global samba 4 ad domain tips and tricks disclaimer
play

Global Samba 4 AD Domain Tips and Tricks Disclaimer This - PowerPoint PPT Presentation

Dec 18, 2023 •151 likes •766 views

Global Samba 4 AD Domain Tips and Tricks Disclaimer This presentation, the content and opinions contained within are the authors own and do not reflect the views or opinions of Indeed, Inc. Last years presentation Audio :

  1. Global Samba 4 AD Domain Tips and Tricks

  2. Disclaimer This presentation, the content and opinions contained within are the authors’ own and do not reflect the views or opinions of Indeed, Inc.

  3. Last year’s presentation ● Audio : https://sambaxp.org/archive_data/SambaXP2017-AUDIO /Day3/Is%20Samba%204%20AD%20ready%20for%20Glo bal%20Enterprise.mp3 ● Slides: https://sambaxp.org/archive_data/SambaXP2017-SLIDES /Day3/Is%20Samba%204%20AD%20Ready%20for%20Gl obal%20Enterprise%20-%20Kevin%20Kunkel.pdf

  4. Kevin Kunkel IT Systems, Indeed Inc.

  5. About me (Kevin Kunkel) ● Windows 95 converted me to Linux ● Software Engineering at RIT, BS CS from Mercy College ● 12 years of Systems Administration ○ Linux SysAdmin ○ Windows SysAdmin ○ B2B SMB consulting ● 4 years managing large scale Samba AD

  6. Carlos Gonzalez IT Systems, Indeed Inc.

  7. About Carlos ● Use to be a Mac SysAdmin ● Joined Indeed 2 years ago ● Now manages Indeed’s Samba AD Domain

  8. But really, how about you?

  9. This is for you.

  10. You ● Samba Team ● Samba Developers ● Samba Users ● Enterprises/organizations/governments willing to try Samba

  11. The past year for Samba AD

  12. CVE-2018-1057

  13. Password reset exploitation ● All passwords for all users had been susceptible to a bug that would allow anyone to change another user’s password, since… FOREVER ○ This is Bad

  14. Password reset exploitation ● All passwords for all users had been susceptible to a bug that would allow anyone to change another user’s password, since… FOREVER ○ This is Bad ● Unless logging is set to 10 (full debug) this exploit would not generate any logs and be undetected. (possibly not even) ○ This is Even Worse

  15. Actual impact? ● Truly very little. We have no evidence that this was ever exploited ● but ○ Reinforces a misperception that Samba isn’t “enterprise-grade” ● This is The Worst

  16. The patches ● Patches were dropped at 8am CEST ○ Great for Europe, Asia, Australia, Pacific Islands ○ Horrible time for the Americas (2am CDT for example) ● I’d like to propose a set time of day for important security updates. ● 2pm CEST - Midnight in New Zealand and 5am PDT ○ Fewest possible SysAd sleeping 1am-5am

  17. Samba Bugs #13095 #13328 etc

  18. Linked attribute mishandling/corruption ● Linked attributes have been the bane of Samba AD administrators ● I have too many repressed memories to elaborate on the causes

  19. Theoretical Company ● Acme Global Corp is a large global multinational with over 10,000 employees, contractors and vendors. ● It has 10s of thousands of user objects in AD with 10s of thousands of groups objects. ● Many of these groups are used to facilitate RBAC to gate access to corporate networks and resources

  20. Theoretical Impact ● Acme Global Corp has an “employees” group with over 7,000 members ● As a large multinational, employees come and go every day. Before: After: Alice Alice Bob Bob Charlie Bob ... ... Xavier Bob

  21. Theoretical Impact (continued) ● Large swathes of users “removed” from “large” groups ● These same “large” groups are often used to gate access to standard applications and tools (think employees vs contractors vs vendors) ● Some SAML providers will sync AD membership and provision/delete application’s user accounts. ● Acme Global would have experienced widespread outages to core applications

