Ruhiges IT-Forum

Guten Morgen,

Ich versuche, die Maschinenauthentifizierung mit Kerberos gemäß dieser Anleitung zu konfigurieren:

https://www.wapt.fr/fr/doc-1.5/Installa ... ebian.html#

Alle im Tutorial beschriebenen Schritte verliefen reibungslos und ohne Fehlermeldungen.
Beim Versuch, eine Maschine zu registrieren, erhalte ich folgende Fehlermeldungen:

Auf dem Client, im Systemkonto

Code: Alle auswählen

C:\Windows\system32>wapt-get register
        System Power Controls
FATAL ERROR : EWaptBadServerAuthentication: Authentication failed on server https://srv-wapt.mondomaine.lan for action add_host_kerberos

Auf dem Server in /var/log/nginx/access.log

Code: Alle auswählen

[16/Mar/2018:17:37:07 +0100] "POST /add_host_kerberos HTTP/1.1" 401 195 "-" "wapt/1.5.1.21"
[16/Mar/2018:17:37:07 +0100] "POST /add_host_kerberos HTTP/1.1" 401 195 "-" "wapt/1.5.1.21"
[16/Mar/2018:17:37:07 +0100] "POST /add_host_kerberos HTTP/1.1" 401 195 "-" "wapt/1.5.1.21"

Ich verstehe nicht, warum; kinit funktionierte, msktutil funktionierte auch, das Konto wurde korrekt in AD erstellt, die Keytab-Datei wurde korrekt erstellt, ...
Ich habe so etwas schon mal mit Squid gemacht, aber noch nie mit nginx!
Vielen Dank im Voraus für das Teilen Ihrer Erfahrungen zu diesem Thema.

Aufrichtig,

BEARBEITEN:
Server läuft unter Debian 9 / tis-waptserver 1.5.1.21-tisdeb9-4799-7c25f1fd
Client unter Windows 7 64-Bit, französische Version von waptagent 1.5.1.21

Hallo TomTomGo

3 Dinge, die Sie sorgfältig tun/überprüfen sollten:

Code: Alle auswählen

/opt/wapt/waptserver/scripts/postconf.sh --use-kerberos --force-https

Code: Alle auswählen
```
systemctl restart nginx
```
Überprüfen Sie das
Code: Alle auswählen
```
use_kerberos = True
```

Alexander

Hallo Alexandre,

Danke für Ihre Antwort.
Die ersten beiden Schritte habe ich erledigt.
Ist der Parameter `use_kerberos = True` jedoch auf dem Client oder auf dem Server gesetzt?
Auf dem Client habe ich den Wert in der wapt-get.ini korrekt auf 1 gesetzt

Code: Alle auswählen

[global]
waptupdate_task_period=120
wapt_server=
repo_url=
use_hostpackages=1
send_usage_report=0
use_kerberos=1
check_certificates_validity=1
verify_cert=0
dnsdomain=mondomaine.lan
hiberboot_enabled=0
max_gpo_script_wait=180
pre_shutdown_timeout=180
[wapt-templates]
repo_url=https://store.wapt.fr/wapt
verify_cert=1

Und auf dem Server in der waptserver.ini:

Code: Alle auswählen

[uwsgi]
http-socket = 127.0.0.1:8080
master = true
processes = 16
wsgi = waptserver:app
chdir = /opt/wapt/waptserver/
max-requests = 100
uid = wapt
gid = www-data
enable-threads = true

[options]
wapt_user = admin
wapt_password = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wapt_folder = /var/www/wapt
server_uuid = 76cd413e-2b41-11e7-8383-820a97f8d762
waptwua_folder = /var/www/waptwua
allow_unauthenticated_registration = True
secret_key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
use_kerberos = True

DANKE.

Thomas

Tatsächlich in beiden Dateien

Um eine Aufnahme zu testen, versuchen Sie Folgendes:

Code: Alle auswählen

wapt-get register -S

Oder bei maximaler Berechtigungsstufe (Systemkonto mit PsExec):

Code: Alle auswählen

psexec.cmd -i -s -d cmd.exe

wapt-get register -l debug

Vielen Dank für Ihre Hilfe!

