Hello,
We have enabled Kerberos authentication for WAPT as well as certificate verification, so we have the following in our wapt-get.ini file:
wapt-get.ini;use_kerberos=1
wapt-get.ini;verify_cert=C:\Program Files (x86)\wapt\ssl\server\ca.crt
This works perfectly as long as we are using a machine with a DJOIN connection prepared.
The problem arises with non-domain machines.
Once the non-domain machines are deployed via WAPT, the agent cannot connect to WAPT automatically. We therefore have to go to the machine and run "wapt-get register". There, we are asked for the WAPT admin login credentials. Once logged in, everything is in order; the machine appears in WAPT, and we send it the configuration package associated with its fake OU.
Two questions:
- Can we make these machines authenticate to WAPT automatically despite Kerberos and without lowering the security level?
- Can we ensure that the configuration package (we have two different ones depending on the machine) is automatically assigned (based on the machine name / during deployment configuration in the WAPT console, for example)?
Regards,
Off-domain machine registration in WAPT via Kerberos
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
Good morning,
There are two solutions for agents to register automatically:
- Kerberos authentication for domain machines
- without authentication
The user/password authentication solution is not automatic.
For the second question, it's possible to create a package that installs other packages (metapackage) under certain conditions:
Or :
This package could be included in a core package group.
Good day,
Bertrand
There are two solutions for agents to register automatically:
- Kerberos authentication for domain machines
- without authentication
The user/password authentication solution is not automatic.
For the second question, it's possible to create a package that installs other packages (metapackage) under certain conditions:
Code: Select all
# -*- coding: utf-8 -*-
from setuphelpers import *
def install():
if get_hostname().startswith('test'):
WAPT.install('préfixe-paquetconftest')Code: Select all
# -*- coding: utf-8 -*-
from setuphelpers import *
def install():
if get_hostname().startswith('test'):
inifile_writestring(WAPT.config_filename, "global", "host_organizational_unit_dn", "OU=test,DC=hors_domaine")
This package could be included in a core package group.
Good day,
Bertrand
How are out-of-domain agents currently installed? With another deployment tool or manually?
For username/password authentication, it is possible to create a dedicated account (specific ACL) for agent registration. If the installation is done manually, this requires an additional command to register the agent ("wapt-get register" then enter the username/password).
Alternatively, you can script using the following command line (user password in the command line):
For username/password authentication, it is possible to create a dedicated account (specific ACL) for agent registration. If the installation is done manually, this requires an additional command to register the agent ("wapt-get register" then enter the username/password).
Alternatively, you can script using the following command line (user password in the command line):
Code: Select all
wapt-get register --wapt-server-user=WAPT_SERVER_USER --wapt-server-passwd=WAPT_SERVER_PASSWD
