playing with ad domains not the windows way
play

Playing with AD Domains (not the Windows Way) - SambaXP 2017 - PowerPoint PPT Presentation

Jan 06, 2023 •546 likes •804 views

Tranquil IT Systems Playing with AD Domains (not the Windows Way) - SambaXP 2017 Denis Cardon, Vincent Cardon Tranquil IT Systems Tranquil IT Systems IT support company since 2002, in Nantes, FRANCE 15 employees both small (outsourcing)

  1. Tranquil IT Systems Playing with AD Domains (not the Windows Way) - SambaXP 2017 Denis Cardon, Vincent Cardon

  2. Tranquil IT Systems Tranquil IT Systems IT support company since 2002, in Nantes, FRANCE 15 employees both small (outsourcing) and large (contracting) clients

  3. Tranquil IT Systems TIS and SaMBa a long love story 2004 first client on SaMBa3 PDC NT4 2011 first client on SaMBa-AD leading SaMBa-AD integrator in France (it's google.fr that says it :-) SaMBa very popular in France free as in beer syndrom ? free as in speech syndrom ? Général de Gaulle syndrom ?

  4. Tranquil IT Systems some feedback

  5. Tranquil IT Systems Our experience 1/4 Installation and configuration is now soooo easy (IMHO :-) You are doing too much of a good job The main issues for simple deployments basic networking skills → fire the sysadmin basic AD skills → fire the sysadmin basic linux skills → make samba AD run on windows ? → fire the sysadmin

  6. Tranquil IT Systems Our experience 2/4 Bridging Windows and Linux... SaMBa is not only a bridge AD integration for BOTH Windows and Linux SMB protocol from Linux TO Linux no more Nightmare File System basic ldap bind auth NIS… Better identity management

  7. Tranquil IT Systems Our experience 3/4 SaMBa-AD and security Cisco Anyconnect 802.1x OK LAPS : OK Rights delegation : OK Software Restriction Policies (SRP/AppLocker) : OK RODC almost there, 4.7 ? KRB5 encryption type restriction: DCE-RPC port restriction:

  8. Tranquil IT Systems Our experience 4/4 Samba and scalability 5000+ desktops 90 domain controlers Huge performance improvements in 4.6 Even more improvements coming in 4.7… ex. : French Ministry of Culture : almost finished from 170 large and small domains to consolidated 13 domains. 170 sites

  9. Tranquil IT Systems Samba is ready for most domain We need to migrate them

  10. Tranquil IT Systems SaMBa standard migration strategies 1/2 SaMBa classicupgrade great for NT4 to AD Simple and effective scripts Easy to use But Sometime takes to many attributes (arrrgh! mungeddial) 1 shot migration only

  11. Tranquil IT Systems SaMBa standard migration strategies 2/2 MS AD to Samba AD through join Easy to setup But Tricky for win2k / doesn't work for win2k12 Migrate all what you want, AND all the junk accumulated... Cannot rename domain VIPs like rebranding

  12. Tranquil IT Systems need to go further

  13. Tranquil IT Systems Server Side Migration «LDB style» 1/3 Domain rename Domain merge Win2k12 forest level migration clone-dc-database re-inject users ! We cannot use most of Microsoft migration tools

  14. Tranquil IT Systems Server Side Migration «LDB style» 2/3 Samdb and python-ldb are your friends APIs are not hidden Scriptable with python Migration with same SID recreate domain with same SID re-create user inject SID set-nt-hash rejoin / move computers to the new domain

  15. Tranquil IT Systems Server Side Migration «LDB style» 3/3 Merge domB in existing domA recreate users set-ntlm-hash rejoin / move computers migrate user profiles (hardest part) No need for ADMT or SID History

  16. Tranquil IT Systems Client side User profile migration In a fairy land, you'll just have to change ACLs on user profile, ntuser.dat, userclass.dat repoint SID from profileList in HKLM In the depressing reality, you have locking problems organisational problems timing problems Desktop availability is transient, and they have their own life and diversity.

  17. Tranquil IT Systems We need a tool for migrating users profiles

  18. Tranquil IT Systems GPO are nice, but not good for everything People switching from NT4 to AD have big hopes about GPOs GPO concepts date back to the 90's Microsoft added SCCM : software deploiement / configuration management GPO still useful for security features (SRP, etc.) We need a tool to complement GPO...

