ISEAGE Cyber Defense Challenges

Add Students to Active Directory

You will be expected to have students in your Active Directory server. Please follow the directions below to add them.

You will need the files AddUsersAD.ps1 and Users_CURRENT.csv; they are located in the scenario folder.

  1. Log in as an Administrator on your Active Directory VM.
  2. Download the files from the scenario folder.
  3. Open PowerShell in the Downloads folder (type cd $env:USERPROFILE\Downloads to get there).
  4. Edit line 5 of the script and change team42 to teamN, where N is your team’s number.
  5. Execute the PowerShell script .\AddUsersAD.ps1

Users should now be imported into Active Directory. Verify this by opening Server Manager and looking at the user list.
Note: you might need to modify the script to fit your needs.

Changing the default domain for the IIS FTP server

In a command prompt, navigate to the AdminScripts directory (probably C:\Inetpub\AdminScripts\) and run the following:

cscript adsutil.vbs set msftpsvc/DefaultLogonDomain teamN.isucdc.com

where N is your team number.

Tutorial: PAM LDAP Authentication against Active Directory on Debian/Ubuntu

Using the LDAP plugin available for PAM, it’s possible to do LDAP authentication without joining the domain. Note, however, that this requires installing Identity Management for Unix on your domain controllers. See this tutorial for more information.

Before we proceed, it’s a good idea to take a snapshot. I’ll wait for you to do that.

Okay, let’s install the required packages:

apt-get install libnss-ldapd libpam-ldapd

Now edit /etc/nslcd.conf. This assumes the user you created for binding to AD is named “ldap”.

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://teamN.isucdc.com

# The search base that will be used for all queries.
base dc=teamN,dc=isucdc,dc=com

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
binddn ldap@teamN.isucdc.com
bindpw <password>

# The DN used for password modifications by root.
# Leave this blank unless you want to allow password changes from your Debian systems.
# If so, you will need to place the password in /etc/ldap.secret - be sure it is only readable by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# The search scope.
scope sub

# Mappings for Active Directory
# This is the important bit; these fields match up with the fields added by Directory Services for UNIX
pagesize 1000
#referrals no
filter passwd (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
# If you wish to override the shell given by LDAP, uncomment the next line
#map    passwd loginShell       "/bin/bash"
filter shadow (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (&(objectClass=group)(gidNumber=*))
#map    group  gid              member

# SSL options
tls_reqcert never
#ssl start_tls
#ssl on
#tls_cacertfile /etc/ssl/ca.pem

After you edit this file, restart nslcd and nscd:

service nslcd restart
service nscd restart

Now edit /etc/nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns ldap
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Make sure LDAP authentication is enabled by running

pam-auth-update

In /etc/pam.d/common-session, add the following at the bottom of the file. This will make home directories for users that have never logged in before. Be careful – mis-editing PAM configuration could permanently lock you out of your system! Take a snapshot before proceeding.

# make home directories
session required   pam_mkhomedir.so skel=/etc/skel/ umask=0077

This umask will prevent users from reading each other’s home directories. If you’d prefer to be more open, use umask=0022 instead.

You can test this out by restarting sshd (service ssh restart) or by rebooting. If you managed to accidentally completely lock yourself out, revert to that snapshot you took earlier.
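Before you reboot, it is worth checking the three files this tutorial edits for the mistakes that either lock you out or expose the bind account. The script below is an added example, not part of the original tutorial: it runs against constructed copies of nslcd.conf, nsswitch.conf and common-session (team number left as the hypothetical "teamN", password replaced by a placeholder), so it can be tried safely, and the audit_* functions can then be pointed at the real files under /etc. The hardened nslcd sample uses the ssl start_tls and tls_cacertfile options the tutorial leaves commented out; with the settings as written above (ldap:// plus tls_reqcert never), the bind password crosses the network in cleartext to whichever host answers for the domain controller.

```shell
#!/bin/sh
# Pre-reboot sanity check for the nslcd / nsswitch / PAM changes above.
# Works on constructed copies of the configs (hypothetical team "N"); point
# the audit_* functions at /etc/nslcd.conf etc. once you trust the output.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Constructed sample: the tutorial's settings as written (cleartext LDAP,
# no certificate check, bind password in a world-readable file).
cat >"$WORK/nslcd.weak.conf" <<'EOF'
uri ldap://teamN.isucdc.com
base dc=teamN,dc=isucdc,dc=com
binddn ldap@teamN.isucdc.com
bindpw PLACEHOLDER-not-a-real-password
tls_reqcert never
#ssl start_tls
EOF
chmod 644 "$WORK/nslcd.weak.conf"

# Constructed sample: same bind, but STARTTLS with a verified DC certificate
# (the options the tutorial leaves commented out) and root/nslcd-only perms.
cat >"$WORK/nslcd.hardened.conf" <<'EOF'
uri ldap://teamN.isucdc.com
base dc=teamN,dc=isucdc,dc=com
binddn ldap@teamN.isucdc.com
bindpw PLACEHOLDER-not-a-real-password
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/ca.pem
EOF
chmod 640 "$WORK/nslcd.hardened.conf"

# Constructed nsswitch and common-session samples: the tutorial's order
# versus ldap-first, and the tutorial's umask versus the "more open" one.
printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n' >"$WORK/nsswitch.good.conf"
printf 'passwd: ldap files\ngroup: ldap files\nshadow: files ldap\n' >"$WORK/nsswitch.bad.conf"
printf 'session required   pam_mkhomedir.so skel=/etc/skel/ umask=0077\n' >"$WORK/session.good"
printf 'session required   pam_mkhomedir.so skel=/etc/skel/ umask=0022\n' >"$WORK/session.open"

# Active (uncommented) value of a directive; empty if absent. Comment lines
# never match because their first field starts with '#'.
conf_get() { awk -v k="$2" '$1==k {print $2; exit}' "$1"; }

# nslcd.conf: flag the settings that let someone on the network read the
# bind credentials. Prints one WARN: line per finding and always exits 0.
audit_nslcd_conf() {
  f=$1; uri=$(conf_get "$f" uri); ssl=$(conf_get "$f" ssl); rc=$(conf_get "$f" tls_reqcert)
  case "$uri" in ldap://*)
    if [ "$ssl" != on ] && [ "$ssl" != start_tls ]; then
      echo "WARN: plain ldap:// without 'ssl start_tls': binddn/bindpw are sent in cleartext"
    fi ;;
  esac
  case "$rc" in never|allow)
    echo "WARN: tls_reqcert $rc: the DC certificate is not verified (use 'tls_reqcert demand' + tls_cacertfile)" ;;
  esac
  # ls -l columns 8-10 are the "others" permission bits.
  if [ -n "$(conf_get "$f" bindpw)" ] && [ "$(ls -l "$f" | cut -c8-10)" != "---" ]; then
    echo "WARN: bindpw is stored in $f but the file is world-readable (chmod 640 root:nslcd)"
  fi
  return 0
}

# nsswitch.conf: 'files' must precede 'ldap' for the three account databases,
# or a local root login fails whenever the domain controller is unreachable.
audit_nsswitch_conf() {
  for db in passwd group shadow; do
    first=$(conf_get "$1" "$db:")
    [ "$first" = files ] || echo "WARN: $db lookups start with '${first:-nothing}', not 'files'"
  done
  return 0
}

# common-session: confirm the pam_mkhomedir line exists and report its umask.
audit_pam_session() {
  line=$(grep -E '^session[[:space:]]+required[[:space:]]+pam_mkhomedir\.so' "$1" | head -n 1)
  case "$line" in
    "")           echo "WARN: no pam_mkhomedir line: first-time logins get no home directory" ;;
    *umask=0077*) echo "OK: new home directories are created mode 0700 (umask 0077)" ;;
    *umask=0022*) echo "WARN: umask=0022 makes new home directories world-readable (mode 0755)" ;;
    *)            echo "WARN: pam_mkhomedir has no explicit umask (the module defaults to 0022)" ;;
  esac
  return 0
}

# Number of WARN: lines one audit function emits: count_warnings FUNC FILE
count_warnings() { "$@" | awk '/^WARN:/ {n++} END {print n+0}'; }

for s in nslcd.weak.conf nslcd.hardened.conf nsswitch.good.conf nsswitch.bad.conf; do
  case "$s" in nslcd*) fn=audit_nslcd_conf ;; *) fn=audit_nsswitch_conf ;; esac
  echo "== $s: $(count_warnings $fn "$WORK/$s") warning(s)"; $fn "$WORK/$s"
done
audit_pam_session "$WORK/session.good"; audit_pam_session "$WORK/session.open"
```

Run it as a normal user first; it only reads the constructed files. On a real host, `audit_nsswitch_conf /etc/nsswitch.conf` is the check that matters most before rebooting, since a local root login through `files` is what gets you back in if nslcd cannot reach the domain controller and you have no snapshot.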