  22. Don’t put all your eggs in one basket!

  24. So what then? ● Can we have a single source of truth with multiple baskets?

  25. No! Put all your eggs in one basket AND THEN WATCH THAT BASKET! - Andrew Carnegie

  26. Monitoring

  27. Nagios ● Port checks, both local and remotely ○ DNS: 53/tcp 53/udp 5353/tcp 5353/udp ○ Kerberos: 88/tcp 88/udp 464/tcp 464/udp ○ NTP 123/udp ○ SMB/CIFS: 135/tcp 135/udp 139/tcp 445/tcp ○ NETBIOS: 137/udp 138/udp ○ CIFS: 139/tcp ○ LDAP: 389/tcp 389/udp 636/tcp ○ Global Catalogue: 3268/tcp 3269/tcp ○ Dynamic RPC: 1024/tcp OR 49152/tcp

  28. Nagios ● Local: /usr/bin/sudo fuser 1024/tcp || /usr/bin/sudo fuser 49152/tcp ● Remote: echo test > /dev/tcp/$HOST_IP/1024 || echo test > /dev/tcp/$HOST_IP/49152 ● Samba-tool drs showrepl with some awk:

  29. Nagios (check_drs_repl) #!/bin/bash } else if ( $9 !~ /NTTIME/ ){ # Successes (ignoring unattempted) sudo samba-tool drs showrepl -kno|awk ' sub(/^.*@/, "", $9); # get time of success BEGIN { sub(/was.*$/,"",$9); # remove "was successful" FS="\t"; RS="" #Tab field separator, blankline record separator out=out$3" - "$1" - "$9"\n"; # add to output #($1)DC=SAMDOM,DC=EXAMPLE,DC=COM } # ($3)SITENAME\DOMAIN-CONTROLLER via RPC lines = lines + 1; # count output lines # ($6)DSA object GUID: 8974495f-a191-4d8b-84d1-25ff54f0d45a } END { # ($9)Last attempt @ Mon May 30 12:14:32 2016 EDT was successful if ( lines < 5 ) { # ($12)0 consecutive failure(s). print "CRITICAL: Samba4 not running!"; # ($15)Last success @ Mon May 30 12:14:32 2016 EDT exit 2; # } else if ( total > 10 ) { print "WARNING:"errs out; } { exit 1; sub(/ via RPC/, "", $3); # strip off postfix } else { sub(/^.*\\/, "", $3); # strip off site prefix print "OK:\n"errs out; sub(/\./, "", $12); # remove trailing period from failures exit 0; if( $12 ~ /[1-9]/) { # failures > 0 } sub(/^.*@/, "", $15); # get time of success }' sub(/NTTIME.*$/,"always",$15);# remove NTTIME with always errs=errs"\n"$3" has "$12" syncing "$1" since"$15; #reformat sub(/ consecutive.*$/, "", $12);# reduce $12 to error count total = total + $12; # total error count

  30. Example Healthy check_drs_repl output OK: DSA object GUID: ddcda871-524e-48c2-87eb-892234f9f159 - SITE1\DOMAIN-CONTROLLER - - ==== INBOUND NEIGHBORS ==== - SITE2-DC2 - CN=Schema,CN=Configuration,DC=SAMDOM,DC=EXAMPLE,DC=COM - Wed Jun 6 10:41:31 2018 EDT SITE4-DC1 - CN=Schema,CN=Configuration,DC=SAMDOM,DC=EXAMPLE,DC=COM - Wed Jun 6 10:41:31 2018 EDT SITE3-DC1 - CN=Schema,CN=Configuration,DC=SAMDOM,DC=EXAMPLE,DC=COM - Wed Jun 6 10:41:31 2018 EDT SITE5-DC1 - CN=Schema,CN=Configuration,DC=SAMDOM,DC=EXAMPLE,DC=COM - Wed Jun 6 10:41:31 2018 EDT SITE6-DC1 - CN=Schema,CN=Configuration,DC=SAMDOM,DC=EXAMPLE,DC=COM - Wed Jun 6 10:41:32 2018 EDT SITE2-DC2 - DC=ForestDnsZones,DC=SAMDOM,DC=EXAMPLE,DC=COM - Wed Jun 6 10:41:29 2018 EDT SITE4-DC1 - DC=ForestDnsZones,DC=SAMDOM,DC=EXAMPLE,DC=COM - Wed Jun 6 10:41:29 2018 EDT SITE3-DC1 - DC=ForestDnsZones,DC=SAMDOM,DC=EXAMPLE,DC=COM - Wed Jun 6 10:41:29 2018 EDT SITE5-DC1 - DC=ForestDnsZones,DC=SAMDOM,DC=EXAMPLE,DC=COM - Wed Jun 6 10:41:30 2018 EDT SITE6-DC1 - DC=ForestDnsZones,DC=SAMDOM,DC=EXAMPLE,DC=COM - Wed Jun 6 10:41:30 2018 EDT

