joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

10/22/2009

From the mailbag, issue with -binenc.

by @ 2:26 pm. Filed under tech

As you may have noticed, today is catchup day in joe's personal life. I am trying to get various things done that I haven't been able to previously. While going through the mailbag I ran into the following email…

Subject: -binenc question

I am trying to use the following to return the samAccountName from a SID:

adfind -b -binenc  dc=xyz,dc=com  -f (objectSID={{SID:S-1-5-21-33307682-239368645-1341851483-1055}}) sAMAccountName

The transformed filter result is

Transformed Filter: (objectSID=\01\05\00\00\00\00\00\05\15\00\00\00\22\3C\FC\01\C5yD\0E\5B\07\FBO\1F\04\00\00)

Error ——————————————————————————————————————-^———————-^———————-

And the result fails. The transformed filter does not appear to be outputting correctly.

Copying the contents of objectSID and converting it manually and then inserting it into the query works

adfind -b dc=xyz,dc=com  -f (objectSID=\01\05\00\00\00\00\00\05\15\00\00\00\22\3c\fc\01\c5\79\44\0e\5b\07\fb\4f\1f\04\00\00) sAMAccountName

AdFind V01.40.00cpp Joe Richards (joe@joeware.net) February 2009

Using server: server.xyz.com:389

Directory: Windows Server 2003

dn:CN=User\, Some,OU=Parent,DC=ctsnet,DC=com

>sAMAccountName: Someu

1 Objects returned

Is there a different way I should be approaching this?

Thank you for making these tools available.

 

Right off I knew that the format AdFind uses for the binary encoding of the filter is OK; long-time readers will recall a post on this functionality from several years ago, http://blog.joeware.net/2005/12/17/173/.

Admittedly though, I was confused at first. Then I saw the ordering of the parameters on the command line. This is actually pretty common and I am unsure how I can help with it (don't say it Bwandon…). I think it is due to people not being truly sure about what they are sticking on the command line. I have watched people use the command line before and they view it as a foreign language at best. They don't logically put together what is happening when they put the switches down, and don't realize that the switches can have their own parameters and those have to follow the switch.

Anyway, here is my response.

 

Subject: RE: -binenc question

That encoded format is perfectly fine and acceptable to Active Directory. Your query isn’t failing because of that, it is failing due to a typo in the command you typed.

The encoding is all controlled by the ldap_escape_filter_element function which is what AdFind uses… See http://blog.joeware.net/2005/12/17/173/ for a little bit of discussion about it.

The issue with your command is that the ordering of the switches is mixed up… Many of the switches take an additional parameter and that parameter needs to follow the switch itself. In this specific case, the -b switch requires the actual Base DN to follow it. In your command below you insert the -binenc switch right smack between the -b switch and its parameter.

So you have

-b -binenc dc=xyz,dc=com

When it should be more like

-binenc -b dc=xyz,dc=com

Your command was telling AD to search at the root of the directory which you can’t do on the LDAP port unless you specify the phantom root switch. In fact, you probably got an error of “No Such Object” (best match of: ‘’) instead of “0 Objects returned” which would be expected if the base were correct but no object matched the filter.

You could actually make your command work with the incorrect sequencing of the parameters and switches by adding -pr (the phantom root enabling switch) or -gc (use a GC) which redirects the query to the GC port and allows “invalid” bases so you can search disjointed forests.

So you ask… what happens to the base parameter specified when it is preceded by the –b switch? It is interpreted simply as an attribute parameter… So your query, if you looked at it in a network sniffer would have been a query for the given objectsid and requesting the dc=xyz,dc=com attribute.

   joe

 

Back to the discussion of how I could solve this. Off the top of my head I can think of two mechanisms, neither of which I like.

1. Change the switch system so that if a parameter is needed for a given switch, it is specified after some delimiter in the switch, such as -b:dc=test,dc=loc. I don't like doing switches that way because I think it makes the commands less readable and more prone to mistakes.

2. Read the schema from the DC, look at all the arguments (i.e. parameters that aren't prefixed by a switch that takes additional data) and flag any that don't match the schema. I don't like this because it is slower and because not all attributes you can ask for are in the schema; look at the rootDSE for some examples, such as validFSMOs.
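To make the encoding question in the mailbag concrete, here is an added example (my own Python, not AdFind's code and not the ldap_escape_filter_element implementation) that converts the S-1-5-… SID from the email into the binary objectSid layout AD stores, hex-escapes it the way the "Transformed Filter" line shows, and decodes the hand-encoded value from the second command back to the same SID. The escaping rule used here, escape every byte except ASCII letters and digits, is an assumption chosen because it reproduces the transformed filter for this input byte for byte; RFC 4515 only requires escaping NUL, backslash, parentheses and asterisk, and AD accepts \XX for any byte, so the rule is safe but is not a claim about how the Windows API treats every other byte. The SID value is the one from the email; nothing else is constructed.

```python
import re
import string
import struct

# The SID from the mailbag question.
SAMPLE_SID = "S-1-5-21-33307682-239368645-1341851483-1055"

# Bytes left unescaped by the assumed rule: ASCII letters and digits only.
# Every other byte (NUL, control bytes, '"', '<', '[', non-ASCII, ...) is hex-escaped.
_PLAIN = set(bytes(string.ascii_letters + string.digits, "ascii"))


def sid_to_bytes(sid: str) -> bytes:
    """Textual SID (S-R-A-S1-S2-...) to the binary SID structure stored in objectSid.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then each sub-authority as a
    little-endian 32-bit integer.
    """
    m = re.fullmatch(r"S-(\d+)-(\d+)((?:-\d+)*)", sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-") if x]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15:
        raise ValueError(f"SID out of range: {sid!r}")
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes: decode a binary objectSid value (as AdFind returns it)."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def escape_filter_value(raw: bytes) -> str:
    """Hex-escape a binary value for use in an LDAP search filter.

    The letters that appear in the middle of the transformed filter from the
    email ('y', 'D', 'O') are just the printable bytes 0x79, 0x44 and 0x4F
    left as-is; they are not corruption.
    """
    return "".join(chr(b) if b in _PLAIN else f"\\{b:02X}" for b in raw)


def unescape_filter_value(text: str) -> bytes:
    """Turn a \\XX-escaped filter value (upper- or lower-case hex) back into bytes."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "\\":
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def sid_filter(sid: str, attr: str = "objectSid") -> str:
    """Build the filter AdFind's -binenc {{SID:...}} expansion produces for a SID."""
    return f"({attr}={escape_filter_value(sid_to_bytes(sid))})"


if __name__ == "__main__":
    print("filter:   ", sid_filter(SAMPLE_SID))
    raw = sid_to_bytes(SAMPLE_SID)
    print("objectSid:", raw.hex())
    print("decoded:  ", bytes_to_sid(raw))
```

Running it prints the same filter as the Transformed Filter line in the email, which is the point: the encoding is correct, and the query only fails because -binenc was wedged between -b and its base DN. The decoder is the half you want when AdFind hands you a raw objectSid and you need to compare it to a SID string from a token or an ACL.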

Rating 3.00 out of 5

Do you read my blog from a mobile phone?

by @ 12:36 pm. Filed under general

I just added a plugin to WordPress that should make reading the blog easier from say an iPhone, iTouch, or Android based smartphones. It’s called WPtouch and seems pretty cool.

Rating 3.00 out of 5

Blog SPAM has gone down??? huh?

by @ 12:10 pm. Filed under tech

After updating my blog software I thought I would go through and look over some of the settings, etc to see if there was anything new to turn on to tighten up security, etc etc ad nauseum whatever…

I went to the Akismet SPAM stats and was pleasantly shocked to note that SPAM dropped substantially as of August. It makes me wonder if one of the WordPress updates I applied back in the Aug/Sept time frame closed up some security holes that spammers were using. For September I was in the triple digit SPAM load range, which is fantastic. So far this month I am in double digits. Of course I guess it could mean that the SPAMmers don't feel I am important enough to SPAM anymore… Or better, that my readers are too smart to be duped by the SPAM. 🙂


Rating 3.00 out of 5

Blog software updated…

by @ 11:27 am. Filed under general

I didn’t break anything… At least I don’t think so. 🙂

Rating 3.00 out of 5

Another antivirus program not liking some joeware…

by @ 10:36 am. Filed under tech

Just got an email that Symantec is now reporting ChangePW as being infected with a virus. Sure enough, went to Jotti and did the online testing and found that several scanners are reporting changepw has a virus. Like all the other times this occurred, if you got the file directly from my website, this is a false positive.


I am not going to go too deep into why this happens. The quick version is that most AV programs use what are called “signatures” to detect viruses. They don’t actually run the program and see the virus doing something bad. Using signatures like this is a form of profiling (yeah just like racial profiling). They build a signature out of a set of computer instructions that are present in the actual virus, and then scan the files looking for any occurrence of those same set of instructions. It is akin to saying… we know a bomber is coming through the airport and he has brown hair and brown eyes and a blue jacket and is 6’ tall… Now every 6’ tall male coming through the airport with brown hair and eyes and a blue jacket is considered a bomber. The code identification for Anti-virus is the same way and has the same chance of false positives. The more generic the signature, the more likely you will get false positives.

Rating 3.00 out of 5

10/21/2009

How do you tell AdFind that you only want just the xyz attribute returned?

by @ 10:54 am. Filed under tech

It surprises me but this is still a pretty popular question I get in email. I realize that the usage help for adfind and admod is substantial, but the info on this is in the basic help…

Anyway, I got another email on this and decided I would blog it.

 

 

The basic format of AdFind is fairly simple as it is at its core simply a wrapper around the LDAP API. Sure it does some extra decoding that is specific to AD, but it is still a basic LDAP API wrapper and as such functions like many other LDAP tools.

For any LDAP query you need to specify the host, scope, searchbase, filter, credentials, and attributes you want to have returned.

By default if you don't specify a host, AdFind uses the default DC for the machine you are on. If the machine is not joined to a domain or is joined to an NT4 domain, this is obviously not going to work very well and you will need to specify a machine or possibly a domain name. If you are attempting to connect to ADAM, there is no such default; you need to specify the host directly.

By default if you don't specify a scope, AdFind uses SUBTREE. The exception is if you are piping DNs into AdFind; then it will default to a scope of BASE. Yes I know that is a bit annoying; it was a bit annoying defaulting to SUBTREE in that situation as well. I had no good answer for what it should do, but BASE seemed to be the best.

By default if you don’t specify a search base, AdFind uses the default NC of the host specified (or default host if no host specified).

By default if you don’t specify a filter, AdFind uses objectclass=*. This means return every object that you have permissions to see.

By default if you don't specify credentials, AdFind uses the credentials of the process that spawned it. So if I am logged on as joe and open a command prompt and run AdFind without -u xxx, it will use my joe credentials to connect (or fail). If I am logged on as joe, but open a command prompt as $joe (via runas or cpau) and run AdFind without -u xxx, it will use my $joe credentials to connect.

By default if you don't specify a list of attributes, it uses * which tells Active Directory to return the default attribute set. Note that this doesn't necessarily mean return every attribute that is populated on the object; in fact, by default nTSecurityDescriptor isn't returned unless you explicitly ask for it. Constructed attributes also aren't returned if you don't explicitly request them. If you want specific attributes, you specify them as a space delimited list on the command line… attrib1 attrib2 attrib3, etc.

The exception to all of the above is that if you don’t specify anything it will display the basic usage help.

 

Here is an example command to use the user’s cn (or name) attribute to find their NT Style userid (i.e. sAMAccountName).

adfind -gcb -f name="somename" samaccountname

This is a pretty basic command and here is the breakdown…

* No host is specified so it will use the default DC for the machine running the command.

* No scope is specified so it will be SUBTREE scope.

* The search base is provided in the -gcb switch, which tells it both to use the Global Catalog port and to use a NULL base for the query, i.e. look at the whole directory.

* The filter is name="somename" which should be self explanatory.

* No credentials are specified so whatever credentials are in effect for the command prompt window running this command are also in effect for the connection to AD.

* There is an attribute list provided and it contains a single value – samaccountname so that will be the only attribute returned.

 

   joe

Rating 4.00 out of 5

10/14/2009

Ignorance is a choice…

by @ 10:14 am. Filed under quotes

Stupid is a condition.

           Ignorance is a choice…

  – Not sure where this is from originally but saw it in Non Sequitur 10/14/2009

Rating 3.00 out of 5

10/12/2009

Exchange Automatic conversion of non-security enabled groups into security enabled groups

by @ 6:07 pm. Filed under tech

Some people still don't know this even after all of these years… But Exchange can change your non-security enabled groups (sometimes mistakenly called DLs[1]) into security enabled groups. This is done automagically anytime someone applies a "DL" to security in Exchange, such as on a folder in a mailbox or on a public folder or something. For example, say you have a non-security enabled group in the domain called "Active Directory People" which is your distribution list to send email out to your Active Directory people. Someone says (and I mean any someone, even some low level no one who shouldn't be allowed to change anything at all) "Hey, I also want to give those people access to something in my mailbox, say like the calendar…" Outlook says that is cool, adds the SID for the non-security enabled group to the ACL for the calendar on the mailbox, and then Exchange looks at the group and says, well "Crikey mate… that group isn't security enabled which means the users won't get the SID in their token so the security delegation just made will never work, so let me fix that in AD for you…"[2] and wham bam thank you ma'am… the group is now security enabled.

In the meanwhile someone somewhere else is seeing a “DL” that is now all of a sudden security enabled and saying… “HEY! Who did that, that wasn’t supposed to be done.” and they change it back. And then eventually Exchange changes it back again. And on and on… Of course Microsoft doesn’t give any mechanism to find what ACL on what folder on what mailbox is causing this issue so you have no clue.

At least now they have given a mechanism to STOP the auto security enablement from occurring. I still think it would be great if something told you where the SID was in the ACLs that was causing it.

See

Stop Automatic Conversion of Universal Distribution Groups to Universal Security Groups

 

Thanks to my friend BrianD for sending me the link on this as it is something we have discussed in the past a few times. I heard they were going to do it, didn't hear that they actually did do it though. Good to know they did.

   joe

 

[1] A DL is a distribution list and it can be security enabled or not. Not being security enabled doesn’t mean it is automatically only used for email. In fact it could be non-security enabled and still not used for email.

[2] Not sure why Exchange suddenly became Aussie but I am sure my Aussie friends will be suitably impressed insulted. 😉

Rating 3.00 out of 5

Offline NT Password Editor Still Works for Windows 7

by @ 6:07 pm. Filed under tech

Thank goodness!  🙂

My freshly loaded PC, previously SFMXP32, now SFMWIN764[1] has been running great. However I have been a bit lax in fully setting it up because I haven’t activated the license yet and think, who knows, maybe I will reload it again for some odd reason… Well that means I haven’t joined it to my home domain yet and I haven’t added any other additional IDs… So what happens, I restart the computer and when it comes back up it doesn’t recognize my password. No I didn’t forget it. No I didn’t typo it. I also didn’t make the little reset your password USB key either. So I am sitting there going, great, I don’t have time to figure out how to hack Windows 7, let’s hope the offline password editor still works…

I went out and downloaded the latest ISO from http://home.eunet.no/pnordahl/ntpasswd/ and burned the CD and voila, 3 minutes later I was up and running again. Have no clue what happened to my old password but it was annoying to have happen though it was in a way good because I now know that Win7 can be broken into the same way as my previous machines could be if I needed to. ;o)

 

    joe

 

[1] Sure sure, it isn’t really a Super Fast Mofo of a machine anymore, heck it can’t even run Hyper-V the chip and board are so old… But I don’t want to hurt its feelings… And yes, computers have feelings…

Rating 3.00 out of 5

10/7/2009

Offline AV check tool

by @ 7:01 pm. Filed under tech

Saw this in a security list and thought it was worth posting. It is a CD/DVD you can burn to test a machine while the main OS isn’t running so any real bad virus type critters on the machine can’t block the check. Best part is that it is free. It is Linux based but that is fine for scanning your Windows machine’s disks.

 

http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

Rating 3.00 out of 5

[joeware – never stop exploring… :) is proudly powered by WordPress.]