Hello,
We primarily have a fleet of Windows machines, which generally works very well, but we would like to add wapt to the few Macs we are forced to use.
We registered them without any problems in the wapt console; they appear correctly, and we can push packages to them without any issues, and they install successfully.
However, the self-service repository is desperately empty, and there doesn't seem to be an equivalent to the wapttray (which is a shame!).
We assumed this was because the Macs weren't in Active Directory (Samba-AD, to be precise), so we added them in the same OU as the Windows machines. Nothing has worked; the self-service repository is still empty.
The "self-service" package, which contains the packages we want to make available to employees, is correctly installed on the Macs. It contains group declarations that list the users logged into the Macs, with applications deployed for these groups, and applications that are also available in a "macOS" version in the repository.
Authentication on the self-service portal is done via "system", unless I'm mistaken.
We're on WAPT 2.6.0.16767, upgraded today.
I tried looking in the waptservice.log file, but all I see is that there are 0 packets.
Does anyone have any ideas?
[SOLVED] Self Service on Mac
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
-
yoann.montouchet
- Messages: 31
- Registration: January 10, 2025 - 6:32 PM
Last edited by yoann.montouchet on January 13, 2025 - 11:15, edited 1 time.
- sfonteneau
- WAPT Expert
- Messages: 2318
- Registered: July 10, 2014 - 11:52 PM
Hello,
Do you have a local account on the Mac with the same name as the logged-in domain user?
Is there a /etc/krb5.conf file on the Mac?
Does the Active Directory information appear correctly for the Mac in the console (for example, the machine's OU)?
What version of Samba Active Directory are you using?
An alternative solution could be to use the following mode, which allows you to transfer authentication to the WAPT server (LDAP authentication on the WAPT server must be configured):
service_auth_type=waptserver-ldap
-
yoann.montouchet
- Messages: 31
- Registration: January 10, 2025 - 6:32 PM
Thank you for your answers!
Here is my feedback:
Do you have a local account on the Mac with the same name as the domain logged-in user? => Well, yes and no. We have "mobile" accounts that are created from the Active Directory connection, using the names of the Active Directory accounts. These accounts are created automatically upon login, but they aren't truly local accounts.
Is there a /etc/krb5.conf file on the Mac? => Yes, I confirm, with the correct Active Directory connection information
The Admin information appears correctly for the Mac in the console. (The machine's OU, for example?) => Yes, I can see the machines in the correct OU in the tree view on the left
What is your Samba Active Directory version? => 4.19.9
However, I see in the console that the logged-in account, as seen by wapt, is the local account which is an admin. The AD account is not an admin on the machine (so it seems impossible to use wapt-get commands, unlike in Windows).
But when I open the self-service portal, my AD user does appear in the bottom left corner.
For operation with:
Code:
service_auth_type=waptserver-ldap
We tried it on Windows machines after upgrading to version 2.6, but we encountered numerous errors and had to push an agent configuration to all machines to force a return to "system" mode; otherwise, self-service wouldn't work. We performed all the LDAP configuration on the WAPT server side, with testing via the script successful:
Code:
root@si-wapt-01:~# /opt/wapt/waptserver/scripts/testing-ldap-connectivity.sh
----------------------------------------------------------------
Test SSO SELFSERVICE LDAP with ldap_account_service_login
----------------------------------------------------------------
Username : yoann.montouchet
Group test member : nvm4windows
----------------------------------------------------------------
[OK] Test SSO SELFSERVICE LDAP with ldap_account_service_login
----------------------------------------------------------------
Test ldap with direct Login
----------------------------------------------------------------
Username ldap: yoann.montouchet
Password ldap:
Group test member : nvm4windows
--------
ALL GOOD
--------
These are the mistakes we made:
Code:
2025-01-10 14:13:37,294 [wapttasks CP Server Thread-11 19600] WARNING check_auth_groups: Self service authentication failed for yoann.montouchet: Invalid input name: builtin\utilisateurs
2025-01-10 14:13:44,111 [wapttasks CP Server Thread-10 23876] WARNING check_auth_groups: Self service authentication failed for yoann.montouchet: Invalid input name: builtin\utilisateurs
2025-01-10 14:13:50,884 [wapttasks CP Server Thread-5 19640] WARNING check_auth_groups: Self service authentication failed for yoann.montouchet: Invalid input name: builtin\utilisateurs
2025-01-10 14:13:57,681 [wapttasks CP Server Thread-4 9412] WARNING check_auth_groups: Self service authentication failed for yoann.montouchet: Invalid input name: builtin\utilisateurs
2025-01-10 14:14:04,475 [wapttasks CP Server Thread-6 23348] WARNING check_auth_groups: Self service authentication failed for yoann.montouchet: Invalid input name: builtin\utilisateur
- sfonteneau
- WAPT Expert
- Messages: 2318
- Registered: July 10, 2014 - 11:52 PM
yoann.montouchet wrote: ↑January 13, 2025 - 09:30
For operation with:
Code:
service_auth_type=waptserver-ldap
We tried it on Windows machines, after upgrading to version 2.6, but we got a lot of errors and we had to push an agent configuration to all machines to force a return to "system" mode, otherwise self-service did not work.
These are the mistakes we made:
Code:
2025-01-10 14:13:37,294 [wapttasks CP Server Thread-11 19600] WARNING check_auth_groups: Self service authentication failed for yoann.montouchet: Invalid input name: builtin\utilisateurs
2025-01-10 14:13:44,111 [wapttasks CP Server Thread-10 23876] WARNING check_auth_groups: Self service authentication failed for yoann.montouchet: Invalid input name: builtin\utilisateurs
2025-01-10 14:13:50,884 [wapttasks CP Server Thread-5 19640] WARNING check_auth_groups: Self service authentication failed for yoann.montouchet: Invalid input name: builtin\utilisateurs
2025-01-10 14:13:57,681 [wapttasks CP Server Thread-4 9412] WARNING check_auth_groups: Self service authentication failed for yoann.montouchet: Invalid input name: builtin\utilisateurs
2025-01-10 14:14:04,475 [wapttasks CP Server Thread-6 23348] WARNING check_auth_groups: Self service authentication failed for yoann.montouchet: Invalid input name: builtin\utilisateur
Did you include "builtin\user" in your self-service rules package?
If so, it would be better to use "domain users"
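Added example (not part of the thread and not WAPT code): a small Python triage script that reads agent log lines in the format quoted above and lists which group names fail to resolve, for which users, so the self-service rules package can be corrected. The function names and the sample data are hypothetical; only the line format comes from the log excerpt in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in the thread; the user
# "alice", the "Bad credentials" reason and the INFO line are made up for the example.
SAMPLE_LOG = r"""
2025-01-10 14:13:37,294 [wapttasks CP Server Thread-11 19600] WARNING check_auth_groups: Self service authentication failed for yoann.montouchet: Invalid input name: builtin\utilisateurs
2025-01-10 14:15:02,530 [wapttasks CP Server Thread-3 1204] WARNING check_auth_groups: Self service authentication failed for alice: Invalid input name: builtin\utilisateurs
2025-01-10 14:16:11,008 [wapttasks CP Server Thread-7 1310] WARNING check_auth_groups: Self service authentication failed for alice: Bad credentials
2025-01-10 14:16:12,000 [wapttasks CP Server Thread-7 1310] INFO unrelated line
"""

FAILURE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \[[^\]]*\] \w+ "
    r"check_auth_groups: Self service authentication failed for "
    r"(?P<user>[^:]+): (?P<reason>.*)$"
)
INVALID_NAME = "Invalid input name: "


def summarize_failures(log_text):
    """Split self-service auth failures into unresolved group names and other reasons."""
    groups = defaultdict(lambda: {"users": set(), "count": 0, "first": None, "last": None})
    other = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line.strip())
        if not m:
            continue  # not a self-service authentication failure
        ts, user, reason = m.group("ts", "user", "reason")
        if reason.startswith(INVALID_NAME):
            entry = groups[reason[len(INVALID_NAME):].strip().lower()]
            entry["users"].add(user)
            entry["count"] += 1
            entry["first"] = entry["first"] or ts
            entry["last"] = ts
        else:
            other.append((ts, user, reason))
    return dict(groups), other


def builtin_groups(groups):
    """Names under the builtin prefix, the kind the reply above suggests replacing."""
    return sorted(name for name in groups if name.startswith("builtin\\"))


if __name__ == "__main__":
    groups, other = summarize_failures(SAMPLE_LOG)
    for name, e in groups.items():
        print(f"{name}: {e['count']} failures, users={sorted(e['users'])}, {e['first']} .. {e['last']}")
    print("builtin groups to review:", builtin_groups(groups), "| other failures:", other)
```

To use it on a real machine, pass the contents of waptservice.log to summarize_failures() instead of SAMPLE_LOG.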
-
yoann.montouchet
- Messages: 31
- Registration: January 10, 2025 - 6:32 PM
I can confirm! Indeed, most of the packages in the self-service area are assigned to this group! 
I'll look into fixing that and will rerun the tests with waptserver-ldap...
I'll keep you posted, thanks!
-
yoann.montouchet
- Messages: 31
- Registration: January 10, 2025 - 6:32 PM
I can confirm that waptserver-ldap is now working perfectly (so SSO is OK!), and that it has also fixed the self-service issue on Macs.
I suggest updating the documentation to better highlight the change to the default parameter for "service_auth_type." On our system, upgrading from version 2.5.5 to 2.6.0 caused self-service to stop working because of this!
Thank you very much for your help!
- sfonteneau
- WAPT Expert
- Messages: 2318
- Registered: July 10, 2014 - 11:52 PM
Thanks for the feedback.
Normally, filetoken should work.
I wonder if it wasn't builtin\utilisateurs that was causing it to crash!
Another possibility, as I mentioned, is that a local account with the same name exists.
