Showing results for tags 'active directory'.


Found 6 results

  1. Hi all, I have the following line of code in a PowerShell file, intended to remove a user from all Active Directory groups beginning with an @ symbol:

     Get-ADGroup -Filter 'name -like "@*"' | Remove-ADGroupMember -Members $UserID

     It actually works fine, and successfully removes them from the correct groups; however, the script locks my admin account every time it's run. Weird! I suspect it's to do with it 'using up' my Kerberos authentication tokens (it uses too many, as it runs for every single AD group beginning with @), or it thinks I'm trying to do something malicious because I'm sending such a large amount of commands in a short time? Is there a way for me to amend this line of code, so that instead of running Remove-ADGroupMember for every single @ group in the Active Directory, it only runs for the groups that the user is a member of? Or any other ideas? Thank you.
  2. Hello Hak5 Forums, I am new to the forums but am not new to the show; I am a current subscriber and watch almost every video that is uploaded. I had an interesting idea and wanted to see if it was possible, so I signed up here to find out. I'm trying to see if a Linux server, with something like LDAP, can also handle all users and permissions for multiple clients, so when I go from computer to computer I use the same username and credentials and have the same permissions when accessing network drives. The problem that I am seeing is that for the Windows side it would require Windows Server, and that is something I would rather not have to deal with. Eventually, if it is possible to do this, I would like to deploy this on a central virtualization server and have all my computers, both Windows and Linux, already configured with my credentials and my network shares mapped and ready to use. Thanks in Advance, Levi
  3. Hi all, I'm using...

     Get-ADUser $UserID -Property MemberOf | % {$_.MemberOf | Get-ADGroup | select Name | sort Name}

     ...to nicely list all of the Active Directory groups that a user is a member of, in an easy-to-read format. I'm trying to only list the groups that begin with an @ sign. So instead of...

     @Group 1
     @Group 2
     Group 3
     Group 4

     ...I would get just...

     @Group 1
     @Group 2

     I'm then looking to remove these groups from the user's account. So, in summary:
       • Get only the MemberOf groups beginning with @, for a user
       • Remove the user from these groups

     How would I go about this? I've been playing for a while, but have got no further than the script above. Thank you,
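The filtering that results 1 and 3 both ask for, as an added example that is not code from either poster: start from the user's own MemberOf list, keep only the groups whose name begins with "@", show them, and then remove the user from just those. It assumes the RSAT ActiveDirectory module is available and that $UserID is a sAMAccountName; the script name Remove-PrefixedGroups.ps1 is a hypothetical one.

```powershell
# Added example (not from the original posts). Removes $UserID only from the
# groups it is directly a member of whose name starts with $Prefix.
# Assumes: RSAT ActiveDirectory module; $UserID is a sAMAccountName.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$UserID,          # user to clean up, e.g. jsmith

    [string]$Prefix = '@'     # only groups whose Name starts with this
)

Import-Module ActiveDirectory

# One lookup: MemberOf holds the distinguished names of the groups the user
# is a direct member of, which is exactly the set Remove-ADGroupMember can act on.
$user = Get-ADUser -Identity $UserID -Properties MemberOf

# Resolve each DN to a group object and keep only the prefixed ones.
# Starting from the user's own list means no call is ever made against a
# group the user is not in, unlike iterating every "@" group in the directory.
$targets = @($user.MemberOf |
    ForEach-Object { Get-ADGroup -Identity $_ } |
    Where-Object { $_.Name.StartsWith($Prefix) } |
    Sort-Object Name)

if ($targets.Count -eq 0) {
    Write-Output "$UserID is not a member of any group starting with '$Prefix'."
    return
}

Write-Output "Groups $UserID will be removed from:"
$targets | Select-Object Name, DistinguishedName | Format-Table -AutoSize | Out-String | Write-Output

foreach ($group in $targets) {
    # Running the script with -WhatIf lists the removals without performing them.
    if ($PSCmdlet.ShouldProcess($group.Name, "Remove member $UserID")) {
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
    }
}
```

Run it first as `.\Remove-PrefixedGroups.ps1 -UserID jsmith -WhatIf` to see the list of groups that would be touched, then again without -WhatIf. Because the candidate set is taken from the user's MemberOf attribute, the script only issues one Remove-ADGroupMember call per group the user actually belongs to, instead of one per "@" group in the whole directory as the one-liner in result 1 does.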
  4. Hi all, Here's a nice script, entirely in a batch file, that:
       • Prompts for input of a user's Full Name and Email Address
       • Sets their password to a random string of uppercase, lowercase and numerical characters.
       • Generates an email to send to them, with their new password.

     Notes:
       • Length of the password can be set using the line Set _RNDLength=
       • Whether the user has to reset their password on logging in can be set with -mustchpwd
       • Amend OU= and DC= for your own company's domain.

     @echo off
     :Start
     endlocal
     echo.
     echo This script will reset the password for a user, using their Full Name,
     echo and then generate the email to be sent to them.
     echo.
     echo Passwords are automatically set as 10 digits, using lowercase,
     echo uppercase and numbers.
     echo.
     echo.
     echo.
     set /p "DisplayName= Full Name : %=%"
     echo.
     echo.
     set /p "EmailAddress= Email : %=%"
     cls
     Setlocal EnableDelayedExpansion
     Set _RNDLength=10
     Set _Alphanumeric=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
     REM Work out the length of _Alphanumeric (62) into _Len, nine characters at a time.
     Set _Str=%_Alphanumeric%987654321
     :_LenLoop
     IF NOT "%_Str:~18%"=="" SET _Str=%_Str:~9%& SET /A _Len+=9& GOTO :_LenLoop
     SET _tmp=%_Str:~9,1%
     SET /A _Len=_Len+_tmp
     REM Build the password one random character at a time.
     SET _count=0
     SET _RndAlphaNum=
     :_loop
     SET /a _count+=1
     SET _RND=%Random%
     SET /A _RND=_RND%%%_Len%
     SET _RndAlphaNum=!_RndAlphaNum!!_Alphanumeric:~%_RND%,1!
     If !_count! lss %_RNDLength% goto _loop
     dsmod user "CN=%DisplayName%,OU=[OU],DC=[DC],DC=co,DC=uk" -pwd !_RndAlphaNum! -mustchpwd no
     REM "IF ERRORLEVEL 0" is true for every exit code, so the failure branch
     REM could never run; test for an exit code of 1 or higher instead.
     IF ERRORLEVEL 1 (
         echo.
         echo Failed.
         echo.
         Pause
         GOTO Start
     ) ELSE (
         GOTO SendEmail
     )
     :SendEmail
     start "" "mailto:%EmailAddress%?subject=Password%%20Reset&body=Hello,%%0D%%0A%%0D%%0AYour%%20AD%%20password%%20has%%20been%%20reset%%20to%%20!_RndAlphaNum!%%0D%%0A%%0D%%0AKind Regards,%%0D%%0A%%0D%%0AYour%%20Name"
     cls
     GOTO Start

     Email generated looks like this:

     Hello,

     Your AD password has been reset to kD5Xjfd8A6

     Kind Regards,

     Your Name

     This saves me some time at work when we get loads of emails asking for password resets for AD accounts. Takes 30 seconds instead of a few minutes.
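The same reset workflow in PowerShell, added here as an example that is not the poster's script: it draws the password from the .NET cryptographic random number generator rather than the 16-bit %RANDOM%, refuses to act unless the display name matches exactly one account, and applies the reset with Set-ADAccountPassword. It assumes the RSAT ActiveDirectory module and a default mail client that handles mailto: links; the sender text and the -ChangePasswordAtLogon default are choices to adapt (the batch version passes -mustchpwd no).

```powershell
# Added example (not the poster's script): admin password reset in PowerShell.
# Assumes the RSAT ActiveDirectory module and a default mail client that
# handles mailto: links. Name and e-mail values are supplied at run time.
param(
    [Parameter(Mandatory = $true)][string]$DisplayName,
    [Parameter(Mandatory = $true)][string]$EmailAddress,
    [int]$Length = 10,
    [bool]$ChangePasswordAtLogon = $true   # the batch version used -mustchpwd no
)

Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 10)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    # Largest multiple of the alphabet size that fits in a uint32; draws at or
    # above it are repeated so every character is equally likely (a plain
    # modulo on a 32-bit value would slightly favour the first characters).
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $alphabet.Length)
    $chars = foreach ($i in 1..$Length) {
        do {
            $rng.GetBytes($bytes)
            $n = [BitConverter]::ToUInt32($bytes, 0)
        } while ($n -ge $limit)
        $alphabet[[int]($n % $alphabet.Length)]
    }
    $rng.Dispose()
    return -join $chars
}

# Resolve by display name and insist on exactly one hit, so a partial or
# duplicated name cannot reset a different account than the one intended.
$found = @(Get-ADUser -Filter { DisplayName -eq $DisplayName } -Properties DisplayName)
if ($found.Count -ne 1) {
    throw "Expected exactly one user with display name '$DisplayName', found $($found.Count)."
}
$user = $found[0]

$password = New-RandomPassword -Length $Length
$secure   = ConvertTo-SecureString -String $password -AsPlainText -Force

# -Reset performs an administrative reset (no old password needed), which is
# what dsmod -pwd does; ChangePasswordAtLogon mirrors dsmod's -mustchpwd.
Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
Set-ADUser -Identity $user -ChangePasswordAtLogon $ChangePasswordAtLogon

# Open the same kind of pre-filled message the batch script builds.
$body   = "Hello,`r`n`r`nYour AD password has been reset to $password`r`n`r`nKind Regards,`r`n`r`nYour Name"
$mailto = 'mailto:{0}?subject={1}&body={2}' -f $EmailAddress,
          [uri]::EscapeDataString('Password Reset'),
          [uri]::EscapeDataString($body)
Start-Process $mailto
```

Call it as `.\Reset-UserPassword.ps1 -DisplayName 'Jane Smith' -EmailAddress jane.smith@example.com` (a hypothetical script name). The exact-match check on DisplayName replaces the batch script's CN=%DisplayName% path, which silently fails or hits the wrong object when the name is mistyped or not unique in the OU; the rejection-sampling loop in New-RandomPassword is what keeps the character distribution uniform when the alphabet size does not divide 2^32.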
  5. Configuring Active Directory Accounts For Linux

     You may have followed our previous article detailing step by step how to integrate your RHEL 6 box into a Windows Active Directory environment. Being able to authenticate users and services to Active Directory from Linux is a big plus, but it’s not where this journey ends. We need to set up users' default home directories and default shells before we can really allow users to log in and start using your server. There are two ways to accomplish this: if you have Unix Identity Management Services installed on your domain controller you will have an easy way to set these configurations inside Active Directory.

     From Windows

     Inside Server Manager select your Active Directory Domain Services, right click to Add Role Services. Make sure these roles are installed. Once you have installed these Role Services we can continue. If you want to administer Active Directory from your workstation, make sure you have the correct AD Administrative tools installed. Make sure you have local admin rights on your workstation. Once you have the correct tools installed, open up Active Directory Users and Computers. Find a “test” user and open their properties. You will now see a new tab called UNIX Attributes.

     Specify Linux configs from Active Directory

     From here you can specify the UID (which will be assigned upon logging into Linux), Login Shell, Home Directory, and Primary Group. We aren’t going to go into detail on NIS domain because this is only important for older configurations of SSSD and ldap, krb5 etc. Let’s run a getent and see what Linux pulls from Active Directory:

     [root@server tmp]# getent passwd test
     test:*:940001114:940000513:test:/home/test@YOURDOMAIN.COM:/bin/bash

     Doesn’t match what’s in Active Directory? Read the Linux part of this article to find out why.

     From Linux

     Remember that thing called SSSD? If not please go back and read this. Let’s add a few lines to our sssd.conf:

     override_homedir = /home/%f
     override_shell = /bin/bash

     **Must restart SSSD to take effect**

     service sssd restart

     Only add these lines if you desire this functionality; either way is fine. However, if you have a more complex AD environment it sometimes is easier inside SSSD to implicitly imply what configurations you want for your users. In this example we have told SSSD that each AD user that logs in has a home directory of /home/username (which will be created by oddjob) and that we want their default shell to be /bin/bash. Most Linux users will expect this to be their default environment. There you have it. Go forth and shell with your Active Directory accounts.
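Setting the same UNIX Attributes fields from PowerShell, added here as an example and not code from the post: it writes the RFC 2307 attributes that the ADUC tab stores (uidNumber, gidNumber, loginShell, unixHomeDirectory), refuses a UID that another account already holds, and reads the result back. It assumes the RSAT ActiveDirectory module and a schema that carries those attributes (Server 2003 R2 or later); the UID/GID values are placeholders. One caveat worth knowing: SSSD's ad provider only uses these attributes when ldap_id_mapping = false is set in the domain section of sssd.conf. With the default ID mapping it derives UIDs and GIDs from the account SID instead, which is what produces values like 940001114 and 940000513 in the getent output above.

```powershell
# Added example (not from the post): write the RFC 2307 attributes behind the
# ADUC "UNIX Attributes" tab and read them back. Assumes the RSAT
# ActiveDirectory module; the UID/GID values are constructed placeholders.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [Parameter(Mandatory = $true)][int]$UidNumber,
    [int]$GidNumber = 10000,                 # placeholder primary group GID
    [string]$LoginShell = '/bin/bash',
    [string]$HomeDirectory = ''              # defaults to /home/<sAMAccountName>
)

Import-Module ActiveDirectory

if (-not $HomeDirectory) { $HomeDirectory = "/home/$SamAccountName" }

# Two accounts with the same uidNumber are the same Linux user as far as file
# ownership goes, so refuse a UID that is already assigned to someone else.
$clash = @(Get-ADUser -LDAPFilter "(uidNumber=$UidNumber)" |
    Where-Object { $_.SamAccountName -ne $SamAccountName })
if ($clash.Count -gt 0) {
    throw "uidNumber $UidNumber is already used by: $($clash.SamAccountName -join ', ')"
}

# -Replace sets the attributes whether or not they were set before.
Set-ADUser -Identity $SamAccountName -Replace @{
    uidNumber         = $UidNumber
    gidNumber         = $GidNumber
    loginShell        = $LoginShell
    unixHomeDirectory = $HomeDirectory
}

# Read back the values SSSD will see once ldap_id_mapping is turned off.
Get-ADUser -Identity $SamAccountName -Properties uidNumber, gidNumber, loginShell, unixHomeDirectory |
    Select-Object SamAccountName, uidNumber, gidNumber, loginShell, unixHomeDirectory
```

Run it as `.\Set-UnixAttributes.ps1 -SamAccountName test -UidNumber 10001` (a hypothetical script name). The uniqueness check is the part the ADUC tab does not do for you: duplicate uidNumber values across accounts mean two directory users own each other's files on every joined Linux host.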
  6. Red Hat Linux Active Directory Integration

     Can Linux boxes exist in a Windows Active Directory domain? The answer has been yes for a long time. However, until very recently this has been a very painful and tedious process: exporting certificates, trial and error config files, changing security settings on the domain controller, a major headache. Thankfully RedHat has actually realized this was a problem. It’s funny that while Server 2012 is already released, RedHat has only just added a simple method to integrate authentication with a Windows Active Directory domain. We are a release behind; better now than ever. The real OS of choice.

     NOTE: All Sample Configs are located at the bottom of this page.

     To start, this article ONLY applies to:
       • Red Hat Enterprise Linux 6.4
       • CENTOS 6.4

     You can find out your version by using:

     cat /etc/system-release    (CENTOS)
     cat /etc/redhat-release    (Red Hat)

     If you are not familiar with SSSD (System Security Services Daemon) then I suggest you do some reading before you dive into this article. Also, this is more geared towards Linux admins and not Windows admins. With these new changes you won’t have to access your Windows admin for anything, well, unless you need that domain admin access of course.

     BEFORE WE DO ANYTHING, ALWAYS BACKUP YOUR CONFIGS:

     authconfig --savebackup=mybackup

     First, to get started let’s check what version of SSSD you have installed on your box.

     NOTE: If a domain name is in CAPS it is on purpose. This was not done for show.

     rpm -q sssd

     You will need at least SSSD 1.9.2 for this. Let’s go ahead and set up all of the necessary nss and pam config files:

     authconfig --enablesssd --ldapserver=ldap://dc1.yourdomain.com --ldapbasedn="dc=YOURDOMAIN,dc=COM" --enablerfc2307bis --enablesssdauth --krb5kdc=dc1.yourdomain.com --krb5realm=YOURDOMAIN.COM --disableforcelegacy --enablelocauthorize --enablemkhomedir --updateall

     vi /etc/krb5.conf

     [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log

     [libdefaults]
      default_realm = YOURDOMAIN.COM
      dns_lookup_realm = false
      dns_lookup_kdc = false
      ticket_lifetime = 24h
      renew_lifetime = 7d
      forwardable = true
      # These encryption types are required for ntvlmi and krb5i (packet signing)
      default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
      default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
      permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

     [realms]
      YOURDOMAIN.COM = {
       kdc = domaincontroller.yourdomain.com:88
       admin_server = domaincontroller.yourdomain.com:749
       default_domain = yourdomain.com
      }

     [domain_realm]
      .yourdomain.com = YOURDOMAIN.COM
      yourdomain.com = YOURDOMAIN.COM

     Next:

     vi /etc/samba/smb.conf

     [global]
      workgroup = YOURDOMAIN
      client signing = yes
      client use spnego = yes
      kerberos method = secrets and keytab
      log file = /var/log/samba/%m.log
      realm = YOURDOMAIN.COM
      security = ads

     vi /etc/sssd/sssd.conf

     [sssd]
     config_file_version = 2
     services = nss, pam
     domains = YOURDOMAIN.COM

     [nss]
     nss_filter_groups = root
     nss_filter_users = root
     nss_entry_cache_timeout = 30
     nss_enum_cache_timeout = 30

     [domain/YOURDOMAIN.COM]
     id_provider = ad
     ad_server = domaincontroller.yourdomain.com
     ad_domain = yourdomain.com

     Now you will need an Active Directory account with administrator privileges to add machines to the domain. Before you run kinit make sure you update your time with a domain controller:

     ntpdate dc1.yourdomain.com

     Once time is synced continue with:

     kinit administrator

     Type your password. Confirm that you have received a Kerberos ticket by using klist. If you do not see any tickets please refer to your logs. SSSD is somewhat helpful inside /var/log/messages. Now we have a ticket we need to add this machine to the domain:

     net ads join -k

     If you receive a success message your new Linux box should be inside Active Directory inside the default Computers group. Verify with an Active Directory Admin to make sure your server object was created. Let’s run:

     service sssd restart

     If you did not receive any warning messages inside /var/log/messages we should be good to go. Test by running:

     id yourusernamead
     getent passwd yourusernamead

     You should be able to look up accounts at this point. Now the best part of this. Let’s set up PuTTY and SSHD to use your Kerberos key to authenticate into your Linux box. As you noted inside our sssd.conf we have added root accounts not to use AD authentication. First let’s make some changes to our SSHD configs:

     vi /etc/ssh/sshd_conf

     Make sure you have this line uncommented:

     GSSAPIAuthentication yes

     vi /etc/ssh/ssh_conf

     GSSAPIAuthentication yes
     GSSAPIDelegateCredentials yes

     Also, before trying to use PuTTY make sure you have a newer release and make sure your authentication settings are set up as follows: Make sure this is enabled. Now open a new session to your Linux box. Type in your Active Directory username and press enter. If Kerberos negotiation is successful you will NOT be prompted for a password. Happy Shelling.

     Sample Config Files: krb5.conf, sssd.conf, ssh_conf, sshd_conf

     If you are a RedHat subscriber you can read their article on this subject here.