Hier ist also die Ausgabe des Debug-Befehls im psexec -s cmd-Modus:

Code: Alle auswählen

C:\Windows\system32>wapt-get register -l debug
Current loglevel : DEBUG
2018-03-16 18:32:26,144 DEBUG Default encoding : ascii
2018-03-16 18:32:26,144 DEBUG Setting encoding for stdout and stderr to cp850
2018-03-16 18:32:26,145 DEBUG Python path ['c:\\wapt', 'c:\\wapt\\python27.zip', 'c:\\wapt\\DLLs', 'c:\\wapt\\lib', 'c:\
\wapt\\lib\\plat-win', 'c:\\wapt\\lib\\lib-tk', 'c:\\wapt', 'c:\\wapt\\lib\\site-packages', 'c:\\wapt\\lib\\site-package
s\\pywin32-221-py2.7-win32.egg']
2018-03-16 18:32:26,145 INFO Using local waptservice configuration c:\wapt\wapt-get.ini
2018-03-16 18:32:26,145 DEBUG Config file: c:\wapt\wapt-get.ini
2018-03-16 18:32:26,151 DEBUG Thread 4180 is connecting to wapt db
2018-03-16 18:32:26,181 DEBUG All interfaces : [u'192.168.1.14/255.255.0.0']
2018-03-16 18:32:26,201 DEBUG Local connected IPs: [u'192.168.1.14/255.255.0.0']
2018-03-16 18:32:26,201 DEBUG Trying _wapt-host._tcp.mondomaine.lan SRV records
2018-03-16 18:32:26,203 DEBUG   No _wapt-host._tcp.mondomaine.lan SRV record found
2018-03-16 18:32:26,203 DEBUG Trying wapt-host.mondomaine.lan CNAME records
2018-03-16 18:32:26,203 DEBUG   No working wapt-host.mondomaine.lan CNAME record found
2018-03-16 18:32:26,203 DEBUG Trying wapt.mondomaine.lan. A records
2018-03-16 18:32:26,204 DEBUG   No wapt.mondomaine.lan. A record found
2018-03-16 18:32:26,204 INFO User Groups:[]
2018-03-16 18:32:26,206 DEBUG WAPT base directory : c:\wapt
2018-03-16 18:32:26,206 DEBUG Package cache dir : c:\wapt\cache
2018-03-16 18:32:26,206 DEBUG WAPT DB Structure version;: 20180303
2018-03-16 18:32:26,207 DEBUG Thread 4180 is connecting to wapt db
2018-03-16 18:32:26,207 DEBUG DB Start transaction
2018-03-16 18:32:26,207 DEBUG DB commit
2018-03-16 18:32:26,367 INFO Run "dmidecode -q"
2018-03-16 18:32:26,394 INFO dmidecode -q command returns code 0
        System Power Controls
2018-03-16 18:32:28,431 DEBUG Trying _waptserver._tcp.mondomaine.lan SRV records
2018-03-16 18:32:28,433 DEBUG   Defined servers : [(0, 0, 'https://srv-wapt.mondomaine.lan')]
2018-03-16 18:32:28,506 INFO Unknown UUID or hostname has changed: reading host UUID
2018-03-16 18:32:28,506 INFO reading custom host UUID from WMI System Information.
2018-03-16 18:32:28,528 DEBUG DB Start transaction
2018-03-16 18:32:28,529 DEBUG DB commit
2018-03-16 18:32:28,551 DEBUG DB Start transaction
2018-03-16 18:32:28,551 DEBUG DB commit
2018-03-16 18:32:28,635 DEBUG Starting new HTTPS connection (1): srv-wapt.mondomaine.lan
2018-03-16 18:32:28,647 DEBUG https://srv-wapt.mondomaine.lan:443 "POST /add_host_kerberos HTTP/1.1" 401 195
2018-03-16 18:32:28,648 DEBUG Starting new HTTPS connection (1): srv-wapt.mondomaine.lan
2018-03-16 18:32:28,658 DEBUG https://srv-wapt.mondomaine.lan:443 "POST /add_host_kerberos HTTP/1.1" 401 195
2018-03-16 18:32:28,661 DEBUG Starting new HTTPS connection (1): srv-wapt.mondomaine.lan
2018-03-16 18:32:28,673 DEBUG https://srv-wapt.mondomaine.lan:443 "POST /add_host_kerberos HTTP/1.1" 401 195
FATAL ERROR : EWaptBadServerAuthentication: Authentication failed on server https://srv-wapt.mondomaine.lan for action ad
d_host_kerberosTraceback (most recent call last):

