Documentation: Active Directory Integration on Linux for ESMC (Non-VA)

  • Staj changed the title to Documentation: Active Directory Integration on Linux for ESMC (Non-VA)

@Peter Randziak

I have Mapped Domain Security Groups working, but I'm having issues configuring a Static Group Sync Server Task: it fails when doing ldapsearch.

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
#011additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)

Normally I'd suspect a keytab or SPN issue with this but I've been reverse engineering the ESMC VA to see how it has it configured and I don't actually see a keytab anywhere? This would be a lot easier with better documentation.

  • ESET Staff
Could you please check whether there are some SASL packages available for your distribution? This error might indicate that the required "plugin" is not installed and is thus failing. The required authentication mechanisms will also depend on your infrastructure.
Also, it might be a good idea to test ldapsearch manually from the terminal.


@MartinK

libsasl2-modules-gssapi-mit is installed as per Server prerequisites - Linux (7.2)

kinit runs successfully, but using ldapsearch in the same way described in the Synchronization mode - Active Directory / Open Directory LDAP (7.2) documentation triggers the same error.

I created a lab environment and set up a WS2019 Domain Controller (ADDS) with ADCS, and a test ESMC VA instance was able to connect. The next thing I might look at is GPOs, as we apply baselines, but I think the issue is more likely the configuration on our ESMC Linux instance.


@MartinK

It feels like a hostname mismatch, but the hostname of the ESMC Linux instance matches the dNSHostName and servicePrincipalName of the Computer object in AD. I will keep looking at that angle.


@MartinK

Running ldapsearch with KRB5_TRACE revealed much more information.

Example: KRB5_TRACE=/dev/stderr ldapsearch -LLL -Y GSSAPI -h dc.test.local -b 'DC=test,DC=local' '(&(objectCategory=computer))' 'distinguishedName' 'dNSHostName'

Despite kinit being successful and klist indicating valid ticket, ldapsearch with Kerberos tracing reveals the actual problem is "Matching credential not found" from the cache:

Getting credentials eset.esmc@TEST.LOCAL -> ldap/10.123.123.1@ using ccache FILE:/tmp/krb5cc_1000
Retrieving eset.esmc@TEST.LOCAL -> ldap/10.123.123.1@ from FILE:/tmp/krb5cc_1000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000)

klist output:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: eset.esmc@TEST.LOCAL

Valid starting     Expires            Service principal
06/11/20 18:51:47  07/11/20 04:51:47  krbtgt/TEST.LOCAL@TEST.LOCAL
        renew until 07/11/20 18:51:43

I've redacted/replaced identifying information in logs.

Edited by Staj
  • ESET Support

Hello, could you please try to clear the Kerberos cache with "kdestroy"? Afterwards, please try to obtain the TGT (by "kinit") and use the same command, just replacing the "ldaphost" with the IP:

KRB5_TRACE=/dev/stderr ldapsearch -LLL -Y GSSAPI -h 10.123.123.1 -b 'DC=test,DC=local' '(&(objectCategory=computer))' 'distinguishedName' 'dNSHostName'

Is there any chance you could provide us with the "krb5.conf" and the settings of the user "eset.esmc" from AD? I mean "Account options" from "AD Users and Computers" >> particular user >> "Properties" >> "Account".


@tomasS That ldapsearch command yields the same problem: it states "Matching credential not found" as it tries for the ldap ticket but eventually finds the krbtgt ticket. It then tries, and fails, to query non-standard DNS records for Kerberos and eventually fails. This is after kdestroy.

I had a more thorough krb5.conf, but it failed to work correctly, so I grabbed a working one from a test ESMC VA instance and modified it.

[libdefaults]
        default_realm = TEST.LOCAL
        ticket_lifetime = 24h
        forwardable = true

[realms]
        TEST.LOCAL = {
                kdc = dc.test.local
        }

[domain_realm]
        .test.local = TEST.LOCAL

It's a lot more minimal than we usually do, but it's more or less the same as my working test ESMC instance against a test WS2019 DC.

As for the user:

  • UPN: eset.esmc@test.local
  • NetBIOS Domain: TEST
  • SAM Username: eset.esmc
  • Account Options:
    • User cannot change password
    • Password never expires
  • Account expires: Never

We have security groups to minimise the permissions of such users, but I've tried it as nothing more than a member of Domain Users and even Domain Admins, ensuring to kdestroy between each test, so I don't think that's related.

Also, I'm currently redacting information (search/replace); if there is a way to do this privately, I can provide unredacted information.

Edited by Staj
  • ESET Support

Hello,

Hmm, thank you very much for sharing this info and test. If you are still willing to continue, I would like to kindly ask you for the following procedure (as I assume some of the previous outputs have been cropped and the important information might be there).

So if possible:

1. please execute the "kdestroy"
2. execute the kinit "KRB5_TRACE=/dev/stdout kinit eset.esmc"
3. please execute the "klist -f" there should be visible only one TGT with flags
4. please execute ldapsearch "KRB5_TRACE=/dev/stdout ldapsearch -LLL -Y GSSAPI -h dc.test.local -b 'DC=test,DC=local' '(&(objectCategory=computer))' 'distinguishedName' 'dNSHostName'"
5. please execute again "klist -f"

If possible, please provide us with the full output of all of these commands.

@Peter Randziak

This appears to be resolved, turns out I missed out on some configuration in the hosts file. Thank you to @tomasS for the one-on-one assistance with this.

I'll try to write up a How To soon on how I configured this all, so if anyone else is configuring this on a Linux component (non-VA) install, they'll avoid some of the mistakes I've made.

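As an added diagnostic (not from the thread or from ESET's documentation), the following POSIX shell script ties the KRB5_TRACE post and the hosts-file resolution together: it parses trace lines like the ones above, flags a service principal built from an IP literal or missing its realm (the ldap/10.123.123.1@ form that led to "Matching credential not found"), and derives the ldap/<fqdn>@REALM principal the DC's hosts entry should yield. The trace lines and hosts entries are constructed, and the assumption that the first name on the matching hosts line is the canonical name krb5 ends up using is mine.

```shell
#!/bin/sh
# Added example (not from the thread): compare the SPN an ldapsearch/GSSAPI bind
# asked for with what the hosts file would canonicalise the DC to.

# Constructed sample KRB5_TRACE lines, mirroring the redacted thread output.
TRACE='Getting credentials eset.esmc@TEST.LOCAL -> ldap/10.123.123.1@ using ccache FILE:/tmp/krb5cc_1000
Retrieving eset.esmc@TEST.LOCAL -> ldap/10.123.123.1@ from FILE:/tmp/krb5cc_1000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000)'

# Constructed hosts file: FQDN listed first so it becomes the canonical name.
HOSTS='127.0.0.1 localhost
10.123.123.1 dc.test.local dc'

# Service principal the client requested (first "Getting credentials" line).
spn_from_trace() {
  printf '%s\n' "$1" | sed -n 's/^Getting credentials .* -> \([^ ]*\) using .*/\1/p' | head -n 1
}

# Classify an SPN: ok, ip-host (IP literal instead of FQDN), missing-realm, bad-format.
classify_spn() {
  spn=$1
  case "$spn" in */*@*) ;; *) echo bad-format; return ;; esac
  host=${spn#*/}; host=${host%@*}
  realm=${spn##*@}
  case "$host" in
    *[!0-9.]*) ;;                     # has letters: a hostname
    *) echo ip-host; return ;;        # digits and dots only: an IP literal
  esac
  [ -n "$realm" ] || { echo missing-realm; return; }
  echo ok
}

# First name on the hosts line for an IP (assumed here to be the canonical name).
hosts_canonical_name() {
  printf '%s\n' "$2" | awk -v ip="$1" '$1 == ip { print $2; exit }'
}

# SPN the DC should resolve to once the hosts file is correct: ldap/<fqdn>@REALM.
expected_spn() {
  name=$(hosts_canonical_name "$1" "$2")
  [ -n "$name" ] || return 1
  printf 'ldap/%s@%s\n' "$name" "$3"
}

# Walk the constructed sample.
got=$(spn_from_trace "$TRACE")
echo "requested SPN: $got ($(classify_spn "$got"))"
echo "expected SPN:  $(expected_spn 10.123.123.1 "$HOSTS" TEST.LOCAL)"
```

Pointing TRACE at a real KRB5_TRACE capture and HOSTS at /etc/hosts makes the same comparison on a live box; a requested SPN classified as ip-host or missing-realm is the signal to fix name resolution before looking at keytabs or SPNs in AD.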