Synology (MS) Active Directory
July 1, 2019 at 10:52 pm #34617
Certain Synology servers – they must have Intel CPUs – usually the + model in the range, now have Samba’s reverse engineered Active Directory. I believe it’s based on 2008. Following a How To setting it up was relatively easy, but as usual getting everything working correctly was another matter.
The first thing was DNS, it sets the NAS up as a DNS server and creates the records for the Domain. It took me a while to work out how to get the PiHole into the mix. Adding the NAS as an upstream DNS resolver made no difference, in the end I set up a conditional forward for gifford.local (the name of the Domain) to the NAS and that did the trick.
Permissions, I was expecting trouble here and I got it. The AD user permissions are separate from the NAS user permissions. I found a Synology How To to set the permissions on the Share that would be used to hold the user profiles. No joy, the client couldn’t find the profile share. I had to set up Advanced Shared Permissions and give the Domain Users Group read / write permissions here too. Advanced Permissions combines the Windows ACL and Synology DS permissions and only users with the correct perms in both have access.
So now the first test VM could join the Domain (DNS correct) and connect a user (perms correct). A simple login script dealt with a drive mapping to a data share on the NAS. Home drive didn’t seem to be working but could wait. Logged of, checked the NAS share and the profile was there.
Second test VM joined the domain OK but couldn’t connect to the users profile, it created a temporary one. Checked the machine had been added to the Domain, I knew the user perms were OK. Turns out the first VM had updated to W10 ver 1903 (the latest), this VM was still on 1809. When you do a major update to Windows – could even be a service pack in the old days – it changes the profile rules. Once you log on from an updated machine you cannot login from an older machine. Updated to 1903 and all OK. I set up Outlook on this machine then logged off.
Added my real laptop to the Domain and after a reboot logged into the domain user. All files where they should be and Outlook all set up.
Time to look at the Home issue, turns out I needed to explicitly enable user Homes in AD as well as the NAS. A tick box later and that was sorted.
Next job is to look at automatically deploying software through Group Policy Objects. First hurdle, the latest W10 versions have Domain Admin tools built in but they don’t work, probably because the Samba AD is based on an older version. I installed the old RSAT tools and they seem to work, but Synology don’t add and Admin Access for anyone by default. Adding the Domain\admin group sorted that. I am still getting some errors but things still seem to happen.
That’s for later. Meanwhile I now have a basic AD setup that will allow small businesses to easily deal with multiple users. Log into any PC and your data and email follows you. Users and security settings are all managed in one place.
The price of a Synology 2 Bay DS218+ is £310 (+ drives), that’s £50 cheaper than a HPE ProLiant Gen10 MicroServer plus you need another £330 for Windows Server 2016 Essentials. If you’re happy to use Synology’s collaboration tools of Office, Mail, Shared Drives, Chat etc. You needn’t spend a penny more.
July 3, 2019 at 9:50 am #34650
I guess you need a domain and AD to support all your IoT customers. You may be interested in this FREE O’Reilly book.
“In this free ebook, Oracle’s Laurent Gil and Recorded Future’s Allan Liska look at the strengths (and limitations) of AI- and ML-based security tools for dealing with today’s threat landscape—including quickly identifying threats, connecting attack patterns, and allowing operators and analysts to focus on their core mission. You’ll also learn how managed security service providers (MSSPs) use AI and ML to identify patterns from across their customer base. It’s not Robocop—but it’s getting closer.”
Too complex for my simple needs but I guess if you have a load of customers with unknown insecure practices it may become important.July 3, 2019 at 10:05 am #34651
If any of your customers are bleeding edge IoT users I can see that they REALLY will need support judging from this Zipato screwup which could leave them locked out of their office etc., or all their LED lights flashing to the rhythm of The Clash!July 3, 2019 at 11:10 am #34653
The Clash ? Not so baf ?July 3, 2019 at 11:10 am #34654
BadJuly 4, 2019 at 10:22 am #34665
Unfortunately I see the Zipato attitude displayed by most “white van man” installers and the OEMs they use. They don’t have an IT background and are used to plugging proprietary kit into various cables and doing some basic set up – think Sky. You can bet any Technomate kit’s password will still be 0000. Some of the smaller companies can be as bad as the boss probably had a white van at some time.
They don’t understand the concept of security whatsoever and view it as a PITA. They will use third party apps to provide remote viewing to the (cheap) generic kit they install.
That’s why there’s a code of conduct being put together very much like that of California. Hikvision are involved and for the last 4 or 5 years a camera or NVR cannot be used until activated and a strong password created. You can get a password reset but have to prove ownership or a good reason why you are doing it. That needs a relationship with one of the 3 top suppliers. If you do a physical factory reset you have to go through activation again.
Even on OEM training courses I’ve seen a lax attitude to networking issues like bandwidth. The local IT guy is seen as an obstacle not someone who you need a working relationship with. This is improving though as some of the “old hands” from the analogue days move on.
As with Zipato, the attitude of the OEMs will be key to sorting this as most installers don’t give a monkeys even if they’re aware of any implications. The same is true of Home owners doing some DIY, which is increasingly the case.July 4, 2019 at 1:57 pm #34667
RichardParticipant@sawbomanForumite Points: 2,303
There is no getting away from it, if You want to get something done, security is an obstruction, but if you want to stop someone else misusing your set up, security is essential. The arrival of one the pretty amazing new stuff (PANS) things generates the desire to just make-it-work is often pandered to by those who seek only user satisfaction and a lack of user complaints of difficulty getting things started.