  File "<string>", line 1215, in <module>
  File "<string>", line 1004, in main
  File "c:\wapt\common.py", line 4698, in register_computer
    signer = self.get_host_certificate().cn
  File "c:\wapt\common.py", line 1602, in post
    raise EWaptBadServerAuthentication('Authentication failed on server %s for action %s' % (self.server_url,action))
common.EWaptBadServerAuthentication: Authentication failed on server https://srv-wapt.mondomaine.lan for action add_host_
kerberos
Exception at 0043EC7F: EPyException:
EWaptBadServerAuthentication: Authentication failed on server https://srv-wapt.mondomaine.lan for action add_host_kerbero
s.

C:\Windows\system32>

Thomas

Guten Morgen,

Ich grabe...

Ich habe den Kerberos-Teil serverseitig getestet, und die Authentifizierung scheint korrekt zu funktionieren:

Code: Alle auswählen

root@srv-wapt:/opt/wapt# kinit -5 -V -k -t /etc/nginx/http-krb5.keytab srv-wapt$
Using default cache: /tmp/krb5cc_0
Using principal: srv-wapt$@MONDOMAINE.LAN
Using keytab: /etc/nginx/http-krb5.keytab
Authenticated to Kerberos v5
root@srv-wapt:/opt/wapt#

Ich habe das Debugging auf der Nginx-Seite aktiviert:

Code: Alle auswählen

location /add_host_kerberos {
            auth_gss on;
            auth_gss_keytab  /etc/nginx/http-krb5.keytab;
            error_log /var/log/nginx/kerberos.log debug;
            proxy_pass http://127.0.0.1:8080;
        }

Das Debugging-Problem beim Versuch, mich auf dem Client mit dem Systemkonto zu registrieren:

Code: Alle auswählen

2018/03/17 15:23:34 [debug] 7751#7751: *65 http cl:28037 max:4294967296
2018/03/17 15:23:34 [debug] 7751#7751: *65 rewrite phase: 3
2018/03/17 15:23:34 [debug] 7751#7751: *65 post rewrite phase: 4
2018/03/17 15:23:34 [debug] 7751#7751: *65 generic phase: 5
2018/03/17 15:23:34 [debug] 7751#7751: *65 generic phase: 6
2018/03/17 15:23:34 [debug] 7751#7751: *65 generic phase: 7
2018/03/17 15:23:34 [debug] 7751#7751: *65 access phase: 8
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSO auth handling IN: token.len=0, head=0, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *65 Begin auth
2018/03/17 15:23:34 [debug] 7751#7751: *65 Detect basic auth
2018/03/17 15:23:34 [debug] 7751#7751: *65 Detect SPNEGO token
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSO auth handling OUT: token.len=0, head=1, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *65 http finalize request: 401, "/add_host_kerberos?" a:1, c:1
2018/03/17 15:23:34 [debug] 7751#7751: *65 http special response: 401, "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *65 http set discard body
2018/03/17 15:23:34 [debug] 7751#7751: *65 http read discarded body
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 3072
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 1024
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 3166
2018/03/17 15:23:34 [debug] 7751#7751: *65 xslt filter header
2018/03/17 15:23:34 [debug] 7751#7751: *65 HTTP/1.1 401 Unauthorized
Server: nginx/1.10.3
Date: Sat, 17 Mar 2018 14:23:34 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm=""

