Yeah, if you could find out, that would be nice. I haven't been able to find the easy, kerberized way that Solaris 10 "supposedly" integrates with AD. I really thought this was one of the big initiatives that MS and Sun were working on. Thanks everyone for your replies about Ethereal.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman

I know I said it earlier, but I'll say it again here... Solaris 9/10 have (I'm told) a much nicer Kerberos client that is very AD savvy. So if you're using one of them, you might be getting a lot of advice for a well baked scenario that Sun was kind enough to try out for you already. I can find out a bit more if you have no idea what I'm talking about, I just don't remember off hand.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long

Ignore this. I just did a little FAQ reading, and it looks like this is by design on a switched network.

_______________________________________________________________________

Getting more used to this Ethereal thing now. Found a cool little article that helped out a bit. Now I am trying to figure out why I can't sniff the packets of another machine on the same subnet as me (I thought that was the point of promiscuous mode). I have it set to promiscuous mode, and it still sees nothing. I am just trying to get some ammo to persuade management that we really need to get a tool that uses ssh instead of telnet for one of our applications. Any ideas?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long

I totally agree with the time cost of the issue, and am at least looking into the cost before I throw the idea out the window. And I also agree with the ldap bind scenario. I just don't like it.

Just saw my first password in ethereal (over a telnet connection), but am now reading up on how to customize the view (filters) to show me that more easily. If I didn't know that it was the password (since it was my telnet connection), I would have never known that those letters were my password. I will also take a look at netmon.

Thanks for your comments all

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick

Two things:

"As far as REQs Al....... 1. FREE 2. Add little complexity"

These two are sometimes [1] not complementary to one another. Consider the cost of your time and troubleshooting efforts when you say this. I read Joe's response later in the thread and he's absolutely correct that a) this idea of using a static DN to bind sux rocks and b) LDAP bind by itself is not authentication!!!!! Arrrrgghhhhhhh. There, I feel better about that. :)

As for the network trace, your servers come with netmon by default which you can use to capture network traces in a limited fashion. In other words, you can capture traffic to and from the server itself and that's about it. SMS comes with a more full featured network trace utility. There's also Ethereal and a host of other products that are free and downloadable, but Ethereal and Netmon tend to be my preferred. Critter of habit I guess.

To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 will give some information about the product and what it's for. In your case, you'd want to look at the traffic coming from the other hosts (Sun) that is using an LDAP bind and basically if you can read the traffic, so can others. You do want to also check the destination port that the client is sending traffic to. That may indicate if it's even trying to use some sort of secure traffic mechanism. If its destination is tcp 389, then the data protection would need to be handled at a different layer such as TLS or IPSec type of protection.

-ajm

[1] Ok, that's a little misleading. Sometimes doesn't do it justice. Often would be a better term here. Kerberos is not simple when you get beyond one or two machines. Even then, it takes a bit of work. That work typically has a cost associated with it. That cost/benefit analysis might make it worth it to use a commercial product aimed at this problem vs. rolling your own solution.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long

I may sound like an idiot, but you guys are always talking about tracing stuff on the network to see if it is in plain text, and I have no clue how to do it. This is something I would really like to know how to do (as I think it would really help me understand some things....along with lessen the load of me asking these questions to you guys :)). I have tried using ethereal to do this, but either it doesn't do it, or I just don't know how to use the thing (which I am about 99% positive is the problem). Do any of you have the quick and dirty steps to do this? Or a link to a good tutorial (which I can't seem to find)?

As far as REQs Al....... 1. FREE 2. Add little complexity

Looks like I will either just use SFU, or keep the user repositories separate. I was just hoping that something free had come along since the last time that I looked that was worth doing.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick

The directions you reference on the sunone site make it look to me like it's an LDAP bind. Best way to know for sure would be to trace it on the network to see what is passed. If ldap bind, be sure to use some sort of encryption such as SSL.

I'm curious what the requirement here is? If just to allow solaris to authenticate via kerb with AD and allow AD users to login to solaris workstations, have you considered a product such as Centrify? www.centrify.com Far cry better and easier to implement. I'm interested in hearing what the requirements are though. The docs you referenced indicate a configuration that would be a PITA to manage in terms of reliability and effort IMHO.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman

I know someone doing auth from Solaris 9 and 10 against AD via Kerberos in production. I don't know how they are populating /etc/passwd but can find out. I've never used NIS against AD so couldn't say what's going on here.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long

Anyone know if this is passed in plain text? If so, I don't see any advantage to this versus the NIS server in SFU. Seems that the *nix community is making no progress in the secure authentication arena if this is the case. Any ideas or thoughts?
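Al Mulnick's advice in this thread (check which port the Sun client binds to, and whether the bind is readable on the wire) and Douglas's opening question (is the LDAP bind passed in plain text?) can be checked mechanically once a trace is captured. The following is an added example, not code from anyone in the thread: it decodes a constructed LDAP BindRequest (RFC 4511 BER) from a TCP payload and flags simple binds sent to tcp/389, where the password travels unprotected; a SASL/GSSAPI (Kerberos) bind and a TLS record on 636 are not flagged. The DN, password and packets are all constructed sample data.

```python
def _tlv(buf, pos):
    """Decode one BER TLV at pos (short or long definite length): (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_request(payload):
    """Return the fields of an LDAP BindRequest, or None if the payload is not one."""
    tag, msg, _ = _tlv(payload, 0)
    if tag != 0x30:                         # not an LDAPMessage SEQUENCE (e.g. a TLS record)
        return None
    _, msg_id, pos = _tlv(msg, 0)           # messageID INTEGER
    op_tag, op, _ = _tlv(msg, pos)
    if op_tag != 0x60:                      # [APPLICATION 0] = BindRequest
        return None
    _, version, pos = _tlv(op, 0)           # version INTEGER
    _, name, pos = _tlv(op, pos)            # name LDAPDN
    auth_tag, cred, _ = _tlv(op, pos)       # [0] simple OCTET STRING or [3] SaslCredentials
    return {"message_id": int.from_bytes(msg_id, "big"),
            "version": int.from_bytes(version, "big"),
            "name": name.decode(),
            "auth": "simple" if auth_tag == 0x80 else "sasl",
            "credential_bytes": len(cred)}

def audit(packets):
    """packets: iterable of (dst_port, tcp_payload). Report simple binds sent to 389."""
    findings = []
    for dst_port, payload in packets:
        bind = parse_bind_request(payload)
        if bind and bind["auth"] == "simple" and dst_port == 389:
            findings.append(f"cleartext simple bind as {bind['name']} "
                            f"({bind['credential_bytes']}-byte password visible)")
    return findings

def _ber(tag, value):                       # short-form BER encoder for the constructed samples
    return bytes([tag, len(value)]) + value
def _bind(name, auth):                      # LDAPMessage{messageID 1, BindRequest{v3, name, auth}}
    return _ber(0x30, _ber(0x02, b"\x01") + _ber(0x60, _ber(0x02, b"\x03") + _ber(0x04, name) + auth))

# Constructed traffic: simple bind on 389, Kerberos (SASL/GSSAPI) bind on 389, TLS record on 636.
SAMPLE_PACKETS = [
    (389, _bind(b"cn=svc-ldap,dc=example,dc=com", _ber(0x80, b"s3cret"))),
    (389, _bind(b"", _ber(0xA3, _ber(0x04, b"GSSAPI")))),
    (636, bytes.fromhex("160301002a0100002603")),
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PACKETS)) or "no cleartext binds")
```

Only the first packet is reported; the same check applied to a real capture tells you whether the Sun host's bind needs to move to LDAPS or Kerberos before anything else is decided.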
Title: RE: [ActiveDir] Ocra
