Category: Unix-Linux

Technet article:

“Explanation:

When a requested object exists in the directory but is not present on the contacted domain controller, name resolution depends on that domain controller’s knowledge of how the directory is partitioned. In a partitioned directory, by definition, the entire directory is not always available on any one domain controller.

An LDAP referral is a domain controller’s way of indicating to a client application that it does not have a copy of a requested object (or, more precisely, that it does not hold the section of the directory tree where that object would be, if in fact it exists) and giving the client a location that is more likely to hold the object, which the client uses as the basis for a DNS search for a domain controller. Ideally, referrals always reference a domain controller that indeed holds the object. However, it is possible for the referred-to domain controller to generate yet another referral, although it usually does not take long to discover that the object does not exist and to inform the client. Active Directory returns referrals in accordance with RFC 2251.”

Atlassian KB article:

Web article:

How to test SSL/TLS:

You can easily see what SSL protocol a server supports (and even grab the certificate from there); example below with OpenSSL:

openssl s_client -connect myserver.mydomain.local:636 -ssl3
openssl s_client -connect myserver.mydomain.local:636 -tls1
openssl s_client -connect myserver.mydomain.local:636 -tls1_1
openssl s_client -connect myserver.mydomain.local:636 -tls1_2

All those report a successful SSL handshake and present the proper server certificate.

And it is very easy anyway for a client to get the supported SSL protocols on a remote server; it is how the client <==> server handshake works to
select an agreed protocol supported on both sides.

I suggest you check on the application side …

# nmap --script ssl-enum-ciphers -p 636 myserver.mydomain.local

Starting Nmap 6.46 ( ) at 2017-02-16 18:22 CET
Nmap scan report for myserver.mydomain.local (
Host is up (0.025s latency).
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
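The script below is an added example, not part of the web article quoted above. It automates the s_client checks, one protocol version at a time, and tells a refusal by the server apart from the client's own refusal to offer a version (an OpenSSL 3 build will not offer TLS 1.0/1.1 at its default security level, and usually has no SSLv3 at all, so a failed handshake there says nothing about the server). To run offline it starts its own openssl s_server on 127.0.0.1, limited to TLS 1.2 and using a self-signed certificate constructed for the test; PORT, TARGET and the hostname myserver.mydomain.local are assumptions, and TARGET=host:636 points it at a real LDAPS endpoint. One caveat on the nmap output above: Nmap 6.46 labelled the RC4 suites "strong", but RFC 7465 prohibits RC4 in TLS and RFC 7568 deprecates SSLv3, and current versions of ssl-enum-ciphers grade them accordingly.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): enumerate accepted TLS versions
# with openssl s_client, distinguishing server refusal from client limits.
set -euo pipefail

WORK=$(mktemp -d)
PORT=${PORT:-14636}                       # assumed free local port
TARGET=${TARGET:-127.0.0.1:$PORT}         # override: TARGET=myserver.mydomain.local:636

# Stand-in endpoint (constructed test data): self-signed cert, TLS 1.2 only,
# which is how a hardened domain controller would answer on 636.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" \
  -out "$WORK/srv.crt" -subj "/CN=myserver.mydomain.local" -days 1 2>/dev/null
openssl s_server -accept "$PORT" -cert "$WORK/srv.crt" -key "$WORK/srv.key" \
  -tls1_2 -quiet >/dev/null 2>&1 &
SERVER_PID=$!
trap 'kill "$SERVER_PID" 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Wait until the listener accepts connections (a connect failure exits non-zero).
for _ in $(seq 1 20); do
  openssl s_client -connect "$TARGET" </dev/null >/dev/null 2>&1 && break
  sleep 0.5
done

# probe -ssl3 | -tls1 | -tls1_1 | -tls1_2 | -tls1_3
# Prints "yes" (handshake completed), "no" (server refused the version) or
# "client-blocked" (this openssl build would not even offer it). Only "yes"
# and "no" tell you anything about the server.
probe() {
  local flag="$1" out
  out=$(openssl s_client -connect "$TARGET" "$flag" </dev/null 2>&1) || true
  if printf '%s\n' "$out" | grep -qiE 'unknown option|no protocols available'; then
    echo client-blocked
  elif printf '%s\n' "$out" | grep -qE '^New, .*Cipher is [^(]'; then
    echo yes          # e.g. "New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384"
  else
    echo no           # "New, (NONE), Cipher is (NONE)" or no summary at all
  fi
}

# Cipher suite negotiated for a version, empty when the handshake failed.
negotiated_cipher() {
  openssl s_client -connect "$TARGET" "$1" </dev/null 2>/dev/null \
    | sed -n 's/^New, .*Cipher is //p' | grep -v '^(NONE)' || true
}

# Summary table, to compare with the ssl-enum-ciphers output above.
for v in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
  printf '%-8s %s\n' "$v" "$(probe "$v")"
done
```

Against the local stand-in, -tls1_2 is the only "yes"; -tls1_3 comes back "no" because the server rejects it, while -tls1_1, -tls1 and -ssl3 show "no" or "client-blocked" depending on the OpenSSL build doing the probing, which is exactly the ambiguity nmap's own TLS stack avoids.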


Suricata IDS:

Snort IDS:

Vulnerability mgmt:

How Domain and Forest trusts work:

EMC ISILON SID translation errors:


Actions to do:

Check the trust relationships.

Check the firewall logs and use portqry to test the required ports. Also use the nltest and netdom command lines.

Check the GPO "Network access: Allow anonymous SID/Name translation".

Also check the GPO "Access this computer from the network"; the following groups have this right on domain controllers by default:

Authenticated Users

During the hard exercise of recruiting IT Pros, you are obliged to ask questions; here are links to some Q&A:



Bash on Windows 10:


Other videos:


List of command line tools used by all network/system administrators:



psping, tcpview, psexec, autoruns, sysmon (

fport (

dig (part of the bind package)

Test-NetConnection (PowerShell cmdlet, only available on Windows 8.1 / Server 2012 R2 or later)

Endpoint Protection Client for Mac Computers and Linux Servers:

To request a certificate for Mac and Linux:
– SCEP ==> Mac compatible. Linux: problem: is there a SCEP client?
– request a certificate from Linux or Mac using openssl


1) prepare the certificate request:

2) submit the certificate request to https://serverweb.mydomain.local/certsrv, or using the certutil Windows command from a jump server (manual or automatic approval, depending on the Windows certificate template settings)

3) install the issued certificate with the full certificate chain (format .p7b) on Linux (Ubuntu):

To view the certificate chain:

openssl pkcs7 -in certnew.p7b -print_certs

To extract the certificates of the chain to a PEM .cer file:

openssl pkcs7 -print_certs -in certnew.p7b -out cert.cer

To convert a .cer together with its private key into a .pfx (PKCS#12):

openssl pkcs12 -export -out cert.pfx -inkey privatekey.key -in cert.cer -certfile cert.crt

Copy the CA certificate (.crt) under /usr/local/share/ca-certificates, where it is picked up implicitly; a copy under /usr/share/ca-certificates must also be listed in /etc/ca-certificates.conf:

sudo cp cert.crt /usr/local/share/ca-certificates/cert.crt

Update the certificate store (the file must have the .crt extension, else update-ca-certificates does not pick it up):

update-ca-certificates is a program that updates the directory /etc/ssl/certs to hold SSL certificates and generates certificates.crt, a concatenated single-file list of certificates. It reads the file /etc/ca-certificates.conf. Each line gives a pathname of a CA certificate under /usr/share/ca-certificates that should be trusted. Lines that begin with “#” are comment lines and thus ignored. Lines that begin with “!” are deselected, causing the deactivation of the CA certificate in question. Furthermore all certificates found below /usr/local/share/ca-certificates are also included as implicitly trusted.

sudo update-ca-certificates
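Steps 1 to 3 above as one script, added here as an example and not taken from the page or from any vendor tooling. Because the Windows CA behind https://serverweb.mydomain.local/certsrv is not reachable offline, a throwaway root CA created inside the script stands in for it and signs the request; the assumption is that the real CA returns the issued certificate plus chain as a PKCS#7 .p7b, as certsrv does. The hostnames linuxhost.mydomain.local and the file names (privatekey.key, request.csr, certnew.p7b, cert.cer, cert.pfx) are assumptions. The trust-store step is only printed, since it needs root on the target box.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): Linux side of the certificate
# request procedure, end to end, with a throwaway CA standing in for the
# Windows CA at https://serverweb.mydomain.local/certsrv.
set -euo pipefail

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Stand-in for the enterprise CA (constructed test data, not a real CA).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Stand-in Root CA" -days 30 2>/dev/null

# 1) Prepare the request on the Linux host. The private key is generated
#    locally and never leaves the machine; only request.csr is submitted.
openssl req -newkey rsa:2048 -nodes -keyout privatekey.key -out request.csr \
  -subj "/CN=linuxhost.mydomain.local" 2>/dev/null

# 2) Submission (stand-in). On the real CA this is the certsrv web page or
#    certutil -submit from a jump server. Here the throwaway CA signs the
#    request and adds the SAN the certificate template would add.
printf 'subjectAltName=DNS:linuxhost.mydomain.local\n' > san.ext
openssl x509 -req -in request.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out issued.crt -days 30 -extfile san.ext 2>/dev/null
# The CA hands back leaf + chain as a PKCS#7 bundle (certnew.p7b in certsrv).
openssl crl2pkcs7 -nocrl -certfile issued.crt -certfile ca.crt -out certnew.p7b

# 3) Install side. How many certificates does the bundle carry? (leaf + issuer)
chain_cert_count() {
  openssl pkcs7 -in certnew.p7b -print_certs -noout | grep -c '^subject='
}

# Extract every certificate from the .p7b as PEM into cert.cer ...
openssl pkcs7 -print_certs -in certnew.p7b -out cert.cer
# ... then split it: the cert issued to our host becomes leaf.crt, the rest
# (the CA chain) goes to chain.crt, regardless of the order in the bundle.
awk '/BEGIN CERT/{n++} n>0 {print > ("cert-" n ".pem")}' cert.cer
: > chain.crt
for f in cert-*.pem; do
  if openssl x509 -in "$f" -noout -subject | grep -q 'linuxhost.mydomain.local'; then
    cp "$f" leaf.crt
  else
    cat "$f" >> chain.crt
  fi
done

# Does the issued leaf actually chain to the CA we are about to trust?
verify_leaf() {
  if openssl verify -CAfile chain.crt leaf.crt >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Does our private key belong to the issued certificate? Compare public-key digests.
key_matches_cert() {
  local k c
  k=$(openssl pkey -in privatekey.key -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in leaf.crt -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  if [ "$k" = "$c" ]; then echo yes; else echo no; fi
}

# Key + leaf + chain as a .pfx for services that want PKCS#12 (password is a placeholder).
openssl pkcs12 -export -out cert.pfx -inkey privatekey.key -in leaf.crt \
  -certfile chain.crt -passout pass:changeit

# Trust store: only the CA certificate goes in, with a .crt extension, under
# /usr/local/share/ca-certificates so /etc/ca-certificates.conf needs no edit.
echo "sudo cp chain.crt /usr/local/share/ca-certificates/mydomain-ca.crt && sudo update-ca-certificates"
```

The two checks in the middle are the ones worth keeping around: verify_leaf catches a bundle whose chain does not actually issue the leaf (a common outcome when certsrv hands out the wrong chain option), and key_matches_cert catches a request re-generated on another host, which otherwise only surfaces as a confusing pkcs12 "No certificate matches private key" error.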


for MAC:

Other resources:


Additionally: transforming .cer to .pem or vice-versa:

CentOS authentication with AD but no Kerberos (certificate only):