为何大多数人都存在这个问题

[u-raison]

看了一下列表的issues，几乎全是这个问题，肯定是有哪个地方存在问题的。

[+] XXXXXX 域注册失败: 未查询到域控制器.
创建日志缓存....

我连80端口都没有起起来呢？师傅们，这是为啥？

[Cgaii]

尝试下手动部署，单步执行初始化命令看下还有问题吗？
如果还报错，辛苦发一下配置和详细的报错信息。

[u-raison]

.env配置：

`#KAFKA配置，需修改为当前服务器的IP
KAFKAHOST=10.191.50.91
KAFKAADV=PLAINTEXT://10.192.50.91:9092
BROKER=10.191.50.91:9092

#Mongo配置，默认账号密码
MONGOUSER=IATP
MONGOPWD=IATP-by-360

#域控配置，其中DCUSER为域内用户的DN
DCNAME="zhuantest.cn"
DCSERVER=10.191.1.17
DCUSER="CN=Administrator, OU=Users, DC=zhuantest, DC=cn"
DCPWD="Test123@"

#WEB配置，可配置为域内任意用户，或DCUSER的CN
WEBUSER="Administrator"
`

我单步执行命令结果如下（服务器启用了tls，watchAD服务器到AD是网络全通的，账户密码试过是正确的）：

`[root@Chili home]# ./iatp init --mongourl mongodb://IATA:[email protected]:27017

[root@Chili home]# ./iatp init --mongourl mongodb://IATA:[email protected]:27017 --domainname zhuantest.cn --domainserver 10.191.1.17 --username Administrator --password Test123@ --ssl

[+] ZHUANTEST 域注册失败: 未查询到域控制器.
`

[root@Chili home]# ./iatp init --mongourl mongodb://IATA:[email protected]:27017 --index
创建日志缓存....

`[root@Chili home]# ./iatp run --engine_start
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"NEW GPO","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"DCShadow","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"SID History","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"Certificate Active","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"TGT Activities","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"AS-REP Abnormal Response","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"Create Machine User","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"Similar Dc User","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"Resource Based Constraint Delegation","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"GPO DELEGATION","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"Shadow Credentials","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"Skeleton Key","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"Kerberoasting","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"Close Log Service","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"JuicyPotato","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"SpoolSample","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"DSRM Change","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"NTLM Relay","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"Remote Code Execute","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"Reset Account Password","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"Clear Log","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"SPN Jacking","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"ZeroLogon","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"samAccountName Spoofing","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"DCSync","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"Explicit Credential","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"Abnormal Permissions","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"Local Dump Ntds","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"ADCS-ESC","time":"2024-02-21 05:05:46"}
{"appName":"IATP Engine","file":"iatp.go","func":"iatp/iatp.registerBypassplugins","level":"info","msg":"加载实时日志检测插件","plugin_name":"MS17-010","time":"2024-02-21 05:05:46"}

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x48 pc=0x9cf442]

goroutine 5 [running]:
go.mongodb.org/mongo-driver/mongo.(*Cursor).next(0xc0001311a0, {0x12b60b0, 0xc0000c2028}, 0x58)
/go/src/iatp_opensource/vendor/go.mongodb.org/mongo-driver/mongo/cursor.go:102 +0x22
go.mongodb.org/mongo-driver/mongo.(*Cursor).Next(...)
/go/src/iatp_opensource/vendor/go.mongodb.org/mongo-driver/mongo/cursor.go:81
iatp/setting.GetAllSettings()
/go/src/iatp_opensource/setting/ad_settings.go:53 +0xb1
iatp/setting.Init({0x12b6078, 0xc0002fed40})
/go/src/iatp_opensource/setting/ad_settings.go:60 +0x2d
iatp/iatp.Start.func1()
/go/src/iatp_opensource/iatp/iatp.go:204 +0x65
`

问题主要还是在这个域控认证这里。其次是引擎加载这里出错了。

[Cgaii]

[root@Chili home]# ./iatp init --mongourl mongodb://IATA:[email protected]:27017 --domainname zhuantest.cn --domainserver 10.191.1.17 --username Administrator --password Test123@ --ssl
这里参数带了--ssl 会走ldaps 对应端口636
不带--ssl参数 走的是ldap 对应端口389
看下服务器这俩端口都有开放吗？
如果只开放了389 就去掉--ssl再试下

[u-raison]

636被拒绝啦

telnet 10.191.0.17 636
Trying 10.191.0.17...
Connected to 10.191.0.17.
Escape character is '^]'.
Connection closed by foreign host.