  31. Example Warning check_drs_repl output WARNING: SITE-DC3 has 13 consecutive failure(s) syncing CN=Schema,CN=Configuration,DC=SAMDOM,DC=EXAMPLE,DC=COM since Sun Jun 3 11:07:40 2018 CDT SITE-DC3 has 13 consecutive failure(s) syncing DC=ForestDnsZones,DC=SAMDOM,DC=EXAMPLE,DC=COM since Sun Jun 3 11:07:36 2018 CDT SITE-DC3 has 13 consecutive failure(s) syncing DC=SAMDOM,DC=EXAMPLE,DC=COM since Sun Jun 3 11:07:41 2018 CDT SITE-DC3 has 13 consecutive failure(s) syncing DC=DomainDnsZones,DC=SAMDOM,DC=EXAMPLE,DC=COM since Sun Jun 3 11:07:38 2018 CDT SITE-DC3 has 13 consecutive failure(s) syncing CN=Configuration,DC=SAMDOM,DC=EXAMPLE,DC=COM since Sun Jun 3 11:07:43 2018 CDT DSA object GUID: 103d5a2d-5c53-44a8-8f72-a07ad07d9e6b - SITEORP\SITE-DC4 - - ==== INBOUND NEIGHBORS ==== - SITE11-DC1 - CN=Schema,CN=Configuration,DC=SAMDOM,DC=EXAMPLE,DC=COM - Sun Jun 3 12:15:09 2018 CDT SITE-DC1 - CN=Schema,CN=Configuration,DC=SAMDOM,DC=EXAMPLE,DC=COM - Sun Jun 3 12:16:51 2018 CDT SITE-DC2 - CN=Schema,CN=Configuration,DC=SAMDOM,DC=EXAMPLE,DC=COM - Sun Jun 3 12:15:24 2018 CDT

  32. Nagios ● LDAP ○ /usr/lib64/nagios/plugins/check_ldap -H localhost -b "dc=samdom,dc=example,dc=com" -D"dj@samdom.example.com" -P REDACTED ● DNS ○ /usr/lib64/nagios/plugins/check_procs -C named -c1: ○ /usr/lib64/nagios/plugins/check_dns -H host.example.com -w1 -c3

  33. Netdata ● https://github.com/firehol/netdata ● “netdata collects several thousands of metrics per device. All these metrics are collected and visualized in real-time.”

