bill's blog


Browsing Posts tagged OpenDirectory

It truly is amazing how one of the most basic of protocols is the foundation of the Internet. DNS is a service/protocol that is essential to traffic out on the Internet AND in many cases MORE important on internal networks. Humans, by nature, aren’t really adept at remembering long strings of numbers. Hell, most of us can’t remember a name five minutes after you tell it to us! And while IPv4 addresses are broken down into four octets separated by dots (dot-decimal notation), that’s still longer than most phone numbers. Servers (or hosts) are not usually referred to by their IP address but rather by their hostname (www) followed by the domain name (yahoo.com). Enter DNS (the Domain Name System). It takes a domain name (such as weblog.randomdog.net) and converts it to the IP address associated with that name (such as 69.0.94.158). It also does the reverse (converting IPs to domain names). DNS is a hierarchical naming system, meaning that a few top-level domains (.com, .net, .org, .gov, etc.) pass requests to the authoritative name servers for each domain, which in turn pass requests to the authoritative name servers for their sub-domains.

Today DNS has expanded beyond its humble roots! It supplies the name of the administrator for the domain and the IP addresses of the mail servers for that domain. DNS has also been extended to advertise where services can be found on a network, as in the case of SRV records. These SRV records tell systems where on the network certain resources (LDAP, AD, mail) can be located. Many other services rely on a properly functioning DNS. In fact, Microsoft’s Active Directory and Apple’s OpenDirectory will break without it.

So what if DNS breaks?

Well, that’s a problem. DNS was not designed with security in mind. It actually grew out of a shared file. Before DNS, people passed host files around. The thought of anyone actually tampering with the associations between host and address was not considered likely; people simply wanted to be able to reach the host they were looking for. Times have changed and there’s money at stake. DNS cache poisoning is a very real problem. If I were able to redirect your web browser to a ‘fake’ banking site, I could collect your credentials and make unauthorized withdrawals against your account. In March of 2008, Dan Kaminsky met with various software vendors that provide DNS solutions to discuss a vulnerability he had discovered. The consequences of this discovery were of such concern that all vendors present agreed to release a software patch fixing the vulnerability on the same day. In very simple terms, Kaminsky’s vulnerability centered on the possibility of a “man in the middle” caused by the lack of true randomization of transaction IDs, with only 65,000 values available. A DNS look-up query is assigned a random transaction ID, but Kaminsky observed that when a vulnerable DNS server performs recursive DNS queries, it was possible to guess the transaction ID and redirect the results (Vamosi, 2008).
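To make the transaction-ID point concrete, here is an added Python illustration (not code from the original post) of the checks a caching resolver makes before it accepts a reply: the 16-bit ID described above is what ties an answer to its question, and the 2008 patch the post mentions added UDP source-port randomization as a second, independent check. The message layout follows RFC 1035; the domain www.example.com, the address 192.0.2.10 and the port numbers are constructed sample values.

```python
import struct

# Constructed illustration of resolver-side reply matching (RFC 1035 wire format).
# Not code from the original post. Header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.

def encode_qname(name):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(txid, name):
    """A query for an A record with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def build_reply(txid, name, ip):
    """A reply carrying one A record; flags 0x8180 = QR, RD, RA."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", 1, 1)
    # 0xC00C is a compression pointer to the question name at offset 12; TTL 300, RDLENGTH 4
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, ip.split(".")))
    return header + question + answer

def reply_matches(query, reply, query_port, reply_port):
    """Accept a reply only if its transaction ID, question section and the UDP port
    it arrived on all match the outstanding query. A forger who cannot see the query
    must guess the ID (2^16 values); with a random source port the guess space grows
    by the number of possible ports as well."""
    qid, = struct.unpack("!H", query[:2])
    rid, rflags = struct.unpack("!HH", reply[:4])
    if qid != rid or not rflags & 0x8000:          # wrong ID, or not a response at all
        return False
    if reply[12:len(query)] != query[12:]:          # question must be echoed back verbatim
        return False
    return query_port == reply_port                 # reply must come to the port we used

def answer_ip(reply):
    """Parse the IPv4 address out of the first answer record of a reply."""
    pos = 12
    while reply[pos] != 0:                          # skip the question name labels
        pos += reply[pos] + 1
    pos += 1 + 4 + 2                                # zero byte, QTYPE/QCLASS, name pointer
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", reply[pos:pos + 10])
    rdata = reply[pos + 10:pos + 10 + rdlen]
    return ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else None
```

A real resolver additionally checks that the reply came from the server it asked and, with DNSSEC, validates the signature on the answer rather than trusting the ID match alone.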

Enter DNSSEC!

DNSSEC (short for DNS Security Extensions) adds a layer of security to DNS. Its aim is to minimize threats against the Domain Name System. These threats include the following:

1. DNS Cache Poisoning
2. DNS Amplification Attacks
3. DNS Man-in-the-Middle Attack
4. DNS Spoofing Attacks

The US government has already deployed DNSSEC on the root servers for the .gov and .mil domains. Unfortunately, as of today DNSSEC has not been deployed for the root server of the .com, .net and .org top-level domains.

Resources:

Vamosi, R. (2008, July 9). Massive, coordinated DNS patch released. Retrieved May 27, 2009, from http://www.zdnet.com.au/news/security/soa/Massive-coordinated-DNS-patch-released/0,130061744,339290456,00.htm

So last night I was trying to stand up a new replica against my OpenDirectory Master but it kept erroring out with a 1077 error. It was complaining about my credentials being incorrect. At first I thought I must have fat-fingered it… but after entering the password one character at a time it still didn’t take. Looking through the slapconfig.log file (located in Library/Logs), I got the following error:

2009-02-09 22:08:02 +0800 - slapconfig -setmacosxodpolicy
2009-02-09 22:08:02 +0800 - slapconfig -createreplica
2009-02-09 22:08:02 +0800 - command: ssh root@192.168.171.10 /usr/sbin/slapconfig -checkmaster diradmin 0 4 4
2009-02-09 22:08:13 +0800 - ssh command failed with status 77
2009-02-09 22:08:13 +0800 - Error: Incorrect username or password. You must enter a directory domain administrator username and password.
(error = 77)

Everything was correct. I could ssh into the server using the root account. I could modify the directory (add/delete/modify accounts) using the diradmin account. But I still couldn’t bind the server. Turns out there is a bug that doesn’t allow you to bind the replica if the diradmin password contains anything but alphanumerics. Change the password to something simple and the replica binds without issue. So much for strong passwords!

Well today is the start of everything that I’ve taken this trip for. We’ll be updating the servers in Hong Kong today.


Setting up DNS, OpenDirectory, AFP shares and then migrating the user accounts over. Hopefully if all goes well we’ll be done by 10PM… hopefully!


6:15PM – Start Time
6:30PM – Got all users off server
7:30PM – Finally got the machine to boot from DVD
7:45PM – Got McDonald’s for dinner
8:00PM – Config’d host
9:10PM – Finally got DNS working… Hate DNS!
9:15PM – Started patching machine
9:30PM – Still waiting for the updates to download… Moving user data!
9:40PM – Downloads are done… Let’s bind to OpenDirectory!
10:00PM – Anyone know what a 1077 error is?
10:25PM – This network sucks…
10:40PM – Oh hey let’s test the Riverbed Device…
11:09PM – Strong passwords? Why bother?
11:34PM – Setting up Network Homes!
11:36PM – Oh wait… the directory doesn’t like diradmin any more.
12:19AM – Finished patching server
12:40AM – Fixed a few login issues
1:10AM – Tested all logins… They work.. I’m out of here!