Comparison of Salt vs AD
-
@dafyre said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@msff-amman-Itofficer said in Comparison of Salt vs AD:
The windows installer of salt minion asks you for :
Salt Master Hostname or IP address
Minion NameAnd you can install it silently with:
Salt-Minion-2016.11.5-AMD64-Setup.exe /S /master=yoursaltmaster /minion-name=yourminionname
Sadly I cant trust my users to run the installer and do the steps, I ASKED THEM TO PLACE THE 3 letter number sticker on their machine, and I emailed them an example photo, and the idiots entered alot of crap for minion name
Now I have to do them all manually
90 MACHINESUser PowerShell or GPO.
Or PDQ Deploy, lol. I probably should have mentioned I was thinking only of pushing out the Salt agent to the mentions.
@dafyre That is exactly how I deployed my salt-minions. Added the salt entry on my dns and deployed the minion with PDQ Deploy.
-
@Romo said in Comparison of Salt vs AD:
@dafyre said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@msff-amman-Itofficer said in Comparison of Salt vs AD:
The windows installer of salt minion asks you for :
Salt Master Hostname or IP address
Minion NameAnd you can install it silently with:
Salt-Minion-2016.11.5-AMD64-Setup.exe /S /master=yoursaltmaster /minion-name=yourminionname
Sadly I cant trust my users to run the installer and do the steps, I ASKED THEM TO PLACE THE 3 letter number sticker on their machine, and I emailed them an example photo, and the idiots entered alot of crap for minion name
Now I have to do them all manually
90 MACHINESUser PowerShell or GPO.
Or PDQ Deploy, lol. I probably should have mentioned I was thinking only of pushing out the Salt agent to the mentions.
@dafyre That is exactly how I deployed my salt-minions. Added the salt entry on my dns and deployed the minion with PDQ Deploy.
I use Chocolatey.
-
@NerdyDad said in Comparison of Salt vs AD:
I'm trying to clarify this statement from this post
By @scottalanmiller "I'll add a note for clarity given the title... SaltStack does not do authentication like AD does. AD does not do patching of any sort like Salt does. Salt is an alternative to common myths about AD functionality, but not to actual AD functionality. But you can use Salt to do distributed local authentication management, which does replace the need for AD, but is very different than what is being discussed here. In this case Salt is replacing GPO, not AD."
https://mangolassi.it/topic/13786/how-to-patch-wannacry-using-saltstack-ad-alternative/3
Please correct me if I am wrong, but I want to clarify if I am understanding this correctly.
We all know that AD is a collective, server/client, authentication system. Client computers connected to an AD system has to communicate with an AD server in order to authenticate users for resources.
Salt syncs local users to each other in a mesh-network so that all users are still capable of accessing all of the computers with the same credentials without having to authenticate to a central server.
Is this correct or am I reading too much into this?
a more strict analogous of AD authentication in linux is kerberos (on which AD is based). Using Salt is most of an hack, which, considering the apparent possibility to fire events in Salt, seems anyway a feasible one.
-
@scottalanmiller said in Comparison of Salt vs AD:
@Romo said in Comparison of Salt vs AD:
@dafyre said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@msff-amman-Itofficer said in Comparison of Salt vs AD:
The windows installer of salt minion asks you for :
Salt Master Hostname or IP address
Minion NameAnd you can install it silently with:
Salt-Minion-2016.11.5-AMD64-Setup.exe /S /master=yoursaltmaster /minion-name=yourminionname
Sadly I cant trust my users to run the installer and do the steps, I ASKED THEM TO PLACE THE 3 letter number sticker on their machine, and I emailed them an example photo, and the idiots entered alot of crap for minion name
Now I have to do them all manually
90 MACHINESUser PowerShell or GPO.
Or PDQ Deploy, lol. I probably should have mentioned I was thinking only of pushing out the Salt agent to the mentions.
@dafyre That is exactly how I deployed my salt-minions. Added the salt entry on my dns and deployed the minion with PDQ Deploy.
I use Chocolatey.