2018/03/17 15:23:34 [debug] 7751#7751: *65 write new buf t:1 f:0 000055853991E700, pos 000055853991E700, size: 221 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 http write filter: l:0 f:0 s:221
2018/03/17 15:23:34 [debug] 7751#7751: *65 http output filter "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *65 http copy filter: "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *65 image filter
2018/03/17 15:23:34 [debug] 7751#7751: *65 xslt filter body
2018/03/17 15:23:34 [debug] 7751#7751: *65 http postpone filter "/add_host_kerberos?" 000055853991E918
2018/03/17 15:23:34 [debug] 7751#7751: *65 write old buf t:1 f:0 000055853991E700, pos 000055853991E700, size: 221 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 write new buf t:0 f:0 0000000000000000, pos 0000558538D888A0, size: 142 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 write new buf t:0 f:0 0000000000000000, pos 0000558538D88E40, size: 53 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 http write filter: l:1 f:0 s:416
2018/03/17 15:23:34 [debug] 7751#7751: *65 http write filter limit 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 posix_memalign: 00005585398E1900:512 @16
2018/03/17 15:23:34 [debug] 7751#7751: *65 malloc: 00005585398D70D0:16384
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL buf copy: 221
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL buf copy: 142
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL buf copy: 53
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL to write: 416
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_write: 416
2018/03/17 15:23:34 [debug] 7751#7751: *65 http write filter 0000000000000000
2018/03/17 15:23:34 [debug] 7751#7751: *65 http copy filter: 0 "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *65 http finalize request: 0, "/add_host_kerberos?" a:1, c:1
2018/03/17 15:23:34 [debug] 7751#7751: *65 set http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *65 http close request
2018/03/17 15:23:34 [debug] 7751#7751: *65 http log handler
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 00005585398DB220, unused: 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 000055853991E5A0, unused: 3003
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *65 hc free: 0000000000000000 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 hc busy: 0000000000000000 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 00005585398D70D0
2018/03/17 15:23:34 [debug] 7751#7751: *65 tcp_nodelay
2018/03/17 15:23:34 [debug] 7751#7751: *65 reusable connection: 1
2018/03/17 15:23:34 [debug] 7751#7751: *65 event timer add: 10: 65000:1521296679306
2018/03/17 15:23:34 [debug] 7751#7751: *65 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *65 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *65 http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *65 malloc: 00005585398EC5E0:1024
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: -1
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_get_error: 2
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *65 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *65 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *65 http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *65 malloc: 00005585398EC5E0:1024
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_get_error: 5
2018/03/17 15:23:34 [debug] 7751#7751: *65 peer shutdown SSL cleanly
2018/03/17 15:23:34 [info] 7751#7751: *65 client 192.168.1.5 closed keepalive connection
2018/03/17 15:23:34 [debug] 7751#7751: *65 close http connection: 10
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_shutdown: 1
2018/03/17 15:23:34 [debug] 7751#7751: *65 event timer del: 10: 1521296679306
2018/03/17 15:23:34 [debug] 7751#7751: *65 reusable connection: 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 0000000000000000
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 00005585398E1D10, unused: 16
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 00005585398E1900, unused: 400
2018/03/17 15:23:34 [debug] 7751#7751: *66 http cl:28037 max:4294967296
2018/03/17 15:23:34 [debug] 7751#7751: *66 rewrite phase: 3
2018/03/17 15:23:34 [debug] 7751#7751: *66 post rewrite phase: 4
2018/03/17 15:23:34 [debug] 7751#7751: *66 generic phase: 5
2018/03/17 15:23:34 [debug] 7751#7751: *66 generic phase: 6
2018/03/17 15:23:34 [debug] 7751#7751: *66 generic phase: 7
2018/03/17 15:23:34 [debug] 7751#7751: *66 access phase: 8
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSO auth handling IN: token.len=0, head=0, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *66 Begin auth
2018/03/17 15:23:34 [debug] 7751#7751: *66 Detect basic auth
2018/03/17 15:23:34 [debug] 7751#7751: *66 Detect SPNEGO token
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSO auth handling OUT: token.len=0, head=1, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *66 http finalize request: 401, "/add_host_kerberos?" a:1, c:1
2018/03/17 15:23:34 [debug] 7751#7751: *66 http special response: 401, "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *66 http set discard body
2018/03/17 15:23:34 [debug] 7751#7751: *66 http read discarded body
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 3072
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: -1
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_get_error: 2
2018/03/17 15:23:34 [debug] 7751#7751: *66 xslt filter header
2018/03/17 15:23:34 [debug] 7751#7751: *66 HTTP/1.1 401 Unauthorized
Server: nginx/1.10.3
Date: Sat, 17 Mar 2018 14:23:34 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm=""

