Managing Active Directory from Linux with adtool
Update Early and Often
Remember, a software update for any project can cause mysterious problems to go away – or to appear. So, if you're experiencing issues with adtool and are confident that your queries and commands are using the proper syntax, and if you are convinced that your LDAP and Active Directory servers are properly configured, you might simply need to use a different version of adtool. As of this writing, the most current version is 1.3.3. Use that version unless you find that using an older version somehow resolves any connection problems you might be having.
So, you now have a good understanding of how to use adtool to administer a Microsoft domain controller. Using adtool across an encrypted connection gives you the ability to use your Linux system as efficiently as a Windows system. adtool is a powerful tool, and you now know many of the commands that will allow you to work and play well with Microsoft systems.
Adtool and Password Complexity
I've noticed over the years that quite a few adtool newbies have problems troubleshooting a new adtool implementation because of password requirements. Systems administrators sometimes use a simple password for a "dummy" user when testing a new application such as adtool.
Make sure you use a sufficiently complex password that Microsoft domain controllers like. Usually, systems expect your password to fulfill three of the following five categories: Uppercase letters, lowercase letters, base 10 digits, non-alphanumeric characters, and unicode characters. For more information about password complexity on Microsoft networks, consult Microsoft's TechNet site .
Reverse DNS and adtool
Authentication issues can get particularly sticky when you are using SSL-enabled connections. Error messages such as the following will often appear in your logs:
Invalid credentials (49) additional info: 720408159: \ LdapErr: DSID-0C090334, \ comment: AcceptSecurityContext error, data 525, vece
In some cases, I've noticed that Microsoft domain controllers sometimes expect valid reverse DNS at login time. So, if you haven't properly set up reverse DNS, you'll run into problems. If you encounter errors that mention an authentication failure and then bind, consider creating or updating reverse DNS in bind. That will most likely solve any problems you have, as long as you are not experiencing a larger authentication issue.
- adtool: http://gp2x.org/adtool/
- Debian "squeeze" admin packages: http://packages.debian.org/squeeze/admin/
- adtool Removed from Testing: http://packages.qa.debian.org/a/adtool/news/20120313T163912Z.html
- Splunk: http://www.splunk.com
- Open LDAP: http://www.openldap.org
- TinyCA: http://www.sm-zone.net
- TechNet on Passwords: http://technet.microsoft.com/en-us/library/cc875814.aspx
Buy this article as PDF
Xen project announces a privilege escalation problem for Qemu host systems
Attackers can compromise an Android phone just by sending a text message
PC vendor will pre-install Ubuntu on portables in India.
More embarrassment for Adobe's embattled multimedia tool
Mozilla’s script blocker add-on could be putting malware sites on the whitelist.
The Internet community officially banishes the notoriously unsafe Secure Sockets Layer protocol.
Popular desktop environment continues the Gnome 2 legacy – with new support for the Gnome 3 toolkit.
The Obama White House has issued a memorandum telling all US government agencies they must use HTTPS for all websites and web communication.
New program will dial up security for the Firefox browser.
Red Hat's community distro embraces the cloud.