    ZeroTier + Active Directory Authentication

    Category: IT Discussion
    Tags: zerotier, ad, active directory, authentication, work in progress
    111 Posts 10 Posters 47.9k Views
    • A
      adam.ierymenko @dafyre
      last edited by

      @dafyre In the shorter term a more detailed HOWTO would probably be best. We can gear it to Debian since the Pi is Debian and makes a great bridge device, but you could also use a Debian VM or regular machine.

      • dafyreD
        dafyre @adam.ierymenko
        last edited by

        @adam.ierymenko said:

        @dafyre In the shorter term a more detailed HOWTO would probably be best. We can gear it to Debian since the Pi is Debian and makes a great bridge device, but you could also use a Debian VM or regular machine.

        I'd be happy to help test them as you write them. 😉

        • DashrenderD
          Dashrender @adam.ierymenko
          last edited by

          @adam.ierymenko said:

          @Dashrender That's not true. If a ZT device is on the same local network, then it will just have two ports that go to the same network. It would be like putting two NICs in the device and running two cables to the same switch. Confusing, but nothing "wrong" with that.

          ZT emulates a smart Ethernet switch. Think of it the way you would think of a switch. An "active bridge" is a port set to permit bridging to another switch (some smart switches let you control that) while a regular ZeroTier endpoint is a port that only goes to a single device.

          If you're thinking of it any differently you're over-thinking it. Pertino adds a whole ton of complexity by operating at L3 and none of that applies here. VPNs also add a lot of complexity by fragmenting the network with tunnels and such, and that's also irrelevant. Just imagine a switch with invisible wires going to it.

          Yeah, I was overthinking that. JB set me straight already. 🙂

          • dafyreD
            dafyre
            last edited by dafyre

            Okay, so I took a pot shot at @adam-ierymenko and told him Bridging should be easier... It turns out it is, lol. I blame Microsoft!

            Hyper-V has some security features that prevent the system from communicating on the network using a MAC address that wasn't assigned to it via Hyper-V... There's a fix for that!

            In PowerShell, on the Hyper-V host, run the following (it should be typed all on one line... I broke it up for readability)...
            *note: This enables MAC spoofing on ALL NICs attached to the VM.

            # Select the VM's adapters on the named virtual switch and allow them to
            # send frames from MAC addresses other than their own (needed for bridging)
            get-vmnetworkadapter -VMName MYVMNAME|where {$_.SwitchName -eq "MY_HYPERV_SWITCH"}|
            set-vmnetworkadapter -MacAddressSpoofing on
            

            Edit: In VMware, you will need to enable Forged Transmits and Promiscuous Mode on the VM that you run things like this on. I don't have access to a VMware system to check this.

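A tighter version of the same fix, added here as an example and not posted in the thread: it limits the MAC-spoofing exception to one named adapter on the bridge VM and then lists every adapter on the host that already has spoofing on, so the exception stays confined to bridge VMs. The VM, switch and adapter names are placeholders.

```powershell
# Added example (not from the thread). Scope the Hyper-V MAC-spoofing exception
# to the single adapter the ZeroTier bridge VM uses, then audit the whole host.
# VM, switch and adapter names below are placeholders.
function Enable-BridgeMacSpoofing {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$SwitchName,
        [string]$AdapterName = 'Network Adapter'   # Hyper-V's default adapter name
    )
    # Only the adapter that is both named as requested AND on the expected switch
    $nic = Get-VMNetworkAdapter -VMName $VMName -Name $AdapterName |
           Where-Object { $_.SwitchName -eq $SwitchName }
    if (-not $nic) {
        throw "No adapter '$AdapterName' on VM '$VMName' is attached to switch '$SwitchName'"
    }
    $nic | Set-VMNetworkAdapter -MacAddressSpoofing On
    # Read the setting back so the caller sees what actually changed
    Get-VMNetworkAdapter -VMName $VMName -Name $AdapterName |
        Select-Object VMName, Name, SwitchName, MacAddressSpoofing
}

function Get-MacSpoofingAudit {
    # Every VM adapter on this host that may source frames with any MAC address.
    # The list should contain only your bridge VMs; anything else is a surprise.
    Get-VM | Get-VMNetworkAdapter |
        Where-Object { $_.MacAddressSpoofing -eq 'On' } |
        Select-Object VMName, Name, SwitchName, MacAddressSpoofing
}

Enable-BridgeMacSpoofing -VMName 'MYVMNAME' -SwitchName 'MY_HYPERV_SWITCH'
Get-MacSpoofingAudit | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the Hyper-V host; the audit is worth keeping as a scheduled check once the bridge is in production.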
            • A
              Alex Sage @adam.ierymenko
              last edited by Alex Sage

              @adam.ierymenko I have a Pi (the newest one) to test on if you need more testers 🙂

              • JaredBuschJ
                JaredBusch
                last edited by

                Back on the topic of this thread...

                I set up ZeroTier on FSLDC02. I put ZeroTier on LT-JARED-01.

                ZeroTier is IPv6 only at the moment.

                I put the IPv6 address of the DC in the laptop's IPv6 config.

                I rebooted the laptop and then logged in with a domain user that has never been logged onto the device before. Everything worked fine.


                AD Authentication works great.

                It also works great with IPv4 if you put the ZeroTier IPv4 address in the DNS of the IPv4 adapter.

                So AD over ZeroTier is easy to do.

                • JaredBuschJ
                  JaredBusch
                  last edited by

                  The problem I want to resolve now is how to not get DNS for everything.

                  With ZeroTier connected, if I try and connect to my ownCloud instance, I get the internal DNS back. This is not desired behavior. If I shut off ZeroTier, I properly get the external IP address.


                  This is my problem. I need/want DNS to only work for AD Auth. I want ownCloud to use the public IP. That is why Pertino and ZeroTier are causing problems for me.

                  • DashrenderD
                    Dashrender
                    last edited by

                    @dafyre came up with a solution for this, a manually configured DNS server on ZT. You put in the AD resources you need so you can authenticate, and forward the rest out to an internet based DNS server.

                    Though, if you have a split horizon DNS, you'll have to specify the IP for ownCloud to the external IP.

                    • DashrenderD
                      Dashrender
                      last edited by

                      Did you check your AD DNS, did it have copies of the ZT addresses in it?

                      • JaredBuschJ
                        JaredBusch @Dashrender
                        last edited by

                        @Dashrender said:

                        @dafyre came up with a solution for this, a manually configured DNS server on ZT. You put in the AD resources you need so you can authenticate, and forward the rest out to an internet based DNS server.

                        Though, if you have a split horizon DNS, you'll have to specify the IP for ownCloud to the external IP.

                        No, @dafyre came up with a mess based on a work around. Every single thing in his process was extra work to set up, which is not bad. But it was all extra maintenance also, which is horrible.

                        If you are trying to sell me SDN, then you need to sell me SDN that fulfills the task I need. Yes, Pertino and ZeroTier may not be right for this scenario, but then I know of no other solution for this either. That is the point of working on this.

                        • JaredBuschJ
                          JaredBusch @Dashrender
                          last edited by

                          @Dashrender said:

                          Did you check your AD DNS, did it have copies of the ZT addresses in it?

                          At what point have I stated anyplace that I have ZeroTier on more than 2 devices? I do not. It exists solely on the DC and the test laptop.

                          • DashrenderD
                            Dashrender
                            last edited by

                            I'll agree with that, currently I know of no solution to provide what you want in a single shrink wrap solution, but as Dafyre mentioned, he did find a solution.

                            • dafyreD
                              dafyre
                              last edited by

                              @Dashrender said:

                              I'll agree with that, currently I know of no solution to provide what you want in a single shrink wrap solution, but as Dafyre mentioned, he did find a solution.

                              I'd qualify that as a workaround. And sadly, I also have to agree with @JaredBusch that it is more work and maintenance.

                              I realize that he's trying to avoid building a full-on mesh network, but assuming he's got a few spare IPs to rob from his DHCP Server, a ZT Bridge could work (http://www.mangolassi.it/topic/8566/zerotier-bridging-configuration) without quite as much ongoing maintenance afterwards.

                              • JaredBuschJ
                                JaredBusch @dafyre
                                last edited by

                                @dafyre said:

                                @Dashrender said:

                                I'll agree with that, currently I know of no solution to provide what you want in a single shrink wrap solution, but as Dafyre mentioned, he did find a solution.

                                I'd qualify that as a workaround. And sadly, I also have to agree with @JaredBusch that it is more work and maintenance.

                                I realize that he's trying to avoid building a full-on mesh network, but assuming he's got a few spare IPs to rob from his DHCP Server, a ZT Bridge could work (http://www.mangolassi.it/topic/8566/zerotier-bridging-configuration) without quite as much ongoing maintenance afterwards.

                                AD relies on DNS.
                                Not getting the wrong answer for a URL lookup also relies on getting an answer from the right DNS server at the right time.

                                So now that we know it all works as expected, the question is can I configure DNS to act how I want in Windows easily.

                                Easiest example: use the IPv4 DNS server always unless something is not found (such as domain.local).
                                When something is not found query the IPv6 DNS backup only.

                                This has nothing to do with ZeroTier at this point other than ZeroTier is where the IPv6 connectivity is coming from.

                                • dafyreD
                                  dafyre @JaredBusch
                                  last edited by

                                  @JaredBusch said:

                                  @dafyre said:

                                  @Dashrender said:

                                  I'll agree with that, currently I know of no solution to provide what you want in a single shrink wrap solution, but as Dafyre mentioned, he did find a solution.

                                  I'd qualify that as a workaround. And sadly, I also have to agree with @JaredBusch that it is more work and maintenance.

                                  I realize that he's trying to avoid building a full-on mesh network, but assuming he's got a few spare IPs to rob from his DHCP Server, a ZT Bridge could work (http://www.mangolassi.it/topic/8566/zerotier-bridging-configuration) without quite as much ongoing maintenance afterwards.

                                  AD relies on DNS.
                                  Not getting the wrong answer for a URL lookup also relies on getting an answer from the right DNS server at the right time.

                                  So now that we know it all works as expected, the question is can I configure DNS to act how I want in Windows easily.

                                  Easiest example: use the IPv4 DNS server always unless something is not found (such as domain.local).
                                  When something is not found query the IPv6 DNS backup only.

                                  This has nothing to do with ZeroTier at this point other than ZeroTier is where the IPv6 connectivity is coming from.

                                  What would happen if you added Google's Public DNS to the IPv4 stuff on the ZT Adapter?

                                  Oh wait... you only have IPv6 enabled on ZT... Hmm...

                                  • JaredBuschJ
                                    JaredBusch @dafyre
                                    last edited by

                                    @dafyre said:

                                    @JaredBusch said:

                                    @dafyre said:

                                    @Dashrender said:

                                    I'll agree with that, currently I know of no solution to provide what you want in a single shrink wrap solution, but as Dafyre mentioned, he did find a solution.

                                    I'd qualify that as a workaround. And sadly, I also have to agree with @JaredBusch that it is more work and maintenance.

                                    I realize that he's trying to avoid building a full-on mesh network, but assuming he's got a few spare IPs to rob from his DHCP Server, a ZT Bridge could work (http://www.mangolassi.it/topic/8566/zerotier-bridging-configuration) without quite as much ongoing maintenance afterwards.

                                    AD relies on DNS.
                                    Not getting the wrong answer for a URL lookup also relies on getting an answer from the right DNS server at the right time.

                                    So now that we know it all works as expected, the question is can I configure DNS to act how I want in Windows easily.

                                    Easiest example: use the IPv4 DNS server always unless something is not found (such as domain.local).
                                    When something is not found query the IPv6 DNS backup only.

                                    This has nothing to do with ZeroTier at this point other than ZeroTier is where the IPv6 connectivity is coming from.

                                    What would happen if you added Google's Public DNS to the IPv4 stuff on the ZT Adapter?

                                    Oh wait... you only have IPv6 enabled on ZT... Hmm...

                                    The computer is working properly and getting the ownCloud IP from the DC because it knows where the DC is. The question is can I force DNS to behave like I want.

                                    • A
                                      adam.ierymenko @JaredBusch
                                      last edited by

                                      @JaredBusch Just checking in on this. So the final issue is: you folks want to consult the AD DNS server(s) only for names within AD, but want to consult the host's default regular DNS servers for the Internet. Is that correct?

                                      • A
                                        adam.ierymenko @JaredBusch
                                        last edited by

                                        @JaredBusch What's wrong with using the AD servers for all DNS? Other than reliability?

                                        Note that ZT does not depend on DNS, so ZT will work if DNS is not up.

                                        • A
                                          adam.ierymenko @JaredBusch
                                          last edited by

                                          @JaredBusch I used teh Google a little and found this open source project:

                                          https://github.com/stackia/DNSAgent

                                          Never used it but it looks promising. This could be installed on a client machine and then you could configure it to route DNS queries to different servers by regex of the DNS name.

                                          Looks source only so you'd need to build. Has a .sln file.

                                          • JaredBuschJ
                                            JaredBusch @adam.ierymenko
                                            last edited by

                                            @adam.ierymenko said:

                                            @JaredBusch Just checking in on this. So the final issue is: you folks want to consult the AD DNS server(s) only for names within AD, but want to consult the host's default regular DNS servers for the Internet. Is that correct?

                                            No, I want DNS only so far as AD authentication. I want all DNS to use the DHCP-assigned DNS that the primary network adapter gets.

                                            I am not having any problems with ZeroTier as stated above.

                                            ZT works perfectly as designed. I am not trying to limit DNS in Windows.

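Added example, not from the thread, from ZeroTier or from the DNSAgent project: the per-name routing that @JaredBusch asks for (only AD names go to the DC over ZeroTier, everything else stays on the DHCP-assigned resolvers) and that DNSAgent does by regex can be expressed on the Windows client itself as a Name Resolution Policy Table (NRPT) rule. The DC's ZeroTier IPv6 address and the ownCloud hostname are placeholders; the AD suffix follows the domain.local example in the thread.

```powershell
# Added example (not from the thread). Windows NRPT: answer everything under
# ".domain.local" from the DC reached over ZeroTier, leave every other name on
# the adapter's DHCP-assigned resolvers. Addresses and hostnames are ASSUMED.
$AdSuffix = ".domain.local"       # leading dot = every name under the suffix
$DcOverZt = "fd00::1"             # ASSUMED: FSLDC02's ZeroTier IPv6 address
$RuleTag  = "ZeroTier AD DNS"     # comment we use to find our own rule again

function Set-ZtAdDnsRule {
    param([string]$Namespace, [string[]]$NameServers, [string]$Comment)
    # Remove any earlier copy of our rule so re-running the script is idempotent
    Get-DnsClientNrptRule | Where-Object { $_.Comment -eq $Comment } |
        ForEach-Object { Remove-DnsClientNrptRule -Name $_.Name -Force }
    Add-DnsClientNrptRule -Namespace $Namespace -NameServers $NameServers -Comment $Comment
}

function Test-ZtAdDnsRule {
    param([string[]]$Names)
    # Resolve-DnsName goes through the Windows DNS client, so it honours NRPT;
    # nslookup talks to a server directly and ignores it, so it is no test here.
    foreach ($n in $Names) {
        try {
            $a = Resolve-DnsName -Name $n -Type A -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
            "{0,-28} -> {1}" -f $n, $a.IPAddress
        } catch {
            "{0,-28} -> no answer: {1}" -f $n, $_.Exception.Message
        }
    }
}

Set-ZtAdDnsRule -Namespace $AdSuffix -NameServers @($DcOverZt) -Comment $RuleTag
Get-DnsClientNrptRule | Where-Object { $_.Comment -eq $RuleTag } |
    Format-List Namespace, NameServers, Comment

# The AD name (including the _ldap/_kerberos SRV records the logon needs) is
# answered by the DC; the public name never reaches the DC, so a split-horizon
# zone there cannot hand back a LAN address. This only helps when the public
# name is NOT itself under the AD suffix.
Test-ZtAdDnsRule -Names @("fsldc02.domain.local", "owncloud.example.com")
```

Run it in an elevated PowerShell on the laptop; because the rule is keyed on the DNS suffix rather than on the ZeroTier adapter, it keeps working whichever adapter the DC is reached over.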