  34. Netdata

  36. Prometheus ● https://prometheus.io/ ● Time series database ● Central repository for netdata data

  37. Grafana ● https://grafana.com/ ● “No matter where your data is, or what kind of database it lives in, you can bring it together with Grafana. Beautifully.” ● Can pull from Zabbix, Prometheus, ElasticSearch ● Calculates Domain Jackedness Factor

  38. Elastic.co ● http://elastic.co ● “ELK” stack ○ Filebeat ○ Logstash ○ Elasticsearch ○ Kibana

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Productivity tips &amp; tricks Productivity tips &amp; tricks for a developer for a developer

Productivity tips &amp; tricks Productivity tips &amp; tricks for a developer for a developer

Productivity tips &amp; tricks Productivity tips &amp; tricks for a developer for a developer Sebastian Witowski Sebastian Witowski 1 2 3 4 5 6 vs. vs. 7 8 dotles dotles .bashrc, .vimrc, .gitcong alias ..=&quot;cd

308 views • 15 slides
HSC FCO PRESENTS UNMJobs 2.0 Onboarding, Updates, Tips &amp; Tricks, Q&amp;A Session May 16,

HSC FCO PRESENTS UNMJobs 2.0 Onboarding, Updates, Tips &amp; Tricks, Q&amp;A Session May 16,

HSC FCO PRESENTS UNMJobs 2.0 Onboarding, Updates, Tips &amp; Tricks, Q&amp;A Session May 16, 2017 Agenda Onboarding Regular faculty TPTs System Updates New User Interface (update roll outs) Tips &amp; Tricks

643 views • 14 slides
Trusted Domain Support as Active Directory Domain Controller Stefan Metzmacher

Trusted Domain Support as Active Directory Domain Controller Stefan Metzmacher

Trusted Domain Support as Active Directory Domain Controller Stefan Metzmacher &lt;metze@samba.org&gt; Samba Team / SerNet 2018-06-07 https://samba.org/~metze/presentations/2018/SambaXP/ Talks at SambaXP/SDC 2017 Last year I gave talks

388 views • 27 slides
Tips and Tricks For Broadcast Engineers and Managers Agenda Overview Jeff Welton, CBRE Tips

Tips and Tricks For Broadcast Engineers and Managers Agenda Overview Jeff Welton, CBRE Tips

Tips and Tricks For Broadcast Engineers and Managers Agenda Overview Jeff Welton, CBRE Tips and Tricks Regional Sales Manager Central U.S. For Engineers For Managers Paul Freeman Tinkle, CRMC, CRSM President and General

1.25k views • 56 slides
Unpacking tips and tricks Protector Techniques Conclusion Samuel Chevet w4kfu@lse.epita.fr

Unpacking tips and tricks Protector Techniques Conclusion Samuel Chevet w4kfu@lse.epita.fr

Unpacking tips and tricks Samuel Chevet Presentation Process Unpacking tips and tricks Protector Techniques Conclusion Samuel Chevet w4kfu@lse.epita.fr http://www.lse.epita.fr 12 February 2013 Why this talk ? Unpacking tips and tricks

439 views • 26 slides
SOCIAL MEDIA TIPS AND TRICKS FOR IFS PARTNERS SEPTEMBER 10, 2019 WELCOME INTRODUCTION

SOCIAL MEDIA TIPS AND TRICKS FOR IFS PARTNERS SEPTEMBER 10, 2019 WELCOME INTRODUCTION

SOCIAL MEDIA TIPS AND TRICKS FOR IFS PARTNERS SEPTEMBER 10, 2019 WELCOME INTRODUCTION Speakers: Ellen Jaudon, Global Social Media Analyst Format: Presentation End with Q&amp;A - send questions in the chat Webinar will be

370 views • 26 slides
Samba in the Enterprise : Samba 3.0 and beyond By Jeremy Allison jra@samba.org

Samba in the Enterprise : Samba 3.0 and beyond By Jeremy Allison jra@samba.org

Samba in the Enterprise : Samba 3.0 and beyond By Jeremy Allison jra@samba.org jeremy.allison@hp.com Where we are now : Samba 2.2 The current Samba is a credible replacement for a Windows server providing file and

529 views • 19 slides
THE SELFTEST SUITE Testing Samba May 21th, 2015 Andreas Schneider Red Hat Inc. Samba Team Who

THE SELFTEST SUITE Testing Samba May 21th, 2015 Andreas Schneider Red Hat Inc. Samba Team Who

