information

  • Gender
    Not Telling
  • Location

Recent Profile Visitors

1,008 profile views
  1. @Peter RandziakCan I please grab the systemd service unit file? I still need to resolve the problem.
  2. The Apache HTTP Proxy installation - Linux documentation neglected to instruct on configuring htcacheclean, now the filesystem is full, can I please have a working systemd service unit file that I may use for /var/cache/apache2/mod_cache_disk ? Also, this should be included in documentation.
  3. I'm looking into expanding our use of ESET products into a different part of the business but they utilise Proxy Auto Config (PAC) for their devices (Windows). I'm aware you can configure proxies statically in policies and that there is a "Detect proxy" button as well but is there support for PAC for Endpoint Antivirus and Security products?
  4. I had some issues configuring Active Directory integration (Kerberos etc.) with ESMC so I decided to do a write-up on what I did to get it working. This is for Ubuntu Server 18.04 but it should be applicable to other Debian based distros, adjust where required. Let's assume we have the following environment: ESMC Linux Distribution: Ubuntu Server 18.04 ESMC Hostname: esmc ESMC FQDN: esmc.test.local ESMC IP Address: Active Directory Domain: test.local NetBIOS Domain: TEST Domain Controller: dc.test.local ( ESET ESMC AD User Account: eset.esmc@test.local (eset.esmc) Ensure the required Server prerequisites (v7.2) are installed. sudo apt-get install krb5-user ldap-utils libsasl2-modules-gssapi-mit samba Configure Samba at /etc/samba/smb.conf Ensure you change workgroup to the NetBIOS Domain, netbios name to the ESMC Hostname and realm to the Active Directory Domain. The following configuration is based on one found in ESMC VA v7.2 [global] workgroup = TEST netbios name = esmc server string = Samba Server Version %v security = ads realm = test.local domain master = no local master = no preferred master = no socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072 use sendfile = true idmap config * : backend = tdb idmap config * : range = 100000-299999 idmap config TEST : backend = rid idmap config TEST : range = 10000-99999 winbind separator = + winbind enum users = yes winbind enum groups = yes winbind use default domain = yes winbind nested groups = yes winbind refresh tickets = yes template homedir = /home/%D/%U template shell = /bin/bash client max protocol = SMB3 client use spnego = yes client ntlmv2 auth = yes encrypt passwords = yes restrict anonymous = 2 log file = /var/log/samba/log.%m max log size = 50 load printers = no printing = bsd printcap name = /dev/null disable spoolss = yes client ipc signing = auto Configure Kerberos at /etc/krb5.conf Ensure you change default_realm to Active Directory Domain (Must be capitalised) and the realm definition Active Directory Domain (Must be capitalised). Ensure you specify your Domain Controller as a kdc under the realm definition for your Active Directory Domain, if you have multiple Domain Controllers, specify multiple kdc's. Ensure you map Active Directory Domain (prefixed with ".") to the realm name (Your Active Directory Domain but capitalised) under domain_realm. The following configuration is based on one found in ESMC VA v7.2 [libdefaults] default_realm = TEST.LOCAL ticket_lifetime = 24h forwardable = true [realms] TEST.LOCAL = { kdc = dc.test.local } [domain_realm] .test.local = TEST.LOCAL Configure DNS Resolution. systemd-resolved can cause issues with Kerberos, it can probably be worked around but disabling it as follows also works. sudo systemctl disable systemd-resolved.service sudo systemctl stop systemd-resolved Configure /etc/resolv.conf Specify your Domain Controller as a nameserver, create additional nameserver definitions for each Domain Controller. Specify Active Directory Domain for search nameserver search test.local Ensure Hostname is set correctly If you need to change your hostname, you can use: sudo hostnamectl set-hostname esmc.test.local Configure /etc/hosts Add your ESMC and your Domain Controllers to the hosts file. Take note of the ordering of FQDN and aliases after the IP Address as net join will use the first defined alias for your host as SPNs etc. when joining the system to the domain. All values are tab separated. localhost esmc.test.local esmc dc.test.local dc Configure Time Synchronisation By default, the maximum tolerance for computer clock synchronization for Active Directory Kerberos participants is 5 minutes from a Kerberos Key Distribution Center (KDC; in our case, the Domain Controller) to operate correctly. If ESMC is in a VM, you may already be using a Hypervisor with some VM Agent that handles this but, if not, then systemd-timesyncd should suffice or you can use ntpd. Let's assume you use systemd-timesyncd: Configure /etc/systemd/timesyncd.conf NTP Server addresses are separated by spaces. specify each of your Domain Controllers [Time] NTP= Ensure systemd-timesyncd is set to sync and force it to resync. You should see a log entry that it "Sychronized to time server" as per your configuration. sudo timedatectl set-ntp on sudo timedatectl status sudo systemctl restart systemd-timesyncd.service systemctl status systemd-timesyncd.service Join System to Domain If you have Webmin you can use Rejoin Domain (VA v7.2) but it more or less just runs the following command (Replace Administrator with an authorised AD User that can join systems to the domain): sudo net join ads join -U Administrator This relies on a correctly configured /etc/smb.conf You will probably want to move the resulting Computer object this creates in your domain from the default Computers OU to a more relevant OU given your OU hierarchy design in your domain. Setup