Jump to content

Staj

Members
  • Posts

    63
  • Joined

  • Last visited

  • Days Won

    1

Kudos

  1. Upvote
    Staj received kudos from tomasS in How To: Setup Active Directory Integration for ESMC (Linux Component Install)   
    I had some issues configuring Active Directory integration (Kerberos etc.) with ESMC so I decided to do a write-up on what I did to get it working. This is for Ubuntu Server 18.04 but it should be applicable to other Debian based distros, adjust where required.
    Let's assume we have the following environment:
    ESMC Linux Distribution: Ubuntu Server 18.04
    ESMC Hostname: esmc
    ESMC FQDN: esmc.test.local
    ESMC IP Address: 10.123.1.2
    Active Directory Domain: test.local
    NetBIOS Domain: TEST
    Domain Controller: dc.test.local (10.123.1.1)
    ESET ESMC AD User Account: eset.esmc@test.local (eset.esmc)
    Ensure the required Server prerequisites (v7.2) are installed. sudo apt-get install krb5-user ldap-utils libsasl2-modules-gssapi-mit samba  
    Configure Samba at /etc/samba/smb.conf
    Ensure you change workgroup to the NetBIOS Domain, netbios name to the ESMC Hostname and realm to the Active Directory Domain.
    The following configuration is based on one found in ESMC VA v7.2
    [global] workgroup = TEST netbios name = esmc server string = Samba Server Version %v security = ads realm = test.local domain master = no local master = no preferred master = no socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072 use sendfile = true idmap config * : backend = tdb idmap config * : range = 100000-299999 idmap config TEST : backend = rid idmap config TEST : range = 10000-99999 winbind separator = + winbind enum users = yes winbind enum groups = yes winbind use default domain = yes winbind nested groups = yes winbind refresh tickets = yes template homedir = /home/%D/%U template shell = /bin/bash client max protocol = SMB3 client use spnego = yes client ntlmv2 auth = yes encrypt passwords = yes restrict anonymous = 2 log file = /var/log/samba/log.%m max log size = 50 load printers = no printing = bsd printcap name = /dev/null disable spoolss = yes client ipc signing = auto Configure Kerberos at /etc/krb5.conf
    Ensure you change default_realm to Active Directory Domain (Must be capitalised) and the realm definition Active Directory Domain (Must be capitalised). Ensure you specify your Domain Controller as a kdc under the realm definition for your Active Directory Domain, if you have multiple Domain Controllers, specify multiple kdc's. Ensure you map Active Directory Domain (prefixed with ".") to the realm name (Your Active Directory Domain but capitalised) under domain_realm.
    The following configuration is based on one found in ESMC VA v7.2 [libdefaults] default_realm = TEST.LOCAL ticket_lifetime = 24h forwardable = true [realms] TEST.LOCAL = { kdc = dc.test.local } [domain_realm] .test.local = TEST.LOCAL  
    Configure DNS Resolution.
    systemd-resolved can cause issues with Kerberos, it can probably be worked around but disabling it as follows also works. sudo systemctl disable systemd-resolved.service sudo systemctl stop systemd-resolved Configure /etc/resolv.conf
    Specify your Domain Controller as a nameserver, create additional nameserver definitions for each Domain Controller. Specify Active Directory Domain for search nameserver 10.123.1.1 search test.local Ensure Hostname is set correctly
    If you need to change your hostname, you can use: sudo hostnamectl set-hostname esmc.test.local  
    Configure /etc/hosts
    Add your ESMC and your Domain Controllers to the hosts file. Take note of the ordering of FQDN and aliases after the IP Address as net join will use the first defined alias for your host as SPNs etc. when joining the system to the domain. All values are tab separated. 127.0.0.1 localhost 10.123.1.2 esmc.test.local esmc 10.123.1.1 dc.test.local dc Configure Time Synchronisation
    By default, the maximum tolerance for computer clock synchronization for Active Directory Kerberos participants is 5 minutes from a Kerberos Key Distribution Center (KDC; in our case, the Domain Controller) to operate correctly. If ESMC is in a VM, you may already be using a Hypervisor with some VM Agent that handles this but, if not, then systemd-timesyncd should suffice or you can use ntpd. Let's assume you use systemd-timesyncd: Configure /etc/systemd/timesyncd.conf
    NTP Server addresses are separated by spaces. specify each of  your Domain Controllers [Time] NTP=10.123.1.1 Ensure systemd-timesyncd is set to sync and force it to resync. You should see a log entry that it "Sychronized to time server 10.123.1.123" as per your configuration. sudo timedatectl set-ntp on sudo timedatectl status sudo systemctl restart systemd-timesyncd.service systemctl status systemd-timesyncd.service  
