Hi people;
I need help integrating OpenAudiT 1.2.1 (Ubuntu version) with Windows Active Directory.
Look at my problem:
The username “teste.openaudit” is a valid user in AD. When I click on login and capture all the packets going out to port 389, I get the output below.
root@vm-openaudith01:~# tcpdump -ni eth0 src host 172.16.20.54 and dst host 10.1.1.2 and port 389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:48:54.665458 IP 172.16.20.54.57775 > 10.1.1.2.389: Flags [S], seq 3091563126, win 14600, options [mss 1460,sackOK,TS val 88898464 ecr 0,nop,wscale 4], length 0
13:48:54.666310 IP 172.16.20.54.57775 > 10.1.1.2.389: Flags [.], ack 3465381985, win 913, options [nop,nop,TS val 88898465 ecr 196324077], length 0
13:48:54.666416 IP 172.16.20.54.57775 > 10.1.1.2.389: Flags [P.], seq 0:57, ack 1, win 913, options [nop,nop,TS val 88898465 ecr 196324077], length 57
13:48:54.673770 IP 172.16.20.54.57775 > 10.1.1.2.389: Flags [.], ack 111, win 913, options [nop,nop,TS val 88898467 ecr 196324077], length 0
13:48:54.676293 IP 172.16.20.54.57775 > 10.1.1.2.389: Flags [P.], seq 57:64, ack 111, win 913, options [nop,nop,TS val 88898467 ecr 196324077], length 7
13:48:54.676396 IP 172.16.20.54.57775 > 10.1.1.2.389: Flags [F.], seq 64, ack 111, win 913, options [nop,nop,TS val 88898467 ecr 196324077], length 0
So, I concluded the following:
1º - There is communication between OpenAudiT and AD;
2º - The username and password are correct.
Nevertheless, I can't log in.
When I enter the same username with a wrong password, I get the message “Incorrect credentials”.
I do not get any error in the Apache files (“error.log”, for example) or in any other file.
The open-audit.log displays the following message.
root@vm-openaudith01:~# tail -f /usr/local/open-audit/other/open-audit.log
Apr 30 16:04:00 vm-openaudith01 13064 C:discovery F:process_subnet SMBClient copy of audit_domain.vbs to 10.1.1.2 has succeeded.
Apr 30 16:04:00 vm-openaudith01 13064 C:discovery F:process_subnet SMBClient copy of audit_windows.vbs to 10.1.1.2 has succeeded.
Apr 30 16:04:00 vm-openaudith01 13064 C:discovery F:process_subnet Attempt to run audit_domain.vbs on 10.1.1.2 has succeeded.
Apr 30 16:06:08 vm-openaudith01 13061 C:discovery F:discover_active_directory U:Administrator Discovery AD submitted for mt.transportes.gov.br.
Apr 30 16:06:09 vm-openaudith01 13061 C:discovery F:process_subnet SMBClient copy of audit_domain.vbs to 10.1.1.2 has succeeded.
Apr 30 16:06:09 vm-openaudith01 13061 C:discovery F:process_subnet SMBClient copy of audit_windows.vbs to 10.1.1.2 has succeeded.
Apr 30 16:06:09 vm-openaudith01 13061 C:discovery F:process_subnet Attempt to run audit_domain.vbs on 10.1.1.2 has succeeded.
This version wasn't installed in the same place as the last one. This machine is completely new; it was created only to host that application. I still have the last version fully functional in another place. I am not posting an error message here because I don't have one. I looked at all the log files but found nothing. I followed all the necessary steps, exactly as described on the OpenAudit page. I would like to know if there is something I need to do in another config file. This application needs authentication in Windows Active Directory (2008).
I installed OpenAudiT version 1.0 for Linux (Ubuntu) and did not have this problem, but now with this new version, my god, I'm very confused.