  19. Tranquil IT Systems WAPT Distribute, update and remove software applications and configurations WAPT is a powerful ingredient to manipulating AD domains on client side Python scripting like on SaMBa AD

  20. Tranquil IT Systems DEMO

  21. Tranquil IT Systems At last there is competition ! not so much evolution in AD since 2000 Times change, AD creativity booming ADinternals -> MSAD has NTLM hash injection too (albeit not officially) Mimikatz : lsass.exe inception, pass the hash/over pass the hash attack, golden ticket People using samba4 for security auditing Microsoft does great software. Sometimes some competition helps :-)

  22. Tranquil IT Systems Whishlist 1/2 DNS consistancy checker. AD DNS registering still has some black magic GPO manipulation (import/export) sysvolsync part of the project (people mess up when reading the wiki) smbd downgrade to ntlm auth if krb5 auth fails

  23. Tranquil IT Systems whishlist 2/2 Make /etc/krb5.conf site aware (easily) Commercial SaMBa/CUPS driver support from copier vendors Improve bind-DLZ integration (or internal DNS :-) human friendly « samba-tool ntacl get » Smaller smbd footprint on DCs SaMBa DC process state checker

  24. Tranquil IT Systems And tomorrow? larger domains, tdb 64bits inter domain trust kerberos everywhere why keep kerberos on the LAN? make SaMBa be the innovator

  25. Tranquil IT Systems Questions ?

Recommend

Roadmap for Section A.1 General Concepts - Windows Networking Domains & Active Directory The

Roadmap for Section A.1 General Concepts - Windows Networking Domains & Active Directory The

Unit OS A: Windows Networking A.1. Networking Components in Windows Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section A.1 General Concepts - Windows Networking Domains &

443 views • 28 slides
Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple different versions of Windows 10 that support different features The version of Windows that we will be using is Enterprise edition This

973 views • 53 slides
The Important Details Of Windows Authentication Stefan Metzmacher <metze@samba.org> Samba

The Important Details Of Windows Authentication Stefan Metzmacher <metze@samba.org> Samba

The Important Details Of Windows Authentication Stefan Metzmacher <metze@samba.org> Samba Team / SerNet 2017-05-04 https://samba.org/~metze/presentations/2017/SambaXP/ Topics Windows Domains, Forests and Trusts Netlogon Secure

497 views • 34 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

WINDOWS TO BE REPLACED, APT. 508/509 UPPER SASH OF BATHROOM WINDOW WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WITH LOUVER IN PLACE OF GLASS FOR A/C mc-a mc-a mc-a mc-a

217 views • 8 slides
Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security whatsoever. Windows NT has security features, especially as a computer in a network. Security of Windows NT should be understood correctly. In

592 views • 31 slides
Game Playing Game playing AI Class 8 Ch. 5.1-5.3, 5.4.1, 5.5 State of the art and

Game Playing Game playing AI Class 8 Ch. 5.1-5.3, 5.4.1, 5.5 State of the art and

Todays Class Game Playing Game playing AI Class 8 Ch. 5.1-5.3, 5.4.1, 5.5 State of the art and resources Framework Weve seen multi-agent Game trees systems, and search problems Minimax where another agents moved

234 views • 6 slides
Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Unit OS B: Comparing the Linux and Windows Kernels Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux

430 views • 25 slides
Domains of Warfare Space Sp ace Cybe Cy ber- Air ir Sp Space ace Five Fi Domains of

Domains of Warfare Space Sp ace Cybe Cy ber- Air ir Sp Space ace Five Fi Domains of

Domains of Warfare Space Sp ace Cybe Cy ber- Air ir Sp Space ace Five Fi Domains of Doma of Warfar are Lan and Se Sea Joint M ultinational Combined Arms Live-Fire Exercise Camp Grayling-Alpena CRTC 2010-2018 NORTHERN

310 views • 4 slides
1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7 v8 Windows Embedded Standard One core Multiple SKUs v8. Windows Embedded 1 Windows 10 Windows Embedded Handheld Converged OS kernel Converged

1.08k views • 60 slides
Playing with Time and Playing in Time Valentin Goranko Stockholm University Joint work with Antti

Playing with Time and Playing in Time Valentin Goranko Stockholm University Joint work with Antti

Playing with Time and Playing in Time Valentin Goranko Stockholm University Joint work with Antti Kuusisto and Raine Rnnholm Lauri Hella 60 Fest Murikanranta, July 6, 2018 V Goranko 1 of 38 10 sec trailer Two main story lines: 1. Playing

614 views • 38 slides
Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS

Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS

Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS introduced a mess of new terms for Windows 8, and I have to go through them so we dont get confused. Windows RT: An edition of Windows 8 that runs on

389 views • 8 slides
Bi-Continuous Domains and Some Old Problems in Domain Theory Talk at Domains IX Klaus Keimel

