Monday, 22 February 2010

Legacy group membership

Once you update the forest to 2003FFL, linked-value replication (LVR) comes into play.
However, this doesn't affect existing group membership entries.

This can be seen through repadmin:
repadmin /showobjmeta DC_Name Dn_of_group

Distinguished Name =============================
ABSENT member 2010-02-19 18:02:53 US\Server1
205479704 205479704 2
PRESENT member 2010-02-22 10:21:05 UK\Server2
208940639 143787850 1

ABSENT - LVR enabled member. This is similar to a tombstoned object - it records a membership that has been removed. This will be garbage collected after the tombstone lifetime has expired.
PRESENT - LVR enabled member.
LEGACY - legacy membership. LVR will not take affect for this member.

These can apply to members and also to "managed by" properties.

LVR enabled basically means that there is additional metadata associated with the membership, stored in msDS-ReplValueMetaData attribute for the group.
If you compare an entry for this attribute before and after a membership is LVR-enabled, you see something like this:

LEGACY member:




Updated PRESENT member:


CN=NTDS Settings,CN=Server1,CN=Servers,CN=UK,CN=Sites,CN=Configuration,DC=test,DC=com

Updating Legacy Memberships
In order to update all memberships and managed-by's to be LVR-enabled, you need to remove that membership and re-add it. This updates the metadata.

I'll try and paste some Powershell to do this later on as a response to this post.

Thursday, 4 February 2010

Old password still valid for an hour

Not sure why I haven't blogged this one before.

With Windows Server 2003 Sp1, MS decided to modify NTLM authentication behaviour (this also affects LDAP authentication) so that a user can use their old password for an hour to access the network after it has changed.
This is to allow things like service accounts to still be able to login while the new password propagates.
However, I've never been convinced that the case is there (why does kerberos not need it?).

To disable this feature, you need to modify HKLM\System\CurrentControlSet\Control\LSA\OldPasswordAllowedPeriod. This is a DWORD value.
Setting it to 0 means that you disable the use of old passwords.
If this value is not in the registry the default of 60 minutes is used.

See kb906305 for further details.

Wednesday, 3 February 2010

Using Winbind in Linux to authenticate to AD

Linux has Pluggable Authentication Modules (PAM) to provide a common set of authentication of APIs.
Also has Name Server Switch (NSS) APIs for looking up user information.
This resides on each linux machine.

AD authentication method 1
Have PAM and NSS communicate directly with AD using LDAP. However, LDAP authentication passes in clear text (so would need to use LDAPS). Also need to specify DC.

AD authentication method 2
Get PAM to use Kerberos and NSS to do group membership lookup via LDAP. More secure but still has problem where have to specify DC. Also doesn't manage passwords well.

AD authentication method 3
Use Samba.
Samba has a Winbind daemon that interprets PAM and NSS calls and interprets them into AD calls, using either Kerberos, LDAP or RPC, depending upon which is appropriate.
Winbind can also replicate the DC locator mechanism to find the best DC using SRV records.

Winbind parameters
Winbind domain: Netbios name of AD domain.
Security model: ADS.
Winbind ADS realm: DNS name of domain.
Winbind domain controllers: name of DC or * to get Winbind to use its DC locator mechanism.

ID mapping
NIS is used in Linux often to ensure that a Linux UID is unique on machines.

Can therefore have a mechanism to do a 1:1 mapping of AD users and groups to Linux UIDs. This is a big admin overhead.

Easier method is to get Winbind to extract the RID from the SID when the user logs in and use the RID as the UID.
This has zero admin overhead but won't work in a multi domain environment in case the RID is repeated.

Implementing mapping
To implement mapping, edit etc/samba/smb.conf
AD mapping: add "idmap backend = ad"
RID mapping: add "idmap backend = rid"