THE SELFTEST SUITE Testing Samba May 21th, 2015 Andreas Schneider Red Hat Inc. Samba Team Who am I? The Selftest Suite Running tests Writing tests ABOUT ME I'm a Free and Open Source Software developer working on: Samba - The domain

383 views • 25 slides
902 Grant Disbursements: Ti Tips, Tricks and Troubleshooting for a T i k d T bl h ti f

902 Grant Disbursements: Ti Tips, Tricks and Troubleshooting for a T i k d T bl h ti f

902 Grant Disbursements: Ti Tips, Tricks and Troubleshooting for a T i k d T bl h ti f Flawless Submission COMMONWEALTH OF PENNSYLVANIA DEPARTMENT OF ENVIRONMENTAL PROTECTION BUREAU OF WASTE MANAGEMENT ACT 101, SECTION 902 MUNICIPAL

635 views • 34 slides
Being the best recorder player you can be Tips and tricks for getting the most out of your

Being the best recorder player you can be Tips and tricks for getting the most out of your

Presentation Flte Alors! Being the best recorder player you can be Tips and tricks for getting the most out of your practice and tackling difficult passages Good morning everyone. My name is Sarah Jeffery, and I am a recorder player living

470 views • 6 slides
Is Samba 4 AD Ready for Global Enterprise? It is with the ONE WEIRD TRICK click here But

Is Samba 4 AD Ready for Global Enterprise? It is with the ONE WEIRD TRICK click here But

Is Samba 4 AD Ready for Global Enterprise? It is with the ONE WEIRD TRICK click here But first... Disclaimer This presentation, the content and opinions contained within are the author's own and do not reflect the views or opinions of

509 views • 46 slides
Implementing the Witness protocol in Samba Gnther Deschner &lt;gd@samba.org&gt; (Red Hat /

Implementing the Witness protocol in Samba Gnther Deschner &lt;gd@samba.org&gt; (Red Hat /

Implementing the Witness protocol in Samba Gnther Deschner &lt;gd@samba.org&gt; (Red Hat / Samba Team) About Samba and RedHat Currently 7 Samba Team members inside RedHat Creators and users of Samba technology for authentication

836 views • 45 slides
GOOD MORNING! THINK BIG, BE GREAT! Tips, tricks, and little bit of fun for engaging with our

GOOD MORNING! THINK BIG, BE GREAT! Tips, tricks, and little bit of fun for engaging with our

GOOD MORNING! THINK BIG, BE GREAT! Tips, tricks, and little bit of fun for engaging with our community Britt Delo &amp; Keegan Aalderink Michigan West Coast Chamber of Commerce ITS ALL ABOUT YOU! Working together to improve the quality

524 views • 15 slides
Present And Future File Serving With Samba LinuxCon Europe 2014 Michael Adam Samba Team / SerNet

Present And Future File Serving With Samba LinuxCon Europe 2014 Michael Adam Samba Team / SerNet

Present And Future File Serving With Samba LinuxCon Europe 2014 Michael Adam Samba Team / SerNet October 14, 2014 Samba... Michael Adam SambaFS (2/40) Short History 1.9.17: 1996/08 2.0: 1999/01: domain-member, +SWAT 2.2: 2001/04:

553 views • 40 slides
Some SSH tips &amp; tricks you may enjoy (plus, iptables) D. H. van Dok (Nikhef) 2014-05-19

Some SSH tips &amp; tricks you may enjoy (plus, iptables) D. H. van Dok (Nikhef) 2014-05-19

Some SSH tips &amp; tricks you may enjoy (plus, iptables) D. H. van Dok (Nikhef) 2014-05-19 getting the most (security) out of your openssh The users perspective: least amount of hassle tradeoff between anxiety, angst and

559 views • 19 slides
A journey from 170 Samba3-NT4 domains to 1 unified Samba-AD domain with 8000 users Denis

A journey from 170 Samba3-NT4 domains to 1 unified Samba-AD domain with 8000 users Denis