2018/03/17 15:23:34 [debug] 7751#7751: *66 write new buf t:1 f:0 000055853991E700, pos 000055853991E700, size: 221 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 http write filter: l:0 f:0 s:221
2018/03/17 15:23:34 [debug] 7751#7751: *66 http output filter "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *66 http copy filter: "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *66 image filter
2018/03/17 15:23:34 [debug] 7751#7751: *66 xslt filter body
2018/03/17 15:23:34 [debug] 7751#7751: *66 http postpone filter "/add_host_kerberos?" 000055853991E918
2018/03/17 15:23:34 [debug] 7751#7751: *66 write old buf t:1 f:0 000055853991E700, pos 000055853991E700, size: 221 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 write new buf t:0 f:0 0000000000000000, pos 0000558538D888A0, size: 142 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 write new buf t:0 f:0 0000000000000000, pos 0000558538D88E40, size: 53 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 http write filter: l:1 f:0 s:416
2018/03/17 15:23:34 [debug] 7751#7751: *66 http write filter limit 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 posix_memalign: 00005585398E1900:512 @16
2018/03/17 15:23:34 [debug] 7751#7751: *66 malloc: 000055853991F5B0:16384
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL buf copy: 221
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL buf copy: 142
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL buf copy: 53
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL to write: 416
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_write: 416
2018/03/17 15:23:34 [debug] 7751#7751: *66 http write filter 0000000000000000
2018/03/17 15:23:34 [debug] 7751#7751: *66 http copy filter: 0 "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *66 http finalize request: 0, "/add_host_kerberos?" a:1, c:2
2018/03/17 15:23:34 [debug] 7751#7751: *66 event timer add: 10: 5000:1521296619329
2018/03/17 15:23:34 [debug] 7751#7751: *66 http request count:2 blk:0
2018/03/17 15:23:34 [debug] 7751#7751: *66 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *66 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *66 http run request: "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *66 http read discarded body
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 94
2018/03/17 15:23:34 [debug] 7751#7751: *66 http finalize request: -4, "/add_host_kerberos?" a:1, c:1
2018/03/17 15:23:34 [debug] 7751#7751: *66 set http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *66 http close request
2018/03/17 15:23:34 [debug] 7751#7751: *66 http log handler
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 00005585398DB220, unused: 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 000055853991E5A0, unused: 3003
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *66 hc free: 0000000000000000 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 hc busy: 0000000000000000 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 000055853991F5B0
2018/03/17 15:23:34 [debug] 7751#7751: *66 tcp_nodelay
2018/03/17 15:23:34 [debug] 7751#7751: *66 reusable connection: 1
2018/03/17 15:23:34 [debug] 7751#7751: *66 event timer del: 10: 1521296619329
2018/03/17 15:23:34 [debug] 7751#7751: *66 event timer add: 10: 65000:1521296679330
2018/03/17 15:23:34 [debug] 7751#7751: *66 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *66 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *66 http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *66 malloc: 00005585398EC5E0:1024
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: -1
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_get_error: 2
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *66 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *66 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *66 http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *66 malloc: 00005585398EC5E0:1024
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_get_error: 5
2018/03/17 15:23:34 [debug] 7751#7751: *66 peer shutdown SSL cleanly
2018/03/17 15:23:34 [info] 7751#7751: *66 client 192.168.1.5 closed keepalive connection
2018/03/17 15:23:34 [debug] 7751#7751: *66 close http connection: 10
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_shutdown: 1
2018/03/17 15:23:34 [debug] 7751#7751: *66 event timer del: 10: 1521296679330
2018/03/17 15:23:34 [debug] 7751#7751: *66 reusable connection: 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 0000000000000000
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 00005585398E6EB0, unused: 16
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 00005585398E1900, unused: 400
2018/03/17 15:23:34 [debug] 7751#7751: *67 http cl:28037 max:4294967296
2018/03/17 15:23:34 [debug] 7751#7751: *67 rewrite phase: 3
2018/03/17 15:23:34 [debug] 7751#7751: *67 post rewrite phase: 4
2018/03/17 15:23:34 [debug] 7751#7751: *67 generic phase: 5
2018/03/17 15:23:34 [debug] 7751#7751: *67 generic phase: 6
2018/03/17 15:23:34 [debug] 7751#7751: *67 generic phase: 7
2018/03/17 15:23:34 [debug] 7751#7751: *67 access phase: 8
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSO auth handling IN: token.len=0, head=0, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *67 Begin auth
2018/03/17 15:23:34 [debug] 7751#7751: *67 Detect basic auth
2018/03/17 15:23:34 [debug] 7751#7751: *67 Detect SPNEGO token
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSO auth handling OUT: token.len=0, head=1, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *67 http finalize request: 401, "/add_host_kerberos?" a:1, c:1
2018/03/17 15:23:34 [debug] 7751#7751: *67 http special response: 401, "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *67 http set discard body
2018/03/17 15:23:34 [debug] 7751#7751: *67 http read discarded body
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 3072
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: -1
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_get_error: 2
2018/03/17 15:23:34 [debug] 7751#7751: *67 xslt filter header
2018/03/17 15:23:34 [debug] 7751#7751: *67 HTTP/1.1 401 Unauthorized
Server: nginx/1.10.3
Date: Sat, 17 Mar 2018 14:23:34 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm=""

