Title: RE: [ActiveDir] Ocra
Are you on a switched network?
 
If so, you can see packets on a switched network like that. That is why someone previously mentioned mirror port on the switch. I say forget the mirror port (the network people tend to not let you have that access for good reason) and just hook up a hub and run both your machines through the hub and then hook to the switch with the uplink.
 
Switched networks help secure the network a little better, it locks down who has full access to see all traffic. However if you sniff from the server side, you tend to get all sorts of goodies because lots of people are connecting to them.
 
  joe
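
Joe's point above (a switch only delivers unicast frames to the port where it learned the destination MAC, so a promiscuous sniffer on a third port sees little more than broadcasts, while a hub or a mirror port changes that) as an added illustration that is not from this thread. The toy switch, the hub, the MAC addresses, port numbers and the telnet session replayed through them are all constructed for the example.

```python
"""Why promiscuous mode shows so little on a switched LAN.

Added example, not from the mailing-list thread: a toy learning switch and
a hub, plus a constructed telnet session, to show which frames reach a
third port where a sniffer sits. All MAC addresses and port numbers are
invented.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_CLIENT, MAC_SERVER = "02:00:00:00:00:01", "02:00:00:00:00:02"
CLIENT_PORT, SERVER_PORT, SNIFFER_PORT = 1, 2, 3

# Constructed traffic: (label, ingress port, source MAC, destination MAC).
SESSION = [
    ("arp-request", CLIENT_PORT, MAC_CLIENT, BROADCAST),
    ("arp-reply", SERVER_PORT, MAC_SERVER, MAC_CLIENT),
    ("telnet-syn", CLIENT_PORT, MAC_CLIENT, MAC_SERVER),
    ("telnet-login-prompt", SERVER_PORT, MAC_SERVER, MAC_CLIENT),
    ("telnet-password", CLIENT_PORT, MAC_CLIENT, MAC_SERVER),
]


class Hub:
    """A hub repeats every frame out of every other port."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, src_mac, dst_mac):
        return self.ports - {in_port}


class LearningSwitch:
    """A switch learns which port each source MAC lives on and forwards
    unicast frames only there; broadcasts and unknown destinations are
    flooded. mirror_to/mirror_from model a SPAN (mirror) port: every frame
    that enters or leaves a mirror_from port is also copied to mirror_to."""

    def __init__(self, ports, mirror_to=None, mirror_from=()):
        self.ports = set(ports)
        self.mac_table = {}            # source MAC -> port where it was seen
        self.mirror_to = mirror_to
        self.mirror_from = set(mirror_from)

    def forward(self, in_port, src_mac, dst_mac):
        self.mac_table[src_mac] = in_port
        if dst_mac == BROADCAST or dst_mac not in self.mac_table:
            out = self.ports - {in_port}                   # flood
        else:
            out = {self.mac_table[dst_mac]} - {in_port}    # known unicast
        if self.mirror_to is not None and (in_port in self.mirror_from or out & self.mirror_from):
            out = out | {self.mirror_to}
        return out


def frames_seen_by(device, observer_port, session=SESSION):
    """Replay the session through the device; return the labels of frames
    delivered to observer_port (what a promiscuous sniffer there captures)."""
    seen = []
    for label, in_port, src, dst in session:
        if observer_port in device.forward(in_port, src, dst):
            seen.append(label)
    return seen


if __name__ == "__main__":
    ports = [CLIENT_PORT, SERVER_PORT, SNIFFER_PORT]
    print("switch, sniffer on port 3:", frames_seen_by(LearningSwitch(ports), SNIFFER_PORT))
    print("hub, sniffer on port 3:   ", frames_seen_by(Hub(ports), SNIFFER_PORT))
    print("switch, port 2 mirrored to port 3:",
          frames_seen_by(LearningSwitch(ports, mirror_to=SNIFFER_PORT, mirror_from=[SERVER_PORT]), SNIFFER_PORT))
```

On the plain switch the sniffer on port 3 captures only the ARP broadcast; the telnet frames, password included, go straight between ports 1 and 2. With the hub, or with port 2 mirrored to port 3, it captures the whole session, which is exactly the difference between "promiscuous mode sees nothing" and the setup Joe describes.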


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Getting more used to this Ethereal thing now. Found a cool little article that helped out a bit. Now I am trying to figure out why I can’t sniff the packets of another machine on the same subnet as me (I thought that was the point of promiscuous mode). I have it set to promiscuous mode, and it still sees nothing. I am just trying to get some ammo to persuade management that we really need to get a tool that uses ssh instead of telnet for one of our applications. Any ideas?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I totally agree with the time cost of the issue, and am at least looking into the cost before I throw the idea out the window. And I also agree with the ldap bind scenario. I just don’t like it.

Just saw my first password in ethereal (over a telnet connection), but am now reading up on how to customize the view (filters) to show me that more easily. If I didn’t know that it was the password (since it was my telnet connection), I would have never known that those letters were my password. I will also take a look at netmon.

Thanks for your comments all

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Two things:

"As far as REQs Al……. 1. FREE            2. Add little complexity"

These two are sometimes [1] not complementary to one another.  Consider the cost of your time and troubleshooting efforts when you say this. I read Joe's response later in the thread and he's absolutely correct that a) this idea of using a static DN to bind sux rocks and b) LDAP bind by itself is not authentication!!!!!  Arrrrgghhhhhhh.

There, I feel better about that. :)

As for the network trace, your servers come with netmon by default which you can use to capture network traces in a limited fashion.  In other words, you can capture traffic to and from the server itself and that's about it.  SMS comes with a more full featured network trace utility. There's also Ethereal and a host of other products that are free and downloadable, but Ethereal and Netmon tend to be my preferred.  Critter of habit I guess.

To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 will give some information about the product and what it's for.  In your case, you'd want to look at the traffic coming from the other hosts (Sun) that is using an LDAP bind and basically if you can read the traffic, so can others.  You do want to also check the destination port that the client is sending traffic to.  That may indicate if it's even trying to use some sort of secure traffic mechanism.  If its destination is tcp 389, then the data protection would need to be handled at a different layer such as TLS or IPSec type of protection.

-ajm

[1] Ok, that's a little misleading.  Sometimes doesn't do it justice.  Often would be a better term here. Kerberos is not simple when you get beyond one or two machines.  Even then, it takes a bit of work.  That work typically has a cost associated with it.  That cost/benefit analysis might make it worth it to use a commercial product aimed at this problem vs. rolling your own solution.
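
Al's advice above (check the destination port the Sun hosts talk to, and if it is tcp 389 ask whether the bind is protected at another layer) as an added worked example. This is my own code, not anything from this thread, from Ethereal or from Netmon. It assumes you have already pulled the client-to-server TCP payloads out of a capture; the segments below are constructed with a tiny BER encoder rather than taken from real traffic, and the host names, bind DN and password are placeholders. It goes a little beyond Al's single case and also classifies StartTLS, ldaps on 636, SASL and anonymous binds, so the output distinguishes "readable by anyone on the wire" from "protected".

```python
"""Audit client-to-server LDAP segments for cleartext simple binds.

Added example, not from the thread and not part of Ethereal or Netmon: given
the TCP payloads a sniffer captured, decode the BER-encoded LDAP BindRequest
(RFC 4511) to report how each client authenticated and whether the password
crossed the wire unprotected. Sample segments are constructed below with a
tiny BER encoder; host names, DN and password are placeholders. Passwords are
never printed, only their length.
"""

LDAP_PORT, LDAPS_PORT = 389, 636
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"      # RFC 4511 section 4.14


def tlv(tag, content):
    """Minimal BER encoder (definite length), used only to build samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    k = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | k]) + n.to_bytes(k, "big") + content


def read_tlv(buf, pos=0):
    """Decode one BER TLV at buf[pos]; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next k bytes hold the length
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_message(payload):
    """Summarise the protocolOp inside one LDAPMessage (bind and extended only)."""
    tag, body, _ = read_tlv(payload)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    _, _, pos = read_tlv(body)               # messageID, not needed here
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag == 0x60:                       # [APPLICATION 0] BindRequest
        _, _, p = read_tlv(op)               # version
        _, dn, p = read_tlv(op, p)           # name (bind DN)
        auth_tag, auth, _ = read_tlv(op, p)  # authentication CHOICE
        if auth_tag == 0x80:                 # [0] simple: the OCTET STRING is the password
            return {"op": "bind", "auth": "simple", "dn": dn.decode(), "secret_len": len(auth)}
        if auth_tag == 0xA3:                 # [3] SaslCredentials { mechanism, credentials }
            _, mech, _ = read_tlv(auth)
            return {"op": "bind", "auth": "sasl", "dn": dn.decode(), "mechanism": mech.decode()}
        return {"op": "bind", "auth": "unknown", "dn": dn.decode()}
    if op_tag == 0x77:                       # [APPLICATION 23] ExtendedRequest
        _, oid, _ = read_tlv(op)             # [0] requestName
        return {"op": "extended", "oid": oid.decode()}
    return {"op": "other"}


def describe_bind(msg):
    if msg["auth"] == "simple" and msg["secret_len"] > 0:
        return f"CLEARTEXT simple bind as {msg['dn']}: {msg['secret_len']}-byte password readable on the wire"
    if msg["auth"] == "simple":
        return f"anonymous/unauthenticated bind as {msg['dn']!r}"
    if msg["auth"] == "sasl":
        return f"SASL bind ({msg['mechanism']}): no password inside the bind itself"
    return "bind with unrecognised authentication choice"


def audit(segments):
    """segments: (client, dst_port, payload) in capture order -> list of (client, finding)."""
    tls_started, findings = set(), []
    for client, port, payload in segments:
        if port == LDAPS_PORT:
            finding = "ldaps (636): TLS from the first byte, bind not inspectable"
        elif port != LDAP_PORT:
            finding = f"port {port}: not LDAP, skipped"
        elif client in tls_started:
            finding = "protected: sent after StartTLS, payload is a TLS record"
        else:
            msg = parse_ldap_message(payload)
            if msg["op"] == "extended" and msg["oid"] == STARTTLS_OID:
                tls_started.add(client)
                finding = "StartTLS requested; following traffic is encrypted"
            elif msg["op"] == "bind":
                finding = describe_bind(msg)
            else:
                finding = f"other operation: {msg['op']}"
        findings.append((client, finding))
    return findings


# --- constructed sample traffic (not a real capture) ---
def ldap_message(msg_id, op):
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)

def simple_bind(dn, password):
    return ldap_message(1, tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, password)))

def sasl_bind(dn, mechanism):
    creds = tlv(0x04, mechanism) + tlv(0x04, b"<token>")
    return ldap_message(1, tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0xA3, creds)))

def starttls_request():
    return ldap_message(1, tlv(0x77, tlv(0x80, STARTTLS_OID.encode())))

SAMPLE = [
    ("sun-host-1", 389, simple_bind(b"cn=svc,dc=example,dc=com", b"s3cret-sample")),
    ("sun-host-2", 389, starttls_request()),
    ("sun-host-2", 389, b"\x16\x03\x01\x00\x05hello"),   # opaque TLS record after StartTLS
    ("sun-host-3", 636, b"\x16\x03\x01\x00\x05hello"),   # ldaps: TLS from the start
    ("sun-host-4", 389, sasl_bind(b"", b"GSSAPI")),
    ("sun-host-5", 389, simple_bind(b"", b"")),
]

if __name__ == "__main__":
    for client, finding in audit(SAMPLE):
        print(f"{client:<12} {finding}")
```

The first segment is the case Al describes: destination tcp 389 and a simple bind, so the bind DN and the password are sitting in the payload for anyone on the path to read. The StartTLS client is only judged protected because its request came before its bind; a real audit should also confirm the server's extended response was success, which this simplified tracker does not check.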
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, May 03, 2005 10:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I may sound like an idiot, but you guys are always talking about tracing stuff on the network to see if it is in plain text, and I have no clue how to do it. This is something I would really like to know how to do (as I think it would really help me understand some things….along with lessen the load of me asking these questions to you guys :) ). I have tried using ethereal to do this, but either it doesn’t do it, or I just don’t know how to use the thing (which I am about 99% positive is the problem).

Do any of you have the quick and dirty steps to do this? Or a link to a good tutorial (which I can’t seem to find)?

As far as REQs Al……. 1. FREE            2. Add little complexity

Looks like I will either just use SFU, or keep the user repositories separate. I was just hoping that something free had come along since the last time that I looked that was worth doing.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, May 03, 2005 7:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

The directions you reference on the sunone site make it look to me like it's an LDAP bind.  Best way to know for sure would be to trace it on the network to see what is passed.  If ldap bind, be sure to use some sort of encryption such as SSL.

I'm curious what the requirement here is?  If just to allow solaris to authenticate via kerb with AD and allow AD users to login to solaris workstations, have you considered a product such as Centrify?  www.centrify.com

Far cry better and easier to implement.

I'm interested in hearing what the requirements are though. The docs you referenced indicate a configuration that would be a PITA to manage in terms of reliability and effort IMHO.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, May 03, 2005 3:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I know someone doing auth from Solaris 9 and 10 against AD via Kerberos in production. I don’t know how they are populating /etc/passwd but can find out.

I’ve never used NIS against AD so couldn’t say what’s going on here.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, May 02, 2005 7:26 PM
To: ActiveDir@mail.activedir.org
Subject: Solaris authentication

Anyone know if this is passed in plain text? If so, I don't see any advantage to this versus the NIS server in SFU. Seems that the *nix community is making no progress in the secure authentication arena if this is the case. Any ideas or thoughts?