
April 13th, 2011 12:00

Set Up LDAP to Authenticate Avamar with Windows Active Directory

What is the difference between the ldap configuration set up in accordance with the Server Software Installation Guide (300-007-037 Rev A02) page 65 and the System Administration Guide (300-008-314 Rev A03) page 459 which uses the avldap tool?

Which method should we be using?  Do they really accomplish the same thing?

Also, after we implement LDAP for authenticating to Active Directory, what happens to the local passwords set when we established users/roles in the Avamar Administrator v5.0.3.29?  Is there a password file I can delete these from?  For security reasons we shouldn't be able to access or even see each user's password, and we are assuming these are in clear text in some Avamar file somewhere.


April 13th, 2011 12:00

Using the avldap tool is preferred over the manual method.

avldap --configure

avldap --test

Thanks and Regards,

Sameer Khan


April 14th, 2011 07:00

Thanks. The avldap tool prompts for a user name and password that is authorized to read the directory service's database.  Is this an administrator account that is entered just for this one-time setup, or should we build a permanent account in AD just for the purpose of communication between Avamar and AD?

What we don't want is to use an admin account that is permanently used by Avamar, and then a few years later that account is disabled because the user leaves the company, causing problems with authentication from Avamar because we forgot that account is used for that purpose.


April 14th, 2011 07:00

EBuser,

The process I have used in the past is to use a "service" account for a process like this.  This account is used ONLY for situations where automatic log in is performed, such as is done by some services.

It is my recommendation that you use a service account for your environment.

Mark


April 14th, 2011 08:00

Thank you


April 15th, 2011 06:00

Can someone take a look at the below?  After using the avldap tool I ran the test, but the Kerberos authentication failed.  I suspect the problem lies with the user (e.g., service) account I created in AD.  Does this account need to be a member of the Domain Administrators group?  Does the account need to be typed in differently (e.g., avsadmin@nnpp.gov)?   The server ebsydc04 is one of our two domain controllers running AD.

krb5.conf:

[libdefaults]
default_tgs_enctypes = des-cbc-shalkd des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-shalkd des-cbc-crc des-cbc-md5

[domain_realm]
ebsy.nnpp.gov = EBSY.NNPP.GOV
.ebsy.nnpp.gov = EBSY.NNPP.GOV

[realms]
EBSY.NNPP.GOV = {
    default_domain = EBSY.NNPP.GOV
    kpasswd_server = ebsydc04.ebsy.nnpp.gov:464
    admin_server = ebsydc04.ebsy.nnpp.gov:88
    kdc = ebsydc04.ebsy.nnpp.gov:88
}

ldap.properties:

ldap.qualified-name-default=ebsy.nnpp.gov
ldap.url.ebsy.nnpp.gov=ldap://ebsydc04.ebsy.nnpp.gov:389

Test Results:

Enter the Fully Qualified Domain Name and press
ebsy.nnpp.gov
Enter the User Name and press
avsadmin
Enter the password

******************************************************************************************************
Kerberos Authentication and LDAP query verification using krb5.conf and ldap.properties
******************************************************************************************************

SUCCESS: Parsing the configuration for domain ebsy.nnpp.gov in ldap.properties was successful.

INFO: Verifying Kerberos authentication and LDAP query.

ERROR: Pre-authentication information was invalid (24)

ERROR: Kerberos authentication is unsuccessful.

INFO: The configuration of ldap.properties and kbr5.conf are incorrect for the specified domain component.

Thanks,

Ken


April 15th, 2011 10:00

Run the below command on the DC and post the results:

set u

Domain Admin permissions are not required. Just a user which has rights to pull info from AD is required.

Can you remove the existing ldap.properties and krb5.conf files and re-run avldap --configure as the root user? Once it's done, comment out the below lines for ENCRYPTION support in krb5.conf:

default_tgs_enctypes = des-cbc-shalkd des-cbc-crc des-cbc-md5

default_tkt_enctypes = des-cbc-shalkd des-cbc-crc des-cbc-md5

Thanks and Regards,

Sameer Khan

September 2nd, 2011 09:00

Does someone know about this error? "ERROR: KDC has no support for encryption type (14)"

root@avamar01:~/#: avldap --configure

Enter the Fully Qualified Domain Name and press
nhelios.com.mx
Enter the User Name and press
avamaruser
Enter the password

Do you wish to configure domain nhelios.com.mx as default domain (y/n)?
y
INFO: Configuring krb5.conf and ldap.properties.

INFO: The configuration file changes need a restart of dtlt and ems services.

Do you wish to restart dtlt and ems services (y/n)?
y
INFO: Restarting DTLT and EMS so that configurations can be used for accessing DTLT and AAM UI.

Identity added: /home/dpn/.ssh/dpnid (/home/dpn/.ssh/dpnid)
dpnctl: INFO: Shutting down dtlt...
dpnctl: INFO: dtlt shut down.
dpnctl: INFO: Starting dtlt...
dpnctl: INFO: dtlt started.
dpnctl: INFO: Shutting down EMS...
dpnctl: INFO: EMS shut down.
dpnctl: INFO: Starting EMS...
dpnctl: INFO: To monitor progress, run in another window: tail -f /tmp/dpnctl-ems-start-output-10815
dpnctl: INFO: EMS started.
SUCCESS: Configuration of krb5.conf and ldap.properties is successful.

INFO: Verifying Kerberos authentication and LDAP query for the configured domain.

ERROR: KDC has no support for encryption type (14)

ERROR: Kerberos authentication is unsuccessful.

INFO: The configuration of ldap.properties and krb5.conf are incorrect for the specified domain component.
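Both of the Kerberos failures in this thread involve the two DES-only enctype lines that avldap writes into krb5.conf. Error 14 is KDC_ERR_ETYPE_NOSUPP, which a KDC returns when none of the requested enctypes is enabled; Windows Server 2008 R2 and later domain controllers disable single DES by default, so that is exactly what a DES-only list produces. Error 24 is KDC_ERR_PREAUTH_FAILED, which most often means the supplied password was rejected, so the service account's password and lock-out state are worth re-checking before the enctype lines are changed. The script below is an added example, not part of avldap or any Avamar tool: it parses a krb5.conf (the sample is a constructed copy of Ken's posted file), reports every enctype that a current AD KDC will refuse or that is deprecated, and writes a hardened copy that either comments the DES-only lines out, as Sameer suggests, so libkrb5 negotiates its own AES-first defaults, or replaces them with an explicit AES-first list. The constant AES_FIRST and the function names are this example's own choices.

```python
"""Audit and harden the enctype settings in an Avamar-style krb5.conf.

Added example for this thread; it is not part of avldap or any Avamar tool.
It reads krb5.conf text, reports enctypes in [libdefaults] that a current
Active Directory KDC will refuse or that are deprecated, and returns a
hardened copy: DES-only lines are commented out (Sameer's advice) or, when a
replacement list is given, replaced by an explicit AES-first list.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the krb5.conf Ken posted, as avldap wrote it.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_tgs_enctypes = des-cbc-shalkd des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-shalkd des-cbc-crc des-cbc-md5

[domain_realm]
ebsy.nnpp.gov = EBSY.NNPP.GOV
.ebsy.nnpp.gov = EBSY.NNPP.GOV

[realms]
EBSY.NNPP.GOV = {
default_domain = EBSY.NNPP.GOV
kpasswd_server = ebsydc04.ebsy.nnpp.gov:464
admin_server = ebsydc04.ebsy.nnpp.gov:88
kdc = ebsydc04.ebsy.nnpp.gov:88
}
"""

# Settings that restrict which enctypes libkrb5 will request from the KDC.
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
# AES-first list to use against AD if an explicit list is wanted at all (example's choice).
AES_FIRST = "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac"

_SETTING = re.compile(r"^\s*(?P<key>[A-Za-z_]+)\s*=\s*(?P<val>.*?)\s*$")


def classify(enctype: str) -> str:
    """weak: single DES (off by default on 2008 R2+ DCs, gives KDC error 14);
    legacy: 3DES / RC4 (accepted by AD but deprecated); strong: AES."""
    e = enctype.lower()
    if e.startswith("des3-"):
        return "legacy"
    if e.startswith("des-"):
        return "weak"
    if e.startswith(("arcfour-", "rc4-")):
        return "legacy"
    if e.startswith("aes"):
        return "strong"
    return "unknown"


def _sections(conf: str):
    """Yield (section_name, raw_line) for every line, tracking [section] headers."""
    section = None
    for line in conf.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        yield section, line


def parse_enctypes(conf: str) -> Dict[str, List[str]]:
    """Return {setting: [enctypes]} for the enctype settings in [libdefaults]."""
    found: Dict[str, List[str]] = {}
    for section, line in _sections(conf):
        s = line.strip()
        if section != "libdefaults" or not s or s.startswith(("#", ";")):
            continue
        m = _SETTING.match(line)
        if m and m.group("key") in ENCTYPE_KEYS:
            found[m.group("key")] = m.group("val").split()
    return found


def audit(conf: str) -> List[Tuple[str, str, str]]:
    """List (setting, enctype, class) for every enctype that is not AES."""
    return [(key, et, classify(et))
            for key, etypes in parse_enctypes(conf).items()
            for et in etypes if classify(et) != "strong"]


def harden(conf: str, replacement: Optional[str] = None) -> str:
    """Return a copy of conf in which every [libdefaults] enctype list that holds
    no AES enctype is commented out (libkrb5 then negotiates its built-in
    defaults, AES first) or, if replacement is given, replaced by that list."""
    out = []
    for section, line in _sections(conf):
        m = _SETTING.match(line)
        if section == "libdefaults" and m and m.group("key") in ENCTYPE_KEYS:
            if not any(classify(e) == "strong" for e in m.group("val").split()):
                out.append("# " + line.strip() + "   # disabled: DES/RC4-only list")
                if replacement:
                    out.append(f"{m.group('key')} = {replacement}")
                continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, et, cls in audit(SAMPLE_KRB5_CONF):
        print(f"{key}: {et} is {cls}")
    print(harden(SAMPLE_KRB5_CONF, AES_FIRST))
```

Run it against /etc/krb5.conf on the utility node (or whichever path avldap wrote) before re-running avldap --test; if the hardened file still fails with error 14, the DC's own enctype policy is the next thing to check, and if the failure is error 24 the account credentials are the likelier cause than the enctype list.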