2018/03/17 15:23:34 [debug] 7751#7751: *67 write new buf t:1 f:0 000055853991E700, pos 000055853991E700, size: 221 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 http write filter: l:0 f:0 s:221
2018/03/17 15:23:34 [debug] 7751#7751: *67 http output filter "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *67 http copy filter: "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *67 image filter
2018/03/17 15:23:34 [debug] 7751#7751: *67 xslt filter body
2018/03/17 15:23:34 [debug] 7751#7751: *67 http postpone filter "/add_host_kerberos?" 000055853991E918
2018/03/17 15:23:34 [debug] 7751#7751: *67 write old buf t:1 f:0 000055853991E700, pos 000055853991E700, size: 221 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 write new buf t:0 f:0 0000000000000000, pos 0000558538D888A0, size: 142 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 write new buf t:0 f:0 0000000000000000, pos 0000558538D88E40, size: 53 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 http write filter: l:1 f:0 s:416
2018/03/17 15:23:34 [debug] 7751#7751: *67 http write filter limit 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 posix_memalign: 00005585398E1900:512 @16
2018/03/17 15:23:34 [debug] 7751#7751: *67 malloc: 000055853991F5B0:16384
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL buf copy: 221
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL buf copy: 142
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL buf copy: 53
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL to write: 416
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_write: 416
2018/03/17 15:23:34 [debug] 7751#7751: *67 http write filter 0000000000000000
2018/03/17 15:23:34 [debug] 7751#7751: *67 http copy filter: 0 "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *67 http finalize request: 0, "/add_host_kerberos?" a:1, c:2
2018/03/17 15:23:34 [debug] 7751#7751: *67 event timer add: 10: 5000:1521296619353
2018/03/17 15:23:34 [debug] 7751#7751: *67 http request count:2 blk:0
2018/03/17 15:23:34 [debug] 7751#7751: *67 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *67 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *67 http run request: "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *67 http read discarded body
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 94
2018/03/17 15:23:34 [debug] 7751#7751: *67 http finalize request: -4, "/add_host_kerberos?" a:1, c:1
2018/03/17 15:23:34 [debug] 7751#7751: *67 set http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *67 http close request
2018/03/17 15:23:34 [debug] 7751#7751: *67 http log handler
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 00005585398DB220, unused: 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 000055853991E5A0, unused: 3003
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *67 hc free: 0000000000000000 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 hc busy: 0000000000000000 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 000055853991F5B0
2018/03/17 15:23:34 [debug] 7751#7751: *67 tcp_nodelay
2018/03/17 15:23:34 [debug] 7751#7751: *67 reusable connection: 1
2018/03/17 15:23:34 [debug] 7751#7751: *67 event timer del: 10: 1521296619353
2018/03/17 15:23:34 [debug] 7751#7751: *67 event timer add: 10: 65000:1521296679353
2018/03/17 15:23:34 [debug] 7751#7751: *67 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *67 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *67 http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *67 malloc: 00005585398EC5E0:1024
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: -1
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_get_error: 2
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *67 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *67 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *67 http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *67 malloc: 00005585398EC5E0:1024
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_get_error: 5
2018/03/17 15:23:34 [debug] 7751#7751: *67 peer shutdown SSL cleanly
2018/03/17 15:23:34 [info] 7751#7751: *67 client 192.168.1.5 closed keepalive connection
2018/03/17 15:23:34 [debug] 7751#7751: *67 close http connection: 10
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_shutdown: 1
2018/03/17 15:23:34 [debug] 7751#7751: *67 event timer del: 10: 1521296679353
2018/03/17 15:23:34 [debug] 7751#7751: *67 reusable connection: 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 0000000000000000
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 00005585398E1D10, unused: 16
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 00005585398E1900, unused: 400

