The Stick
Join Date: Dec 2007
Location: Someplace Safe?
Posts: 17,328
Yep, Kerberos.
Background. A user ran a sniffer on the private network that made an Excel sheet of everyone's login and password. The powers that be decided that to fix this we need to go to 90-day password change/rotation. NO systems had been set up to authenticate to AD.
I am in charge of the Macs/Mac servers, Exchange, and the Fortinet firewall. It was pretty simple: just bind them to AD, re-create some security groups in AD, and assign the groups server rights on the servers.
This all worked great until the AS400/security consultants were brought in to bind the users on our AS400 to AD. They had a horrible time and finally gave up. After they left not only did the AS400 not authenticate users using AD, but something they did killed the PC SMB/Samba access to my mac servers, and the AD lookup of the Firewall for VPN users and Wireless access. In fact, several MS servers started having authentication problems. And still are.
Interestingly, all the Mac services except SMB access authenticated to AD fine.
I don't know what the AS400 guys changed or where, but I found that each computer/device has security settings for each AD group when bound to AD. One of those settings is "Allow Authentication." I turned that on in the settings for each of the devices I am responsible for. Now they all authenticate without any problems. My devices haven't had any problems since, but the other PC servers/services are having random outages where users cannot log in and then suddenly can again. My guess is that Samba and the Fortinet are respecting the "computers" security settings.
Don't know if I should tell them what they are overlooking (they treat me like I am an idiot because I am a Mac guy), anonymously fix the security settings so their servers and services stop having authentication problems (just to make them wonder), or let them figure it out for themselves and just say hey, the stuff I'm responsible for works fine.
I think the sniffer problem won't be helped by forcing pw changes as long as they aren't forcing encrypted secure login and lock down directory lookups, but hey...I'm just that stupid mac guy.
__________________
Richard aka "The Stick"
06 Cayenne S Titanium Edition
Last edited by RKDinOKC; 08-13-2011 at 12:25 AM..
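The "random outages where users cannot log in and then suddenly can again" that the post describes are easiest to argue about with evidence. Below is an added example (not code from the poster or from any of the products named in the thread) that reads authentication logs and separates user-caused failures (wrong password) from infrastructure-caused ones (the KDC/domain controller not reachable), then reports which services flap and which DC was involved. The log format, service names, DC names, reason codes and users are all constructed for this illustration; they do not correspond to the real log formats of Samba, FortiGate, macOS or Active Directory.

```python
"""Spot intermittent AD authentication failures per service from auth logs.

Constructed example: the one-line key=value record format below is invented
for this illustration and is not the format of Samba, FortiGate, macOS or AD.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: one line per authentication attempt.
SAMPLE_LOG = """\
2011-08-12T09:58:01 service=samba dc=dc1 user=jdoe result=fail reason=kdc_unreachable
2011-08-12T09:58:40 service=samba dc=dc1 user=asmith result=fail reason=kdc_unreachable
2011-08-12T10:03:15 service=samba dc=dc2 user=jdoe result=ok
2011-08-12T10:03:50 service=samba dc=dc2 user=asmith result=ok
2011-08-12T10:10:00 service=fortinet-vpn dc=dc1 user=bwong result=fail reason=bad_password
2011-08-12T10:10:30 service=fortinet-vpn dc=dc1 user=bwong result=ok
2011-08-12T11:20:00 service=afp dc=dc1 user=jdoe result=ok
2011-08-12T12:00:00 service=afp dc=dc1 user=asmith result=ok
"""

# Failure reasons that point at the user, not at the directory infrastructure
# (constructed reason codes for this example).
USER_CAUSED = {"bad_password", "account_locked", "account_expired"}


def parse_line(line):
    """Parse one constructed 'timestamp key=value ...' record into a dict."""
    ts_text, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec.setdefault("reason", "")
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_flaps(records, window=timedelta(minutes=10)):
    """A 'flap' is a failed auth for a (service, user) pair that is followed
    by a successful auth for the same pair within `window`.  Each flap keeps
    the DC and reason of the failure so it can be classified later."""
    by_key = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        by_key[(rec["service"], rec["user"])].append(rec)

    flaps = []
    for (service, user), recs in by_key.items():
        for i, rec in enumerate(recs):
            if rec["result"] != "fail":
                continue
            for later in recs[i + 1:]:
                if later["ts"] - rec["ts"] > window:
                    break
                if later["result"] == "ok":
                    flaps.append({
                        "service": service, "user": user, "dc": rec["dc"],
                        "reason": rec["reason"],
                        "failed_at": rec["ts"], "recovered_at": later["ts"],
                    })
                    break
    return flaps


def summarize(records):
    """Per service: how many flaps were user-caused vs. infrastructure-caused,
    and which DCs were involved in the infrastructure-caused failures."""
    summary = {}
    for rec in records:
        summary.setdefault(rec["service"],
                           {"infra_flaps": 0, "user_flaps": 0, "failing_dcs": set()})
    for flap in find_flaps(records):
        entry = summary[flap["service"]]
        if flap["reason"] in USER_CAUSED:
            entry["user_flaps"] += 1
        else:
            entry["infra_flaps"] += 1
            entry["failing_dcs"].add(flap["dc"])
    for entry in summary.values():
        entry["failing_dcs"] = sorted(entry["failing_dcs"])
    return summary


if __name__ == "__main__":
    for service, entry in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{service}: infra flaps={entry['infra_flaps']} "
              f"user flaps={entry['user_flaps']} failing DCs={entry['failing_dcs']}")
```

On the constructed sample, Samba shows two infrastructure flaps that all failed against dc1 and recovered on dc2, the VPN shows one user-caused flap, and AFP shows none. That is the kind of per-service, per-DC breakdown that turns "it randomly fails" into something the directory owners can act on.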