Wapt self-service on macOS

yoann.montouchet · March 2, 2026 - 1:08 PM

Hello everyone,

I'm sorry to bother you with a problem that seems so trivial to me, but I'm tearing my hair out over the configuration of a wapt agent on macos 26.3.
The workstation is newly installed, connection to the domain is OK and VPN is set up.
We can clearly see the post in the wapt console, we can push packages from there without any problems.

You can also view the packages available on the server via "wapt-get search", and install them without any problems.

However, the self-service feature is not working. It consistently displays "No results found":

: Screenshot 2026-03-02 130303.png (222.37 KB) Viewed 4731 times

I know we managed to configure another Mac previously, and it's still working today. But I can't figure out what's missing on this one... Is there a log somewhere we could use?

Here is the current wapt-get.ini file (identical to the other m1 macbook that is currently working):

Code: Select all

[global]
repo_url=https://wapt.xxx.xx/wapt
wapt_server=https://wapt.xxx.xx
verify_cert=/opt/wapt/ssl/server/wapt.xxx.xx.crt
use_ad_groups=1
allow_remote_reboot=1
allow_remote_shutdown=1
service_auth_type = waptserver-ldap
use_kerberos = True
notify_user = 0
locales  = fr,en
loglevel=warning
log_to_windows_events=0
use_http_proxy_for_repo=0
use_http_proxy_for_server=0
tray_check_interval=2
use_hostpackages=1
ad_groups_use_nested_group=1
timeout=10
wapt_server_timeout=30
maturities=PROD
default_maturity=
http_proxy=
token_lifetime=86400
trust_all_certs_in_pems=0
default_sources_root=/var/root/waptdev
default_package_prefix=tis
default_sources_suffix=wapt
default_sources_url=
upload_cmd=
upload_cmd_host=
after_upload=
personal_certificate_path=
check_certificates_validity=1
use_fqdn_as_uuid=0
uninstallkey_timeout=120

We're definitely on "wapt enterprise", version 2.6.1.17705, the Mac is in the correct OU, there's a "self-service" package that I installed manually without any changes... help!!!

EDIT: A detail that may be useful: I tested with domain users who are or are not admins of the mac without any change.

March 2, 2026 - 1:11 PM

Good morning

I see :

Code: Select all

service_auth_type = waptserver-ldap
use_kerberos = True

Which is precisely the conference that works.

On the Wapt server you can launch to test the LDAP part

Code: Select all

/opt/wapt/waptserver/scripts/testing-ldap-connectivity.sh

If it works, you should see:

Code: Select all

[OK] Test SSO SELFSERVICE LDAP with ldap_account_service_login

yoann.montouchet · March 2, 2026 - 1:22 PM

I confirm that the configuration on the server seems OK to me:

Code: Select all

----------------------------------------------------------------
Test SSO SELFSERVICE LDAP with ldap_account_service_login
----------------------------------------------------------------
Username : yoann.montouchet
Group test member : Domain Users
----------------------------------------------------------------
[OK] Test SSO SELFSERVICE LDAP with ldap_account_service_login
----------------------------------------------------------------
Test ldap with direct Login
----------------------------------------------------------------
Username ldap: yoann.montouchet
Password ldap:
Group test member : Domain Users
--------
ALL GOOD
--------

But this will be quick: I tried changing the log level to debug. Then I restarted the wapt service, and after that, I don't understand I can now see the content displayed...

: Screenshot 2026-03-02 132241 (Small).png (155.2 KB) Viewed 4714 times

In terms of actions taken today, I only see two things: installing the self-service package and then restarting the wapt service. Could these two elements explain why it's working now?

Otherwise, I don't understand...

EDIT: Okay, that's it, it was adding the self-service package that unlocked it, potentially followed by restarting the service... I'll make a note of it in my documentation!

March 2, 2026 - 1:27 PM

Interesting.

If you close and then reopen the self-service area, does it work?

yoann.montouchet · March 2, 2026 - 1:31 PM

Yes, it's still working. I can confirm that the missing self-service package was the issue. I don't know why adding it earlier didn't get everything working, but it's fine now.
Removing the package leaves the self-service area empty, and adding it back restores its contents.
Another question, which might be normal, is that self-service is supposed to be installed for all machines in an OU, but I see that the Mac is only visible in the "(All)" group; it disappears as soon as I look at an OU in the directory tree.
Is this "normal" for Macs? Windows machines appear correctly in the appropriate OU, but not the Macs.