Ich habe auch versucht, den Parameter "auth_gss_realm = MONDOMAINE.LAN;" in der nginx-Konfiguration hinzuzufügen, erhielt aber das gleiche Ergebnis.
Ich setze meine Ermittlungen fort...

Thomas

Sie können den Wapt-Server im Debug-Modus starten:

Code: Alle auswählen

bash /opt/wapt/runwaptserver.sh -ldebug

Wenn während einer Registrierung nichts passiert, bedeutet dies, dass die Authentifizierung die nginx-Barriere nicht überwinden kann.

Achten Sie außerdem sorgfältig auf Ihre Serverkonfiguration:

Die Konferenz:

Code: Alle auswählen

allow_unauthenticated_registration = True

Normalerweise sollte diese Einstellung auf „False“ gesetzt werden, wenn Keberos aktiviert ist, um nicht authentifizierte Aufzeichnungen zu vermeiden.

Hallo,

danke für den Tipp.
Ich habe den Server im Debug-Modus gestartet und tatsächlich passiert nichts, wenn sich eine Workstation registrieren möchte. Das bestätigt, dass das Problem beim Nginx-Server liegt, was ich bereits vermutet hatte.

Ja, ich lasse den Parameter `allow_unauthenticated_registration` vorerst auf `True` gesetzt, damit sich Workstations, die vor der Aktivierung von Kerberos registriert waren, weiterhin am Server authentifizieren können.

Ich werde meine Untersuchung fortsetzen!

Thomas

Guten Morgen,

Ich habe die Ursache des Problems gefunden.
Wie bereits in einem früheren Beitrag erwähnt (viewtopic.php?f=13&t=1059Wir verlassen uns auf die DNS-SRV-Einträge, um den WAPT-Server und die Repositories zu finden.
Daher ist in der wapt-get.ini-Datei der Workstations das Feld wapt_server leer, was bei der Registrierung zu einem Problem führt.
Es funktioniert mit der unten stehenden wapt-get.ini-Datei:

Code: Alle auswählen

[global]
waptupdate_task_period=120
wapt_server=https://srv-wapt.mondomaine.lan
repo_url=
use_hostpackages=1
send_usage_report=1
use_kerberos=1
check_certificates_validity=1
verify_cert=0
dnsdomain=mondomaine.lan
max_gpo_script_wait=180
pre_shutdown_timeout=180
hiberboot_enabled=0
[wapt-templates]
repo_url=https://store.wapt.fr/wapt
verify_cert=1

Dies deutet darauf hin, dass der Client den Hauptserver während einer Registrierung nicht über die DNS-Abfrage finden kann, wenn der wapt_server in der wapt-get.ini nicht angegeben ist.

Thomas

Ah, ich habe gerade gesehen, dass es in Version 1.5.1.22 unter „Bekannte Probleme“ aufgeführt war….

Wenn waptserver mit einer DNS-SRV-Abfrage (dnsdomain-Parameter) gesucht wird, funktioniert die Kerberos-Registrierungsauthentifizierung nicht.

Ruhiges IT-Forum

Kerberos-Konfiguration

Kerberos-Konfiguration

Betreff: Kerberos-Konfiguration

Betreff: Kerberos-Konfiguration

Betreff: Kerberos-Konfiguration

Betreff: Kerberos-Konfiguration

Betreff: Kerberos-Konfiguration

Betreff: Kerberos-Konfiguration

Betreff: Kerberos-Konfiguration

Betreff: Kerberos-Konfiguration

Betreff: Kerberos-Konfiguration