Bi-Continuous Domains and Some Old Problems in Domain Theory Talk at Domains IX Klaus Keimel

Bi-Continuous Domains and Some Old Problems in Domain Theory Talk at Domains IX Klaus Keimel October 21, 2008 Warning: These Notes contain the contents of my Talk at Domains IX. There may be mistakes. References are incomplete. Comments are

142 views • 11 slides
26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE Anyone who wants to understand Windows security

26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE Anyone who wants to understand Windows security

CHAPTER 26 W INDOWS S ECURITY 26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE.................. 2 26.2 WINDOWS VULNERABILITIES ................................................. 18 26.3 WINDOWS SECURITY DEFENSES

537 views • 43 slides
Installing and Demonstrating Cantera 1.7 for Windows ChE 641 Combustion Modeling System

Installing and Demonstrating Cantera 1.7 for Windows ChE 641 Combustion Modeling System

Installing and Demonstrating Cantera 1.7 for Windows ChE 641 Combustion Modeling System Requirements A PC running MS Windows 2000, or Windows XP Matlab (6.5, 2007a/b or 2008a/b) Python 2.5 Download the Windows installer from

288 views • 10 slides
Windows | Doors | Facades Products and Services | Windows | Doors | Facades | Frameless glass

Windows | Doors | Facades Products and Services | Windows | Doors | Facades | Frameless glass

Windows | Doors | Facades Products and Services | Windows | Doors | Facades | Frameless glass partitions | Stainless steel handrails Windows Windows , that reflect your style Window systems AWS 65 AWS 70.HI

215 views • 19 slides
Roadmap for Section 2.3. Environment Subsystems System Service Dispatching Windows on Windows -

Roadmap for Section 2.3. Environment Subsystems System Service Dispatching Windows on Windows -

Unit OS2: Operating System Principles 2.3. Windows on Windows - OS Personalities Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 2.3. Environment Subsystems System

678 views • 20 slides
The Dataflow Model Problem How can we process unbounded data? Example: track user activity

The Dataflow Model Problem How can we process unbounded data? Example: track user activity

The Dataflow Model Problem How can we process unbounded data? Example: track user activity on a website Key ideas Windowing Fixed windows Sliding windows Sessions Time domains Event time Processing time

842 views • 26 slides
Playing for Keeps INJURY PREVENTION FOR MUSICIANS Content of Agenda Playing for Keeps Scope of

Playing for Keeps INJURY PREVENTION FOR MUSICIANS Content of Agenda Playing for Keeps Scope of

Playing for Keeps INJURY PREVENTION FOR MUSICIANS Content of Agenda Playing for Keeps Scope of the Problem Types of Injuries Causes Solutions Tools How big is the Problem? What do we know from research? 60% of professional orchestra

612 views • 22 slides
SirepRAT Windows IoT Core Abusing a Windows service for RCE About Me 7+ years in InfoSec

SirepRAT Windows IoT Core Abusing a Windows service for RCE About Me 7+ years in InfoSec

SirepRAT Windows IoT Core Abusing a Windows service for RCE About Me 7+ years in InfoSec Security Researcher @Safebreach Presented at DEFCON, DEEPSEC, Hackfest @bemikre Contents 1. Windows IoT Core 2. Live SirepRAT

967 views • 74 slides
Hat: Windows and WIMP Neil Mitchell Progress Updates I have: Ported the Hat tools to Windows

Hat: Windows and WIMP Neil Mitchell Progress Updates I have: Ported the Hat tools to Windows

Hat: Windows and WIMP Neil Mitchell Progress Updates I have: Ported the Hat tools to Windows Written Hat-make Library-fied some Hat tools Written Hat-Gui Hat Windows Port Works reasonably well Windows dislikes:

280 views • 14 slides
Windows 10: Decisions, Preparation and Boot Camp Introduction Ernie and John conversation 1. Why

Windows 10: Decisions, Preparation and Boot Camp Introduction Ernie and John conversation 1. Why

Windows 10: Decisions, Preparation and Boot Camp Introduction Ernie and John conversation 1. Why upgrade to Windows 10 rather than staying with Windows 7 or 8.1? a. Windows 7 is over 5 years old. There will be no new features . b. Windows 8.1 is

432 views • 6 slides
SUMMARY History End of life CLI Services Security Considerations Powershell

SUMMARY History End of life CLI Services Security Considerations Powershell

SUMMARY History End of life CLI Services Security Considerations Powershell Server Setup BRIEF HISTORY (WINDOWS CLIENT) MSDOS (1980) WINDOWS (1985) WINDOWS 3.1 (1992) Windows 95 (1995) Windows ME

725 views • 43 slides

More recommend