Open-AudIT

Hi people;

I need help to integrate, OpenAudiT 1.2.1 (Ubuntu version) with Windows Active Directory.

Look my problem:

The username “teste.openaudit” is a valid user at AD, when I click on login and I go to capture the all packets output to port 389, I get the response below.

root@vm-openaudith01:~# tcpdump -ni eth0 src host 172.16.20.54 and dst host 10.1.1.2 and port 389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:48:54.665458 IP 172.16.20.54.57775 > 10.1.1.2.389: Flags [S], seq 3091563126, win 14600, options [mss 1460,sackOK,TS val 88898464 ecr 0,nop,wscale 4], length 0
13:48:54.666310 IP 172.16.20.54.57775 > 10.1.1.2.389: Flags [.], ack 3465381985, win 913, options [nop,nop,TS val 88898465 ecr 196324077], length 0
13:48:54.666416 IP 172.16.20.54.57775 > 10.1.1.2.389: Flags [P.], seq 0:57, ack 1, win 913, options [nop,nop,TS val 88898465 ecr 196324077], length 57
13:48:54.673770 IP 172.16.20.54.57775 > 10.1.1.2.389: Flags [.], ack 111, win 913, options [nop,nop,TS val 88898467 ecr 196324077], length 0
13:48:54.676293 IP 172.16.20.54.57775 > 10.1.1.2.389: Flags [P.], seq 57:64, ack 111, win 913, options [nop,nop,TS val 88898467 ecr 196324077], length 7
13:48:54.676396 IP 172.16.20.54.57775 > 10.1.1.2.389: Flags [F.], seq 64, ack 111, win 913, options [nop,nop,TS val 88898467 ecr 196324077], length 0

So, I concluded the follow:

1º - Exist communication between OpenAudiT and AD;
2º – The username, password are correct. Nevertheless, I can't login.

When I put the same username with wrong password. I get the message “Incorrect credentials”.

I do not got error in apache file “error.log for example” or any other file.

The open-audit.log displays the following message.

root@vm-openaudith01:~# tail -f /usr/local/open-audit/other/open-audit.log
Apr 30 16:04:00 vm-openaudith01 13064 C:discovery F:process_subnet SMBClient copy of audit_domain.vbs to 10.1.1.2 has succeeded.
Apr 30 16:04:00 vm-openaudith01 13064 C:discovery F:process_subnet SMBClient copy of audit_windows.vbs to 10.1.1.2 has succeeded.
Apr 30 16:04:00 vm-openaudith01 13064 C:discovery F:process_subnet Attempt to run audit_domain.vbs on 10.1.1.2 has succeeded.
Apr 30 16:06:08 vm-openaudith01 13061 C:discovery F:discover_active_directory U:Administrator Discovery AD submitted for mt.transportes.gov.br.
Apr 30 16:06:09 vm-openaudith01 13061 C:discovery F:process_subnet SMBClient copy of audit_domain.vbs to 10.1.1.2 has succeeded.
Apr 30 16:06:09 vm-openaudith01 13061 C:discovery F:process_subnet SMBClient copy of audit_windows.vbs to 10.1.1.2 has succeeded.
Apr 30 16:06:09 vm-openaudith01 13061 C:discovery F:process_subnet Attempt to run audit_domain.vbs on 10.1.1.2 has succeeded.

That version wasn't installed on the same place where was the last one. This machine is completely new. Was created only to comport that application. I still have the last version totally funcional in another place. I do not put error message here because look, I not have that. I saw all logs files but nothing. I followed all step necessary, exactly how described on OpenAudit page. I would like to know if there are something I need do in another config file. This application needs authentication in Windows Active Directory (2008).

I installed the OpenAudiT version 1.0 for linux(ubuntu) and do not had this problem, but now with that new version, my god I'm very confused.

If you do not have the teste.openaudit user created in OpenAudit but the user exists in AD and you attempt to log on to OpenAudit as teste.openaudit you won't be able to log on and you will not get the "Invalid Credentials" message. So make sure teste.openaudit is created in OpenAudit (Admin->Users->Add a User) with a random password.

Sorry my friend, I'm too embarrassed because this, but you are correct. Thank you.