
I'm trying to implement a hardware UTM (Firewall) to use SSO. The SSO Server that I configured for this purpose uses the Active Directory (DC) security event logs. These logs tell the SSO system which domain users are logged in/active/members of which groups/logged off, etc.

Our domain environment has a majority of Windows clients. But about 20% of the machines are Linux (Debian) based. The Linux computers are joined and configured to the AD via sssd.

I've gotten the Windows machines to work fine, meaning all the security event logs are gathered and pulled successfully. On the other hand, the Linux machines are having various issues. After days of research I pinned it down to the values in some security event logs.

Windows Security Event 4768:

Account Information:

  Account Name: [username]
  User ID: [username]

The fields specified for the above event log have "domain user names" in them for Windows clients. But the Linux clients fill them with their computer name with a $ sign at the end.

This seems to be the reason why the SSO agent can't read the current user status on these computers. I've checked all the files I can on the Linux side without success. I need help on what needs to be touched so that the events coming from Linux computers show the username in the "TargetUserName" field (instead of "hostname$").

Update: Still looking for a solution. When I run "klist -k" it displays:

2 [email protected]
2 [email protected]
2 [email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 RestrictedKrbHost/[email protected]
2 RestrictedKrbHost/[email protected]
2 RestrictedKrbHost/[email protected]
2 RestrictedKrbHost/[email protected]
2 RestrictedKrbHost/[email protected]
2 RestrictedKrbHost/[email protected]

The first three entries are what show in the events (MYCLIENT$). This had me thinking that if I can the username within this keytab it might work. I still haven't figured out a way to do this though, because running the kadmin command gives me an error:

kadmin client "myuser/[email protected]" not found in kerberos database while initializing kadmin interface
shafuq
  • Which events is your system looking for? The same 4768 event is supposed to show up for both user accounts _and_ machine accounts (as it tracks authentications, not logins). – u1686_grawity Oct 11 '22 at 12:03
  • 4624, 4768, 4769, 4770, 4634, 4661, 4623. All these events are used by the SSO Agent. I checked the logs on multiple machines. The Linux Clients send (98%) all of their logs with machine names in them. Only 1-2 per day have a user name. The only exception is event id 4776. This event shows up every 15-20 minutes with the user name. But this event ID isn't a part of the monitored events (by SSO agent). The Windows Clients on the other hand almost all have user names within these logs. – shafuq Oct 12 '22 at 08:10
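A triage script for the symptom described in the question and the follow-up comment, added here as an example and not code from the question or from any SSO product: it classifies the TargetUserName of each monitored event per client IP, so you can see which hosts only ever report their computer account (MYCLIENT$) and which report real users. The event records, IP addresses and the EXAMPLE realm are constructed sample data.

```python
from collections import defaultdict

# Event IDs the SSO agent in the question monitors (4776 is deliberately absent).
MONITORED_EVENTS = {4624, 4768, 4769, 4770, 4634, 4661, 4623}

# Constructed sample events, not taken from the question. Only the fields an
# SSO agent keys on are kept: EventID, TargetUserName and the client IpAddress.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "MYCLIENT$", "IpAddress": "10.0.0.21"},
    {"EventID": 4769, "TargetUserName": "MYCLIENT$@EXAMPLE.LOCAL", "IpAddress": "10.0.0.21"},
    {"EventID": 4776, "TargetUserName": "alice", "IpAddress": "10.0.0.21"},
    {"EventID": 4768, "TargetUserName": "MYCLIENT$", "IpAddress": "10.0.0.21"},
    {"EventID": 4768, "TargetUserName": "bob", "IpAddress": "10.0.0.22"},
    {"EventID": 4624, "TargetUserName": "EXAMPLE\\bob", "IpAddress": "10.0.0.22"},
    {"EventID": 4634, "TargetUserName": "bob", "IpAddress": "10.0.0.22"},
    {"EventID": 4769, "TargetUserName": "WINPC01$@EXAMPLE.LOCAL", "IpAddress": "10.0.0.22"},
]

def bare_account(name):
    """Strip a DOMAIN\\ prefix and an @REALM suffix so 4624/4768/4769 forms compare alike."""
    name = name.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0]

def is_machine_account(name):
    """AD computer accounts have sAMAccountNames ending in '$' (e.g. MYCLIENT$)."""
    return bare_account(name).endswith("$")

def audit_by_host(events, monitored=MONITORED_EVENTS):
    """Per client IP: how many monitored events name a machine vs. a user account."""
    stats = defaultdict(lambda: {"machine": 0, "user": 0, "users": set()})
    for ev in events:
        if ev["EventID"] not in monitored:
            continue  # e.g. 4776, which the SSO agent ignores
        host = stats[ev["IpAddress"]]
        if is_machine_account(ev["TargetUserName"]):
            host["machine"] += 1
        else:
            host["user"] += 1
            host["users"].add(bare_account(ev["TargetUserName"]))
    for host in stats.values():
        total = host["machine"] + host["user"]
        host["user_share"] = host["user"] / total if total else 0.0
    return dict(stats)

def hosts_without_user_events(stats, min_user_share=0.1):
    """Clients whose monitored events are (almost) all machine-account: the symptom above."""
    return sorted(h for h, s in stats.items() if s["user_share"] < min_user_share)
```

Feed it the exported 4768/4769/4624 records from the DC (the same fields, one dict per event) and the hosts it lists are the ones whose SSO mapping can never work until their events carry a user principal.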

0 Answers