If your clock skew is too great to join the domain you want, adjust it to that domain by...
russ@taliesin:~> sudo vastool -u administrator timesync -d domain
How I created a computer one day:
russ@taliesin:~> sudo vastool -u administrator -w test123 create computer poo-poo-annie
Successfully created computer "cn=poo-poo-annie,cn=Computers,dc=a,dc=vas".
Creating a user in Active Directory won’t make it show up when listed out using vastool list users because it’s not a VAS (or *nix) user. Here’s how to create one:
russ@taliesin:~> sudo vastool -u administrator create -p Test1234 -x user poopola
Password: (on host)
Password for administrator@ZUT.DEV: Test1234
Successfully created user poopola.
The -x option makes it so the user need not change his or her password upon first login.
If the user is created with the -o option, then it’s a purely Active Directory user (just as if created on the server). This is a little obscure.
russ@taliesin:~> vastool -u administrator create -p Test1234 -x -o user finklestein
Password: (on host)
Password for administrator@ZUT.DEV: Test1234
Successfully created user finkelstein.
The fact is, if you don’t supply the *nix information using the -i option, it’s not going to be a valid *nix user whether you specified -o or not:
russ@taliesin:~> sudo vastool -u administrator create -p Test1234 -x \
    -i "foouser1:x:99999:1999:Foo User:/home/foouser1:/bin/bash" user foouser1
Whereupon, we can get this list...
russ@taliesin:~> vastool list users
foouser1@ZUT.DEV:VAS:99999:1999:Foo User:/home/foouser1:/bin/bash
Creating a group in Active Directory. This also demonstrates listing users into a file, then attempting to use that file to add them to a group, which doesn't work as-is since vastool group add barfs on anything beyond the bare account name (you must delete the @ and everything after it, and it appears to choke on a name containing a space as well). The exercise is instructive. I apologize for the mildly scatological names chosen in lieu of everyone else's foo, foobar, etc. The latter don't have a particularly shining pedigree either (in fact, they're arguably worse).
Nota bene: To save a little space here, assume use of sudo and that all vastool commands below are supplied with the following options:
-u administrator -w Test1234
russ@taliesin:~/vas/src/vastool-v3> ./vastool-site list users
foouser1@ZUT.DEV:VAS:99999:1999:Foo User:/home/foouser1:/bin/bash
russ@taliesin:~/vas/src/vastool-v3> ./vastool-site list users > user-list
russ@taliesin:~/vas/src/vastool-v3> cat user-list
foouser1@ZUT.DEV:VAS:99999:1999:Foo User:/home/foouser1:/bin/bash
russ@taliesin:~/vas/src/vastool-v3> ./vastool-site group -f ./user-list bungwad add
ERROR: Group not found: bungwad
russ@taliesin:~/vas/src/vastool-v3> ./vastool-site create group bungwad
Group bungwad created
russ@taliesin:~/vas/src/vastool-v3> ./vastool-site group -f ./user-list bungwad add
ERROR: Could not add members to group: bungwad
russ@taliesin:~/vas/src/vastool-v3> vi user-list        # (to remove @+...)
russ@taliesin:~/vas/src/vastool-v3> cat user-list
foouser1
russ@taliesin:~/vas/src/vastool-v3> ./vastool-site group -f ./user-list bungwad add
1 user added to group bungwad
russ@taliesin:~/vas/src/vastool-v3> ./vastool-site create -p asdf -x user crapola
ERROR: Failed to create user crapola, err = VAS_ERR_FAILURE: at user.c:884 in libvasadmin_user_create
Could not set password
Caused by: VAS_ERR_INVALID_PARAM: at passwd.c:526 in _passwd_generate_good_error
New password does not meet your the domain password policy requirements. Contact your Administrator for information on the minimum password length, complexity, and password history requirements.
Caused by: KPASSWD_SOFTERROR: Soft error
ERROR: VAS_ERR_FAILURE: at user.c:884 in libvasadmin_user_create
Could not set password
Caused by: VAS_ERR_INVALID_PARAM: at passwd.c:526 in _passwd_generate_good_error
New password does not meet your the domain password policy requirements. Contact your Administrator for information on the minimum password length, complexity, and password history requirements.
Caused by: KPASSWD_SOFTERROR: Soft error
russ@taliesin:~/vas/src/vastool-v3> ./vastool-site create -p Hootchie3254 -x user crapola
Successfully created user crapola.
russ@taliesin:~/vas/src/vastool-v3> vi user-list        # (to change to new, multiple list)
russ@taliesin:~/vas/src/vastool-v3> cat user-list       # (Note: comments NOT in file)
poopola                                                 # (already a user)
Germann Finklestein                                     # (already a user)
crapola                                                 # (the new one just created)
russ@taliesin:~/vas/src/vastool-v3> ./vastool-site group -f ./user-list bungwad add
ERROR: Could not add members to group: bungwad          # (probably because of space)
russ@taliesin:~/vas/src/vastool-v3> vi user-list        # (to change to remove Finkelstein)
russ@taliesin:~/vas/src/vastool-v3> ./vastool-site group -f ./user-list bungwad add
2 users added to group bungwad                          # (Ah.... success!)
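The two edits done by hand above (strip "@REALM", drop the entry with a space) can be scripted. This is an added example, not from the original notes and not part of vastool; it assumes the passwd-style `list users` format shown above and that `group add` wants one bare account name per line.

```shell
#!/bin/sh
# Added example (not from the original notes). Turns `vastool list users`
# output into a member file that `vastool group -f FILE GROUP add` accepts.
# Assumes, as the session above shows, that `list users` prints passwd-style
# lines "user@REALM:VAS:uid:gid:gecos:home:shell" and that `group add` wants
# one bare account name per line: no "@REALM" suffix, no embedded spaces.

# Read passwd-style lines on stdin; print bare account names on stdout.
# Names with characters outside [A-Za-z0-9._-] (e.g. a space) are reported
# on stderr and left out, since one bad line makes the whole add fail.
to_member_list() {
    while IFS= read -r line; do
        principal=${line%%:*}      # field 1: user@REALM
        name=${principal%%@*}      # drop '@' and everything after it
        [ -z "$name" ] && continue
        case $name in
            *[!A-Za-z0-9._-]*)
                printf 'skipped "%s": not a bare account name\n' "$name" >&2 ;;
            *)
                printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed sample in the format of `vastool list users` output
# (the third line stands in for a display name containing a space).
SAMPLE='foouser1@ZUT.DEV:VAS:99999:1999:Foo User:/home/foouser1:/bin/bash
poopola@ZUT.DEV:VAS:10001:1999:poopola:/home/poopola:/bin/bash
Germann Finklestein@ZUT.DEV:VAS:10002:1999:Germann:/home/finklestein:/bin/bash'

# Run the filter over the sample; in real use you would do
#   vastool list users | to_member_list > user-list
#   vastool -u administrator group -f ./user-list bungwad add
demo_member_list() {
    printf '%s\n' "$SAMPLE" | to_member_list 2>/dev/null
}

demo_member_list
```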
We can look in detail at anything in Active Directory by performing an LDAP search for it:
russ@taliesin:~> vastool -u administrator search "(objectCategory=Person)"
Password for administrator@ZUT.DEV: Test1234
dn: CN=Administrator,CN=Users,DC=zut,DC=dev
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
distinguishedName: CN=Administrator,CN=Users,DC=zut,DC=dev
instanceType: 4
whenCreated: 20060726165315.0Z
whenChanged: 20060726171024.0Z
uSNCreated: 8194
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=zut,DC=dev
memberOf: CN=Domain Admins,CN=Users,DC=zut,DC=dev
memberOf: CN=Enterprise Admins,CN=Users,DC=zut,DC=dev
memberOf: CN=Schema Admins,CN=Users,DC=zut,DC=dev
memberOf: CN=Administrators,CN=Builtin,DC=zut,DC=dev
uSNChanged: 13948
name: Administrator
objectGUID: ymoQpVIO2E+tNT31rYukDg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 127984269111875000
pwdLastSet: 127984017939998750
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAs59DyqCILbTp6QlW9AEAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 22
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=zut,DC=dev
isCriticalSystemObject: TRUE

dn: CN=Guest,CN=Users,DC=zut,DC=dev
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Guest
description: Built-in account for guest access to the computer/domain
distinguishedName: CN=Guest,CN=Users,DC=zut,DC=dev
instanceType: 4
whenCreated: 20060726165315.0Z
whenChanged: 20060726165315.0Z
uSNCreated: 8195
memberOf: CN=Guests,CN=Builtin,DC=zut,DC=dev
uSNChanged: 8195
name: Guest
objectGUID: i6vRlsc0fkGinFTZwjAqtQ==
userAccountControl: 66082
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 0
primaryGroupID: 514
objectSid: AQUAAAAAAAUVAAAAs59DyqCILbTp6QlW9QEAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Guest
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=zut,DC=dev
isCriticalSystemObject: TRUE

dn: CN=SUPPORT_388945a0,CN=Users,DC=zut,DC=dev
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: SUPPORT_388945a0
description: This is a vendor's account for the Help and Support Service
distinguishedName: CN=SUPPORT_388945a0,CN=Users,DC=zut,DC=dev
instanceType: 4
whenCreated: 20060726165315.0Z
whenChanged: 20060726165315.0Z
displayName: CN=Microsoft Corporation,L=Redmond,S=Washington,C=US
uSNCreated: 8196
memberOf: CN=HelpServicesGroup,CN=Users,DC=zut,DC=dev
uSNChanged: 8196
name: SUPPORT_388945a0
objectGUID: J32mRvsVM0uPrG+NcdaEIA==
userAccountControl: 66050
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 127984025823275000
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAs59DyqCILbTp6QlW6QMAAA==
accountExpires: 0
logonCount: 0
sAMAccountName: SUPPORT_388945a0
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=zut,DC=dev

dn: CN=krbtgt,CN=Users,DC=zut,DC=dev
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: krbtgt
description: Key Distribution Center Service Account
distinguishedName: CN=krbtgt,CN=Users,DC=zut,DC=dev
instanceType: 4
whenCreated: 20060726165513.0Z
whenChanged: 20060726171024.0Z
uSNCreated: 12320
uSNChanged: 13955
showInAdvancedViewOnly: TRUE
name: krbtgt
objectGUID: 9JOv4JKqqUaTPwB/fOibKw==
userAccountControl: 514
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 127984065135000000
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAs59DyqCILbTp6QlW9gEAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: krbtgt
sAMAccountType: 805306368
servicePrincipalName: kadmin/changepw
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=zut,DC=dev
isCriticalSystemObject: TRUE

dn: CN=Adelberto Farklebert,CN=Users,DC=zut,DC=dev
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Adelberto Farklebert
sn: Farklebert
description: Farkelbert, go get coffee.
givenName: farklebert
distinguishedName: CN=Adelberto Farklebert,CN=Users,DC=zut,DC=dev
instanceType: 4
whenCreated: 20060726211835.0Z
whenChanged: 20060726212343.0Z
displayName: Adelberto Farklebert
uSNCreated: 16431
uSNChanged: 16456
name: Adelberto Farklebert
objectGUID: mpKTooi24kmm2ImTtfeYrQ==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 127984223158125000
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAs59DyqCILbTp6QlWVQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: farklebert
sAMAccountType: 805306368
userPrincipalName: farklebert@zut.dev
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=zut,DC=dev

dn: CN=Germann Finkelstein,CN=Users,DC=zut,DC=dev
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Germann Finkelstein
sn: Finkelstein
description: Finkelstein, you suck!
givenName: Germann
distinguishedName: CN=Germann Finkelstein,CN=Users,DC=zut,DC=dev
instanceType: 4
whenCreated: 20060726212142.0Z
whenChanged: 20060726212323.0Z
displayName: Germann Finkelstein
uSNCreated: 16439
uSNChanged: 16455
name: Germann Finkelstein
objectGUID: szePL3thLEaklNErS8C35g==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 127984225029531250
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAs59DyqCILbTp6QlWVgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: finklestein
sAMAccountType: 805306368
userPrincipalName: finklestein@zut.dev
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=zut,DC=dev

dn: CN=Monsieur Du Con,CN=Users,DC=zut,DC=dev
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Monsieur Du Con
sn: Du Con
description: Monsieur est bien con !
givenName: Monsieur
distinguishedName: CN=Monsieur Du Con,CN=Users,DC=zut,DC=dev
instanceType: 4
whenCreated: 20060726212244.0Z
whenChanged: 20060726212309.0Z
displayName: Monsieur Du Con
uSNCreated: 16447
uSNChanged: 16454
name: Monsieur Du Con
objectGUID: KbCXF6bwcE2VHsgG+ioEKg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 127984225646250000
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAs59DyqCILbTp6QlWVwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: ducon
sAMAccountType: 805306368
userPrincipalName: ducon@zut.dev
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=zut,DC=dev

dn: CN=poopola,CN=Users,DC=zut,DC=dev
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: poopola
description: Created by vastool create user
distinguishedName: CN=poopola,CN=Users,DC=zut,DC=dev
instanceType: 4
whenCreated: 20060726213013.0Z
whenChanged: 20060726214608.0Z
displayName: poopola
uSNCreated: 16459
uSNChanged: 16464
name: poopola
objectGUID: H/o0TMxUvU+R+WqTkF9YsA==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 127984230133906250
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAs59DyqCILbTp6QlWWAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: poopola
sAMAccountType: 805306368
userPrincipalName: poopola@ZUT.DEV
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=zut,DC=dev

dn: CN=foouser1,CN=Users,DC=zut,DC=dev
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: foouser1
description: Created by vastool create user -i ...
distinguishedName: CN=foouser1,CN=Users,DC=zut,DC=dev
instanceType: 4
whenCreated: 20060726221207.0Z
whenChanged: 20060726222644.0Z
displayName: foouser1
uSNCreated: 16483
uSNChanged: 16491
name: foouser1
objectGUID: fFhCxq5LUEiUTFBHTpmnkA==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 127984255281875000
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAAs59DyqCILbTp6QlWWQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: foouser1
sAMAccountType: 805306368
userPrincipalName: foouser1@ZUT.DEV
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=zut,DC=dev
uidNumber: 99999
gidNumber: 1999
gecos: Foo User
unixHomeDirectory: /home/foouser1
loginShell: /bin/bash
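Note that only foouser1, the one created with -i, carries uidNumber/gidNumber/loginShell, which is exactly why it alone shows up in vastool list users. Here is an added example (not from the original notes, not part of vastool) that reads search output like the above and reports, per user object, whether it is Unix-enabled; it assumes the "attribute: value" layout shown and that objects lacking uidNumber stay AD-only.

```shell
#!/bin/sh
# Added example (not from the original notes). Summarises `vastool search`
# output, which is LDIF-style "attribute: value" lines with one "dn:" line
# per object, so you can see at a glance which user objects carry the Unix
# attributes (uidNumber, gidNumber, ...) that `create -i` writes. Assumption:
# only objects with those attributes show up in `vastool list users`.

# Read search output on stdin; print one line per user object:
#   <sAMAccountName> unix uid=<n> gid=<n>   or   <sAMAccountName> ad-only
# Computer objects are also objectClass user in AD, so they are skipped.
summarize_users() {
    awk '
        function emit() {
            if (dn != "" && isuser && !iscomp) {
                status = "ad-only"
                if (uid != "") status = "unix uid=" uid " gid=" gid
                printf "%s %s\n", sam, status
            }
            dn = ""; sam = ""; uid = ""; gid = ""; isuser = 0; iscomp = 0
        }
        /^dn: /                   { emit(); dn = substr($0, 5) }
        /^objectClass: user$/     { isuser = 1 }
        /^objectClass: computer$/ { iscomp = 1 }
        /^sAMAccountName: /       { sam = substr($0, 17) }
        /^uidNumber: /            { uid = substr($0, 12) }
        /^gidNumber: /            { gid = substr($0, 12) }
        END                       { emit() }
    '
}

# Constructed sample, trimmed to the attributes that matter here.
SAMPLE='dn: CN=poopola,CN=Users,DC=zut,DC=dev
objectClass: top
objectClass: user
cn: poopola
sAMAccountName: poopola
userPrincipalName: poopola@ZUT.DEV

dn: CN=foouser1,CN=Users,DC=zut,DC=dev
objectClass: top
objectClass: user
cn: foouser1
sAMAccountName: foouser1
uidNumber: 99999
gidNumber: 1999
unixHomeDirectory: /home/foouser1
loginShell: /bin/bash

dn: CN=TALIESIN,CN=Computers,DC=zut,DC=dev
objectClass: user
objectClass: computer
sAMAccountName: TALIESIN$'

# In real use: vastool -u administrator search "(objectCategory=Person)" | summarize_users
demo_summary() {
    printf '%s\n' "$SAMPLE" | summarize_users
}

demo_summary
```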
Query Active Directory for users without a UPN. How to search for an empty field? Use a negated presence filter: (!(userPrincipalName=*)) matches objects on which the attribute is absent, and asking for only the dn attribute keeps the output short:
russ@taliesin:~> vastool -u administrator search '(&(objectclass=user)(!(userPrincipalName=*)))' dn
Couldn't find that computer using rdesktop because I was looking through the wrong controller. Here it is:
russ@taliesin:~> vastool -u administrator -w test123 search "(objectCategory=Computer)" | grep annie
dn: CN=poo-poo-annie,CN=Computers,DC=a,DC=vas
cn: poo-poo-annie
distinguishedName: CN=poo-poo-annie,CN=Computers,DC=a,DC=vas
name: poo-poo-annie
dNSHostName: poo-poo-annie.a.vas
userPrincipalName: host/poo-poo-annie.a.vas@A.VAS
servicePrincipalName: host/poo-poo-annie.a.vas
Delete, for example, computer objects you’ve created in testing...
russ@taliesin:~> sudo vastool -u russellb delete -d computer \
    cn=myhostname,cn=computers,dc=vintela,dc=com
Successfully deleted computer "cn=myhostname,cn=computers,dc=vintela,dc=com".
russ@taliesin:~> sudo vastool -u administrator -w test123 delete computer \
    cn=poo-poo-annie,cn=Computers,dc=a,dc=vas
Successfully deleted computer "cn=poo-poo-annie,cn=Computers,dc=a,dc=vas".
Too many users or groups and you wait forever at the “Loading users cache...”, etc. prompt?
russ@taliesin:~> sudo vastool -u administrator join -f -u cn=Users,dc=a,dc=vas \
    -g cn=Users,dc=a,dc=vas a.vas
Another option is to specify the site explicitly, if you suspect you're being handed the a.vas domain controller in Australia, for example:
russ@taliesin:~> sudo vastool -u administrator join -f -s site1
Can you authenticate your host?
russ@taliesin:~> sudo vastool -u host/ auth -S host/
TALIESIN$@A.VAS was successfully authenticate to TALIESIN$@A.VAS.
When this works (resolv.conf first, then the join)...
domain vintela.com
nameserver 10.5.33.1
nameserver 10.5.33.2

russ@taliesin:~> sudo vastool -u russellb join -f vintela.com
Checking whether computer is already joined to a domain ... no
Password for russellb@VINTELA.COM:
Configuring forest root ... vintela.com ... OK
Configuring site ... Headquarters ... OK
Selecting server to use for join ... dunk.vintela.com ... OK
Joining computer to the domain as host/taliesin.vintela.com ... Failed
Joined using computer object "CN=taliesin,CN=Computers,DC=vintela,DC=com" ... OK
WARNING: Your computer was joined to the domain successfully, however, some optional attributes could not be set.
This is normal if you have only been delegated rights to join computers to a domain and not full access to modify computer attributes
Writing vas.conf ... OK
Populating misc cache ... OK
Detecting Schema Configuration ... OK
Loading users cache: .... OK
Loading groups cache: .... OK
Loading Domain Info cache: ... OK
Configuring Name Service Switch ...
Shutting down Name Service Cache Daemon..done
Starting Name Service Cache Daemon..done
OK
Configuring PAM Authentication ... OK
Starting VAS client daemon: vasd ... OK
But host zut no longer works (again resolv.conf, then the join at debug level 3)...
search zut.dev vas vintela.com
nameserver 10.5.38.126
nameserver 10.5.33.1
nameserver 10.5.33.2

russ@taliesin:~> sudo vastool -d 3 -u administrator join -f zut.dev
Checking whether computer is already joined to a domain ...
2007-03-15 10:31:06: _name_unknown_to_principal: Getting principal name for "host/" using _name_unknown_to_principal
2007-03-15 10:31:06: _name_service_to_principal: Getting principal name for "host/" using _name_service_to_principal
2007-03-15 10:31:06: _name_service_to_principal: Could not get principal name.
2007-03-15 10:31:06: libvas_srvinfo_detect_our_site_and_forest_root: Begin
2007-03-15 10:31:46: libvas_srvinfo_detect_our_site_and_forest_root: End returning 13
2007-03-15 10:31:46: _ctx_init_site_and_forest_root: checking rootDSE (anonymously) for forest root
2007-03-15 10:32:26: _name_unknown_to_principal: Getting principal name for "administrator" using _name_unknown_to_principal
2007-03-15 10:32:26: _name_user_to_principal: Getting principal name for "administrator"
2007-03-15 10:32:26: _name_user_to_principal: Returning principal name "administrator@ZUT.DEV" from _name_user_to_principal.
Password for administrator@ZUT.DEV:
2007-03-15 10:32:32: _ctx_init_site_and_forest_root: The forest_root is not set in the misc cache. Resorting to MSCLDAP ping.
2007-03-15 10:32:32: libvas_srvinfo_detect_our_site_and_forest_root: Begin
2007-03-15 10:33:12: libvas_srvinfo_detect_our_site_and_forest_root: End returning 13
2007-03-15 10:33:12: _ctx_init_site_and_forest_root: checking rootDSE (anonymously) for forest root
ERROR: Could not authenticate as administrator.
VAS_ERR_KRB5: at ticket.c:77 in _ticket_generate_good_error
Failed to obtain credentials. Client: administrator@ZUT.DEV, Service: krbtgt/ZUT.DEV@ZUT.DEV, Server: (null)
Caused by: KRB5_KDC_UNREACH (-1765328228): Cannot contact any KDC for requested realm
Reason: unable to reach any KDC in realm ZUT.DEV
ERROR: Could not join to the domain
No error message available
2007-03-15 10:34:32: vastool command: vastool -d 3 -u administrator join -f ZUT.DEV
It's a pretty simple problem: you probably can't ping zut.dev either, so if that controller is up and running, its address has changed. The 40-second gaps between each "Begin" and "End returning 13" in the debug output are the site/forest-root lookups timing out before the final KRB5_KDC_UNREACH.
Here’s how to see what’s in the keytab file. See bug #9719 for juicy details.
russ@taliesin:~> sudo vastool ktutil list
/etc/opt/quest/vas/host.keytab:
Vno  Type              Principal
  1  arcfour-hmac-md5  host/taliesin.vintela.com@VINTELA.COM
  1  arcfour-hmac-md5  TALIESIN$@VINTELA.COM
  1  arcfour-hmac-md5  cifs/taliesin.vintela.com@VINTELA.COM
  1  arcfour-hmac-md5  host/TALIESIN@VINTELA.COM
Rids all the PAM files (or file) of VAS.
If VAS can’t find the KDC (Kerberos key-distribution center), that means the environment needs some tweaking.
Most likely DNS isn’t set up for the DCs. Next most likely is some form of firewalling, stopping either DNS or communication with Active Directory.
If there are no DNS entries for the domain, or heavy firewalling keeping the *nix host from receiving the information it needs, there is still hope.
What is really needed is TCP ports 88 (Kerberos), 389 (LDAP), and 464 (kpasswd) open to the Active Directory server, and the ephemeral ports coming back.
Here is an example setup:
Modify /etc/hosts adding the entry:
192.168.0.45 dc01.example.com dc01 example.com
This makes it so the host doesn’t need DNS; both the domain and the domain controller will resolve to the proper IP address.
Use iptables to block everything else outbound (chain and target names are case-sensitive: OUTPUT and ACCEPT, not output and accept):
iptables -A OUTPUT -p tcp --dport 88 -d dc01.example.com -j ACCEPT
iptables -A OUTPUT -p tcp --dport 389 -d dc01.example.com -j ACCEPT
iptables -A OUTPUT -p tcp --dport 464 -d dc01.example.com -j ACCEPT
iptables -A OUTPUT -j DROP
This is trying to simulate a DMZ with only the absolute essentials open.
Then...
vastool configure vas libvas use-tcp-only true
This makes VAS only use TCP for Kerberos calls.
Join like this:
vastool -u ... join ... example.com dc01.example.com
This joins to a specific domain controller.
In that scenario, the join is successful and users can log in locally.