Mapped Domain Security Groups under Access Rights in ESMC Configure Active Directory under Advanced Settings in Server Settings (v7.2) Map Domain Security Groups and assign Permission Setting Map Domain Security Group users (v7.2) Setup a Static Group Synchronization Server Task in ESMC Synchronization mode - Active Directory / Open Directory / LDAP (v7.2) Setup a User Synchronization Server Task in ESMC User Synchronization (v7.2) Troubleshooting The following can be used to test Kerberos login and LDAP GSSAPI whilst showing debug information, useful for troubleshooting. It destroys and existing Kerberos tickets for your user, obtains a Kerberos ticket for the specified AD user, lists obtained Kerberos tickets then performs LDAP Search by authenticating with GSSAPI. When troubleshooting Kerberos, you should always check the system time with the relevant Domain Controller (KDC) to ensure they are within 5 minutes of each other (by default). Replace eset.esmc with the AD User Account that ESET ESMC will connect under. Replace dc.test.local with your Domain Controller. Replace DC=test,DC=local with the Distinguished Name (DN) of the Base OU in your Domain where you want to list all child Computer objects of. kdestroy KRB5_TRACE=/dev/stdout kinit eset.esmc klist -f KRB5_TRACE=/dev/stdout ldapsearch -LLL -Y GSSAPI -h dc.test.local -b 'DC=test,DC=local' '(&(objectCategory=computer))' 'distinguishedName' 'dNSHostName' @tomasS @Peter Randziak
  5. @Peter Randziak This appears to be resolved, turns out I missed out on some configuration in the hosts file. Thank you to @tomasS for the one-on-one assistance with this. I'll try to write-up a How To soon on how I configured this all so if anyone else is configuring this on a Linux component (non-VA) install, they'll avoid some of the mistakes I've made.
  6. @tomasSThat ldapsearch command yields the same problem, it states "Matching credential not found" as it tries for ldap ticket but eventually finds krbtgt ticket. It then tries, and fails, to query non-standard DNS records for Kerberos using and eventually fails. This is after kdestroy. I had a more thorough krb5.conf but it failed to work correctly so I grabbed, and modified, a working one from a working test ESMC VA instance and modified it. [libdefaults] default_realm = TEST.LOCAL ticket_lifetime = 24h forwardable = true [realms] TEST.LOCAL = { kdc = dc.test.local } [domain_realm] .test.local = TEST.LOCAL It's a lot more minimal then we usually do but it's more or less the same as my working test ESMC instance against a test WS2019 DC. As for the user: UPN: eset.esmc@test.local NetBIOS Domain: TEST SAM Username: eset.esmc Account Options: User cannot change password Password never expires Account expires: Never We have security groups to minimise permissions of such users but I've tried it as nothing more than a member of Domain Users and even Domain Admins, ensuring to kdestroy between each test, so I don't think that's related. Also, I'm currently redacting information (search/replace), if there is a way to do this privately I can provide unredacted information.
  7. @janoo Thanks for that, that explains the dependency as we as we're also having issues with Active Directory integration as well.
  8. @MartinK Running ldapsearch with KRB5_TRACE revealed much more information Example: KRB5_TRACE=/dev/stderr ldapsearch -LLL -Y GSSAPI -h dc.test.local -b 'DC=test,DC=local' '(&(objectCategory=computer))' 'distinguishedName' 'dNSHostName' Despite kinit being successful and klist indicating valid ticket, ldapsearch with Kerberos tracing reveals the actual problem is "Matching credential not found" from the cache: Getting credentials eset.esmc@TEST.LOCAL -> ldap/ using ccache FILE:/tmp/krb5cc_1000 Retrieving eset.esmc@TEST.LOCAL -> ldap/ from FILE:/tmp/krb5cc_1000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000) klist $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: eset.esmc@TEST.LOCAL Valid starting Expires Service principal 06/11/20 18:51:47 07/11/20 04:51:47 krbtgt/TEST.LOCAL@TEST.LOCAL renew until 07/11/20 18:51:43 I've redacted/replaced identifying information in logs.
  9. @MartinK It feels like a hostname mismatch but the hostname of the ESMC linux instance matches the dNSHostName and servicePrincipalName of the Computer object in AD, will keep looking at that angle.
  10. @MartinK libsasl2-modules-gssapi-mit is installed as per Server prerequisites - Linux (7.2) kinit runs successfully but using ldapsearch in the same described in the Synchronization mode - Active Directory / Open Directory LDAP (7.2) documentation triggers the same error. I created a lab environment and setup a WS2019 Domain Controller (ADDS) with ADCS and a test ESMC VA instance was able to connect. Next thing I might look at is GPOs as we apply baselines but I think the issue is more likely the configuration on our ESMC linux instance.
  11. @Peter Randziak I have Mapped Domain Security Groups working but I'm having issues configuring a Static Group Sync Server Task but it fails when doing ldapsearch. SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) #011additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database) Normally I'd suspect a keytab or SPN issue with this but I've been reverse engineering the ESMC VA to see how it has it configured and I don't actually see a keytab anywhere? This would be a lot easier with better documentation.
  12. I'm very unhappy with the quality of the documentation and the level of support we're receiving for an enterprise setup, are there plans or products available that give us more than level-1 support?
  13. Where is the documentation for getting Active Directory Integration setup for ESMC on Linux (Non-VA)?
  • Create New...