Category: Unix-Linux


Technet article: https://technet.microsoft.com/en-us/library/cc978014.aspx

“Explanation:

When a requested object exists in the directory but is not present on the contacted domain controller, name resolution depends on that domain controller’s knowledge of how the directory is partitioned. In a partitioned directory, by definition, the entire directory is not always available on any one domain controller.

An LDAP referral is a domain controller’s way of indicating to a client application that it does not have a copy of a requested object (or, more precisely, that it does not hold the section of the directory tree where that object would be, if in fact it exists) and giving the client a location that is more likely to hold the object, which the client uses as the basis for a DNS search for a domain controller. Ideally, referrals always reference a domain controller that indeed holds the object. However, it is possible for the referred-to domain controller to generate yet another referral, although it usually does not take long to discover that the object does not exist and to inform the client. Active Directory returns referrals in accordance with RFC 2251. ”

Atlassian KB article: https://confluence.atlassian.com/confkb/user-lookups-fail-with-partialresultexceptions-due-to-active-directory-follow-referrals-configuration-612959323.html


Web article:

https://technet.microsoft.com/en-us/library/cc784450(v=ws.10).aspx


How to test SSL/TLS:

You can easily see which SSL/TLS protocol versions a server supports (and even grab the certificate from there); example below with OpenSSL. A successful handshake with -ssl3 means the server still accepts SSLv3, which is deprecated and a finding in its own right:

openssl s_client -connect myserver.mydomain.local:636 -ssl3
openssl s_client -connect myserver.mydomain.local:636 -tls1
openssl s_client -connect myserver.mydomain.local:636 -tls1_1
openssl s_client -connect myserver.mydomain.local:636 -tls1_2

All of those report a successful SSL handshake and present the proper server certificate.

And it is very easy anyway for a client to find out which SSL protocols a remote server supports: that is how the client <==> server handshake works, in order to select an agreed protocol supported on both sides.

I suggest you check on application side …

# nmap --script ssl-enum-ciphers -p 636 myserver.mydomain.local

Starting Nmap 6.46 ( http://nmap.org ) at 2017-02-16 18:22 CET
Nmap scan report for myserver.mydomain.local (172.19.133.64)
Host is up (0.025s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong


Suricata IDS: https://suricata-ids.org/

Snort IDS: https://www.snort.org/

Vulnerability mgmt:

https://www.rapid7.com/

https://www.tenable.com/products/nessus-vulnerability-scanner


Reference: https://blogs.technet.microsoft.com/askds/2011/07/28/troubleshooting-sid-translation-failures-from-the-obvious-to-the-not-so-obvious/

https://www.microsoft.com/en-US/download/details.aspx?id=53314

How Domain and Forest trusts work: https://technet.microsoft.com/en-us/library/cc757352(v=ws.10).aspx

EMC ISILON SID translation errors: https://community.emc.com/thread/177333?tstart=0


Actions to do:

Check Trust relationships

Check the firewall logs and use portqry to test the required ports. Also use the nltest and netdom command lines.

Check the GPO setting Network access: Allow anonymous SID/Name translation,

and the “Access this computer from the network” user right. The following groups hold it on domain controllers by default:

Administrators
Authenticated Users
Everyone

During the hard exercise of recruiting IT pros, you are obliged to ask questions; here are links to some Q&A:

http://www.techiebird.com/sendmail.html

https://www.brentozar.com/archive/2009/07/top-10-interview-questions-for-windows-sysadmins/

http://www.01world.in/p/windows.html

http://resources.intenseschool.com/top-interview-questions-for-system-administrators-microsoft/

https://www.toptal.com/sql/interview-questions

https://dwbi.org/database/sql/72-top-20-sql-interview-questions-with-answers

http://www.indiabix.com/technical/sql-server-common-questions/

https://www.linux.com/blog/10-job-interview-questions-linux-system-administrators

http://computernetworkingnotes.com/rhce-interview-questions/linux-interview-questions-for-experienced.html


Bash on Windows 10:

https://blogs.msdn.microsoft.com/powershell/2016/04/01/bash-for-windows-why-its-awesome-and-what-it-means-for-powershell/

OpenSSH:

https://github.com/PowerShell/Win32-OpenSSH/wiki

https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH

Other videos:

http://www.youtube.com/watch?v=DHAEsUL6rsw


List of command line tools used by all network/system administrators:

ping

tracert

psping, tcpview, psexec, autoruns, sysmon (www.microsoft.com/sysinternals)

rpcping

telnet

pathping

fport (www.foundstone.com)

netstat

nslookup

dig (part of the bind package)

portqry

Test-NetConnection (PowerShell cmdlet, only available on Windows 8.1 or later)

Endpoint Protection Client for Mac Computers and Linux Servers:
https://social.technet.microsoft.com/forums/en-US/4525c9e1-24f1-4fd3-97b2-d5817bbbbacd/scep-on-mac-and-linux

To request a certificate for Mac and Linux:
– SCEP ===> Mac compatible. Linux: problem: is there a SCEP client?
or
– request a certificate from Linux or Mac using openssl

Principle:

1) prepare the certificate request:

http://www.jamescoyle.net/how-to/1073-bash-script-to-create-an-ssl-certificate-key-and-request-csr

2) submit the certificate request to https://serverweb.mydomain.local/certsrv, or using the certutil Windows command from a jump server (manual or automatic approval, depending on the Windows certificate template settings)

3) install the issued certificate together with its full certificate chain (.p7b format) on Linux (Ubuntu):

https://help.ubuntu.com/lts/serverguide/certificates-and-security.html

https://myonlineusb.wordpress.com/2011/06/19/how-to-convert-certificates-between-pem-der-p7bpkcs7-pfxpkcs12/

To view the certificates chain:

openssl pkcs7 -in certnew.p7b -print_certs

To extract the certificates of the chain into a .cer (PEM) file:

openssl pkcs7 -print_certs -in certnew.p7b -out cert.cer

To convert a .cer into a .pfx:

openssl pkcs12 -export -out cert.pfx -inkey privatekey.key -in cert.cer -certfile cert.crt

Copy the .crt under /usr/share/ca-certificates (a file placed there must also be listed in /etc/ca-certificates.conf; a file dropped under /usr/local/share/ca-certificates is picked up automatically, see below):

sudo cp cert.crt /usr/share/ca-certificates/cert.crt

Update the certificate store (the file must have the .crt extension, otherwise it is not picked up):

update-ca-certificates is a program that updates the directory /etc/ssl/certs to hold SSL certificates and generates certificates.crt, a concatenated single-file list of certificates. It reads the file /etc/ca-certificates.conf. Each line gives a pathname of a CA certificate under /usr/share/ca-certificates that should be trusted. Lines that begin with “#” are comment lines and thus ignored. Lines that begin with “!” are deselected, causing the deactivation of the CA certificate in question. Furthermore all certificates found below /usr/local/share/ca-certificates are also included as implicitly trusted.

sudo update-ca-certificates
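The following script is an added example, not part of the original post: it runs the step 3 conversions (view the chain in the .p7b, extract it to PEM, build the .pfx) offline and adds the check you want before trusting the CA .crt system-wide, namely that the leaf actually verifies against it. The CA, the leaf certificate named host.mydomain.local and the certnew.p7b bundle are all constructed here as a stand-in for what certsrv would issue; update-ca-certificates itself is not run since it needs root.

```shell
#!/bin/sh
# Added example, not from the original post: walks through step 3 offline.
# A throwaway CA and a leaf certificate are generated here as a stand-in for
# what certsrv would issue; every name and subject below is constructed.
set -eu

WORK="$(mktemp -d)"

# Build the constructed chain and bundle it as a PKCS#7 file, the same
# shape as the certnew.p7b downloaded from the Windows CA.
make_test_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=host.mydomain.local" \
        -keyout "$WORK/privatekey.key" -out "$WORK/req.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/req.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/cert.crt" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$WORK/cert.crt" -certfile "$WORK/ca.crt" \
        -out "$WORK/certnew.p7b"
}

# "View the certificates chain": how many certificates does the .p7b carry?
p7b_cert_count() {
    openssl pkcs7 -in "$1" -print_certs | grep -c 'BEGIN CERTIFICATE'
}

# "Extract the .cer": dump the whole chain as PEM into $2.
extract_pem() {
    openssl pkcs7 -print_certs -in "$1" -out "$2"
}

# "Convert into a .pfx": leaf $1 + key $2 + chain $3 -> PKCS#12 $4, then
# read it back so a bad key/cert pairing fails here rather than on import.
make_pfx() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -out "$4" -passout pass:changeit
    openssl pkcs12 -in "$4" -passin pass:changeit -nokeys -noout
}

# Check that the leaf really chains to the CA .crt you are about to trust
# system-wide with update-ca-certificates (exit status 0 = valid chain).
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_test_chain
extract_pem "$WORK/certnew.p7b" "$WORK/cert.cer"
make_pfx "$WORK/cert.crt" "$WORK/privatekey.key" "$WORK/ca.crt" "$WORK/cert.pfx"
verify_against_ca "$WORK/ca.crt" "$WORK/cert.crt" && echo "chain OK, files in $WORK"
```

The generated files are left in the temporary directory so you can inspect them with the same openssl pkcs7 and pkcs12 commands shown above.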


For Mac: http://apple.stackexchange.com/questions/80623/import-certificates-into-system-keychain-via-the-command-line

Other resources:

http://blogs.technet.com/b/configmgrteam/archive/2013/04/05/how-to-create-and-deploy-a-client-cert-for-mac-independently-from-configmgr.aspx

http://www.whitneytechnologies.com/?p=218

http://www.unix.com/shell-programming-and-scripting/107305-shell-script-provide-answers-ssl-cert-request.html


Additionally: transforming .cer to .pem or vice-versa: https://www.sslshopper.com/ssl-converter.html

CentOS authentication with AD but no Kerberos (certificate only): http://htfdidt.blogspot.fr/2014/06/centos-6-with-active-directory.html