    Join System to Domain If you have Webmin you can use Rejoin Domain (VA v7.2) but it more or less just runs the following command (Replace Administrator with an authorised AD User that can join systems to the domain): sudo net join ads join -U Administrator This relies on a correctly configured /etc/smb.conf
    You will probably want to move the resulting Computer object this creates in your domain from the default Computers OU to a more relevant OU given your OU hierarchy design in your domain.
    Setup Mapped Domain Security Groups under Access Rights in ESMC Configure Active Directory under Advanced Settings in Server Settings (v7.2) Map Domain Security Groups and assign Permission Setting
    Map Domain Security Group users (v7.2) Setup a Static Group Synchronization Server Task in ESMC
    Synchronization mode - Active Directory / Open Directory / LDAP (v7.2) Setup a User Synchronization Server Task in ESMC
    User Synchronization (v7.2) Troubleshooting
    The following can be used to test Kerberos login and LDAP GSSAPI whilst showing debug information, useful for troubleshooting. It destroys and existing Kerberos tickets for your user, obtains a Kerberos ticket for the specified AD user, lists obtained Kerberos tickets then performs LDAP Search by authenticating with GSSAPI.
    When troubleshooting Kerberos, you should always check the system time with the relevant Domain Controller (KDC) to ensure they are within 5 minutes of each other (by default).
    Replace eset.esmc with the AD User Account that ESET ESMC will connect under. Replace dc.test.local with your Domain Controller. Replace DC=test,DC=local with the Distinguished Name (DN) of the Base OU in your Domain where you want to list all child Computer objects of. kdestroy KRB5_TRACE=/dev/stdout kinit eset.esmc klist -f KRB5_TRACE=/dev/stdout ldapsearch -LLL -Y GSSAPI -h dc.test.local -b 'DC=test,DC=local' '(&(objectCategory=computer))' 'distinguishedName' 'dNSHostName' @tomasS @Peter Randziak
  2. Upvote
    Staj received kudos from Peter Randziak in How To: Setup Active Directory Integration for ESMC (Linux Component Install)   
    I had some issues configuring Active Directory integration (Kerberos etc.) with ESMC so I decided to do a write-up on what I did to get it working. This is for Ubuntu Server 18.04 but it should be applicable to other Debian based distros, adjust where required.
    Let's assume we have the following environment:
    ESMC Linux Distribution: Ubuntu Server 18.04
    ESMC Hostname: esmc
    ESMC FQDN: esmc.test.local
    ESMC IP Address: 10.123.1.2
    Active Directory Domain: test.local
    NetBIOS Domain: TEST
    Domain Controller: dc.test.local (10.123.1.1)
    ESET ESMC AD User Account: eset.esmc@test.local (eset.esmc)
    Ensure the required Server prerequisites (v7.2) are installed. sudo apt-get install krb5-user ldap-utils libsasl2-modules-gssapi-mit samba  
    Configure Samba at /etc/samba/smb.conf
    Ensure you change workgroup to the NetBIOS Domain, netbios name to the ESMC Hostname and realm to the Active Directory Domain.
    The following configuration is based on one found in ESMC VA v7.2
    [global] workgroup = TEST netbios name = esmc server string = Samba Server Version %v security = ads realm = test.local domain master = no local master = no preferred master = no socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072 use sendfile = true idmap config * : backend = tdb idmap config * : range = 100000-299999 idmap config TEST : backend = rid idmap config TEST : range = 10000-99999 winbind separator = + winbind enum users = yes winbind enum groups = yes winbind use default domain = yes winbind nested groups = yes winbind refresh tickets = yes template homedir = /home/%D/%U template shell = /bin/bash client max protocol = SMB3 client use spnego = yes client ntlmv2 auth = yes encrypt passwords = yes restrict anonymous = 2 log file = /var/log/samba/log.%m max log size = 50 load printers = no printing = bsd printcap name = /dev/null disable spoolss = yes client ipc signing = auto Configure Kerberos at /etc/krb5.conf
    Ensure you change default_realm to Active Directory Domain (Must be capitalised) and the realm definition Active Directory Domain (Must be capitalised). Ensure you specify your Domain Controller as a kdc under the realm definition for your Active Directory Domain, if you have multiple Domain Controllers, specify multiple kdc's. Ensure you map Active Directory Domain (prefixed with ".") to the realm name (Your Active Directory Domain but capitalised) under domain_realm.
    The following configuration is based on one found in ESMC VA v7.2 [libdefaults] default_realm = TEST.LOCAL ticket_lifetime = 24h forwardable = true [realms] TEST.LOCAL = { kdc = dc.test.local } [domain_realm] .test.local = TEST.LOCAL  
    Configure DNS Resolution.
    systemd-resolved can cause issues with Kerberos, it can probably be worked around but disabling it as follows also works. sudo systemctl disable systemd-resolved.service sudo systemctl stop systemd-resolved Configure /etc/resolv.conf