域控上是有这端口的：

C:\Users\Administrator>netstat -ant|find "636"
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING InHost
TCP [::]:636 [::]:0 LISTENING InHost
UDP 0.0.0.0:56360 :
UDP 0.0.0.0:56361 :

389是OK的。

telnet 10.191.0.17 389
Trying 10.191.0.17...
Connected to 10.191.0.17.
Escape character is '^]'.

我试试了这2个还是不行，加--ssl也不行，watchAD不在域中。

./iatp init --mongourl mongodb://IATA:[email protected]:27017 --domainname "zhuantest.cn" --domainserver "10.191.0.17" --username "CN=Administrator, OU=Users, DC=zhuantest, DC=cn" --password "Test123@"
[+] ZHUANTEST 域注册失败: 未查询到域控制器.

./iatp init --mongourl mongodb://IATA:[email protected]:27017 --domainname "zhuantest.cn" --domainserver "10.191.0.17" --username "Administrator" --password "Test123@"
[+] ZHUANTEST 域注册失败: 未查询到域控制器.

我看挺多大佬都卡在这一步

[Cgaii]

域相关的配置确实比较复杂，这个问题我们在客户场景也经常会遇到，一般都是端口联通问题和用户配置问题导致
可以按照如下方式在域控中新建一个账户，尝试下报错可否解决：
1、登录域控服务器，打开Active Directory 用户和计算机，在Users下新建一个普通用户，例如iatptest

2、在配置密码时取消勾选”用户下次登录时必须更改密码“

3、通过如下三条命令分别获取域控的域名、IP、用户的DN
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
ipconfig | findstr IPv4
Get-ADUser -Identity "iatptest" | Select-Object DistinguishedName

4、命令行输入上述获取的域控配置信息，注册成功

[Cgaii]

另外，你的配置中mongodb的用户和实际命令行的用户不一致

[u-raison]

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xe239f5]

goroutine 1 [running]:
iatp/common/domain.(*Domain).RegisterDomain(...)
/go/src/iatp_opensource/common/domain/domain_helper.go:77
iatp/cmd.addDomainConf(0x95)
/go/src/iatp_opensource/cmd/init.go:113 +0x175
iatp/cmd.glob..func1(0x1a7ed40, {0x1039ae7, 0xa, 0xa})
/go/src/iatp_opensource/cmd/init.go:66 +0xbf
github.com/spf13/cobra.(*Command).execute(0x1a7ed40, {0xc0003bc3c0, 0xa, 0xa})
/go/src/iatp_opensource/vendor/github.com/spf13/cobra/command.go:860 +0x5f8
github.com/spf13/cobra.(*Command).ExecuteC(0x1a7efc0)
/go/src/iatp_opensource/vendor/github.com/spf13/cobra/command.go:974 +0x3bc
github.com/spf13/cobra.(*Command).Execute(...)
/go/src/iatp_opensource/vendor/github.com/spf13/cobra/command.go:902
iatp/cmd.Execute()
/go/src/iatp_opensource/cmd/root.go:47 +0x25
main.main()
/go/src/iatp_opensource/main.go:21 +0x17

这个又是啥问题呢？我按照你的方式，把--ssl去去掉了，没有报这个域注册失败: 未查询到域控制器， 而是报了这个

[u-raison]

./iatp init --mongourl mongodb://IATP:[email protected]:27017 --domainname zhuantest.cn --domainserver 10.191.0.17 --username "CN=watchAD,CN=Users,DC=zhuantest,DC=cn" --password "Pass@123@"

