
Can only Access Share Using Host Name

Posted on April 30, 2019 by admin under Kerberos, windows

Problem:

After having firewall ports opened to access a UNC path, I ran into an issue where I could not access the share using the fully qualified domain name. When accessing the site, I received the below error.

Cannot_Service_Authentication_Request

My initial thought was that the name was not resolving, but the error would seem to indicate a connection was being made. I decided to remove host name resolution by adding the entry to the hosts file on the client system. When I tried the connection again, I received the same message.

Diagnosis:

At this point, I decided to look at what was occurring, so I fired up Wireshark. I used the following filter to view only what I thought interesting.

  • ip.addr == x.x.x.x || dns || kerberos || cldap

Where x.x.x.x is the IP of the server where the share was created.

Now, I won’t list the packet data here, I don’t want to leak any information :-), however, below is a screenshot of the protocols and a bit of the information. Take a look and we will go through it below.

Wireshark_Auth_Data


  • The first three packets are the TCP handshake between my client and the server hosting the share.
  • Following are two SMB protocol packets where the client and server are determining the authentication mechanisms supported and negotiating which to use.
  • Then come the KRB5 packets. There are 10 of them.
    • The first 4 are obtaining a TGT from the KDC and are not relevant to the issue here; just know that I was able to obtain a TGT from the KDC.
    • The remaining 6 KRB5 packets are three request-response pairs. The response is the important part. Each one adds a piece of the server's Windows domain. In my case I have a domain of company.com and two subdomains. So to determine the domain to which I need to authenticate, it takes three passes, each returning more of the domain.
      • company.com
      • subdomain.company.com
      • sub1.subdomain.com
    • Once we have the domain to which we need to authenticate, we look it up via DNS. The 6 DNS packets are the traversal of the Microsoft DNS tree determining a domain controller in the server's domain for authentication purposes.
    • After resolving the DNS name of the DC in the server's domain, we issue a RootDSE query for the Netlogon attribute.

I blocked out irrelevant packets and if you look at the bottom of the graphic, you will notice that there are three (3) RootDSE query requests.

If you were not aware, most applications will try a request three times before abandoning the connection. This means the likely culprit in this case is that the CLDAP protocol, UDP port 389, needs to be opened between my client PC and the domain controllers for sub1.subdomain.com.

 

Solution:

Open port 389 between the source computer and the domain controllers in the domain in which the destination server resides.
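
To confirm the firewall change from the client side, the same kind of RootDSE query for the Netlogon attribute can be sent over UDP 389 with three tries, mirroring what the capture showed. This is an added example, not code from the original post; the function names, the search filter (DnsDomain plus an NtVer value of 0x06) and the command-line arguments are assumptions.

```python
import socket
import sys

def tlv(tag, payload):
    """Encode one BER tag-length-value element (definite length)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + payload

def octets(value):
    return tlv(0x04, value if isinstance(value, bytes) else value.encode())

def build_ldap_ping(dns_domain, message_id=1):
    """RootDSE search (empty base DN, base scope) asking only for Netlogon."""
    def equals(attr, val):
        return tlv(0xA3, octets(attr) + octets(val))
    # Assumed filter: (&(DnsDomain=<domain>)(NtVer=\06\00\00\00))
    flt = tlv(0xA0, equals("DnsDomain", dns_domain)
              + equals("NtVer", b"\x06\x00\x00\x00"))
    search = tlv(0x63, octets("")                           # baseObject: RootDSE
                 + tlv(0x0A, b"\x00") + tlv(0x0A, b"\x00")  # scope, derefAliases
                 + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")  # sizeLimit, timeLimit
                 + tlv(0x01, b"\x00")                       # typesOnly = FALSE
                 + flt + tlv(0x30, octets("Netlogon")))
    return tlv(0x30, tlv(0x02, bytes([message_id])) + search)  # id must be 0..127

def probe_cldap(host, dns_domain, port=389, tries=3, timeout=2.0):
    """Send the query up to `tries` times over UDP; report what came back."""
    request = build_ldap_ping(dns_domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for attempt in range(1, tries + 1):
            try:
                sock.sendto(request, (host, port))
                reply, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue                  # silently dropped: typical of a firewall
            except OSError:               # ICMP unreachable surfaced by the OS
                return {"status": "rejected", "attempts": attempt}
            if reply[:1] == b"\x30":      # any LDAPMessage SEQUENCE counts
                return {"status": "answered", "attempts": attempt}
    return {"status": "no-reply", "attempts": tries}

if __name__ == "__main__" and len(sys.argv) == 3:
    print(probe_cldap(sys.argv[1], sys.argv[2]))  # args: <dc-ip> <dns-domain>
```

A result of `no-reply` after three attempts matches the three unanswered RootDSE requests in the capture; `answered` means UDP 389 is open in both directions.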

Video Test

Posted on August 13, 2018 by Andrew under Uncategorized

Logon to the Quantum Leaps Web Site

This video provides instructions for logging onto the Quantum Leaps site.

systemd: Started Session of user root.

Posted on July 20, 2018 by admin under CentOS

If you see an entry of…

systemd: Started Session XXXX of user root.

where XXXX is the process id, in your /var/log/messages.

 

It is due to cron execution.

ISPConfig — Add Database

Posted on November 26, 2017 by admin under Uncategorized
6 Comments

This procedure will illustrate how to add a database using the ISPConfig3 interface. Although this can, and sometimes must, be done using phpMyAdmin, or a console client, I use the ISPConfig3 interface first if possible.

  1. Log on to the ISPConfig3 admin interface.
  2. Select the Sites tab.
  3. Select Databases from the menu on the left.
  4. Select the Add new Database button.
  5. Select the Site from the dropdown.
    • This is the site for which the database is being created.
  6. Enter the Database name.
    • Note that the Database name field is prefixed with c[CLIENTID]d[DOMAINID], making each one unique and allowing the remaining portion of the name to be the same.
  7. Select the Database user from the dropdown.
    • If you do not have a database user, one can be assigned later. Until then only admin will be able to access the database. To create one now, follow the ISPConfig — Add Database User procedure.
  8. Select the Save button.

 

ISPConfig — Add Database User

Posted on by admin under ISPConfig, Uncategorized

When database access is desired, database users are created. These users are then considered the owners of the databases they create.

  1. Log on to the ISPConfig3 admin interface.
  2. Select the Sites tab.
  3. Select Database Users from the menu on the left.
  4. Select the Add new User button.
  5. Select the appropriate client from the Client dropdown.
  6. Enter the Database user name in the field.
    • Note the c[CLIENTID] portion of the database user field? This ensures each client has a unique name. As one database user can own multiple databases, for multiple sites, you do not need to create a unique id for each domain.
  7. Enter the Password for the user, or select the Generate Password button.
  8. Confirm the password by entering it again in the Repeat Password area.
  9. Select the Save button.

 

ISPConfig — Build and Configure

Posted on November 23, 2017 by admin under ISPConfig

Purpose

I have been “playing around” with ISPConfig3 for a while now, learning some of the ins and outs, and now it is time to build my first production, hopefully, system.

This document illustrates the process, mainly to keep track of what is being done.

I am essentially following the documents on HowtoForge for a CentOS 7.3 Minimal Server and The Perfect Server for the ISPConfig3 portion. By default, these documents build everything on one server and we won’t change that either.


ISPConfig3 — Add new FTP-User

Posted on by admin under ISPConfig

This is the procedure for adding a new site ftp user account.

  1. Log onto your ISPConfig3 admin interface.
  2. Select the Sites tab.
  3. Select FTP-Accounts from the menu on the left.
  4. Select the Add new FTP-User button.
  5. From the Website dropdown, select the appropriate site.
  6. Enter the user id in the Username field.
  7. Enter the password in the Password field, or select the Generate Password button.
  8. Confirm the password by entering it in the Repeat Password field.
  9. Ensure the Active checkbox is selected.
  10. Select the Save button.

ISPConfig3 — Amavisd – Can’t open PEM file

Posted on by admin under ISPConfig

The full error on my system was:

ispconfig3 amavisd: Error in config file “/etc/amavisd/amavisd.conf”: Error in config file “/etc/amavisd/60-dkim”: Can’t open PEM file /var/lib/amavis/dkim/quantumleaps.com.private: Permission denied at /usr/sbin/amavisd line 637.

 

I ran into this issue a couple of times, so I figured I would write it down.

Validate Email is Working Properly

Posted on by admin under General

This post is a procedure for testing the email services at quantumleaps.com.

The same process should work for your system, just change the domain name as needed.


ISPConfig — Add new Mailbox

Posted on by admin under ISPConfig

This post illustrates how to create a new mailbox for an existing mail domain. If you haven’t created an email domain, see ISPConfig — Setup Email Domain and then return.
