Managing Active Directory from Linux with adtool
Update Early and Often
Remember, a software update for any project can cause mysterious problems to go away – or to appear. So, if you're experiencing issues with adtool and are confident that your queries and commands are using the proper syntax, and if you are convinced that your LDAP and Active Directory servers are properly configured, you might simply need to use a different version of adtool. As of this writing, the most current version is 1.3.3. Use that version unless you find that using an older version somehow resolves any connection problems you might be having.
So, you now have a good understanding of how to use adtool to administer a Microsoft domain controller. Using adtool across an encrypted connection gives you the ability to use your Linux system as efficiently as a Windows system. adtool is a powerful tool, and you now know many of the commands that will allow you to work and play well with Microsoft systems.
Adtool and Password Complexity
I've noticed over the years that quite a few adtool newbies have problems troubleshooting a new adtool implementation because of password requirements. Systems administrators sometimes use a simple password for a "dummy" user when testing a new application such as adtool.
Make sure you use a sufficiently complex password that Microsoft domain controllers like. Usually, systems expect your password to fulfill three of the following five categories: Uppercase letters, lowercase letters, base 10 digits, non-alphanumeric characters, and unicode characters. For more information about password complexity on Microsoft networks, consult Microsoft's TechNet site .
Reverse DNS and adtool
Authentication issues can get particularly sticky when you are using SSL-enabled connections. Error messages such as the following will often appear in your logs:
Invalid credentials (49) additional info: 720408159: \ LdapErr: DSID-0C090334, \ comment: AcceptSecurityContext error, data 525, vece
In some cases, I've noticed that Microsoft domain controllers sometimes expect valid reverse DNS at login time. So, if you haven't properly set up reverse DNS, you'll run into problems. If you encounter errors that mention an authentication failure and then bind, consider creating or updating reverse DNS in bind. That will most likely solve any problems you have, as long as you are not experiencing a larger authentication issue.
- adtool: http://gp2x.org/adtool/
- Debian "squeeze" admin packages: http://packages.debian.org/squeeze/admin/
- adtool Removed from Testing: http://packages.qa.debian.org/a/adtool/news/20120313T163912Z.html
- Splunk: http://www.splunk.com
- Open LDAP: http://www.openldap.org
- TinyCA: http://www.sm-zone.net
- TechNet on Passwords: http://technet.microsoft.com/en-us/library/cc875814.aspx
Buy this article as PDF
HP's annual Cyber Risk report offers a bleak look at the state of IT.
But what do the big numbers really mean?
.NET Core execution engine is the basis for cross-platform .NET implementations.
The Xnote trojan hides itself on the target system and will launch a variety of attacks on command.
Spammers go low-volume, and 90% of IE browsers are unpatched.
Adobe scrambles to release patches for vulnerable Flash Player.
Four-inch-long computer on a stick lets you boot a full Linux system from any HDMI display device.
New statute would require companies to report break-ins to consumers.
Weird data transfer technique avoids all standard security measures.
FIDO alliance declares the beginning of the end for old-style login authentication.