
Active Directory has a bug! (network tracing everywhere)

Recently I was checking replication in an AD environment with 450+ Domain Controllers, which had minor problems due to the WAN links at some branch offices. Then a developer turns up complaining that running the same LDAP query against 2 different DCs gives a different answer! I admit it sounded interesting, but I doubted that something like that could really be the case.

So I immediately checked replication on the 2 suspect DCs with the command

repadmin /replsum <server name>

which showed there was absolutely no replication problem. So I told the colleague there was no problem, but he insisted there definitely was an issue.

To get to the bottom of it, I asked what exactly the LDAP query was requesting that returned different answers. It was the group membership of a user: from dcA he saw 6 groups, from dcB only 1.

To verify this myself I ran the commands

dsquery * -s dcA "cn=user,ou=somewhere,dc=root,dc=gr" -attr memberOf

dsquery * -s dcB "cn=user,ou=somewhere,dc=root,dc=gr" -attr memberOf

Essentially these commands run an LDAP query asking the DC/LDAP servers to return the value of the memberOf attribute, which holds the user's group membership. Note the use of Distinguished Names, which is the default way of identifying objects in the dsquery, dsget, dsmod etc. commands. A similar command is

dsget user -s dcA "cn=user,ou=somewhere,dc=root,dc=gr" -memberof

In all cases the answer was the same (6 groups) from the DCs on which the custom utility was failing to get correct results. Given the colleague's insistence, I saw no other way than to ask for the tool he was using so I could investigate it first-hand.

So I ran the utility along with a network trace to see the LDAP queries it performs. The LDAP protocol, when not using SSL (LDAPS, port 636), is clear text, so the contents can be read without difficulty using the display filter tcp.port==389.

Using the custom LDAP tool I requested the group membership of the user in question from the 2 DCs, and indeed got different results!

Still not convinced, I said that the answer comes back correctly from the DCs but for some reason the LDAP tool does not display it. So I first checked the size of the final reply to the 2 queries.

Here the first surprise awaited me, as shown below:

From the 1st DC the reply has a size of 1004 bytes, while from the 2nd the reply has a size of 446 bytes!!

Very strange, so I went on to check the contents of the 2 packets in question (packet details). Here the second surprise awaited me:

The 1st DC returns 6 groups (memberOf) while the 2nd returns only 1!!

Well, there must be ghosts, it cannot be explained otherwise! The developer of the LDAP tool is right.

There is a BUG in Active Directory!!!

The reveal

Still skeptical, I continued investigating the whole LDAP exchange performed by the tool, which executes its steps as follows:

From the network trace I can see that it performs a series of steps, i.e. LDAP queries.

First the username (samAccountName) is given as input, and the tool uses it to look up the user's cn (canonicalName). That is, we give user01 and it finds the cn, e.g. "Georgios K. Kostantina".

Strange that the programmer chose to handle it this way, but let's move on and see what happens.

The reply returns the user's full name (xxxxxx K. Kostantina), so the LDAP tool continues by looking up the group membership of the user with that full name (CN).

The CN is sent to the 2 different DCs and the tool waits for the memberOf attribute (group membership).

What is actually happening is a name collision: there are 2 "xxxxxx K. Kostantina" users, and these 2 users do not belong to the same groups.

This is clearly visible from the Distinguished Names of the 2 users: they have the same CN, but they are different objects and therefore belong to different OUs.

CN=user01,OU=Users,OU=GrandsUsers,OU=InteractiveUsers,OU=AllUsers,DC=axyz,DC=root,DC=abc12,DC=gr

CN=user01,OU=TemporaryUsersPool,OU=GrandsUsers,OU=InteractiveUsers,OU=AllUsers,DC=axyz,DC=root,DC=abc12,DC=gr

The above was also confirmed through the "Active Directory Users & Computers" console.

In closing..

So the application's design led to wrong conclusions, based on the assumption that the application (the LDAP query tool) was entirely correct and that the problem must therefore lie on the Active Directory side. The problem would have been avoided if, instead of the CN, the Distinguished Name (cn=user01,ou=…,dc=..) or the samAccountName had been chosen.
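To make the failure mode concrete, here is an added example that is not code from the original post or from the tool it describes. It models the two-step flow the trace revealed (samAccountName to CN, then CN to memberOf, keeping the first hit) against two in-memory "DC" replicas holding the same two objects, and beside it the lookup keyed on samAccountName or on the DN that refuses anything but exactly one match. The post calls cn the canonicalName; in the AD schema cn is the commonName attribute, and it is not unique across the directory. Assumptions made here: the two replicas return search results in a different order (LDAP does not guarantee result order), and the samAccountName values and group names are constructed.

```python
"""Added example (not the post's code): why a lookup keyed on the CN can pick a
different user on each DC, and why keying on the DN or sAMAccountName cannot.

The two "DCs" are in-memory replicas with identical content (replication is
healthy, as repadmin showed in the post); they only differ in the order in
which they return search results, which is an assumption used to model the
symptom. No real LDAP server is involved.
"""
from collections import Counter

SUFFIX = "OU=GrandsUsers,OU=InteractiveUsers,OU=AllUsers,DC=axyz,DC=root,DC=abc12,DC=gr"
# Constructed group DNs; the post only gives the counts (6 and 1).
GROUPS = [f"CN=Group{i},OU=Groups,DC=axyz,DC=root,DC=abc12,DC=gr" for i in range(1, 7)]

USER_PERMANENT = {                      # the user the developer actually meant
    "dn": f"CN=user01,OU=Users,{SUFFIX}",
    "cn": "user01",
    "sAMAccountName": "user01",         # assumed value
    "memberOf": GROUPS,                 # 6 groups, as seen from dcA in the post
}
USER_TEMPORARY = {                      # the namesake in the temporary pool
    "dn": f"CN=user01,OU=TemporaryUsersPool,{SUFFIX}",
    "cn": "user01",                     # same CN: the name collision
    "sAMAccountName": "user01.tmp",     # assumed; must be unique within a domain
    "memberOf": GROUPS[:1],             # 1 group, as seen from dcB in the post
}

DC_A = [USER_PERMANENT, USER_TEMPORARY]
DC_B = [USER_TEMPORARY, USER_PERMANENT]   # same objects, different result order


def search(directory, attr, value):
    """Simulate a subtree search with filter (attr=value); LDAP matching is case-insensitive."""
    return [e for e in directory if str(e.get(attr, "")).lower() == value.lower()]


def tool_lookup_by_cn(directory, sam):
    """The flawed two-step flow reconstructed from the trace:
    sAMAccountName -> CN, then CN -> memberOf, silently keeping the first hit."""
    cn = search(directory, "sAMAccountName", sam)[0]["cn"]
    return search(directory, "cn", cn)[0]["memberOf"]


def lookup_by_samaccountname(directory, sam):
    """Corrected flow: key on sAMAccountName and refuse anything but exactly one hit."""
    hits = search(directory, "sAMAccountName", sam)
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} objects match sAMAccountName={sam!r}")
    return hits[0]["memberOf"]


def lookup_by_dn(directory, dn):
    """Alternative corrected flow: read the single object identified by its DN."""
    hits = search(directory, "dn", dn)
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} objects match DN {dn!r}")
    return hits[0]["memberOf"]


def find_duplicate_cns(directory):
    """Defender's check: CNs occurring more than once, i.e. keys that can never be unique."""
    counts = Counter(e["cn"].lower() for e in directory)
    return {cn: n for cn, n in counts.items() if n > 1}


def consistent_across_dcs(lookup, key, dcs):
    """True when every DC returns the same membership for the same key."""
    results = [set(lookup(dc, key)) for dc in dcs]
    return all(r == results[0] for r in results)


if __name__ == "__main__":
    for label, fn in (("by CN (tool)", tool_lookup_by_cn),
                      ("by sAMAccountName", lookup_by_samaccountname)):
        counts = [len(fn(dc, "user01")) for dc in (DC_A, DC_B)]
        ok = consistent_across_dcs(fn, "user01", [DC_A, DC_B])
        print(f"{label}: dcA={counts[0]} groups, dcB={counts[1]} groups, consistent={ok}")
    print("duplicate CNs:", find_duplicate_cns(DC_A))
```

Run as-is, the CN-keyed lookup reports 6 groups from dcA and 1 from dcB, exactly the discrepancy the trace showed, while the samAccountName-keyed lookup agrees on both replicas. The `find_duplicate_cns` check is the part worth keeping around: running the equivalent query against a real directory before trusting any CN-based integration tells you up front whether that key can be relied on.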

Finally, as an analogy for anyone who may have got confused: the above is like calling directory assistance and asking for the phone number of "Kostas Papadopoulos" without giving any further information (address, postcode, occupation etc.)!

How many different results would we get? That is exactly how directories work, whether they are telephone directories or LDAP. :)

Comments

  • Anonymous
    January 01, 2003
    That's how it is, my friend Kostas, but what can you say!

  • Anonymous
    December 10, 2010
    So AD doesn't have a bug, the ldap tool does.