The Glade 4.0

"Turn the lights down, the party just got wilder."
It is currently Sun Nov 24, 2024 3:39 am

All times are UTC - 6 hours [ DST ]




Post new topic Reply to topic  [ 8 posts ] 
Author Message
 Post subject: LDAP question
PostPosted: Wed May 28, 2014 10:05 am 
Offline
God of the IRC
User avatar

Joined: Wed Sep 02, 2009 7:35 pm
Posts: 3041
Location: The United States of DESU
Is anybody here an LDAP expert? Specifically, I have a question about port 389 across trusted domains.

I have a Windows 2008 server that is part of domain A. However, I see in the firewall logs that every 5 minutes, the server is trying to open ax connection on port 389 to the domain controllers of a domain B. The server should not know anything about domain B, other than that domain A and domain B have a trust relationship. Oddly though, there is av third domain, domain C, which this server is not trying to talk to.

I'm trying to track down this behavior and determine if the behavior is legitimate, what is causing it, and if it's optional behavior. If I can't so this behavior from occurring, I will need to request the port be opened up on the firewall.

Does anyone know how to troubleshoot this?

_________________
Image


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed May 28, 2014 10:20 am 
Offline
User avatar

Joined: Wed Sep 02, 2009 7:59 pm
Posts: 9412
I wouldn't call myself an LDAP expert, by any means, but if the server's trying to get information from domain B, it can come up with the addresses of domain B's DC(s) via DNS.

Is your 2008 server a DC for domain A?

Oh, or, more likely.. is there anything trying to access resources on your server that's trying to use credentials from domain B? Could be a service, could be some domain B user trying to access shared files on the server, and so on.

When the domain B credentials are presented to your server, your server says "Yeah, I'm supposed to trust domain B, let me check with domain B to see if those credentials are legit, and what groups they correspond to" -- thus trying to open up an LDAP request to domain B.

_________________
"Aaaah! Emotions are weird!" - Amdee
"... Mirrorshades prevent the forces of normalcy from realizing that one is crazed and possibly dangerous. They are the symbol of the sun-staring visionary, the biker, the rocker, the policeman, and similar outlaws." - Bruce Sterling, preface to Mirrorshades


Top
 Profile  
Reply with quote  
 Post subject: Re: LDAP question
PostPosted: Wed May 28, 2014 10:48 am 
Offline
God of the IRC
User avatar

Joined: Wed Sep 02, 2009 7:35 pm
Posts: 3041
Location: The United States of DESU
I think I figured it out. The server has monitoring software installed, and I had it performing WMI monitoring of some servers on domain B. Apparently, the monitoring software, when doing WMI, wants to query the LDAP of domain B and it is trying to get to its domain controllers. Even though it's failing, the WMI monitoring was working so I didn't make a connection between the two. I did turn off the monitoring just to eliminate variables, and most of the connection attempts stopped, but it was still trying to connect every few minutes. When I uninstalled some patch management software from the same server, the LDAP connection attempts stopped completely.

Now that I know why the server is trying to connect to these domain controllers, I can go to the network admin and request the port be opened.

_________________
Image


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed May 28, 2014 1:53 pm 
Offline
User avatar

Joined: Thu Sep 03, 2009 3:08 am
Posts: 6465
Location: The Lab
Wait, your network admins require that system and application owners actually know how their systems work before they allow access control changes?

Must be nice...

Around here we get requests like... "YOUR FIREWALL IS CAUSING THE BUSINESS TO FAIL - FIX IT NAO!!!"


Top
 Profile  
Reply with quote  
 Post subject: Re:
PostPosted: Wed May 28, 2014 2:09 pm 
Offline
I got nothin.
User avatar

Joined: Thu Sep 03, 2009 7:15 pm
Posts: 11160
Location: Arafys, AKA El Müso Guapo!
Midgen wrote:
Wait, your network admins require that system and application owners actually know how their systems work before they allow access control changes?

Must be nice...

Around here we get requests like... "YOUR FIREWALL IS CAUSING THE BUSINESS TO FAIL - FIX IT NAO!!!"


Sounds like our customers. "Your service is terrible! Its garbled and staticky!"

Um... your circuit is a 56k dial up running on an old 3Com ISA modem(Exaggerating slightly). What part of "VOIP is only as good as your broadband connction" didn't you understand when you purchased it?

_________________
Image
Holy shitsnacks!


Top
 Profile  
Reply with quote  
 Post subject: Re: LDAP question
PostPosted: Wed May 28, 2014 2:15 pm 
Offline
God of the IRC
User avatar

Joined: Wed Sep 02, 2009 7:35 pm
Posts: 3041
Location: The United States of DESU
I don't know that my network admin requires that knowledge, but I feel it's the right thing to do. I mean, how am I supposed to support something if I don't know how it works?

On topic with the original problem, I had the network admin open port 389, and suddenly the firewall logs started getting bombarded with denied port 88 requests. Like 20 per second. I had to disable my software until he could open that port as well. Now everything is nice and quiet. From my server, at least.

_________________
Image


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed May 28, 2014 5:56 pm 
Offline
User avatar

Joined: Thu Sep 03, 2009 3:08 am
Posts: 6465
Location: The Lab
MSDN wrote:
TCP and UDP 88:
User and Computer Authentication, Forest Level Trusts (Kerberos}


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Sun Jun 08, 2014 10:26 pm 
Offline
Lean, Mean, Googling Machine
User avatar

Joined: Thu Sep 03, 2009 9:35 am
Posts: 2903
Location: Maze of twisty little passages, all alike
Kerberos bites you, kerberos bites you. You die.

For future reference, I usually use tcpview from the sysinternals suite to debug this kind of thing because the Windows netstat command is bad and should feel bad.

Edit: also, Sysinternals is love. Sysinternals is life.

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 8 posts ] 

All times are UTC - 6 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 89 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group