Re: [PLUG] [plug-announce] Wed, Nov 4, 2015: PLUG Central

Michael DePaulo on 6 Nov 2015 12:28:58 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] [plug-announce] Wed, Nov 4, 2015: PLUG Central - "OpenVPN" by Keith C. Perry (7pm at USP)

From: Michael DePaulo <mikedep333@gmail.com>
To: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Subject: Re: [PLUG] [plug-announce] Wed, Nov 4, 2015: PLUG Central - "OpenVPN" by Keith C. Perry (7pm at USP)
Date: Fri, 6 Nov 2015 15:28:47 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-type:content-transfer-encoding; bh=rpqj7ZhKFhZ8RIqNxCe8vv7iOZeHArWstG73Q5FPI4o=; b=dpyf/jRsoEqtEEJazkPhzUhge3ymmwwGwXjUGgPQJtXpJFwC5N4MC/CXxvNpDd0/BE q+gPe+aN7tNEkLJW4xaxrK0LHscq06OW1s5zeMjyqMOgcGsc3sTvf8xm/xZu/VXo9rpc 0UPa1EB0qgqF70aUKSIqmqaC5KymJf3AnB3JBxCTHGlxIJkLglkr6tihjFlDwh6afNqd Eww4soCign60iwF7uNtPce0CFuIi/rcnnWaBVu58sQ8UFpu7J3eOXBjUK/8oyckurnhY 4BAoA2SdgFivJwDanAP/+6Ku8E1gVuFZkpKfZ1e+bitL/KFFNblz3nYkkuTricKrsYMN d1HQ==
Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Sender: "plug" <plug-bounces@lists.phillylinux.org>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0

Yeah, 3 perfect examples of how AD "Embraced, Extended, and
Extinguished" LDAP and Kerberos, like we were discussing on Wednesday:

1. Replication is not covered by LDAP or Kerberos standards at all. MS
AD has its own way of doing it, just like FreeIPA & 389 Directory Server
have their own ways.

2. The Kerberos PAC
http://blogs.msdn.com/b/openspecification/archive/2009/04/24/understanding-microsoft-kerberos-pac-validation.aspx

In fact, it was so funny when Samba launched 4.0. Experienced Samba
sysadmins were migrating from NT4-style domains to AD-style domains.
Thus they had to learn to log out of their Windows clients and log back
in whenever they added their user accounts to security groups.
Otherwise, the PAC would not be regenerated, and they would get
"permission denied" errors as if they did not belong to the group.

3. The fact that Group Policy (Microsoft's configuration management
since 2000) depends on an SMB client to read the Group Policy Object
(GPO) files. But new domain members (Windows or certain Linux clients)
must read those files in order to apply their security policies as LDAP
and Kerberos clients.

-Mike

On 11/06/2015 02:34 PM, Keith C. Perry wrote:
> Geez, I completely mangled that LOL- Yes, "Embrace, Extend, Extinguish". 
> 
> It's burned into my brain now! 
> 
> 
> ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 
> Keith C. Perry, MS E.E. 
> Owner, DAO Technologies LLC 
> (O) +1.215.525.4165 x2033 
> (M) +1.215.432.5167 
> www.daotechnologies.com 
> 
> 
> From: "Rich Mingin (PLUG)" <plug@frags.us> 
> To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org> 
> Sent: Friday, November 6, 2015 2:23:27 PM 
> Subject: Re: [PLUG] [plug-announce] Wed, Nov 4, 2015: PLUG Central - "OpenVPN" by Keith C. Perry (7pm at USP) 
> 
> It's "Embrace, Extend, Extinguish", Keith. Any Microsoft refugee from the last 20 years should know that one, and have seen it in action at least once. 
> Also, speaking only for myself, I found the WHY to be the most valuable part of the presentation. Not meaning any insult to the rest, but the WHY sections gave valuable background and insight into why IPSec is around, why it's not the premiere/default standard (yet), and also why it should be. Hearing about how VPN/SSH/IPSec all interrelate seems like it'll be valuable in the future as well. 
> 
> I went into last night with an unspoken "Oh, VPN, I know VPN, I guess I'll go anyways" and came out with a desire to setup an IPSec VPN endpoint or three, and to tinker with some certs from external CAs (Let's Encrypt came to mind, there are tons of others like FreeSSL), so I'd say you had a very good balance of background and current info. 
> 
[...]

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

References:
- [PLUG] [plug-announce] Wed, Nov 4, 2015: PLUG Central - "OpenVPN" by Keith C. Perry (7pm at USP)
  - From: "Paul L. Snyder" <plsnyder@drexel.edu>
- Re: [PLUG] [plug-announce] Wed, Nov 4, 2015: PLUG Central - "OpenVPN" by Keith C. Perry (7pm at USP)
  - From: Guo Yixuan <culu.gyx@gmail.com>
- Re: [PLUG] [plug-announce] Wed, Nov 4, 2015: PLUG Central - "OpenVPN" by Keith C. Perry (7pm at USP)
  - From: Mike DePaulo <mikedep333@gmail.com>
- Re: [PLUG] [plug-announce] Wed, Nov 4, 2015: PLUG Central - "OpenVPN" by Keith C. Perry (7pm at USP)
  - From: "Keith C. Perry" <kperry@daotechnologies.com>
- Re: [PLUG] [plug-announce] Wed, Nov 4, 2015: PLUG Central - "OpenVPN" by Keith C. Perry (7pm at USP)
  - From: Chris Norton <chris@nortoninc.info>
- Re: [PLUG] [plug-announce] Wed, Nov 4, 2015: PLUG Central - "OpenVPN" by Keith C. Perry (7pm at USP)
  - From: "Rich Mingin (PLUG)" <plug@frags.us>
- Re: [PLUG] [plug-announce] Wed, Nov 4, 2015: PLUG Central - "OpenVPN" by Keith C. Perry (7pm at USP)
  - From: "Keith C. Perry" <kperry@daotechnologies.com>

Prev by Date: Re: [PLUG] Why = history (was Re: ...PLUG Central - "OpenVPN" by Keith C. Perry (7pm at USP))
Next by Date: Re: [PLUG] Why = history (was Re: ...PLUG Central - "OpenVPN" by Keith C. Perry (7pm at USP))
Previous by thread: Re: [PLUG] [plug-announce] Wed, Nov 4, 2015: PLUG Central - "OpenVPN" by Keith C. Perry (7pm at USP)
Next by thread: Re: [PLUG] Why = history (was Re: ...PLUG Central - "OpenVPN" by Keith C. Perry (7pm at USP))
Index(es):
- Date
- Thread