Ignore this. I just did a little FAQ reading, and it looks like this is by design on a switched network.

_______________________________________________________________________

Getting more used to this Ethereal thing now. Found a cool little article that helped out a bit. Now I am trying to figure out why I can't sniff the packets of another machine on the same subnet as me (I thought that was the point of promiscuous mode). I have it set to promiscuous mode, and it still sees nothing. I am just trying to get some ammo to persuade management that we really need to get a tool that uses ssh instead of telnet for one of our applications. Any ideas?

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long

I totally agree with the time cost of the issue, and am at least looking into the cost before I throw the idea out the window. And I also agree with the ldap bind scenario. I just don't like it.

Just saw my first password in ethereal (over a telnet connection), but am now reading up on how to customize the view (filters) to show me that more easily. If I didn't know that it was the password (since it was my telnet connection), I would have never known that those letters were my password.

I will also take a look at netmon.

Thanks for your comments all

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick

Two things:

"As far as REQs Al...
1. FREE
2. Add little complexity"

These two are sometimes [1] not complementary to one another. Consider the cost of your time and troubleshooting efforts when you say this. I read Joe's response later in the thread and he's absolutely correct that a) this idea of using a static DN to bind sux rocks and b) LDAP bind by itself is not authentication!!!!! Arrrrgghhhhhhh. There, I feel better about that. :)

As for the network trace, your servers come with netmon by default which you can use to capture network traces in a limited fashion. In other words, you can capture traffic to and from the server itself and that's about it. SMS comes with a more full featured network trace utility. There's also Ethereal and a host of other products that are free and downloadable, but Ethereal and Netmon tend to be my preferred. Critter of habit I guess.

To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 will give some information about the product and what it's for. In your case, you'd want to look at the traffic coming from the other hosts (Sun) that is using an LDAP bind and basically if you can read the traffic, so can others. You do want to also check the destination port that the client is sending traffic to. That may indicate if it's even trying to use some sort of secure traffic mechanism. If its destination is tcp 389, then the data protection would need to be handled at a different layer such as TLS or IPSec type of protection.

-ajm

[1] Ok, that's a little misleading. Sometimes doesn't do it justice. Often would be a better term here. Kerberos is not simple when you get beyond one or two machines. Even then, it takes a bit of work. That work typically has a cost associated with it. That cost/benefit analysis might make it worth it to use a commercial product aimed at this problem vs. rolling your own solution.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long

I may sound like an idiot, but you guys are always talking about tracing stuff on the network to see if it is in plain text, and I have no clue how to do it. This is something I would really like to know how to do (as I think it would really help me understand some things... along with lessen the load of me asking these questions to you guys :)). I have tried using ethereal to do this, but either it doesn't do it, or I just don't know how to use the thing (which I am about 99% positive is the problem). Do any of you have the quick and dirty steps to do this? Or a link to a good tutorial (which I can't seem to find)?

As far as REQs Al...
1. FREE
2. Add little complexity

Looks like I will either just use SFU, or keep the user repositories separate. I was just hoping that something free had come along since the last time that I looked that was worth doing.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick

The directions you reference on the sunone site make it look to me like it's an LDAP bind. Best way to know for sure would be to trace it on the network to see what is passed. If ldap bind, be sure to use some sort of encryption such as SSL.

I'm curious what the requirement here is? If just to allow solaris to authenticate via kerb with AD and allow AD users to login to solaris workstations, have you considered a product such as Centrify? www.centrify.com Far cry better and easier to implement.

I'm interested in hearing what the requirements are though. The docs you referenced indicate a configuration that would be a PITA to manage in terms of reliability and effort IMHO.

Al

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman

I know someone doing auth from Solaris 9 and 10 against AD via Kerberos in production. I don't know how they are populating /etc/passwd but can find out. I've never used NIS against AD so couldn't say what's going on here.

~Eric

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long

Anyone know if this is passed in plain text? If so, I don't see any advantage to this versus the NIS server in SFU. Seems that the *nix community is making no progress in the secure authentication arena if this is the case. Any ideas or thoughts?
Title: RE: [ActiveDir] Ocra
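Al's advice earlier in the thread (watch what the Sun host sends to tcp 389 and ask whether you can read it) and Douglas's opening question (is the bind passed in plain text?) both come down to the bytes of the LDAP BindRequest. The following is an added example, not code from the thread or from any product mentioned in it: a small decoder for the BER-encoded BindRequest that tells a simple bind (DN and password readable by anyone on the path) apart from a SASL bind such as GSSAPI. The two sample packets, the DN `cn=svc-ldap,dc=example,dc=com`, the password and the placeholder GSSAPI token are all constructed here for illustration; feed `parse_bind_request` the TCP payload of a real captured packet instead.

```python
"""Decode an LDAP BindRequest as seen on a cleartext tcp/389 stream.

Added example, not part of the mailing-list thread. Sample packets and
credential values are constructed here and are assumptions. Only the
LDAPMessage/BindRequest shape (RFC 4511) is handled, which is all that is
needed to answer "is the bind plaintext?".
"""

def _ber_len(n: int) -> bytes:
    """BER length: short form below 0x80, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def _ber_tlv(buf: bytes, pos: int):
    """Read one tag/length/value at pos -> (tag, value, position after it).
    Single-byte tags only, which covers every tag in a BindRequest."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# --- encoders, used only to build the constructed samples below (msg_id < 128) ---
def encode_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    bind = (_tlv(0x02, bytes([3]))            # version 3
            + _tlv(0x04, dn.encode())         # name (LDAPDN)
            + _tlv(0x80, password.encode()))  # authentication: simple [0]
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))

def encode_sasl_bind(msg_id: int, mechanism: str, credentials: bytes) -> bytes:
    sasl = _tlv(0x04, mechanism.encode()) + _tlv(0x04, credentials)
    bind = (_tlv(0x02, bytes([3]))
            + _tlv(0x04, b"")                 # name is usually empty for SASL
            + _tlv(0xA3, sasl))               # authentication: sasl [3]
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))

# --- decoder, the part you would point at a real capture ---
def parse_bind_request(payload: bytes) -> dict:
    tag, msg, _ = _ber_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msg_id, pos = _ber_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, bind, _ = _ber_tlv(msg, pos)
    if tag != 0x60:                            # [APPLICATION 0] = BindRequest
        raise ValueError(f"protocolOp tag 0x{tag:02x} is not a BindRequest")
    _, version, pos = _ber_tlv(bind, 0)
    _, name, pos = _ber_tlv(bind, pos)
    tag, auth, _ = _ber_tlv(bind, pos)
    result = {"message_id": int.from_bytes(msg_id, "big"),
              "version": int.from_bytes(version, "big"),
              "name": name.decode("utf-8", "replace")}
    if tag == 0x80:                            # simple: the password is right here
        result["auth"] = "simple"
        result["password"] = auth.decode("utf-8", "replace")
    elif tag == 0xA3:                          # sasl: only the mechanism name is readable
        _, mech, _ = _ber_tlv(auth, 0)
        result["auth"] = "sasl"
        result["mechanism"] = mech.decode()
    else:
        result["auth"] = f"unknown(0x{tag:02x})"
    return result

def leaks_credential(payload: bytes) -> bool:
    """True when a non-empty password is readable on the wire.
    An anonymous simple bind (empty DN and password) exposes no secret."""
    r = parse_bind_request(payload)
    return r["auth"] == "simple" and r["password"] != ""

# Constructed samples (assumed values, not from the thread).
SIMPLE_BIND = encode_simple_bind(1, "cn=svc-ldap,dc=example,dc=com", "Passw0rd!")
GSSAPI_BIND = encode_sasl_bind(2, "GSSAPI", b"<placeholder kerberos AP-REQ token>")

if __name__ == "__main__":
    for label, pkt in (("simple", SIMPLE_BIND), ("gssapi", GSSAPI_BIND)):
        print(label, pkt.hex(" "))
        print("  ", parse_bind_request(pkt), "leaks credential:", leaks_credential(pkt))
```

Run it and the hex dump of the simple bind shows the DN and `Passw0rd!` as readable ASCII, which is exactly what the hex pane of a capture tool shows anyone else on the segment; the GSSAPI bind carries a Kerberos token but no password. Two caveats: this decoder only applies to a cleartext stream, so a simple bind sent over LDAPS (tcp 636) or after StartTLS on tcp 389 will not parse because the payload is encrypted, which is the desired outcome; and a readable bind also tells you nothing about whether the directory actually verified anything, which is Al's separate point that a bind by itself is not authentication.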