新命令报错

[Cgaii]

panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xe239f5]

goroutine 1 [running]: iatp/common/domain.(*Domain).RegisterDomain(...) /go/src/iatp_opensource/common/domain/domain_helper.go:77 iatp/cmd.addDomainConf(0x95) /go/src/iatp_opensource/cmd/init.go:113 +0x175 iatp/cmd.glob..func1(0x1a7ed40, {0x1039ae7, 0xa, 0xa}) /go/src/iatp_opensource/cmd/init.go:66 +0xbf github.com/spf13/cobra.(*Command).execute(0x1a7ed40, {0xc0003bc3c0, 0xa, 0xa}) /go/src/iatp_opensource/vendor/github.com/spf13/cobra/command.go:860 +0x5f8 github.com/spf13/cobra.(*Command).ExecuteC(0x1a7efc0) /go/src/iatp_opensource/vendor/github.com/spf13/cobra/command.go:974 +0x3bc github.com/spf13/cobra.(*Command).Execute(...) /go/src/iatp_opensource/vendor/github.com/spf13/cobra/command.go:902 iatp/cmd.Execute() /go/src/iatp_opensource/cmd/root.go:47 +0x25 main.main() /go/src/iatp_opensource/main.go:21 +0x17

这个又是啥问题呢？我按照你的方式，把--ssl去去掉了，没有报这个域注册失败: 未查询到域控制器， 而是报了这个

看起来可能是mongo中缓存了此前错误的域控配置，导致引擎起冲突了
如果是按照本项目docker启动的mongodb，可以删除下data文件夹重新启动mongodb镜像，再重新走一遍部署流程

[u-raison]

panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xe239f5]
goroutine 1 [running]: iatp/common/domain.(*Domain).RegisterDomain(...) /go/src/iatp_opensource/common/domain/domain_helper.go:77 iatp/cmd.addDomainConf(0x95) /go/src/iatp_opensource/cmd/init.go:113 +0x175 iatp/cmd.glob..func1(0x1a7ed40, {0x1039ae7, 0xa, 0xa}) /go/src/iatp_opensource/cmd/init.go:66 +0xbf github.com/spf13/cobra.(*Command).execute(0x1a7ed40, {0xc0003bc3c0, 0xa, 0xa}) /go/src/iatp_opensource/vendor/github.com/spf13/cobra/command.go:860 +0x5f8 github.com/spf13/cobra.(*Command).ExecuteC(0x1a7efc0) /go/src/iatp_opensource/vendor/github.com/spf13/cobra/command.go:974 +0x3bc github.com/spf13/cobra.(*Command).Execute(...) /go/src/iatp_opensource/vendor/github.com/spf13/cobra/command.go:902 iatp/cmd.Execute() /go/src/iatp_opensource/cmd/root.go:47 +0x25 main.main() /go/src/iatp_opensource/main.go:21 +0x17
这个又是啥问题呢？我按照你的方式，把--ssl去去掉了，没有报这个域注册失败: 未查询到域控制器， 而是报了这个

看起来可能是mongo中缓存了此前错误的域控配置，导致引擎起冲突了 如果是按照本项目docker启动的mongodb，可以删除下data文件夹重新启动mongodb镜像，再重新走一遍部署流程

谢谢帮助，重新下载代码、镜像部署还是不行，有交流群或可方便远程协助查看一下吗？My WeChat ID：Coronavirus_COVID-19

[0xo7]

panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xe239f5]
goroutine 1 [running]: iatp/common/domain.(*Domain).RegisterDomain(...) /go/src/iatp_opensource/common/domain/domain_helper.go:77 iatp/cmd.addDomainConf(0x95) /go/src/iatp_opensource/cmd/init.go:113 +0x175 iatp/cmd.glob..func1(0x1a7ed40, {0x1039ae7, 0xa, 0xa}) /go/src/iatp_opensource/cmd/init.go:66 +0xbf github.com/spf13/cobra.(*Command).execute(0x1a7ed40, {0xc0003bc3c0, 0xa, 0xa}) /go/src/iatp_opensource/vendor/github.com/spf13/cobra/command.go:860 +0x5f8 github.com/spf13/cobra.(*Command).ExecuteC(0x1a7efc0) /go/src/iatp_opensource/vendor/github.com/spf13/cobra/command.go:974 +0x3bc github.com/spf13/cobra.(*Command).Execute(...) /go/src/iatp_opensource/vendor/github.com/spf13/cobra/command.go:902 iatp/cmd.Execute() /go/src/iatp_opensource/cmd/root.go:47 +0x25 main.main() /go/src/iatp_opensource/main.go:21 +0x17
这个又是啥问题呢？我按照你的方式，把--ssl去去掉了，没有报这个域注册失败: 未查询到域控制器， 而是报了这个

看起来可能是mongo中缓存了此前错误的域控配置，导致引擎起冲突了 如果是按照本项目docker启动的mongodb，可以删除下data文件夹重新启动mongodb镜像，再重新走一遍部署流程

谢谢帮助，重新下载代码、镜像部署还是不行，有交流群或可方便远程协助查看一下吗？My WeChat ID：Coronavirus_COVID-19

已经搭建成功，docker启动后，需要重新进入iatp相关的容器，再执行如下命令（其实就是重新执行sh文件里面命令，只不过不用执行第一条），注意把环境变量替换成实际的值
./iatp init --mongourl mongodb://$MONGOUSER:[email protected]:27017 --domainname $DCNAME --domainserver $DCSERVER --username $DCUSER --password $DCPWD
./iatp init --mongourl mongodb://$MONGOUSER:[email protected]:27017 --index
./iatp web --init --authdomain $DCNAME --user $WEBUSER
./iatp source --sourcename ITEvent --sourceengine event_log --brokers $BROKER --topic winlogbeat --group iatp --oldest false --kafka true
nohup ./iatp run --engine_start > engine.log 2>&1 &
nohup ./iatp run --web_start > web.log 2>&1 &
tail -f engine.log web.log

[u-raison]

不行了，总感觉哪里有毛病？

如果设置administrator就提示： 域注册失败: 未查询到域控制器.，设置新创建的watchAD用户就直接报“invalid memory address or nil pointer dereference”

[Cgaii]

不行了，总感觉哪里有毛病？

如果设置administrator就提示： 域注册失败: 未查询到域控制器.，设置新创建的watchAD用户就直接报“invalid memory address or nil pointer dereference”

@u-raison 本地没有复现出来，根据如上反馈信息，可以再尝试如下方法0：
1、下载ldapsearch验证域控的配置是否正常
2、抓包看下ldap返回的结果是否存在异常
3、如果是手动编译的程序，确认下版本是否是go1.17.1

[u-raison]

[u-raison]

看样子没什么问题

[u-raison]

不行了，总感觉哪里有毛病？


如果设置administrator就提示： 域注册失败: 未查询到域控制器.，设置新创建的watchAD用户就直接报“invalid memory address or nil pointer dereference”

@u-raison 本地没有复现出来，根据如上反馈信息，可以再尝试如下方法0： 1、下载ldapsearch验证域控的配置是否正常 2、抓包看下ldap返回的结果是否存在异常 3、如果是手动编译的程序，确认下版本是否是go1.17.1

抓包好像没啥问题，我看case #18也遇到这个问题，但是后面好像换了mongodb密码成功了？另外对方的mongodb是宿主机IP？我执行第一个mongodb的命令，我也没看到mongodb端口起来啊

[Nightingle-yeying]

不行了，总感觉哪里有毛病？

如果设置administrator就提示： 域注册失败: 未查询到域控制器.，设置新创建的watchAD用户就直接报“invalid memory address or nil pointer dereference”

重启docker后解决了。。

[u-raison]

@Cgaii 既然这个域控认证多数人都遇到这个问题，为啥后台登录不改成其它类型的认证方式呢

[notalkingya]

@Cgaii 既然这个域控认证多数人都遇到这个问题，为啥后台登录不改成其它类型的认证方式呢

师傅 你解决这个问题了吗