#StackBounty: #active-directory #qnap Cannot join AD domain managed by QNAP NAS

Bounty: 50

On my small network, I set up a QNAP TS-473 running 4.5.1.1.540 as a Domain Controller for Active Directory.

I tried to join the domain from multiple Windows 10 Pro PCs but I always get an error saying the semaphore timeout period has expired.

I configured DNS correctly on both PCs, pointing to the NAS IP and the Domain Controller is found without any problem.


#StackBounty: #sql-server #windows #active-directory gMSA account authentication failure during password rotation

Bounty: 150

When our gMSA accounts are automatically rotated, we see login failures for around 1-10 minutes. This is particularly apparent for gMSA client accounts that connect to MS SQL server, but I think it happens for other gMSA accounts as well. MS SQL server is not running as a gMSA account, but our application uses gMSA to make a client connection to SQL. By default ManagedPasswordIntervalInDays is every 30 days, so we see this every month at the same time.

When I check the domain controller logs, I don’t see any login failures for the gMSA user, but the SQL server logs the following error:

SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The operating system error code indicates the cause of failure. The logon attempt failed [CLIENT: x.x.x.x]

From what I have found, this error usually indicates the wrong username/password combination.

This occurs on multiple clients, and each eventually starts connecting again after anywhere from 1-10 minutes. The clients don’t all start connecting at the same time, but it seems to be randomly within that time window.

Initially I thought it might be related to AD replication of the changed password, so we modified the default inter-site replication interval to USE_NOTIFY to replicate immediately. If replication were the issue, I would expect to see login failures on DCs, and I’m not seeing logon failures on DCs.
I had also thought that maybe the SQL server is caching the authentication token, but if that were the case, I would expect to see all clients resolve at the same time (i.e. when the SQL server refreshed).
Given that the clients each start working again at a different time, it doesn’t appear to be on the SQL server side, but more likely something on the client side. Maybe caching of the gMSA password, or maybe something related to timeouts and retry backoffs.


#StackBounty: #windows #active-directory #docker #kerberos Windows gMSA How To Secure Use of CredentialSpec Used By Docker Container En…

Bounty: 50

The gMSA strategy Microsoft recommends for Containers here and here works very well. The general idea is the Container host retrieves the gMSA password from an Active Directory domain controller and gives it to the Container. The Identity configuration is stored in a JSON Credential Spec file, which is expected to live at the location C:\ProgramData\docker\CredentialSpecs on the Container host. This file contains metadata about the gMSA and is ultimately passed to the Docker Engine that runs the containers. Below is an example of doing this via docker run:

docker run --security-opt "credentialspec=file://myspec.json" --hostname myappname -it myimage powershell

The issue with this is, if multiple teams use the same Container hosts, how can you prevent one team from using another team’s Credential Spec and thus running their containers with that team’s permissions? For example, if the host has the below CredentialSpecs, Team A could use Team C’s.

C:\ProgramData\docker\CredentialSpecs\TeamA.json
C:\ProgramData\docker\CredentialSpecs\TeamB.json
C:\ProgramData\docker\CredentialSpecs\TeamC.json


#StackBounty: #ubuntu #active-directory Ubuntu 20.10 Active directory integration not working

Bounty: 50

I’ve just installed Ubuntu 20.10 and I enabled Active Directory integration during setup. It asked me for an AD user and password, I provided those and the setup showed green ticks and went on.

After completing setup, I tried to log in with a domain user (ufficio.lan\lucio), but it failed as if the password was incorrect (which it was not; I tried several times and I’m sure about my password). I then logged in with the local user I created during setup and checked that the machine was effectively joined to the domain:

# realm join -U Administrator ufficio.lan
realm: already joined to this domain

Please note that after trying to log in with my AD user, gdm added my real name and surname to the list of available users, so it actually managed to contact my AD server and obtain some information about me. However it didn’t create the home directory, nor did it mount the home directory that the server shares (this would be my final goal), and it didn’t let me in, as described above.

I tried to install Ubuntu 20.10 from scratch again, just in case I made some mistakes the first time, but I got the same results.

The server is a Zentyal Community Edition 6.2 and other Linux computers in the LAN manage to login with AD credentials, but those are old Fedora or Ubuntu 14.04 setups that were manually joined to the AD domain back then, so I can’t just copy /etc/ over and hope for the best: it won’t work.

EDIT after Sturban's answer:

Before reinstalling from scratch I had already tried to follow the guide linked in the answer, but it did not solve the problem. It was precisely that guide that, in Step 5, suggested the command

# realm join -U Administrator ufficio.lan

to check if the system was already joined to the domain. Despite being already joined, I tried following that guide anyway (even from its Step 1), but at the end of Step 5 the id command did not find my domain user and gdm kept refusing my domain login and not creating my home directory.

Anyway, I suspect the point is quite different, and that’s why I did not mention these trials before: Ubuntu 20.10 has AD integration option during setup and it’s a new feature that up to 20.04 included did not exist, so I suspect something different is needed on Ubuntu 20.10, while that guide assumes Ubuntu 20.04.


#StackBounty: #active-directory #powershell #windows-server-2012 #cluster windows cluster – Service Principal Name but no cluster servi…

Bounty: 50

Hello, I used to detect which servers in our big environment are clusters or cluster nodes by checking
the get-adcomputer value ServicePrincipalName for the strings MSServerClusterMgmtAPI or MSServerCluster.
However, I am not sure whether that should mean that the ClusSvc Cluster Service is running, because now I have found some servers without this service, but with such a string in ServicePrincipalName in their AD object. So what does it mean? Are these not in a cluster, or were they before and it was uninstalled, but this value didn’t change?
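Added example (not from the post), in Windows PowerShell with the RSAT ActiveDirectory module: it lists computer objects advertising a cluster SPN and checks over CIM whether ClusSvc actually exists on each host, so stale SPNs on decommissioned nodes and cluster name objects that are not real hosts stand out in the output.

```powershell
# Added example, not from the post. Assumes the RSAT ActiveDirectory module
# and CIM (WinRM) access to the candidate hosts.
Import-Module ActiveDirectory

# Any enabled computer object whose SPN list contains a cluster SPN; the -like
# filter matches any value of the multi-valued ServicePrincipalName attribute.
$candidates = Get-ADComputer -Filter { ServicePrincipalName -like "MSServerCluster*" -and Enabled -eq $true } `
    -Properties ServicePrincipalName, DNSHostName

foreach ($c in $candidates) {
    $clusterSpns = $c.ServicePrincipalName | Where-Object { $_ -like 'MSServerCluster*' }

    # Distinguish "service present" from "service missing" from "host unreachable".
    try {
        $svc = Get-CimInstance -ComputerName $c.DNSHostName -ClassName Win32_Service `
            -Filter "Name='ClusSvc'" -ErrorAction Stop
        $state = if ($svc) { "Installed ($($svc.State))" } else { 'NotInstalled' }
    } catch {
        # Cluster name objects (CNO/VCO) carry MSServerCluster SPNs but are not hosts,
        # as do nodes that were rebuilt or decommissioned without cleaning up AD.
        $state = 'Unreachable'
    }

    [pscustomobject]@{
        Computer    = $c.Name
        ClusterSPNs = ($clusterSpns -join '; ')
        ClusSvc     = $state
    }
}
```

Rows showing NotInstalled are the SPN-without-service case from the question; Unreachable rows need a second look to separate virtual cluster objects from dead hosts.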


#StackBounty: #windows #windows-server-2008 #active-directory #windows-server-2008-r2 Multiple domain controller and SQL Login Failed w…

Bounty: 100

I have a domain test.local with 4 domain controllers.

I have a SQL Server; sometimes when rebooting one of my domain controllers I get this error:

Description: SSIS Error Code DTS_E_OLEDBERROR. An OLE DB error has
occurred. Error code: 0x80004005.
An OLE DB record is available. Source: “Microsoft SQL Server Native Client 11.0” Hresult: 0x80004005 Description: “Login failed.
The login is from an untrusted domain and cannot be used with Windows
authentication.”.

Why is authentication not done on the other 3 DCs? Normally there is load balancing when there are multiple domain controllers.

Thanks for your help


#StackBounty: #active-directory #openldap #ldap-translucent Slapd translucent proxy and AD override

Bounty: 50

We are trying to set up an OpenLDAP server (slapd) on Ubuntu 18.04 to reach this goal: create custom groups in the slapd server with members from the Active Directory (AD).

For now we have set up a translucent proxy (because it seems to do what we want) as follows:

/etc/ldap# cat slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

# Include schemas
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
#include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/ad.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time

modulepath /usr/lib/ldap
moduleload back_meta
moduleload back_mdb
moduleload back_ldap
moduleload back_hdb
moduleload rwm
moduleload translucent
#moduleload memberof
moduleload pcache

# Enable TLS
#TLSCACertificateFile /etc/ldap/ca.pem
#TLSCertificateFile /etc/ldap/cert.pem
#TLSCertificateKeyFile /etc/ldap/key.pem

# Log level
loglevel 4095

#######################################################################
# database definitions
#######################################################################
database mdb
suffix "dc=xxx,dc=yyy,dc=net"
rootdn "cn=admin,dc=xxx,dc=yyy,dc=net"
rootpw "SupeSecretSecret"
directory /etc/ldap/mdb

#index objectClass eq
overlay translucent
translucent_local carLicense

tls ldaps       tls_reqcert=allow
uri ldaps://AD1.xxx.yyy.net:636
lastmod off
acl-bind binddn="cn=BindUSer,ou=zzz,ou=Users,ou=bbb,dc=xxx,dc=yyy,dc=net" credentials="AnotherSuperSecretSecret"

Now, we are able to perform ldapsearch through the LDAP proxy to the AD, but we have to use a bind user in the ldapsearch, as if the bind user defined in the configuration is ignored.

What I’m not understanding is how I can create a group in the local LDAP DB and insert users from the remote AD.

What am I missing?


#StackBounty: #windows #active-directory #permissions #windows-server-2019 #roaming-profile Active Directory roaming profile permission…

Bounty: 50

I have a problem with one specific folder while user profiles are synced at logon. Let me explain the situation:

I have:

  • A user account (MYDOMAIN\accountname)
  • Security group ‘Access to WADUP_RW’
  • An SMB share (\\my-smb\WADUP)
  • A PC with Windows 10 Pro installed (up-to-date) and joined to MYDOMAIN

Permissions on the WADUP folder on \\my-smb:

  • ‘Access to WADUP_RW’ has read and write access
  • Domain Admins and Enterprise Admins groups have read and write access

Configuration for the user account:

  • Profile path: \\my-smb\WADUP\accountname

The problem I’m having:

  1. Log in as accountname on the PC.
  2. The \\my-smb\WADUP\accountname folder is created (owner is accountname).
  3. Log out accountname on the PC.
  4. All data in the user profile is saved to \\my-smb\WADUP\accountname.
  5. So far so good.
  6. Now I log in as accountname on the PC again.
  7. I get the error ‘There was a problem with your roaming profile. You have been logged on with your previously saved local profile. Please see the event log for details or contact your administrator.’
  8. I check the event log, which says that \\?\UNC\my-smb\WADUP\accountname\AppData\Roaming\Microsoft\Installer can’t be copied to \\?\C:\Users\accountname\AppData\Roaming\Microsoft\Installer with DETAIL – Access is denied.
  9. I check the folder C:\Users\accountname\AppData\Roaming\Microsoft\Installer permissions, which are:
    • Everyone: Read
    • System: Full control
    • Administrators (PC\Administrators): Full control

What I’ve tried:

  • Changed SMB server; made no difference.
  • Manually changed the folder permissions to Everyone: Read and write. Though the permissions reset whenever I logged out.
  • All PCs do it, but they are the same Windows version.


#StackBounty: #active-directory #kerberos Is there a way to force active directory group assignation without logoff/login?

Bounty: 50

As stated here and there, it looks like there is no way to avoid a user logoff/login in order to activate a new group assignation for this user (my use case was: activating access to a shared folder by adding a user to a group).

Is there still no way to force the user group mapping assignation (without ending the session) with the latest versions of Windows/Active Directory?

Thanks !


#StackBounty: #sql-server #migration #active-directory SQL Server 2000/2005 compatibility with Active Directory 2016

Bounty: 50

We are currently using Active Directory 2008R2 and will be upgrading to AD 2016. I’m trying to determine if there are any known compatibility issues when running older versions of SQL Server (2000 and 2005) after upgrading to AD 2016. Has anyone been through this process? Most of our db servers are using SQL 2008 > 2016, but a few still run 2000/2005. Thanks
