Getting a Windows XP workstation to join a domain with a Windows 2019 Server domain controller requires more than just enabling SMBv1, despite what most Google results on the topic would tell you. My former colleague and I had attempted to upgrade our DC a few years back from Windows 2012R2 to Windows 2019. In doing so, we found that all Windows XP SP3 workstations began to exclaim that their trust relationship with the domain had ended. Attempting to rejoin the domain resulted in a failure message of “An internal error occurred.”
It turns out, the XP machines also require Hotfix KB969442 and Security Patch to fix a problem XP has with AES.
The hotfix requirement was mentioned in passing on Reddit a few years ago. But I also found a reference to this KB in another blog post which itself references an even older blog post from 2011.
That original 2011 blogger to his credit provided specific Wireshark evidence showing how the original Windows XP kerberos.dll had a bug that prevented it from handshaking with the DC using AES. I presume that our Windows 2012R2 server (running at a 2012R2 functional level) permitted RC4 fallback in a manner that Windows 2019 does not.
To test the efficacy of these changes, I started first with a Windows 2019 Standard Server edition with SMBv1 enabled. I promoted this server to a domain controller and attempted to join my WinXP SP3 VM to its domain. I got the internal error.
I then applied the Hotfix and tried again. Voila!
Lastly, to confirm that SMBv1 is required here, I disjoined the XP machine from the domain and disabled SMBv1 on the domain controller.
Set-SmbServerConfiguration -EnableSMB1Protocol $false
Interestingly, the error message that resulted was different this time. “The specified network name is no longer available.”
Just a quick blurb about the Azure-based web application service that I set up for my cybersecurity website.
Hello. I have not been keeping this blog up to date much lately. My cybersecurity bootcamp started on Halloween and we just completed the fifth week, covering system administration basics like auditing and logging. This week we’ll be doing bash scripting. So far it’s been a pretty easy course. I’ve consistently been about a week ahead on the homework. I just recently looked over the first project that will come due in February, and it’s about a domain and a blogging website. So I guess I was on the right track setting this one up. I really have enjoyed working in Linux and hope to continue that more.
Oh, got myself a new car! 2023 Nissan Leaf — I’m all-electric now. Just tacked on the 500th mile on the odometer. It’s a comfortable and quiet improvement over the 2011 Honda Fit.
Now is also the time of year when I need to start using up my vacation. I took Thanksgiving week off and enjoyed the relaxation. My friend Laura was cat sitting and the host was gracious enough to let us use her kitchen for making dinner.
And now that it’s December I’m taking Mondays and Wednesdays off. 1 day on, 1 day off, 2 days on, 3 days off. That’s a nice schedule. I might have to bake some bread or something for the coworkers.
Meanwhile, the leaves are everywhere right now! As the only real caretaker of my COA, I have already filled up our green recycling bin completely. Otherwise this would be a great day to take on some yardwork, I just don’t have a place to put them right now. They get picked up tomorrow, but there’s also a storm coming through. Oh well.
Another positive thing recently is reconnecting with my friend Tara and my old bandmates from college. I had gone looking through old cassette tapes and realized I had no way to play them anymore. I found a cheap tape-to-mp3 transcriber and enjoyed listening to some old sounds we made back in the day. I think they were amused by them as much as I was. Plus it makes it all the easier to visit again in person after breaking the ice with the unexpected “lost tracks” of Soulcraft.
Well the sun is out, maybe I should try getting a walk in while I can. Here’s a picture of Mt. McLoughlin I took last Friday.
Over the last two months I’ve been working on learning more about cybersecurity. I’ve signed up for a 6-month bootcamp course to that end. It starts at the end of the month and will probably occupy most of my free time. In the end, you get a credit towards taking the CompTIA Security+ exam for certification. It’s been a while since I’ve been a student — just a little longer than it’s been since I’ve last brushed up my resume.
In the meantime, I’ve been pleasantly surprised at how many skills that I’ve picked up over the years have helped me catch on to the exercises offered by Hack the Box. Even so, the labs there are extremely challenging. There are so many hacking tools out there, each of them with a myriad of options to invoke. But before you can even get there, you have to perceive what obstacles are preventing you from your goal. That is where understanding the fundamentals of operating systems, databases, communication protocols, and scripting all help. I only recently climbed from Noob to Script Kiddie on that platform, but I feel like my brain has stretched out and is thinking more creatively in doing so.
Here are some images from my early morning runs this past month.
I recently read this post by Carlos Fenollosa lamenting the difficulties hosting your own email server. I can understand where he’s coming from and he makes some solid points. So far I’ve been fortunate enough to have avoided being blacklisted with one exception. Proofpoint is the only mail relay that blocks my mail. I’ve tried contacting them 5 times and have given up. Unfortunately they are the relay my current employer uses.
I admit, I had not considered that market forces may be working against private hosting in the way Fenollosa describes. It makes sense though. The practice of blacklisting blocks of addresses indefinitely with no recourse for appeal is the laziest shotgun approach, yet there is no incentive to do otherwise. Solutions like requiring blacklisting to be temporary don’t seem to have a technical means of enforcement. It would have to be mandated by law for the practices to change.
Oh well. I’ve loved the experience and would recommend it to anyone interested in diving into system administration. It’s been a long time since I’ve had such a concentrated effort put into research for its own sake.
I bake bread fairly often, usually sourdough. Last night I had three mini-loaves baking showing some great oven spring. Sadly I burnt them all to a crisp. What could have distracted me so much?
Sadly, it was just me getting confused over why the website wasn’t getting DNS resolution. DNSChecker.org was showing that phasedoor.com was correctly resolving everywhere, so why couldn’t I navigate there? The IP address was up. Dig showed that everything was fine.
Then I noticed this CD flag checkbox. Say what does that do?
Toggling it off and requerying — oh DNSSEC must have expired. I guess it has been 30 days since I last updated my DNS. Wow, time flies.
sniff sniff “What’s that sm… oh noooo!”
Lesson learned — run a cron job every 4 weeks to update DNS to keep DNSSEC from burning your bread.
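To catch this before a validating resolver starts refusing the zone, the expiration field of each RRSIG record can be checked on a schedule. The following is an added example, not part of the original post; the `dig +dnssec` answer lines, the example.com names and the 7-day warning threshold are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed `dig +dnssec example.com` answer lines (signatures are placeholders).
SAMPLE_ANSWER = """\
example.com. 3600 IN A 192.0.2.10
example.com. 3600 IN RRSIG A 13 2 3600 20230115000000 20221216000000 12345 example.com. c2FtcGxlLXNpZw==
example.com. 3600 IN RRSIG MX 13 2 3600 20230101000000 20221202000000 12345 example.com. c2FtcGxlLXNpZw==
"""

def _ts(field):
    """RRSIG times are printed as YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Return (owner, type_covered, inception, expiration) for each RRSIG line."""
    out = []
    for line in text.splitlines():
        f = line.split()
        # owner ttl class RRSIG covered alg labels origttl expiration inception ...
        if len(f) >= 10 and f[3] == "RRSIG":
            out.append((f[0], f[4], _ts(f[9]), _ts(f[8])))
    return out

def check(text, now, warn_days=7):
    """Classify each signature as EXPIRED, NOT_YET_VALID, EXPIRING or OK."""
    report = []
    for owner, covered, inception, expiration in parse_rrsigs(text):
        days_left = (expiration - now).total_seconds() / 86400
        if now >= expiration:
            status = "EXPIRED"
        elif now < inception:
            status = "NOT_YET_VALID"
        elif days_left <= warn_days:
            status = "EXPIRING"
        else:
            status = "OK"
        report.append((owner, covered, status, int(days_left)))
    return report

if __name__ == "__main__":
    now = datetime(2023, 1, 10, tzinfo=timezone.utc)  # fixed clock for the sample
    for row in check(SAMPLE_ANSWER, now):
        print(*row)
```

Run daily against real `dig +dnssec` output with `now=datetime.now(timezone.utc)`, any EXPIRING row is the cue to re-sign the zone before resolvers that validate start failing it.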
Over the weekend I was talking to my son about the setup of this VPS and how it could be used for setting up temporary email accounts to avoid spam. Even as I was talking about it though, I realized I didn’t have an easy method of providing other email users a way of managing their password. Not only that, but I figured he’d be disinclined to install Thunderbird just to get his junk mail account. No, what I needed was a web interface for email.
At first I went with squirrelmail, since I remember that was a piece of cake to set up. And it was easy to set up again this time around. However, I really did not like what I saw when it came to password maintenance integration. The plugins offered were ancient and opened up security issues I wasn’t comfortable with. Maybe squirrelmail was just too old of a project.
So I decided to go with roundcube. It took two efforts to get the installation wizard to function, but once it did it was pretty slick. I got the password plugin installed, but I had to get under the hood with the dovecot passwd file driver. Looks like the author had attempted to replace existing lines with new password hashed using substr, but it just ended up appending the new data to the old data, effectively corrupting the passwd file. It was a simple fix once I determined which script was the culprit. I like roundcube’s interface and it seems to be well-organized. 8/10 would recommend.
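A password change in a Dovecot passwd-file should touch only the second colon-separated field of one user's line and should never leave a partly written file behind. The following is an added example, not the plugin's code and not the fix from this post; the sample users, the placeholder hashes and the function names are constructed assumptions.

```python
import os
import tempfile

# Constructed Dovecot passwd-file content (hashes are placeholders, not real).
SAMPLE = (
    "alice@example.com:{SHA512-CRYPT}$6$oldsaltA$oldhashA::::::\n"
    "bob@example.com:{SHA512-CRYPT}$6$oldsaltB$oldhashB:5000:5000::/var/mail/bob::\n"
)

def replace_hash(content, user, new_hash):
    """Return content with only `user`'s password field (2nd field) replaced."""
    if ":" in new_hash or "\n" in new_hash:
        raise ValueError("hash would break the colon-separated record")
    out, found = [], False
    for line in content.splitlines(keepends=True):
        fields = line.rstrip("\n").split(":")
        if fields[0] == user and len(fields) >= 2:
            fields[1] = new_hash          # swap the field, keep uid/gid/home/extras
            line = ":".join(fields) + "\n"
            found = True
        out.append(line)
    if not found:
        raise KeyError(user)              # refuse to append an unknown user
    return "".join(out)

def update_file(path, user, new_hash):
    """Rewrite the file atomically so readers never see a half-written copy."""
    with open(path, encoding="utf-8") as fh:
        updated = replace_hash(fh.read(), user, new_hash)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(updated)
        os.chmod(tmp, os.stat(path).st_mode & 0o777)  # keep the original mode
        os.replace(tmp, path)             # atomic rename on the same filesystem
    except BaseException:
        os.unlink(tmp)
        raise
```

Because the new file is created by the calling process, its ownership may differ from the original's; run the update as the account that owns the passwd file.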
I’m dusting off and publishing some old source code for fun over at code.phasedoor.com and will probably continue to do so over the next few months. There’s now a dropdown link in this blog’s title. Some of it is probably still rough around the edges but I kind of like it that way at this point.
I try to explain to others the unique relationship that comes from maintaining an application for decades. The comments, the structures, the clevernesses, and the too-clever-for-your-goods are all part of the living document that is source code. And when that code persists far beyond your expectations, it becomes a window to your past self, like the rings in the trunk of a gnarly tree. My oldest code that’s still active today dates back to 1999. So many things have changed since then, but good comments can bring me right back to a moment in time. I was very late to using git so the discipline in keeping comments and backup copies was crucial.
I’m telling you, this is my new favorite kraut. Finely shredded cabbage, 2% salt, and a sprinkle of Italian seasoning. Ferment for two weeks.
It’s got the crunch and tang of a Blimpie’s sub.