Managing Active Directory from Linux with adtool
Update Early and Often
Remember, a software update for any project can cause mysterious problems to go away – or to appear. So, if you're experiencing issues with adtool and are confident that your queries and commands are using the proper syntax, and if you are convinced that your LDAP and Active Directory servers are properly configured, you might simply need to use a different version of adtool. As of this writing, the most current version is 1.3.3. Use that version unless you find that using an older version somehow resolves any connection problems you might be having.
So, you now have a good understanding of how to use adtool to administer a Microsoft domain controller. Using adtool across an encrypted connection gives you the ability to use your Linux system as efficiently as a Windows system. adtool is a powerful tool, and you now know many of the commands that will allow you to work and play well with Microsoft systems.
Adtool and Password Complexity
I've noticed over the years that quite a few adtool newbies have problems troubleshooting a new adtool implementation because of password requirements. Systems administrators sometimes use a simple password for a "dummy" user when testing a new application such as adtool.
Make sure you use a sufficiently complex password that Microsoft domain controllers like. Usually, systems expect your password to fulfill three of the following five categories: Uppercase letters, lowercase letters, base 10 digits, non-alphanumeric characters, and unicode characters. For more information about password complexity on Microsoft networks, consult Microsoft's TechNet site .
Reverse DNS and adtool
Authentication issues can get particularly sticky when you are using SSL-enabled connections. Error messages such as the following will often appear in your logs:
Invalid credentials (49) additional info: 720408159: \ LdapErr: DSID-0C090334, \ comment: AcceptSecurityContext error, data 525, vece
In some cases, I've noticed that Microsoft domain controllers sometimes expect valid reverse DNS at login time. So, if you haven't properly set up reverse DNS, you'll run into problems. If you encounter errors that mention an authentication failure and then bind, consider creating or updating reverse DNS in bind. That will most likely solve any problems you have, as long as you are not experiencing a larger authentication issue.
- adtool: http://gp2x.org/adtool/
- Debian "squeeze" admin packages: http://packages.debian.org/squeeze/admin/
- adtool Removed from Testing: http://packages.qa.debian.org/a/adtool/news/20120313T163912Z.html
- Splunk: http://www.splunk.com
- Open LDAP: http://www.openldap.org
- TinyCA: http://www.sm-zone.net
- TechNet on Passwords: http://technet.microsoft.com/en-us/library/cc875814.aspx
Buy this article as PDF
Powerful man-in-the-middle attack is now targeting online shopping.
Another high-profile coder says the kernel team needs a kinder, gentler culture.
Bug database has a bug of its own that could allow an intruder to create an unauthorized account.
Report focuses federal resources on achieving universal Internet access.
Leading browser makers say “no” to porous encryption algorithm
Report from the X-Force group says attackers are using TOR to hide their crimes
Future Firefox extensions will be compatible with Chrome.
Better read this if you bought your computer before 2011
Users should upgrade to the new version as soon as possible
Xen project announces a privilege escalation problem for Qemu host systems