I actually deployed the salt-minions to upgrade powershell and deploy chocolatey =).
-
This PDQ Deploy you guys have been mentioning, does it require an agent on the other Windows clients ?
or it just relies on Active Directory to work. -
@msff-amman-Itofficer said in Comparison of Salt vs AD:
This PDQ Deploy you guys have been mentioning, does it require an agent on the other Windows clients ?
or it just relies on Active Directory to work.No agent required. You can deploy based on AD, computer name, or IP address. AD is not required as long as you have local admin credentials.
-
@NerdyDad said in Comparison of Salt vs AD:
@msff-amman-Itofficer said in Comparison of Salt vs AD:
This PDQ Deploy you guys have been mentioning, does it require an agent on the other Windows clients ?
or it just relies on Active Directory to work.No agent required. You can deploy based on AD, computer name, or IP address. AD is not required as long as you have local admin credentials.
Same as with PowerShell.
-
Interesting, thanks.
-
@scottalanmiller said in Comparison of Salt vs AD:
@NerdyDad said in Comparison of Salt vs AD:
@msff-amman-Itofficer said in Comparison of Salt vs AD:
This PDQ Deploy you guys have been mentioning, does it require an agent on the other Windows clients ?
or it just relies on Active Directory to work.No agent required. You can deploy based on AD, computer name, or IP address. AD is not required as long as you have local admin credentials.
Same as with PowerShell.
Does PowerShell require some sort of remote access to be enabled?
Are the needed ports open by default to allow the use of PDQ Deploy in a non AD environment?
-
@Dashrender said in Comparison of Salt vs AD:
Are the needed ports open by default to allow the use of PDQ Deploy in a non AD environment?
- UDP 137
- UDP 138
- UDP 445
- TCP 139
- TCP 445
- TCP 6336
-
@wirestyle22 said in Comparison of Salt vs AD:
@Dashrender said in Comparison of Salt vs AD:
Are the needed ports open by default to allow the use of PDQ Deploy in a non AD environment?
- UDP 137
- UDP 138
- UDP 445
- TCP 139
- TCP 445
- TCP 6336
Man that's a lot.
-
@Dashrender said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@NerdyDad said in Comparison of Salt vs AD:
@msff-amman-Itofficer said in Comparison of Salt vs AD:
This PDQ Deploy you guys have been mentioning, does it require an agent on the other Windows clients ?
or it just relies on Active Directory to work.No agent required. You can deploy based on AD, computer name, or IP address. AD is not required as long as you have local admin credentials.
Same as with PowerShell.
Does PowerShell require some sort of remote access to be enabled?
Yes, but it is enabled by default. Just don't turn it off.
-
@scottalanmiller said in Comparison of Salt vs AD:
@wirestyle22 said in Comparison of Salt vs AD:
@Dashrender said in Comparison of Salt vs AD:
Are the needed ports open by default to allow the use of PDQ Deploy in a non AD environment?
- UDP 137
- UDP 138
- UDP 445
- TCP 139
- TCP 445
- TCP 6336
Man that's a lot.
Could be easily done as part of an image, logon batch.
-
@dafyre said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@wirestyle22 said in Comparison of Salt vs AD:
@Dashrender said in Comparison of Salt vs AD:
Are the needed ports open by default to allow the use of PDQ Deploy in a non AD environment?
- UDP 137
- UDP 138
- UDP 445
- TCP 139
- TCP 445
- TCP 6336
Man that's a lot.
Could be easily done as part of an image, logon batch.
That is an insane amount of open ports! And oh yeah.. it's wannacry enabled!
-
@scottalanmiller said in Comparison of Salt vs AD:
@Dashrender said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@NerdyDad said in Comparison of Salt vs AD:
@msff-amman-Itofficer said in Comparison of Salt vs AD:
This PDQ Deploy you guys have been mentioning, does it require an agent on the other Windows clients ?
or it just relies on Active Directory to work.No agent required. You can deploy based on AD, computer name, or IP address. AD is not required as long as you have local admin credentials.