EDIT: Correction, only *this* Mac doesn't appear in the correct OU; the other Macs are fine (and self-service installed itself for them).

March 2, 2026 - 2:11 PM

You can try watching on the Mac:

Code: Select all

wapt-get shell
>>> get_domain_info()

yoann.montouchet · March 2, 2026 - 2:57 PM

That's strange, it seems he can't connect to AD even though it's reachable, and I was able to add an AD user on my end:

: Screenshot 2026-03-02 145457 (Small).png (131.96 KB) Viewed 4672 times

I'm going to try rebooting and starting over

EDIT: It's the same after rebooting, with the VPN connected and even after restarting the service. Self-service works, but Active Directory seems unreachable

Code: Select all

Python 3.10.19 (main, Dec 22 2025, 15:32:31) [Clang 14.0.0 (clang-1400.0.29.202)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> get_domain_info()
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/opt/wapt/setuphelpers_unix.py", line 112, in get_domain_info
    error('Failed connect to active directory')
  File "/opt/wapt/waptutils.py", line 2093, in error
    raise EWaptSetupException('Fatal error : %s' % reason)
waptutils.EWaptSetupException: Fatal error : Failed connect to active directory

yoann.montouchet · March 2, 2026 - 4:26 PM

I just pulled up another Mac that appears correctly in the OU, but we're getting the same message as the Mac that's giving us trouble today. Could it be related to our infrastructure? We're on a Samba-AD server at the AD level, but it's only accessible through a VPN.

EDIT: I tried the same command on a Windows machine, it returns even less information, it just doesn't recognize the command, strangely enough!

Code: Select all

Python 3.10.19 (main, Jan 28 2026, 14:09:14) [MSC v.1929 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> get_domain_info()
Traceback (most recent call last):
  File "<console>", line 1, in <module>
NameError: name 'get_domain_info' is not defined
>>> get_domain_info()
Traceback (most recent call last):
  File "<console>", line 1, in <module>
NameError: name 'get_domain_info' is not defined
>>>

March 2, 2026 - 5:19 PM

You can try this:

Code: Select all

wapt-get shell
>>> client = pyldap.PyLdapClient(domain_name="mydomain.lan")
>>> print(client.bind_sasl_kerberos())

And this:

Code: Select all

wapt-get shell
pyldap.cldap_get_domain_info(domain_name="mydomain.lan")

yoann.montouchet · March 2, 2026 - 5:24 PM

OK, the first command fails on the problematic Mac:

Code: Select all

>>> client = pyldap.PyLdapClient(domain_name="ad.xxx.xx")
>>> print(client.bind_sasl_kerberos())
(False, '')

It works on the Windows machine; my AD account appears correctly.

The second command works:

Code: Select all

>>> pyldap.cldap_get_domain_info(domain_name="ad.xxx.xx")
{'nt_version': 5, 'logon_type': 'Anonymous', 'flags': 'PDC,GC,LDAP,DS,KDC,TimeServer,Closest,Writable,GoodTimeServer', 'guid': '{7492B563-849C-4422-B7E6-FDF790A36BBE}', 'forest': 'ad.xxx.xx', 'domain': 'ad.xxx.xx', 'host_name': 'xxx-xxx-xxx.ad.xxx.xx', 'netbios_domain': 'xx', 'netbios_hostname': 'xxx-xxx-xxx', 'unk': '', 'user': '', 'ip': 'xxx.xxx.xxx.xxx:389', 'server_site': 'Default-First-Site-Name', 'client_site': 'Default-First-Site-Name'}

And here I have the same line on both machines.

I'm going to check the Mac, which was able to recover its OU.
EDIT: I have the same behavior with the Mac that was able to recover its OU:

Code: Select all

>>> client = pyldap.PyLdapClient(domain_name="ad.xxx.xx")
>>> print(client.bind_sasl_kerberos())
(False, '')