Michael DePaulo on 6 Nov 2015 12:28:58 -0800



Re: [PLUG] [plug-announce] Wed, Nov 4, 2015: PLUG Central - "OpenVPN" by Keith C. Perry (7pm at USP)


Yeah, 3 perfect examples of how AD "Embraced, Extended, and
Extinguished" LDAP and Kerberos, like we were discussing on Wednesday:

1. Replication is not covered by LDAP or Kerberos standards at all. MS
AD has its own way of doing it, just like FreeIPA & 389 Directory Server
have their own ways.

2. The Kerberos PAC
http://blogs.msdn.com/b/openspecification/archive/2009/04/24/understanding-microsoft-kerberos-pac-validation.aspx

In fact, it was so funny when Samba launched 4.0. Experienced Samba
sysadmins were migrating from NT4-style domains to AD-style domains.
Thus they had to learn to log out of their Windows clients and log back
in whenever they added their user accounts to security groups.
Otherwise, the PAC would not be regenerated, and they would get
"permission denied" errors as if they did not belong to the group.

3. The fact that Group Policy (Microsoft's configuration management
since 2000) depends on an SMB client to read the Group Policy Object
(GPO) files. But new domain members (Windows or certain Linux clients)
must read those files in order to apply their security policies as LDAP
and Kerberos clients.

-Mike

On 11/06/2015 02:34 PM, Keith C. Perry wrote:
> Geez, I completely mangled that LOL- Yes, "Embrace, Extend, Extinguish". 
> 
> It's burned into my brain now! 
> 
> 
> ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 
> Keith C. Perry, MS E.E. 
> Owner, DAO Technologies LLC 
> (O) +1.215.525.4165 x2033 
> (M) +1.215.432.5167 
> www.daotechnologies.com 
> 
> 
> From: "Rich Mingin (PLUG)" <plug@frags.us> 
> To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org> 
> Sent: Friday, November 6, 2015 2:23:27 PM 
> Subject: Re: [PLUG] [plug-announce] Wed, Nov 4, 2015: PLUG Central - "OpenVPN" by Keith C. Perry (7pm at USP) 
> 
> It's "Embrace, Extend, Extinguish", Keith. Any Microsoft refugee from the last 20 years should know that one, and have seen it in action at least once. 
> Also, speaking only for myself, I found the WHY to be the most valuable part of the presentation. Not meaning any insult to the rest, but the WHY sections gave valuable background and insight into why IPSec is around, why it's not the premier/default standard (yet), and also why it should be. Hearing about how VPN/SSH/IPSec all interrelate seems like it'll be valuable in the future as well. 
> 
> I went into last night with an unspoken "Oh, VPN, I know VPN, I guess I'll go anyways" and came out with a desire to set up an IPSec VPN endpoint or three, and to tinker with some certs from external CAs (Let's Encrypt came to mind, there are tons of others like FreeSSL), so I'd say you had a very good balance of background and current info. 
> 
[...]

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug