Not working when at home connected to VPN about adpassmon HOT 21 CLOSED

Do you know if your VPN allows split tunnels, or when activated does all network traffic go over the vpn connection?

from adpassmon.

FWIW, I use Cisco's In-Built VPN client too & have been working from home since October 22nd.

ADPassMon works for me.

On 20 Jan 2016, at 19:55, Peter Bukowinski [email protected] wrote:

Do you know if your VPN allows split tunnels, or when activated does all network traffic go over the vpn connection?

—
Reply to this email directly or view it on GitHub.

from adpassmon.

Our VPN allows split tunneling

from adpassmon.

So is split tunneling an issue?

from adpassmon.

Likely yes, but it probably depends on the specifics of your tunnel and routing table.

On Jan 22, 2016, at 5:30 PM, amusser [email protected] wrote:

So is split tunneling an issue?

—
Reply to this email directly or view it on GitHub.

from adpassmon.

"The value for myLDAP is being set to my home router instead of the DC"

That really strikes me as odd.

from adpassmon.

@amusser Were you running the script when having had a kerberos ticket issued?

from adpassmon.

Yes I am running the script while I have a ticket

from adpassmon.

@amusser can you try? https://gist.github.com/macmule/a6bbd0d567fec5f2b5d2

It's basically the same thing as what @pmbuko passed you, just horribly written in python.

Only difference is that is will get a list of all ldap servers & if it fails to get a value from one, it'll move to the other.

from adpassmon.

Getting the follow error:

Traceback (most recent call last):
File "./PassMon.py", line 120, in
for index, item in enumerate(searchBase):
NameError: name 'searchBase' is not defined

from adpassmon.

Right.

What does the output of: klist --json

Look like?

Regards,

Ben.

On 24 Jan 2016, at 02:59, amusser [email protected] wrote:

Getting the follow error:

Traceback (most recent call last):
File "./PassMon.py", line 120, in
for index, item in enumerate(searchBase):
NameError: name 'searchBase' is not defined

—
Reply to this email directly or view it on GitHub.

from adpassmon.

@amusser I've updated the gist.. can you try it again please? https://gist.github.com/macmule/a6bbd0d567fec5f2b5d2

from adpassmon.

ERROR: No LDAP servers found

from adpassmon.

@amusser One last thing to try (change mycompany.com for your domain):

dig -t srv _ldap._tcp.mycompany.com +noall +answer

You should receive:

;; Truncated, retrying in TCP mode.
; <<>> DiG 9.8.3-P1 <<>> -t srv _ldap._tcp.mycompany.com +noall +answer
;; global options: +cmd
_ldap._tcp.mycompany.com. 600 IN SRV 0 100 389 dc03.mycompany.com.
_ldap._tcp.mycompany.com. 600 IN SRV 0 100 389 dc02.mycompany.com.

If not, then then something on the VPN is not allowing the queries.

If you get a reply, can you post a redacted version of it?

from adpassmon.

It's not returning anything. Could this have anything to do with cached credentials?

from adpassmon.

Nope.

That's more of a network lookup & is completely separate from credentials.

What's happening is that ADPassMon is realising it cannot connect to your domain & as is acting accordingly.

So ADPassMon is working correctly for how your VPN is setup.

As mentioned, similar VPN & the dig command returns LDAP servers for me.

On 24 Jan 2016, at 17:27, amusser [email protected] wrote:

It's not returning anything. Could this have anything to do with cached credentials?

—
Reply to this email directly or view it on GitHub.

from adpassmon.

OK. I'll research this further from my end. Thanks for all your help.

from adpassmon.

No problem.

I don't think we process this further & I'll close this issue off in a few.

Regards,

Ben.

On 24 Jan 2016, at 17:49, amusser [email protected] wrote:

OK. I'll research this further from my end. Thanks for all your help.

—
Reply to this email directly or view it on GitHub.

from adpassmon.

Reopening as @bp on slack is seeing the same.

Looks like domain lookup failing as dig result does not contain an answer section, but an authority section.

from adpassmon.

; <<>> DiG 9.8.3-P1 <<>> +time=2 +tries=1 -t srv _ldap._tcp.company.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30296
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.company.com.    IN    SRV

;; AUTHORITY SECTION:
company.com.    3600    IN    SOA    NS87.WORLDNIC.com. namehost.WORLDNIC.com. 116032214 10800 3600 604800 3600

;; Query time: 5 msec
;; SERVER: 172.20.10.1#53(172.20.10.1)
;; WHEN: Tue Mar 22 17:01:19 2016
;; MSG SIZE  rcvd: 103

Example from @bp

What ADPassMon expects:

;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.3-P1 <<>> +time=2 +tries=1 -t srv _ldap._tcp.pretendco.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13329
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 31, AUTHORITY: 0, ADDITIONAL: 25

;; QUESTION SECTION:
;_ldap._tcp.pretendco.com.    IN    SRV

;; ANSWER SECTION:
_ldap._tcp.pretendco.com. 600    IN    SRV    0 100 389 dc-04.pretendco.com.

;; ADDITIONAL SECTION:
dc-04.pretendco.com.    3600    IN    A    10.1.2.16

from adpassmon.

So, this issue is due to some SSL VPN's causing ADPassMon to have issues looking up details etc.

Currently, I'll not be able to test anything in relation to this. So will close off for now, sorry folks.

from adpassmon.