Heh, I was done with work faster than I expected. You have got to love perl... :op We
seem to have a small issue with multiple user/contact objects having the same proxy
addresses and it is throwing errors on the E2K servers and I had to go find all the
dupes out of some 220k objects with the proxyaddresses attribute... There were 64...
Ok back to the problem at hand; I tested this against one of my W2K3 Test DCs running
in a VPC session... As expected it worked fine.
You might want to get a network trace of the traffic between the DC and the server
trying to talk to the DC, I am curious. If they are indeed using just simple LDAP
calls ala ldap_simple_bind_s you will totally see that traffic nearly in clear text in
NetMon including the password being sent. You will see right where it is failing.
Actually let me get on the podium for a minute on the benefits of network tracing and
your friendly neighborhood LDAP apps... It is good to do to understand what calls the
LDAP is making to see how bad or how good it is. You will find a lot of LDAP apps make
a lot of unnecessary calls (<cough>e2k<cough>) and do a lot of unnecessary
authentications. I would say one of my favorite "screwups" is an app that
authenticates people and the way it does it is it binds with an app ID to do a search
of the user's dn and then unbinds and rebinds with the user's dn... This is great, 2
authentications for every one needed. Anyway, if you can find the time, it is always
good to look at the apps and profile the traffic they generate and the queries they
use so you can catch those stupid objectclass=something queries (<cough>e2k<cough>)
and other inefficient things (<cough>e2k<cough>). You can also do this by cranking up
various debugging on your DC but you usually don't want to do that with a prod box.
NetMON is much lighter...
Just so I don't go away without insulting at least one person.... If you call yourself
an admin and DO NOT know how to use some sort of network analysis/sniffer tool, you
really need to do your job and go learn one. This is invaluable for solving problems
around AD and computers in general. Otherwise when you get that weird issue where some
network switch or router is throwing away UDP packets from the Kerberos authentication
process you will have to have someone who knows how to do the job come in and do it.
It is also very handy for DNS issues.
[Tue 01/27/2004 22:54:00.81]
F:\DEV\cpp\OldCmp>Adfind -h vw2k3a -default -f name=administrator -simple -u
vtest\testuser -up Password1
AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003
Using server: VW2K3a.vtest.local
Base DN: DC=vtest,DC=local
dn:CN=Administrator,CN=Users,DC=vtest,DC=local
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: Administrator
>description: Built-in account for administering the computer/domain
>distinguishedName: CN=Administrator,CN=Users,DC=vtest,DC=local
>instanceType: 4
>whenCreated: 20031026153618.0Z
>whenChanged: 20031230164947.0Z
>uSNCreated: 8194
>memberOf: CN=TestUni,CN=Users,DC=vtest,DC=local
>memberOf: CN=Group Policy Creator Owners,CN=Users,DC=vtest,DC=local
>memberOf: CN=Domain Admins,CN=Users,DC=vtest,DC=local
>memberOf: CN=Enterprise Admins,CN=Users,DC=vtest,DC=local
>memberOf: CN=Schema Admins,CN=Users,DC=vtest,DC=local
>memberOf: CN=Administrators,CN=Builtin,DC=vtest,DC=local
>uSNChanged: 28711
>name: Administrator
>objectGUID: {AE5284F2-257D-479D-8776-F46BDAE17028}
>userAccountControl: 66048
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 127122886467739888
>lastLogoff: 0
>lastLogon: 127172765879264320
>pwdLastSet: 127115734585121920
>primaryGroupID: 513
>objectSid: S-1-5-21-1851711904-3339057820-1962739558-500
>adminCount: 1
>accountExpires: 9223372036854775807
>logonCount: 32
>sAMAccountName: Administrator
>sAMAccountType: 805306368
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=vtest,DC=local
>isCriticalSystemObject: TRUE
>lastLogonTimestamp: 127172765879264320
1 Objects returned
[Tue 01/27/2004 22:55:04.82]
F:\DEV\cpp\OldCmp>
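To make joe's two points concrete (a simple bind puts the password on the wire as a plain octet string, and profiling bind traffic per connection exposes the bind-as-app-then-rebind-as-user pattern), here is an added Python illustration. It is not code from the thread, from AdFind or from any list member: it contains a minimal BER encoder used only to construct sample LDAP BindRequest PDUs (no captured traffic), a decoder for those PDUs following the RFC 4511 tags, and a classifier that flags simple binds carrying a password to a port other than 636/3269. The port set, the finding names and the sample DNs are assumptions made for the example; a real analyzer would also have to track StartTLS on 389 before calling a bind clear-text.

```python
"""Decode LDAP BindRequest PDUs and flag clear-text simple binds.

Added illustration, not code from the thread or from AdFind. All PDUs are
built by the tiny BER encoder below (constructed samples, not captures).
RFC 4511 tags: LDAPMessage SEQUENCE 0x30, BindRequest [APPLICATION 0] 0x60,
simple [0] 0x80 (primitive), sasl [3] 0xA3 (IMPLICIT SEQUENCE).
"""

LDAPS_PORTS = {636, 3269}  # assumption: only these ports count as TLS-protected


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def integer(n: int) -> bytes:
    """Minimal two's-complement INTEGER for non-negative n."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def simple_bind(msg_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    op = integer(3) + tlv(0x04, name.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, integer(msg_id) + tlv(0x60, op))


def sasl_bind(msg_id: int, name: str, mechanism: str, token: bytes) -> bytes:
    """Same message with sasl [3] SaslCredentials { mechanism, credentials }."""
    creds = tlv(0xA3, tlv(0x04, mechanism.encode()) + tlv(0x04, token))
    return tlv(0x30, integer(msg_id) + tlv(0x60, integer(3) + tlv(0x04, name.encode()) + creds))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_bind(pdu: bytes) -> dict:
    """Decode one BindRequest PDU into its fields; raises on anything else."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("protocolOp 0x%02x is not a BindRequest" % tag)
    _, ver, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    atag, auth, _ = read_tlv(op, pos)
    info = {"message_id": int.from_bytes(mid, "big", signed=True),
            "version": int.from_bytes(ver, "big", signed=True), "name": name.decode()}
    if atag == 0x80:    # simple: the password is the raw octet string, readable as-is
        info["auth"], info["password"] = "simple", auth.decode()
    elif atag == 0xA3:  # sasl: only the mechanism name is readable here
        _, mech, _ = read_tlv(auth, 0)
        info["auth"], info["mechanism"] = "sasl", mech.decode()
    else:
        raise ValueError("unknown AuthenticationChoice tag 0x%02x" % atag)
    return info


def audit_bind(pdu: bytes, server_port: int) -> dict:
    """Decode and classify: clear-text credentials, anonymous/unauthenticated, or OK."""
    info = decode_bind(pdu)
    if info["auth"] == "simple" and not info["password"]:
        info["finding"] = "ANONYMOUS_OR_UNAUTHENTICATED_BIND"  # empty password, RFC 4513
    elif info["auth"] == "simple" and server_port not in LDAPS_PORTS:
        info["finding"] = "CLEARTEXT_SIMPLE_BIND"  # what a sniffer shows on port 389
    else:
        info["finding"] = "OK"
    return info


def profile_binds(packets) -> dict:
    """Group BindRequests by client port (one TCP connection each) and count the
    authentications, which exposes apps that bind as a service ID and rebind as the user."""
    per_conn = {}
    for client_port, server_port, pdu in packets:  # only BindRequest PDUs are passed here
        per_conn.setdefault(client_port, []).append(audit_bind(pdu, server_port))
    label = lambda i: i["name"] or ("<sasl:%s>" % i["mechanism"] if i["auth"] == "sasl" else "<anonymous>")
    return {c: {"binds": len(v), "names": [label(i) for i in v],
                "findings": sorted({i["finding"] for i in v})} for c, v in per_conn.items()}


# Constructed samples. The first mirrors the thread's "-simple -u vtest\testuser -up Password1"
# test; the SPNEGO token is a two-byte placeholder, not a real GSS-API blob.
SAMPLE_SIMPLE = simple_bind(1, r"vtest\testuser", "Password1")
SAMPLE_SASL = sasl_bind(2, "", "GSS-SPNEGO", b"\x60\x00")
SAMPLE_CAPTURE = [  # hypothetical connections: (client port, server port, pdu)
    (50001, 389, simple_bind(1, "CN=AppSvc,CN=Users,DC=vtest,DC=local", "AppPass")),
    (50001, 389, simple_bind(2, "CN=joe,CN=Users,DC=vtest,DC=local", "UserPass")),
    (50002, 636, simple_bind(1, "CN=joe,CN=Users,DC=vtest,DC=local", "UserPass")),
    (50003, 389, SAMPLE_SASL),
]
```

Running `audit_bind(SAMPLE_SIMPLE, 389)` returns the DN, version and the password string itself with the finding `CLEARTEXT_SIMPLE_BIND`; the same PDU sent to 636 is `OK`, and the SASL sample yields only the mechanism name. `profile_binds(SAMPLE_CAPTURE)` reports two binds with two different names on connection 50001, the double-authentication pattern joe describes.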
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, January 27, 2004 10:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
I would have to say no, ldap_bind_s is still fine and dandy. Taking that away would
break nearly every UNIX LDAP app written it would appear as they all like it because
it is simple. It would also break many Windows Apps that were ported from UNIX because
they didn't know better.
If you want to do a simple test, grab adfind and do this
Adfind -h domaincontroller -default -f name=someobjectname -simple -u domain\user -up
userpassword
Ex:
[Tue 01/27/2004 22:41:29.41]
F:\DEV\cpp\OldCmp>Adfind -h w2kasdc1 -default -f name=joe -simple -u joehome\joebob
-up test
AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003
Using server: w2kasdc1.joehome.com
Base DN: DC=joehome,DC=com
dn:CN=joe,CN=Users,DC=joehome,DC=com
>directReports: CN=$$jricha34,CN=Users,DC=joehome,DC=com
>managedObjects: CN=_DIST_TestGroup,OU=Test,DC=joehome,DC=com
>accountExpires: 127193976000000000
>badPasswordTime: 127182179962809320
>badPwdCount: 0
>codePage: 0
>cn: joe
>countryCode: 0
>instanceType: 4
>lastLogoff: 0
>lastLogon: 127193024241243522
>lockoutTime: 0
>logonCount: 91
>logonHours: FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF
>msNPAllowDialin: TRUE
>distinguishedName: CN=joe,CN=Users,DC=joehome,DC=com
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joehome,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>objectGUID: {DF6AC5DC-3EBA-41FD-8893-E1ED7FAA5929}
>objectSid: S-1-5-21-1275210071-789336058-1957994488-218285
>primaryGroupID: 513
>pwdLastSet: 127189408129723189
>name: joe
>sAMAccountName: joe
>sAMAccountType: 805306368
>telephoneNumber: 555
>userAccountControl: 512
>userParameters: m: d
>uSNChanged: 1257854
>uSNCreated: 1163453
>whenChanged: 20040123043244.0Z
>whenCreated: 20021022040334.0Z
1 Objects returned
[Tue 01/27/2004 22:42:19.51]
F:\DEV\cpp\OldCmp>
I am looking at a work issue right now, if I get done soon I will spin up my W2K3 test
environment and test it, but again I would be shocked to death if it didn't work.
joe
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, January 27, 2004 10:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
The application does indeed use LDAP.
It _appears_ that the issue is the API ldap_simple_bind_s.
MSDN documentation says that nothing Microsoft supplies uses that API in Windows XP.
One may reasonably extrapolate that to include Windows 2003. But I can't find anything
that states that the API was deprecated between Windows 2000 and Windows 2003. Or
between windows 2000 sp3 to sp4 (although there are minor hints).
I've turned on auditing (hours ago) and almost nothing shows -- either success or
failure. I don't know what it takes to trigger an audit event, but a simple ldap query
doesn't seem to do it, or a failed ldap_simple_bind_s.
I've suggested (requested) a change to ldap_bind_s but is there documentation
somewhere that I am missing that says ldap_simple_bind_s will no longer work properly?
Thanks for your hint, it got me headed down the proper path.
Michael
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Tuesday, January 27, 2004 2:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change in A/D security between 2k and 2k3
yes, there are various security changes in Win2k3, incl. different default ACLs on
various objects.
But as you've created a special account for the app, you shouldn't need to enable
anonymous LDAP operations on your Win2k3 DCs => however, the app needs to leverage the
credentials correctly to bind to the LDAP server (the DC).
The real question is: what does the app really do? Do they even perform LDAP queries
or do they use some NT4 APIs to read data from AD (I've seen this too many times,
although the vendor swore they were not).
You need to understand what the App does, before you can apply the correct security -
as you've mentioned, often you don't require to change anything if all the app
requires is to list user accounts or groups etc.
A good place to start to help figure out this issue is AUDITING: go to your Default DC
policy and enable "Audit directory service access" for success and failure
(preferably in a lab, of course). Then start up your mis-behaving Application, wait
for it to fail and take some time to wade through the security Eventlogs => often you
can find a particular AD object (incl. the DN) which an app tries to access when it
fails. This gives you new options to check out the permissions really required by the
app (or to tell the vendor how to correct a problem in their application).
/Guido
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, 27 January 2004 16:51
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Change in A/D security between 2k and 2k3
I run an application (ModusGate by Vircom, if anyone cares) that requires "read
access" (their phrasing) to A/D for LDAP queries.
In Windows 2000, this was easily done in ADU&C -- create a user,
View->Advanced, properties on the domain, Security tab, add the user and
grant "READ".
I can do exactly the same thing in Windows 2003, but it doesn't work anymore (and, in
fact, the way I read the permissions I shouldn't even need to do it with the change in
the default permissions). The ONLY account that works is the Administrator account. I
can create an account, add it to domain admins, enterprise admins, blah blah blah --
so it looks just like Administrator and it still fails. So, I presumed it was User
Rights -- so I add this account and give it the same everything there too (in Domain
Controller Policy and Domain Policy). Still no joy.
Applied change suggested in KB 326690. Still no joy.
Vircom is baffled as well, they say.
Any hints or suggestions for me?
Thanks.
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/