Documentation: Active Directory Integration on Linux for ESMC (Non-VA)

Staj · October 29, 2020

Where is the documentation for getting Active Directory Integration setup for ESMC on Linux (Non-VA)?

Edited October 29, 2020 by Staj

Peter Randziak · October 30, 2020

I found

https://help.eset.com/esmc_admin/72/en-US/sg_server_tasks_ad.html

https://support.eset.com/en/kb6900-synchronize-eset-security-management-center-with-active-directory-7x

Peter

Staj · November 6, 2020

@Peter Randziak

I have Mapped Domain Security Groups working but I'm having issues configuring a Static Group Sync Server Task but it fails when doing ldapsearch.

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
#011additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)

Normally I'd suspect a keytab or SPN issue with this but I've been reverse engineering the ESMC VA to see how it has it configured and I don't actually see a keytab anywhere? This would be a lot easier with better documentation.

MartinK · November 6, 2020

2 hours ago, Staj said:
@Peter Randziak

I have Mapped Domain Security Groups working but I'm having issues configuring a Static Group Sync Server Task but it fails when doing ldapsearch.
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
#011additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
Normally I'd suspect a keytab or SPN issue with this but I've been reverse engineering the ESMC VA to see how it has it configured and I don't actually see a keytab anywhere? This would be a lot easier with better documentation.

Could you please check whether there are some SASL packages available for your distribution? This error might indicate that required "plugin" is not installed and thus failing. Required authentication mechanisms will depend also on your infrastructure.
Also it might be a good idea to test ldapsearch manually from terminal.

Staj · November 6, 2020

@MartinK

libsasl2-modules-gssapi-mit is installed as per Server prerequisites - Linux (7.2)

kinit runs successfully but using ldapsearch in the same described in the Synchronization mode - Active Directory / Open Directory LDAP (7.2) documentation triggers the same error.

I created a lab environment and setup a WS2019 Domain Controller (ADDS) with ADCS and a test ESMC VA instance was able to connect. Next thing I might look at is GPOs as we apply baselines but I think the issue is more likely the configuration on our ESMC linux instance.

Staj · November 6, 2020

@MartinK

It feels like a hostname mismatch but the hostname of the ESMC linux instance matches the dNSHostName and servicePrincipalName of the Computer object in AD, will keep looking at that angle.

Staj · November 6, 2020

@MartinK

Running ldapsearch with KRB5_TRACE revealed much more information

Example: KRB5_TRACE=/dev/stderr ldapsearch -LLL -Y GSSAPI -h dc.test.local -b 'DC=test,DC=local' '(&(objectCategory=computer))' 'distinguishedName' 'dNSHostName'

Despite kinit being successful and klist indicating valid ticket, ldapsearch with Kerberos tracing reveals the actual problem is "Matching credential not found" from the cache:

Getting credentials eset.esmc@TEST.LOCAL -> ldap/10.123.123.1@ using ccache FILE:/tmp/krb5cc_1000
Retrieving eset.esmc@TEST.LOCAL -> ldap/10.123.123.1@ from FILE:/tmp/krb5cc_1000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000)

klist

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: eset.esmc@TEST.LOCAL

Valid starting     Expires            Service principal
06/11/20 18:51:47  07/11/20 04:51:47  krbtgt/TEST.LOCAL@TEST.LOCAL
        renew until 07/11/20 18:51:43

I've redacted/replaced identifying information in logs.

Edited November 6, 2020 by Staj

tomasS · November 6, 2020

Hello, could you please try to clear the Kerberos cache by "kdestroy". Afterwards, please try to obtain the TGT(by "kinit") and use the same command just replace the "ldaphost" with the IP:

KRB5_TRACE=/dev/stderr ldapsearch -LLL -Y GSSAPI -h 10.123.123.1 -b 'DC=test,DC=local' '(&(objectCategory=computer))' 'distinguishedName' 'dNSHostName'

Is there any chance to provide us with the "krb5.conf" and settings of user "eset.esmc" from the AD >> I mean "Account options" from "AD Users and Computers" >> particular user >> "Properties" >> "Account"

Staj · November 6, 2020

@tomasSThat ldapsearch command yields the same problem, it states "Matching credential not found" as it tries for ldap ticket but eventually finds krbtgt ticket. It then tries, and fails, to query non-standard DNS records for Kerberos using and eventually fails. This is after kdestroy.

I had a more thorough krb5.conf but it failed to work correctly so I grabbed, and modified, a working one from a working test ESMC VA instance and modified it.

[libdefaults]
        default_realm = TEST.LOCAL
        ticket_lifetime = 24h
        forwardable = true

[realms]
TEST.LOCAL = {
   kdc = dc.test.local
}

[domain_realm]
        .test.local = TEST.LOCAL

It's a lot more minimal then we usually do but it's more or less the same as my working test ESMC instance against a test WS2019 DC.

As for the user:

UPN: eset.esmc@test.local
NetBIOS Domain: TEST
SAM Username: eset.esmc
Account Options:
- User cannot change password
- Password never expires
Account expires: Never

We have security groups to minimise permissions of such users but I've tried it as nothing more than a member of Domain Users and even Domain Admins, ensuring to kdestroy between each test, so I don't think that's related.

Also, I'm currently redacting information (search/replace), if there is a way to do this privately I can provide unredacted information.

Edited November 6, 2020 by Staj

tomasS · November 6, 2020

Hello,

Hmm, thank you very much for sharing this info and test. If you are still willing to continue I would like to kindly ask you for the following procedure(as I assume some of the previous outputs have been cropped and the important information might be there).

So if possible:

1. please execute the "kdestroy"
2. execute the kinit "KRB5_TRACE=/dev/stdout kinit eset.esmc"
3. please execute the "klist -f" there should be visible only one TGT with flags
4. please execute ldapsearch "KRB5_TRACE=/dev/stdout ldapsearch -LLL -Y GSSAPI -h dc.test.local -b 'DC=test,DC=local' '(&(objectCategory=computer))' 'distinguishedName' 'dNSHostName'"
5. please execute again "klist -f"

If possible please provide us with full ouput all of these commands

Staj · November 7, 2020

@tomasSWill sent unredacted log to you via direct message.

Staj · November 11, 2020

@Peter Randziak

This appears to be resolved, turns out I missed out on some configuration in the hosts file. Thank you to @tomasS for the one-on-one assistance with this.

I'll try to write-up a How To soon on how I configured this all so if anyone else is configuring this on a Linux component (non-VA) install, they'll avoid some of the mistakes I've made.

Peter Randziak · November 11, 2020

Hello @Staj

glad it got resolved, thank you for keeping us posted.

On top of that I think the mentioned How to may be very useful for other admins in the future.

Peter

Sign In

Documentation: Active Directory Integration on Linux for ESMC (Non-VA)

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Recently Browsing 0 members

Quick search

FAQ

Topics