Staj, posted October 29, 2020 (edited October 29, 2020):

Where is the documentation for getting Active Directory Integration set up for ESMC on Linux (non-VA)?
Peter Randziak (ESET Moderators), posted October 30, 2020:

I found
https://help.eset.com/esmc_admin/72/en-US/sg_server_tasks_ad.html
https://support.eset.com/en/kb6900-synchronize-eset-security-management-center-with-active-directory-7x

Peter
Staj (author), posted November 6, 2020:

@Peter Randziak I have Mapped Domain Security Groups working, but I'm having issues configuring a Static Group Sync Server Task: it fails when doing ldapsearch.

    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Local error (-2)
    #011additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

Normally I'd suspect a keytab or SPN issue with this, but I've been reverse engineering the ESMC VA to see how it has it configured and I don't actually see a keytab anywhere? This would be a lot easier with better documentation.
MartinK (ESET Staff), posted November 6, 2020:

2 hours ago, Staj said:
    @Peter Randziak I have Mapped Domain Security Groups working, but I'm having issues configuring a Static Group Sync Server Task: it fails when doing ldapsearch.
        SASL/GSSAPI authentication started
        ldap_sasl_interactive_bind_s: Local error (-2)
        #011additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
    Normally I'd suspect a keytab or SPN issue with this, but I've been reverse engineering the ESMC VA to see how it has it configured and I don't actually see a keytab anywhere? This would be a lot easier with better documentation.

Could you please check whether there are some SASL packages available for your distribution? This error might indicate that the required "plugin" is not installed and is thus failing. The required authentication mechanisms will also depend on your infrastructure. It might also be a good idea to test ldapsearch manually from the terminal.
Staj (author), posted November 6, 2020:

@MartinK libsasl2-modules-gssapi-mit is installed as per Server prerequisites - Linux (7.2). kinit runs successfully, but using ldapsearch in the same way as described in the Synchronization mode - Active Directory / Open Directory LDAP (7.2) documentation triggers the same error.

I created a lab environment and set up a WS2019 Domain Controller (ADDS) with ADCS, and a test ESMC VA instance was able to connect. The next thing I might look at is GPOs, as we apply baselines, but I think the issue is more likely the configuration on our ESMC Linux instance.
Staj (author), posted November 6, 2020:

@MartinK It feels like a hostname mismatch, but the hostname of the ESMC Linux instance matches the dNSHostName and servicePrincipalName of the Computer object in AD. Will keep looking at that angle.
Staj (author), posted November 6, 2020 (edited November 6, 2020):

@MartinK Running ldapsearch with KRB5_TRACE revealed much more information.

Example:

    KRB5_TRACE=/dev/stderr ldapsearch -LLL -Y GSSAPI -h dc.test.local -b 'DC=test,DC=local' '(&(objectCategory=computer))' 'distinguishedName' 'dNSHostName'

Despite kinit being successful and klist indicating a valid ticket, ldapsearch with Kerberos tracing reveals the actual problem is "Matching credential not found" from the cache:

    Getting credentials eset.esmc@TEST.LOCAL -> ldap/10.123.123.1@ using ccache FILE:/tmp/krb5cc_1000
    Retrieving eset.esmc@TEST.LOCAL -> ldap/10.123.123.1@ from FILE:/tmp/krb5cc_1000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000)

klist:

    $ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: eset.esmc@TEST.LOCAL

    Valid starting       Expires              Service principal
    06/11/20 18:51:47    07/11/20 04:51:47    krbtgt/TEST.LOCAL@TEST.LOCAL
            renew until 07/11/20 18:51:43

I've redacted/replaced identifying information in logs.
tomasS (ESET Support), posted November 6, 2020:

Hello, could you please try to clear the Kerberos cache with "kdestroy". Afterwards, please try to obtain the TGT (with "kinit") and use the same command, just replacing the "ldaphost" with the IP:

    KRB5_TRACE=/dev/stderr ldapsearch -LLL -Y GSSAPI -h 10.123.123.1 -b 'DC=test,DC=local' '(&(objectCategory=computer))' 'distinguishedName' 'dNSHostName'

Is there any chance to provide us with the "krb5.conf" and the settings of user "eset.esmc" from the AD? I mean "Account options" from "AD Users and Computers" >> particular user >> "Properties" >> "Account".
Staj (author), posted November 6, 2020 (edited November 6, 2020):

@tomasS That ldapsearch command yields the same problem: it states "Matching credential not found" as it tries for the ldap ticket but eventually finds the krbtgt ticket. It then tries, and fails, to query non-standard DNS records for Kerberos using and eventually fails. This is after kdestroy.

I had a more thorough krb5.conf, but it failed to work correctly, so I grabbed a working one from a working test ESMC VA instance and modified it.

    [libdefaults]
    default_realm = TEST.LOCAL
    ticket_lifetime = 24h
    forwardable = true

    [realms]
    TEST.LOCAL = {
        kdc = dc.test.local
    }

    [domain_realm]
    .test.local = TEST.LOCAL

It's a lot more minimal than we usually do, but it's more or less the same as my working test ESMC instance against a test WS2019 DC.

As for the user:

    UPN: eset.esmc@test.local
    NetBIOS Domain: TEST
    SAM Username: eset.esmc
    Account Options:
        User cannot change password
        Password never expires
    Account expires: Never

We have security groups to minimise permissions of such users, but I've tried it as nothing more than a member of Domain Users and even Domain Admins, ensuring to kdestroy between each test, so I don't think that's related.

Also, I'm currently redacting information (search/replace); if there is a way to do this privately I can provide unredacted information.
tomasS (ESET Support), posted November 6, 2020:

Hello,

Hmm, thank you very much for sharing this info and test. If you are still willing to continue, I would like to kindly ask you for the following procedure (as I assume some of the previous outputs have been cropped and the important information might be there). So if possible:

1. please execute "kdestroy"
2. execute kinit: "KRB5_TRACE=/dev/stdout kinit eset.esmc"
3. please execute "klist -f"; there should be only one TGT visible, with flags
4. please execute ldapsearch: "KRB5_TRACE=/dev/stdout ldapsearch -LLL -Y GSSAPI -h dc.test.local -b 'DC=test,DC=local' '(&(objectCategory=computer))' 'distinguishedName' 'dNSHostName'"
5. please execute "klist -f" again

If possible, please provide us with the full output of all of these commands.
Staj (author), posted November 7, 2020:

@tomasS Will send the unredacted log to you via direct message.
Staj (author), posted November 11, 2020:

@Peter Randziak This appears to be resolved; turns out I missed out on some configuration in the hosts file. Thank you to @tomasS for the one-on-one assistance with this.

I'll try to write up a How To soon on how I configured this all, so if anyone else is configuring this on a Linux component (non-VA) install, they'll avoid some of the mistakes I've made.
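The trace earlier in the thread shows ldapsearch asking the KDC for ldap/10.123.123.1@ even though -h dc.test.local was given, and the fix turned out to be the hosts file. A domain controller registers servicePrincipalName values of the form ldap/<FQDN>, so any name resolution that canonicalises the LDAP host to an IP literal or a short name produces a principal the KDC cannot find ("Server not found in Kerberos database"). The script below is an added example, not code from the thread or from ESET: it models the forward canonicalisation step against a constructed hosts table, extracts the requested service principal from a KRB5_TRACE "Getting credentials" line, and classifies why the DC would have no matching SPN. The IP, host names and realm are the redacted values from the thread; the hosts tables are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or ESET): pre-flight reasoning for a
# GSSAPI ldapsearch against an AD domain controller.

REALM=TEST.LOCAL   # realm from the thread's krb5.conf

# Constructed stand-ins for /etc/hosts. The second table maps the DC's
# address to a short name only, so no FQDN exists to build an SPN from.
HOSTS_GOOD='10.123.123.1 dc.test.local dc'
HOSTS_SHORT='10.123.123.1 dc'

# spn_for_host <host> <hosts-table>
#   Approximates libkrb5's forward canonicalisation (getaddrinfo with
#   AI_CANONNAME): an alias becomes the canonical name on its line; an IP
#   literal or unknown name is kept as given. Reverse DNS is not modelled.
spn_for_host() {
  canon=$(printf '%s\n' "$2" | awk -v h="$1" '
    { for (i = 2; i <= NF; i++) if ($i == h) { print $2; exit } }')
  [ -n "$canon" ] || canon=$1
  printf 'ldap/%s@%s\n' "$canon" "$REALM"
}

# spn_host_problem <spn>
#   Prints why a DC would have no matching servicePrincipalName: the host
#   part is an IP literal, a short (dotless) name, or "ok" if it is an FQDN.
spn_host_problem() {
  host=${1#ldap/}; host=${host%@*}
  case $host in
    '') echo empty ;;
    *[!0-9.]*) case $host in *.*) echo ok ;; *) echo short-name ;; esac ;;
    *) echo ip-literal ;;
  esac
}

# trace_service_principal <KRB5_TRACE line>
#   Extracts the requested service principal from a "Getting credentials"
#   line such as the one captured in the thread.
trace_service_principal() {
  printf '%s\n' "$1" | sed -n 's/.*-> \([^ ]*\) using ccache.*/\1/p'
}

# Demonstration on a constructed copy of the trace line from the thread.
TRACE_LINE='Getting credentials eset.esmc@TEST.LOCAL -> ldap/10.123.123.1@ using ccache FILE:/tmp/krb5cc_1000'
spn=$(trace_service_principal "$TRACE_LINE")
echo "trace requested $spn: $(spn_host_problem "$spn")"
for h in dc.test.local dc 10.123.123.1; do
  good=$(spn_for_host "$h" "$HOSTS_GOOD")
  short=$(spn_for_host "$h" "$HOSTS_SHORT")
  echo "-h $h  with FQDN entry: $good ($(spn_host_problem "$good"))"
  echo "-h $h  with short entry: $short ($(spn_host_problem "$short"))"
done
```

The check to take away is the last one: whatever is passed to -h, the principal that reaches the KDC must end up as ldap/dc.test.local@TEST.LOCAL, which requires the hosts file (or DNS) to carry the DC's FQDN as the canonical name for its address. Running the same command with KRB5_TRACE on the live system and comparing the "Getting credentials" line against the DC's servicePrincipalName attribute confirms the mapping without touching the ESMC configuration.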
Peter Randziak (ESET Moderators), posted November 11, 2020:

Hello @Staj, glad it got resolved, thank you for keeping us posted. On top of that, I think the mentioned How To may be very useful for other admins in the future.

Peter