The Glade 4.0 https://gladerebooted.net/
LDAP question https://gladerebooted.net/viewtopic.php?f=5&t=10960
Author: Mookhow [ Wed May 28, 2014 10:05 am ]
Post subject: LDAP question
Is anybody here an LDAP expert? Specifically, I have a question about port 389 across trusted domains. I have a Windows 2008 server that is part of domain A. However, I see in the firewall logs that every 5 minutes, the server is trying to open a connection on port 389 to the domain controllers of a domain B. The server should not know anything about domain B, other than that domain A and domain B have a trust relationship. Oddly though, there is a third domain, domain C, which this server is not trying to talk to. I'm trying to track down this behavior and determine if the behavior is legitimate, what is causing it, and if it's optional behavior. If I can't stop this behavior from occurring, I will need to request the port be opened up on the firewall. Does anyone know how to troubleshoot this?
Author: Kaffis Mark V [ Wed May 28, 2014 10:20 am ]
I wouldn't call myself an LDAP expert, by any means, but if the server's trying to get information from domain B, it can come up with the addresses of domain B's DC(s) via DNS. Is your 2008 server a DC for domain A? Oh, or, more likely... is there anything trying to access resources on your server that's trying to use credentials from domain B? Could be a service, could be some domain B user trying to access shared files on the server, and so on. When the domain B credentials are presented to your server, your server says "Yeah, I'm supposed to trust domain B, let me check with domain B to see if those credentials are legit, and what groups they correspond to" -- thus trying to open up an LDAP request to domain B.
Author: Mookhow [ Wed May 28, 2014 10:48 am ]
Post subject: Re: LDAP question
I think I figured it out. The server has monitoring software installed, and I had it performing WMI monitoring of some servers on domain B. Apparently, the monitoring software, when doing WMI, wants to query the LDAP of domain B and it is trying to get to its domain controllers. Even though it's failing, the WMI monitoring was working so I didn't make a connection between the two. I did turn off the monitoring just to eliminate variables, and most of the connection attempts stopped, but it was still trying to connect every few minutes. When I uninstalled some patch management software from the same server, the LDAP connection attempts stopped completely. Now that I know why the server is trying to connect to these domain controllers, I can go to the network admin and request the port be opened. |
Author: Midgen [ Wed May 28, 2014 1:53 pm ]
Wait, your network admins require that system and application owners actually know how their systems work before they allow access control changes? Must be nice... Around here we get requests like... "YOUR FIREWALL IS CAUSING THE BUSINESS TO FAIL - FIX IT NAO!!!" |
Author: Müs [ Wed May 28, 2014 2:09 pm ]
Post subject: Re:
Midgen wrote: Wait, your network admins require that system and application owners actually know how their systems work before they allow access control changes? Must be nice... Around here we get requests like... "YOUR FIREWALL IS CAUSING THE BUSINESS TO FAIL - FIX IT NAO!!!"
Sounds like our customers. "Your service is terrible! It's garbled and staticky!" Um... your circuit is a 56k dial-up running on an old 3Com ISA modem (exaggerating slightly). What part of "VOIP is only as good as your broadband connection" didn't you understand when you purchased it?
Author: Mookhow [ Wed May 28, 2014 2:15 pm ]
Post subject: Re: LDAP question
I don't know that my network admin requires that knowledge, but I feel it's the right thing to do. I mean, how am I supposed to support something if I don't know how it works? On topic with the original problem, I had the network admin open port 389, and suddenly the firewall logs started getting bombarded with denied port 88 requests. Like 20 per second. I had to disable my software until he could open that port as well. Now everything is nice and quiet. From my server, at least. |
Author: Midgen [ Wed May 28, 2014 5:56 pm ]
MSDN wrote: TCP and UDP 88: User and Computer Authentication, Forest Level Trusts (Kerberos)
Author: Stathol [ Sun Jun 08, 2014 10:26 pm ]
Kerberos bites you, Kerberos bites you. You die. For future reference, I usually use TCPView from the Sysinternals suite to debug this kind of thing because the Windows netstat command is bad and should feel bad. Edit: also, Sysinternals is love. Sysinternals is life.
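The two things the thread does by hand, working out which DCs of the trusted domain the server will resolve (Kaffis's point about DNS) and pinning each outbound LDAP/Kerberos attempt to the process that opened it (what Stathol does with TCPView), as one added PowerShell example. This is not code from the thread or from any product mentioned in it. The domain name domainb.example, the port list, the poll window and the interval are assumptions; the script needs Get-NetTCPConnection, which exists on Windows Server 2012 and later, so on the 2008 box in the thread the equivalent is netstat -ano or TCPView.

```powershell
<#
  Added example (not from the forum thread). Lists the DCs a member resolves
  for a trusted domain and attributes outbound DC-port connection attempts to
  the owning process and, for svchost, to the services hosted in that PID.

  Assumptions (hypothetical): trusted domain "domainb.example"; run elevated on
  Windows Server 2012+ (NetTCPIP module); poll window and interval are arbitrary.
#>
param(
    [string]$TrustedDomain   = 'domainb.example',  # assumption: the trusted domain B
    [int]   $PollSeconds     = 900,                # longer than the 5-minute cadence seen in the logs
    [int]   $IntervalSeconds = 2                   # short enough to catch SynSent before it times out
)

# Ports a domain member uses toward a DC: LDAP, LDAPS, global catalog,
# Kerberos, kpasswd and the RPC endpoint mapper.
$DcPorts = 389, 636, 3268, 3269, 88, 464, 135

# 1. Which DCs will this host resolve for the trusted domain? This is the same
#    SRV lookup the DC locator performs, so the addresses should match the
#    destinations in the firewall logs.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDomain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
$dcHosts = $srv.NameTarget | Sort-Object -Unique
$dcIPs   = foreach ($h in $dcHosts) {
    (Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue).IPAddress
}
Write-Host "DCs for $TrustedDomain : $($dcHosts -join ', ')"
Write-Host "Addresses to watch     : $($dcIPs -join ', ')"

# 2. Poll the TCP table and map each matching connection to its owner. An
#    attempt dropped by an upstream firewall sits in SynSent for roughly 20 s
#    while TCP retransmits, so a 2 s poll is enough to catch it.
$seen     = @{}
$deadline = (Get-Date).AddSeconds($PollSeconds)
while ((Get-Date) -lt $deadline) {
    $hits = Get-NetTCPConnection -ErrorAction SilentlyContinue |
            Where-Object { $DcPorts -contains $_.RemotePort -and $dcIPs -contains $_.RemoteAddress }
    foreach ($c in $hits) {
        $key = '{0}|{1}|{2}' -f $c.OwningProcess, $c.RemoteAddress, $c.RemotePort
        if ($seen.ContainsKey($key)) { continue }

        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        # svchost.exe hosts many services; name the ones in this PID so the
        # answer is "the X service", not just "svchost".
        $svcs = (Get-CimInstance Win32_Service -Filter "ProcessId = $($c.OwningProcess)").Name -join ','

        $seen[$key] = [pscustomobject]@{
            Time     = Get-Date -Format 'HH:mm:ss'
            PID      = $c.OwningProcess
            Process  = $proc.ProcessName
            Path     = $proc.Path
            Services = $svcs
            Remote   = '{0}:{1}' -f $c.RemoteAddress, $c.RemotePort
            State    = $c.State
        }
        $seen[$key] | Format-Table -AutoSize | Out-String | Write-Host
    }
    Start-Sleep -Seconds $IntervalSeconds
}

# 3. One row per (process, DC, port): the list that goes into the
#    firewall-change request, so 389 and 88 get requested together.
$seen.Values | Sort-Object PID, Remote | Format-Table -AutoSize
```

Run it for longer than the cycle you see in the firewall logs; anything periodic shows up as a new row the first time it fires. If polling is impractical, the no-polling alternative is to enable the "Filtering Platform Connection" audit subcategory with auditpol and read events 5156 and 5157 from the Security log, whose Application Name field names the binary for every permitted or blocked connection, including attempts too short-lived for netstat.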