Jump to content


  • Content Count

  • Joined

  • Last visited

  • Days Won


Staj last won the day on November 11 2020

Staj had the most liked content!

Profile Information

  • Gender
    Not Telling
  • Location

Recent Profile Visitors

890 profile views
  1. I had some issues configuring Active Directory integration (Kerberos etc.) with ESMC so I decided to do a write-up on what I did to get it working. This is for Ubuntu Server 18.04 but it should be applicable to other Debian based distros, adjust where required. Let's assume we have the following environment: ESMC Linux Distribution: Ubuntu Server 18.04 ESMC Hostname: esmc ESMC FQDN: esmc.test.local ESMC IP Address: Active Directory Domain: test.local NetBIOS Domain: TEST Domain Controller: dc.test.local ( ESET ESMC AD User Account: eset.esmc@test.local (ese
  2. @Peter Randziak This appears to be resolved, turns out I missed out on some configuration in the hosts file. Thank you to @tomasS for the one-on-one assistance with this. I'll try to write-up a How To soon on how I configured this all so if anyone else is configuring this on a Linux component (non-VA) install, they'll avoid some of the mistakes I've made.
  3. @tomasSThat ldapsearch command yields the same problem, it states "Matching credential not found" as it tries for ldap ticket but eventually finds krbtgt ticket. It then tries, and fails, to query non-standard DNS records for Kerberos using and eventually fails. This is after kdestroy. I had a more thorough krb5.conf but it failed to work correctly so I grabbed, and modified, a working one from a working test ESMC VA instance and modified it. [libdefaults] default_realm = TEST.LOCAL ticket_lifetime = 24h forwardable = true [realms] TEST.LOCAL = { kdc = dc.t
  4. @janoo Thanks for that, that explains the dependency as we as we're also having issues with Active Directory integration as well.
  5. @MartinK Running ldapsearch with KRB5_TRACE revealed much more information Example: KRB5_TRACE=/dev/stderr ldapsearch -LLL -Y GSSAPI -h dc.test.local -b 'DC=test,DC=local' '(&(objectCategory=computer))' 'distinguishedName' 'dNSHostName' Despite kinit being successful and klist indicating valid ticket, ldapsearch with Kerberos tracing reveals the actual problem is "Matching credential not found" from the cache: Getting credentials eset.esmc@TEST.LOCAL -> ldap/ using ccache FILE:/tmp/krb5cc_1000 Retrieving eset.esmc@TEST.LOCAL -> ldap/ from
  6. @MartinK It feels like a hostname mismatch but the hostname of the ESMC linux instance matches the dNSHostName and servicePrincipalName of the Computer object in AD, will keep looking at that angle.
  7. @MartinK libsasl2-modules-gssapi-mit is installed as per Server prerequisites - Linux (7.2) kinit runs successfully but using ldapsearch in the same described in the Synchronization mode - Active Directory / Open Directory LDAP (7.2) documentation triggers the same error. I created a lab environment and setup a WS2019 Domain Controller (ADDS) with ADCS and a test ESMC VA instance was able to connect. Next thing I might look at is GPOs as we apply baselines but I think the issue is more likely the configuration on our ESMC linux instance.
  8. @Peter Randziak I have Mapped Domain Security Groups working but I'm having issues configuring a Static Group Sync Server Task but it fails when doing ldapsearch. SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) #011additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database) Normally I'd suspect a keytab or SPN issue with this but I've been reverse engineering the ESMC VA to see how it has it configured and I don't actually see a keytab anywhere?
  9. I'm very unhappy with the quality of the documentation and the level of support we're receiving for an enterprise setup, are there plans or products available that give us more than level-1 support?
  10. Where is the documentation for getting Active Directory Integration setup for ESMC on Linux (Non-VA)?
  11. Server prerequisites - Linux (7.2) winbind package is dropped as a dependency in 7.2, compared with 7.0 instructions, but it's still actually required for Active Directory integration.
  12. I forgot to mention an important point regarding the "Repair ESET Agent" step. If you use PowerShell, you can change the "Start in" path to the UNC path of the ESET Agent source files but you'll have to contend with the PowerShell execution policy, script signing, SYSTEM computer object share permissions etc. If you use Command Line, instead of trying to mount the the share or something using script, you could cheat and redundantly package the Agent source files into an SCCM Package that you specify in said Run Command Line step. It's a bit wasteful and redundant, but it works. You m
  13. Attached is a screenshot of the hierarchy in the Task Sequence Editor. The "(P)" in the Uninstall Actions represents it was configured "With Password". This wasn't the one we used in Production, but one for testing and the one I described in the main post.
  • Create New...