    Specify your Domain Controller as a nameserver, create additional nameserver definitions for each Domain Controller. Specify Active Directory Domain for search nameserver 10.123.1.1 search test.local Ensure Hostname is set correctly
    If you need to change your hostname, you can use: sudo hostnamectl set-hostname esmc.test.local  
    Configure /etc/hosts
    Add your ESMC and your Domain Controllers to the hosts file. Take note of the ordering of FQDN and aliases after the IP Address as net join will use the first defined alias for your host as SPNs etc. when joining the system to the domain. All values are tab separated. 127.0.0.1 localhost 10.123.1.2 esmc.test.local esmc 10.123.1.1 dc.test.local dc Configure Time Synchronisation
    By default, the maximum tolerance for computer clock synchronization for Active Directory Kerberos participants is 5 minutes from a Kerberos Key Distribution Center (KDC; in our case, the Domain Controller) to operate correctly. If ESMC is in a VM, you may already be using a Hypervisor with some VM Agent that handles this but, if not, then systemd-timesyncd should suffice or you can use ntpd. Let's assume you use systemd-timesyncd: Configure /etc/systemd/timesyncd.conf
    NTP Server addresses are separated by spaces. specify each of  your Domain Controllers [Time] NTP=10.123.1.1 Ensure systemd-timesyncd is set to sync and force it to resync. You should see a log entry that it "Sychronized to time server 10.123.1.123" as per your configuration. sudo timedatectl set-ntp on sudo timedatectl status sudo systemctl restart systemd-timesyncd.service systemctl status systemd-timesyncd.service  
    Join System to Domain If you have Webmin you can use Rejoin Domain (VA v7.2) but it more or less just runs the following command (Replace Administrator with an authorised AD User that can join systems to the domain): sudo net join ads join -U Administrator This relies on a correctly configured /etc/smb.conf
    You will probably want to move the resulting Computer object this creates in your domain from the default Computers OU to a more relevant OU given your OU hierarchy design in your domain.
    Setup Mapped Domain Security Groups under Access Rights in ESMC Configure Active Directory under Advanced Settings in Server Settings (v7.2) Map Domain Security Groups and assign Permission Setting
    Map Domain Security Group users (v7.2) Setup a Static Group Synchronization Server Task in ESMC
    Synchronization mode - Active Directory / Open Directory / LDAP (v7.2) Setup a User Synchronization Server Task in ESMC
    User Synchronization (v7.2) Troubleshooting
    The following can be used to test Kerberos login and LDAP GSSAPI whilst showing debug information, useful for troubleshooting. It destroys and existing Kerberos tickets for your user, obtains a Kerberos ticket for the specified AD user, lists obtained Kerberos tickets then performs LDAP Search by authenticating with GSSAPI.
    When troubleshooting Kerberos, you should always check the system time with the relevant Domain Controller (KDC) to ensure they are within 5 minutes of each other (by default).
    Replace eset.esmc with the AD User Account that ESET ESMC will connect under. Replace dc.test.local with your Domain Controller. Replace DC=test,DC=local with the Distinguished Name (DN) of the Base OU in your Domain where you want to list all child Computer objects of. kdestroy KRB5_TRACE=/dev/stdout kinit eset.esmc klist -f KRB5_TRACE=/dev/stdout ldapsearch -LLL -Y GSSAPI -h dc.test.local -b 'DC=test,DC=local' '(&(objectCategory=computer))' 'distinguishedName' 'dNSHostName' @tomasS @Peter Randziak
  3. Upvote
    Staj received kudos from Peter Randziak in Documentation: Active Directory Integration on Linux for ESMC (Non-VA)   
    @Peter Randziak
    This appears to be resolved, turns out I missed out on some configuration in the hosts file. Thank you to @tomasS for the one-on-one assistance with this.
    I'll try to write-up a How To soon on how I configured this all so if anyone else is configuring this on a Linux component (non-VA) install, they'll avoid some of the mistakes I've made.
  4. Upvote
    Staj received kudos from Peter Randziak in Documentation: Active Directory Integration on Linux for ESMC (Non-VA)   
    @tomasSWill sent unredacted log to you via direct message.
  5. Upvote
    Staj gave kudos to tbsky in Future changes to ESET PROTECT (formerly ESET Security Management Center / ESET Remote Administrator)   
    It had been discussed again and again. but I still want to say: with endpoint 8.0, Please give up stupid MySQL and use MariaDB. check current system requirement it is really funny:
    MySQL ODBC driver versions 5.3.11 and later, 8.0.0 – 8.0.15 and 8.0.18 and later are not supported.
×
×
  • Create New...