Comparison of Salt vs AD
-
@dafyre said in Comparison of Salt vs AD:
I wonder how much of this could be automated via tools like PDQ Deploy? ... or just make sure your DNS servers have an entry for your Salt server.
not nearly so much and not nearly so well.
-
The Windows installer of salt minion asks you for:
Salt Master Hostname or IP address
Minion Name
And you can install it silently with:
Salt-Minion-2016.11.5-AMD64-Setup.exe /S /master=yoursaltmaster /minion-name=yourminionname
Sadly I can't trust my users to run the installer and do the steps, I ASKED THEM TO PLACE THE 3 letter number sticker on their machine, and I emailed them an example photo, and the idiots entered a lot of crap for minion name
Now I have to do them all manually
90 MACHINES
GONNA GO KILL MORE PPL IN DBD
-
@msff-amman-Itofficer said in Comparison of Salt vs AD:
The Windows installer of salt minion asks you for:
Salt Master Hostname or IP address
Minion Name
And you can install it silently with:
Salt-Minion-2016.11.5-AMD64-Setup.exe /S /master=yoursaltmaster /minion-name=yourminionname
Sadly I can't trust my users to run the installer and do the steps, I ASKED THEM TO PLACE THE 3 letter number sticker on their machine, and I emailed them an example photo, and the idiots entered a lot of crap for minion name
Now I have to do them all manually
90 MACHINES
Use PowerShell or GPO.
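The PowerShell route suggested above, as an added example that is not part of the original thread: the silent install line from the earlier post, with the minion name derived from the computer name instead of typed by a user, and the installer checked against a pinned hash before it runs. The share path, the master name `salt`, the naming pattern, the `salt-minion` service name and the hash placeholder are assumptions.

```powershell
# Added example: unattended Salt minion install with the minion name taken
# from the computer name instead of user input.
# Assumptions (not from the thread): share path, master name, naming pattern,
# service name 'salt-minion', and the pinned hash placeholder.
$Installer    = '\\fileserver\deploy\Salt-Minion-2016.11.5-AMD64-Setup.exe'  # hypothetical share
$Master       = 'salt'                               # assumed DNS entry for the Salt master
$ExpectedHash = '<SHA256-OF-INSTALLER>'              # placeholder, fill in before use
$NamePattern  = '^[A-Za-z0-9-]{1,15}$'               # assumed naming rule

function Get-MinionName {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $name = $ComputerName.Trim().ToLowerInvariant()
    if ($name -notmatch $NamePattern) {
        throw "Computer name '$ComputerName' does not fit the minion naming rule."
    }
    return $name
}

function Install-SaltMinion {
    if (Get-Service -Name 'salt-minion' -ErrorAction SilentlyContinue) {
        Write-Output 'salt-minion already installed, nothing to do.'
        return
    }
    # Copy locally first so the file that is hashed is the file that is executed.
    $local = Join-Path $env:TEMP (Split-Path $Installer -Leaf)
    Copy-Item -Path $Installer -Destination $local -Force

    $actual = (Get-FileHash -Path $local -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedHash) {                 # -ne is case-insensitive for strings
        Remove-Item $local -Force
        throw "Installer hash mismatch: $actual"
    }

    $minion = Get-MinionName
    # Same switches as the silent install line quoted in the thread.
    $installArgs = @('/S', "/master=$Master", "/minion-name=$minion")
    $proc = Start-Process -FilePath $local -ArgumentList $installArgs -Wait -PassThru
    Remove-Item $local -Force
    if ($proc.ExitCode -ne 0) { throw "Installer exited with code $($proc.ExitCode)." }
    Write-Output "Installed salt-minion as '$minion' pointing at '$Master'."
}

Install-SaltMinion
```

The master still has to accept each new minion key (`salt-key`), and a predictable naming rule makes unexpected key requests easier to spot there.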
-
@scottalanmiller said in Comparison of Salt vs AD:
@msff-amman-Itofficer said in Comparison of Salt vs AD:
The Windows installer of salt minion asks you for:
Salt Master Hostname or IP address
Minion Name
And you can install it silently with:
Salt-Minion-2016.11.5-AMD64-Setup.exe /S /master=yoursaltmaster /minion-name=yourminionname
Sadly I can't trust my users to run the installer and do the steps, I ASKED THEM TO PLACE THE 3 letter number sticker on their machine, and I emailed them an example photo, and the idiots entered a lot of crap for minion name
Now I have to do them all manually
90 MACHINES
Use PowerShell or GPO.
Or PDQ Deploy, lol. I probably should have mentioned I was thinking only of pushing out the Salt agent to the minions.
-
@msff-amman-Itofficer said in Comparison of Salt vs AD:
Now I have to do them all manually
90 MACHINES
GONNA GO KILL MORE PPL IN DBD
Don't do this.... The first rule of IT is to automate when possible. I suggest PDQ as well.
-
@dafyre said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@msff-amman-Itofficer said in Comparison of Salt vs AD:
The Windows installer of salt minion asks you for:
Salt Master Hostname or IP address
Minion Name
And you can install it silently with:
Salt-Minion-2016.11.5-AMD64-Setup.exe /S /master=yoursaltmaster /minion-name=yourminionname
Sadly I can't trust my users to run the installer and do the steps, I ASKED THEM TO PLACE THE 3 letter number sticker on their machine, and I emailed them an example photo, and the idiots entered a lot of crap for minion name
Now I have to do them all manually
90 MACHINES
Use PowerShell or GPO.
Or PDQ Deploy, lol. I probably should have mentioned I was thinking only of pushing out the Salt agent to the minions.
@dafyre That is exactly how I deployed my salt-minions. Added the salt entry on my dns and deployed the minion with PDQ Deploy.
-
@Romo said in Comparison of Salt vs AD:
@dafyre said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@msff-amman-Itofficer said in Comparison of Salt vs AD:
The Windows installer of salt minion asks you for:
Salt Master Hostname or IP address
Minion Name
And you can install it silently with:
Salt-Minion-2016.11.5-AMD64-Setup.exe /S /master=yoursaltmaster /minion-name=yourminionname
Sadly I can't trust my users to run the installer and do the steps, I ASKED THEM TO PLACE THE 3 letter number sticker on their machine, and I emailed them an example photo, and the idiots entered a lot of crap for minion name
Now I have to do them all manually
90 MACHINES
Use PowerShell or GPO.
Or PDQ Deploy, lol. I probably should have mentioned I was thinking only of pushing out the Salt agent to the minions.
@dafyre That is exactly how I deployed my salt-minions. Added the salt entry on my dns and deployed the minion with PDQ Deploy.
I use Chocolatey.
-
@NerdyDad said in Comparison of Salt vs AD:
I'm trying to clarify this statement from this post
By @scottalanmiller "I'll add a note for clarity given the title... SaltStack does not do authentication like AD does. AD does not do patching of any sort like Salt does. Salt is an alternative to common myths about AD functionality, but not to actual AD functionality. But you can use Salt to do distributed local authentication management, which does replace the need for AD, but is very different than what is being discussed here. In this case Salt is replacing GPO, not AD."
https://mangolassi.it/topic/13786/how-to-patch-wannacry-using-saltstack-ad-alternative/3
Please correct me if I am wrong, but I want to clarify if I am understanding this correctly.
We all know that AD is a collective, server/client, authentication system. Client computers connected to an AD system have to communicate with an AD server in order to authenticate users for resources.
Salt syncs local users to each other in a mesh-network so that all users are still capable of accessing all of the computers with the same credentials without having to authenticate to a central server.
Is this correct or am I reading too much into this?
A stricter analogue of AD authentication in Linux is Kerberos (on which AD is based). Using Salt is mostly a hack, which, considering the apparent possibility to fire events in Salt, seems a feasible one anyway.
-
@scottalanmiller said in Comparison of Salt vs AD:
@Romo said in Comparison of Salt vs AD:
@dafyre said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@msff-amman-Itofficer said in Comparison of Salt vs AD:
The Windows installer of salt minion asks you for:
Salt Master Hostname or IP address
Minion Name
And you can install it silently with:
Salt-Minion-2016.11.5-AMD64-Setup.exe /S /master=yoursaltmaster /minion-name=yourminionname
Sadly I can't trust my users to run the installer and do the steps, I ASKED THEM TO PLACE THE 3 letter number sticker on their machine, and I emailed them an example photo, and the idiots entered a lot of crap for minion name
Now I have to do them all manually
90 MACHINES
Use PowerShell or GPO.
Or PDQ Deploy, lol. I probably should have mentioned I was thinking only of pushing out the Salt agent to the minions.
@dafyre That is exactly how I deployed my salt-minions. Added the salt entry on my dns and deployed the minion with PDQ Deploy.
I use Chocolatey.
I actually deployed the salt-minions to upgrade powershell and deploy chocolatey =).
-
-
@msff-amman-Itofficer said in Comparison of Salt vs AD:
This PDQ Deploy you guys have been mentioning, does it require an agent on the other Windows clients ?
or it just relies on Active Directory to work.
No agent required. You can deploy based on AD, computer name, or IP address. AD is not required as long as you have local admin credentials.
-
@NerdyDad said in Comparison of Salt vs AD:
@msff-amman-Itofficer said in Comparison of Salt vs AD:
This PDQ Deploy you guys have been mentioning, does it require an agent on the other Windows clients ?
or it just relies on Active Directory to work.
No agent required. You can deploy based on AD, computer name, or IP address. AD is not required as long as you have local admin credentials.
Same as with PowerShell.
-
Interesting, thanks.
-
@scottalanmiller said in Comparison of Salt vs AD:
@NerdyDad said in Comparison of Salt vs AD:
@msff-amman-Itofficer said in Comparison of Salt vs AD:
This PDQ Deploy you guys have been mentioning, does it require an agent on the other Windows clients ?
or it just relies on Active Directory to work.
No agent required. You can deploy based on AD, computer name, or IP address. AD is not required as long as you have local admin credentials.
Same as with PowerShell.
Does PowerShell require some sort of remote access to be enabled?
Are the needed ports open by default to allow the use of PDQ Deploy in a non AD environment?
-
@Dashrender said in Comparison of Salt vs AD:
Are the needed ports open by default to allow the use of PDQ Deploy in a non AD environment?
- UDP 137
- UDP 138
- UDP 445
- TCP 139
- TCP 445
- TCP 6336
-
@wirestyle22 said in Comparison of Salt vs AD:
@Dashrender said in Comparison of Salt vs AD:
Are the needed ports open by default to allow the use of PDQ Deploy in a non AD environment?
- UDP 137
- UDP 138
- UDP 445
- TCP 139
- TCP 445
- TCP 6336
Man that's a lot.
-
@Dashrender said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@NerdyDad said in Comparison of Salt vs AD:
@msff-amman-Itofficer said in Comparison of Salt vs AD:
This PDQ Deploy you guys have been mentioning, does it require an agent on the other Windows clients ?
or it just relies on Active Directory to work.
No agent required. You can deploy based on AD, computer name, or IP address. AD is not required as long as you have local admin credentials.
Same as with PowerShell.
Does PowerShell require some sort of remote access to be enabled?
Yes, but it is enabled by default. Just don't turn it off.
-
@scottalanmiller said in Comparison of Salt vs AD:
@wirestyle22 said in Comparison of Salt vs AD:
@Dashrender said in Comparison of Salt vs AD:
Are the needed ports open by default to allow the use of PDQ Deploy in a non AD environment?
- UDP 137
- UDP 138
- UDP 445
- TCP 139
- TCP 445
- TCP 6336
Man that's a lot.
Could be easily done as part of an image, logon batch.
-
@dafyre said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@wirestyle22 said in Comparison of Salt vs AD:
@Dashrender said in Comparison of Salt vs AD:
Are the needed ports open by default to allow the use of PDQ Deploy in a non AD environment?
- UDP 137
- UDP 138
- UDP 445
- TCP 139
- TCP 445
- TCP 6336
Man that's a lot.
Could be easily done as part of an image, logon batch.
That is an insane amount of open ports! And oh yeah.. it's wannacry enabled!
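One way to limit the exposure raised above, as an added example that is not part of the original thread: allow the ports listed in the thread only from the deployment server, and report any enabled inbound allow rule that still opens one of them to every address. The server address `192.0.2.10` (a documentation-range placeholder), the rule names and the Domain/Private profile choice are assumptions.

```powershell
# Added example: scope the thread's port list to one management host.
# Assumptions (not from the thread): server address, rule names, profiles.
$DeployServer = '192.0.2.10'                    # placeholder for the deployment server
$RuleGroup    = 'Remote deployment (scoped)'

# Port list exactly as posted in the thread.
$Ports = @(
    @{ Protocol = 'UDP'; Port = 137 }, @{ Protocol = 'UDP'; Port = 138 },
    @{ Protocol = 'UDP'; Port = 445 }, @{ Protocol = 'TCP'; Port = 139 },
    @{ Protocol = 'TCP'; Port = 445 }, @{ Protocol = 'TCP'; Port = 6336 }
)

function Set-ScopedDeployRules {
    foreach ($p in $Ports) {
        $name = "Deploy-In-$($p.Protocol)-$($p.Port)"
        $existing = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if ($existing) {
            # Re-assert the scope in case the rule was widened by hand.
            $existing | Set-NetFirewallRule -RemoteAddress $DeployServer
            continue
        }
        New-NetFirewallRule -DisplayName $name -Group $RuleGroup `
            -Direction Inbound -Action Allow -Profile Domain,Private `
            -Protocol $p.Protocol -LocalPort $p.Port `
            -RemoteAddress $DeployServer | Out-Null
    }
}

function Get-UnscopedRules {
    # A scoped allow rule only helps if no broader allow rule covers the same
    # port, so list enabled inbound allow rules on these ports open to 'Any'.
    $wanted = $Ports | ForEach-Object { "$($_.Protocol)/$($_.Port)" }
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        foreach ($lp in @($pf.LocalPort)) {
            if ($wanted -contains "$($pf.Protocol)/$lp" -and @($af.RemoteAddress) -contains 'Any') {
                [pscustomobject]@{ Rule = $_.DisplayName; Port = "$($pf.Protocol)/$lp" }
            }
        }
    }
}

Set-ScopedDeployRules
Get-UnscopedRules | Format-Table -AutoSize
```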
-
@scottalanmiller said in Comparison of Salt vs AD:
@Dashrender said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@NerdyDad said in Comparison of Salt vs AD:
@msff-amman-Itofficer said in Comparison of Salt vs AD:
This PDQ Deploy you guys have been mentioning, does it require an agent on the other Windows clients ?
or it just relies on Active Directory to work.
No agent required. You can deploy based on AD, computer name, or IP address. AD is not required as long as you have local admin credentials.
Same as with PowerShell.
Does PowerShell require some sort of remote access to be enabled?
Yes, but it is enabled by default. Just don't turn it off.
And are the firewall ports open by default too? I'm guessing not.. but I'm willing to open those for this purpose..