A journey from 170 Samba3-NT4 domains to 1 unified Samba-AD domain with 8000 users Denis Cardon, 6th June 2016 They did not know it was impossible so they did it - Mark TWAIN T ranquil IT IT company in Nantes, France, since 2002

601 views • 30 slides
gran and d tr tran ansmis smission sion pr proje oject cts s an and d th the st e

gran and d tr tran ansmis smission sion pr proje oject cts s an and d th the st e

Workshop TGEG19 Compar Comparison ison betw between een ear early y electrifi electrifica cation tion gran and d tr tran ansmis smission sion pr proje oject cts s an and d th the st e stud udy y of of CIGRE CIGRE

689 views • 27 slides
What is Computing? Grading Tues/Thurs 4-5:30 pm in Park 349 7 Assignments 42% 6

What is Computing? Grading Tues/Thurs 4-5:30 pm in Park 349 7 Assignments 42% 6

CMSC B110: Introduction to Computing Spring 2012 Section 1 Mark F. Russo, Ph.D. Email: mfrusso@brynmawr.edu Email: russomf@gmail.com Lectures What is Computing? Grading Tues/Thurs 4-5:30 pm in Park 349 7 Assignments 42% 6

299 views • 9 slides
DeforaOS &amp; pkgsrc FOSDEM 2014 Brussels, Belgium Pierre Pronchery (khorben@) Saturday,

DeforaOS &amp; pkgsrc FOSDEM 2014 Brussels, Belgium Pierre Pronchery (khorben@) Saturday,

DeforaOS &amp; pkgsrc FOSDEM 2014 Brussels, Belgium Pierre Pronchery (khorben@) Saturday, February 1 st 2014 Summary 1.Introduction 2.Some slides in no particular order 3.Demo effect all over the place 4.Where to complain about the show

361 views • 32 slides
Basel Convention Technical Guidelines on the Environmentally Sound Management of Used Tires

Basel Convention Technical Guidelines on the Environmentally Sound Management of Used Tires

Basel Convention Technical Guidelines on the Environmentally Sound Management of Used Tires Patti Whiting U.S. EPA March 25, 2009 Basel Convention Background The Basel Convention is a multi-lateral environmental agreement (treaty)

211 views • 9 slides
1 2 MHT

1 2 MHT

1 2 MHT 2 + 2 min 2 + 2 min

1.05k views • 36 slides
XL2B: Excel2013: Model Trendline Multi 4/05/2019 V0P XL2B: V0P Excel2013 Model Trendline Multi

XL2B: Excel2013: Model Trendline Multi 4/05/2019 V0P XL2B: V0P Excel2013 Model Trendline Multi

XL2B: Excel2013: Model Trendline Multi 4/05/2019 V0P XL2B: V0P Excel2013 Model Trendline Multi 1 XL2B: V0P Excel2013 Model Trendline Multi 2 Model Using Trendline Assignment: Multiple Models in Excel 2013 1. Goal: Generate six charts. Use

477 views • 14 slides
Multiple-Choice Item Design 1. The purpose of the stam is to remove the a. octal b. stam bar

Multiple-Choice Item Design 1. The purpose of the stam is to remove the a. octal b. stam bar

Multiple-Choice Item Design 1. The purpose of the stam is to remove the a. octal b. stam bar c. denton d. rotator 1 2. Which of the following pairs has won the greatest number of Abby awards? a. Williams and Jones b. Jones and Richards

308 views • 10 slides
Lecture 28: spaced, single column, 11pt recommended; submission through Compass) No extensions

Lecture 28: spaced, single column, 11pt recommended; submission through Compass) No extensions

CS447: Natural Language Processing Projects and Literature Reviews http://courses.engr.illinois.edu/cs447 Final report due Friday, Dec 14, 11:59 PM (PDF written in LaTeX; no length restrictions, but 810 pages single Lecture 28: spaced,

280 views • 6 slides

More recommend