I agree that this is most acute with home gismos but even in a work situation security is often seen as ‘the enemy’. Almost no one wants to think about ‘what could go wrong and how to stop it happening.’ On another site there has been a row over the idea of outsourcing some software design to a poor chap in a shack in India on minimum pay as some thought it implied that the chap in a shack was dedicated to only turn out sloppy work. In fact the device builder was dedicated to doing the least possible for the lowest price achievable. They wrote the specification – there was a specification I trust, (a lesson for Boeing somewhere in there) but it will not have included any very meaningful references to a security module in most cases. Do not all put your hands up at once, but how many have come across shared use of logins and passwords. Or even the idea that the most deadly levels of access were assigned to the most senior persons on site, even though they would never understand the access implications and never use the access anyway, it was then shared with most of the staff who had some rudimentary need or understanding. So much for audit rails in those cases!
So Dave I agree, so until the OEMs either decide or are forced to decide to wake up and do something at least minimally sensible with their (hopefully) included security modules no one else can or will ever make the necessary changes.July 4, 2019 at 7:46 pm #34673
My mate who was a security professional of the ‘bang shoot dead’ variety stated that security always has to be appropriate to the task. Lock something down 100% and the insiders will start to break open the security and normally in ways that makes them or the installation harder to protect. By definition this also meant that it was necessary to detail the task and the malefactors.July 4, 2019 at 8:23 pm #34674
Anyone remember when ISP’s used to supply their routers with no WiFi password, just to make setup easy ?July 4, 2019 at 9:14 pm #34675
In the days of running a WISP, we used to drive around with a mag aerial on the car to check our coverage. The number of open networks was amazing.July 5, 2019 at 11:17 am #34676
RichardParticipant@sawbomanForumite Points: 2,303
My mate who was a security professional of the ‘bang shoot dead’ variety stated that security always has to be appropriate to the task. Lock something down 100% and the insiders will start to break open the security and normally in ways that makes them or the installation harder to protect. By definition this also meant that it was necessary to detail the task and the malefactors.
I tend to agree with most of that statement, though I am not sure it is always essential to detail the malefactors in less stressful situations. The access to functions is defined by a person’s role, this should have the effect of automatically excluding those who lack that initial pass through the authorisation gate. The problems start to arise when someone’s role should enable them to pass the checks but the system fails to allow them the expected access. Unfortunately this broad definition also includes those who fail to gain control because of the overly complex or trying access methods employed. A bypass then becomes vital.
I have an example of this effect with a little used credit card account that is having the existing on-line access and payment methods withdrawn in favour of a selection of methods I find personally unacceptable. The result will be that I shall be using a cheque payment dropped into the Post Office in the future. I am not sure this increase in cheque use was what they wanted to achieve, but it is the result they have produced.July 5, 2019 at 2:55 pm #34677
There must have been a whiff of litigation in the air. There’s just been an update that changes the application name to “Directory Server for Windows Domain”. The description also makes it very clear it’s the Samba project.July 5, 2019 at 7:52 pm #34685
I am actually surprised that anything ever gets authorised on a Windows domain based network ?
Have a look at the link above for how Kerberos is involved with active directory.July 5, 2019 at 10:52 pm #34690
“Although Kerberos might seem like black magic to many systems administrators”
Yep, that’s pretty much how I look at it.
I view DNS in much the same way but had to get down and dirty with it or just accept the DC had to be the DNS server too, which would have stopped my PiHole. Luckily many other people have had the same issue (with MS AD) and I got a clue of what I had to do (redirect any requests for the domain FQDN to the DC) but not an actual How To.
In my career I’ve had a terrible time explaining to customers that what they see advertised (things like roaming) is actually fraught with difficulty and even when set up has to be maintained by a real person and that person will need to be paid! Not least because the very people that advertise it will also be the ones that throw spanners in the works, often with no notice to the little people.
It was bad enough getting in the loop when working for huge Corporates, when you’re out there on your own dealing with small businesses you just can’t be. Even Synology now expect you to pay for the meatier part of training days. Only 2 years ago they were enticing me with a NAS at cost.July 6, 2019 at 7:40 am #34694
It may have been easier to follow the extremely turgid write-up if the essential diagrams were not 404’d!July 6, 2019 at 9:17 am #34698
Sorry about the 404’s. It did work when first looked at it but not now ?July 6, 2019 at 9:27 am #34699
Above is a slightly more specific link from Microsoft.July 6, 2019 at 9:31 am #34701
And a link that covers Windows authentication in more general terms.July 6, 2019 at 12:44 pm #34709
Richard, actually my friends comments were applicable to the IT situation, (despite his, at the time IRA focus), and that different responses were necessary for different people.
e.g. Just visiting – basically need to lock out completely and handle DDOS (not much of a problem in my day)
Guest – Basic authorities only, but they are through the big steel shutters so need to ensure elevation of privileges is handled.
Users – Layered by function etc. etc.
I will not belabour it, but the examples give you a feel for what he was trying to get me to focus on. In fact it is very similar to M$’s basic authority levels plus a bit.
You must be logged in to reply to this topic.