Same as with PowerShell.
Does PowerShell require some sort of remote access to be enabled?
Yes, but it is enabled by default. Just don't turn it off.
And is the firewall ports open by default too? I'm guessing not.. but I'm willing to open those for this purpose..
-
@dafyre said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@wirestyle22 said in Comparison of Salt vs AD:
@Dashrender said in Comparison of Salt vs AD:
Are the needed ports open by default to allow the use of PDQ Deploy in a non AD environment?
- UDP 137
- UDP 138
- UDP 445
- TCP 139
- TCP 445
- TCP 6336
Man that's a lot.
Could be easily done as part of an image, logon batch.
But why would you want so many?
-
@Dashrender said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@Dashrender said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@NerdyDad said in Comparison of Salt vs AD:
@msff-amman-Itofficer said in Comparison of Salt vs AD:
This PDQ Deploy you guys have been mentioning, does it require an agent on the other Windows clients ?
or it just relies on Active Directory to work.No agent required. You can deploy based on AD, computer name, or IP address. AD is not required as long as you have local admin credentials.
Same as with PowerShell.
Does PowerShell require some sort of remote access to be enabled?
Yes, but it is enabled by default. Just don't turn it off.
And is the firewall ports open by default too? I'm guessing not.. but I'm willing to open those for this purpose..
Why would they enable it and not have the firewall ready to work?
-
@scottalanmiller said in Comparison of Salt vs AD:
@Dashrender said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@Dashrender said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@NerdyDad said in Comparison of Salt vs AD:
@msff-amman-Itofficer said in Comparison of Salt vs AD:
This PDQ Deploy you guys have been mentioning, does it require an agent on the other Windows clients ?
or it just relies on Active Directory to work.No agent required. You can deploy based on AD, computer name, or IP address. AD is not required as long as you have local admin credentials.
Same as with PowerShell.
Does PowerShell require some sort of remote access to be enabled?
Yes, but it is enabled by default. Just don't turn it off.
And is the firewall ports open by default too? I'm guessing not.. but I'm willing to open those for this purpose..
Why would they enable it and not have the firewall ready to work?
Why have a firewall if you're opening a thousand ports anyway
-
@wirestyle22 said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@Dashrender said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@Dashrender said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@NerdyDad said in Comparison of Salt vs AD:
@msff-amman-Itofficer said in Comparison of Salt vs AD:
This PDQ Deploy you guys have been mentioning, does it require an agent on the other Windows clients ?
or it just relies on Active Directory to work.No agent required. You can deploy based on AD, computer name, or IP address. AD is not required as long as you have local admin credentials.
Same as with PowerShell.
Does PowerShell require some sort of remote access to be enabled?
Yes, but it is enabled by default. Just don't turn it off.
And is the firewall ports open by default too? I'm guessing not.. but I'm willing to open those for this purpose..
Why would they enable it and not have the firewall ready to work?
Why have a firewall if you're opening a thousand ports anyway
PS doesn't need them. That's for other tools, like PDQDeploy.
-
@scottalanmiller said in Comparison of Salt vs AD:
@wirestyle22 said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@Dashrender said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@Dashrender said in Comparison of Salt vs AD:
@scottalanmiller said in Comparison of Salt vs AD:
@NerdyDad said in Comparison of Salt vs AD:
@msff-amman-Itofficer said in Comparison of Salt vs AD:
This PDQ Deploy you guys have been mentioning, does it require an agent on the other Windows clients ?
or it just relies on Active Directory to work.No agent required. You can deploy based on AD, computer name, or IP address. AD is not required as long as you have local admin credentials.
Same as with PowerShell.
Does PowerShell require some sort of remote access to be enabled?
Yes, but it is enabled by default. Just don't turn it off.
And is the firewall ports open by default too? I'm guessing not.. but I'm willing to open those for this purpose..
Why would they enable it and not have the firewall ready to work?
Why have a firewall if you're opening a thousand ports anyway
PS doesn't need them. That's for other tools, like PDQDeploy.
PS needs at least one.
