Kerberos configuration

TomTomGo
Messages: 25
Registration: May 3, 2017 - 3:36 p.m.
Location: La Chapelle-sur-Erdre

March 16, 2018 - 5:51 PM

Good morning,

I'm trying to configure machine authentication using Kerberos by following the tutorial:

https://www.wapt.fr/fr/doc-1.5/Installa ... ebian.html#

All the steps outlined in the tutorial went smoothly without any error messages.
When I try to register a machine, I get the following errors:

On the client, in the system account

Code: Select all

C:\Windows\system32>wapt-get register
        System Power Controls
FATAL ERROR : EWaptBadServerAuthentication: Authentication failed on server https://srv-wapt.mondomaine.lan for action add_host_kerberos
On the server in /var/log/nginx/access.log

Code: Select all

[16/Mar/2018:17:37:07 +0100] "POST /add_host_kerberos HTTP/1.1" 401 195 "-" "wapt/1.5.1.21"
[16/Mar/2018:17:37:07 +0100] "POST /add_host_kerberos HTTP/1.1" 401 195 "-" "wapt/1.5.1.21"
[16/Mar/2018:17:37:07 +0100] "POST /add_host_kerberos HTTP/1.1" 401 195 "-" "wapt/1.5.1.21"
I don't understand why; kinit worked, msktutil worked too, the account was created correctly in AD, keytab was created correctly, ...
I've done this kind of thing before with Squid, but never with nginx!
Thank you in advance for sharing your experiences on this topic.

Sincerely,

EDIT:
Server running Debian 9 / tis-waptserver 1.5.1.21-tisdeb9-4799-7c25f1fd
Client running Windows 7 64-bit French, waptagent 1.5.1.21
Last edited by TomTomGo on March 16, 2018 - 18:06, edited 1 time.
agauvrit
WAPT Expert
Messages: 238
Registration: Nov 17, 2016 - 10:25
Location: Nantes

March 16, 2018 - 6:06 PM

Hello TomTomGo

3 things to do/check properly:
  • Code: Select all

    /opt/wapt/waptserver/scripts/postconf.sh --use-kerberos --force-https
  • Code: Select all

    systemctl restart nginx
  • check that

    Code: Select all

    use_kerberos = True
Alexandre
TomTomGo
Messages: 25
Registration: May 3, 2017 - 3:36 p.m.
Location: La Chapelle-sur-Erdre

March 16, 2018 - 6:12 PM

Hello Alexandre,

Thanks for your reply.
I've done the first two steps.
However, is the parameter `use_kerberos = True` set on the client or the server?
On the client, I correctly set it to 1 in wapt-get.ini

Code: Select all

[global]
waptupdate_task_period=120
wapt_server=
repo_url=
use_hostpackages=1
send_usage_report=0
use_kerberos=1
check_certificates_validity=1
verify_cert=0
dnsdomain=mondomaine.lan
hiberboot_enabled=0
max_gpo_script_wait=180
pre_shutdown_timeout=180
[wapt-templates]
repo_url=https://store.wapt.fr/wapt
verify_cert=1



And on the server in waptserver.ini:

Code: Select all

[uwsgi]
http-socket = 127.0.0.1:8080
master = true
processes = 16
wsgi = waptserver:app
chdir = /opt/wapt/waptserver/
max-requests = 100
uid = wapt
gid = www-data
enable-threads = true

[options]
wapt_user = admin
wapt_password = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wapt_folder = /var/www/wapt
server_uuid = 76cd413e-2b41-11e7-8383-820a97f8d762
waptwua_folder = /var/www/waptwua
allow_unauthenticated_registration = True
secret_key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
use_kerberos = True
Thanks.

Thomas
agauvrit
WAPT Expert
Messages: 238
Registration: Nov 17, 2016 - 10:25
Location: Nantes

March 16, 2018 - 6:27 PM

Indeed, in both files

To test a registration, try using:

Code: Select all

wapt-get register -S
Or at maximum elevation (System account with PsExec):

Code: Select all

psexec.cmd -i -s -d cmd.exe
Then:

Code: Select all

wapt-get register -l debug
TomTomGo
Messages: 25
Registration: May 3, 2017 - 3:36 p.m.
Location: La Chapelle-sur-Erdre

March 16, 2018 - 6:37 PM

Thanks for your help!

So here's the output of the debug command in psexec -s cmd mode:

Code: Select all

C:\Windows\system32>wapt-get register -l debug
Current loglevel : DEBUG
2018-03-16 18:32:26,144 DEBUG Default encoding : ascii
2018-03-16 18:32:26,144 DEBUG Setting encoding for stdout and stderr to cp850
2018-03-16 18:32:26,145 DEBUG Python path ['c:\\wapt', 'c:\\wapt\\python27.zip', 'c:\\wapt\\DLLs', 'c:\\wapt\\lib', 'c:\
\wapt\\lib\\plat-win', 'c:\\wapt\\lib\\lib-tk', 'c:\\wapt', 'c:\\wapt\\lib\\site-packages', 'c:\\wapt\\lib\\site-package
s\\pywin32-221-py2.7-win32.egg']
2018-03-16 18:32:26,145 INFO Using local waptservice configuration c:\wapt\wapt-get.ini
2018-03-16 18:32:26,145 DEBUG Config file: c:\wapt\wapt-get.ini
2018-03-16 18:32:26,151 DEBUG Thread 4180 is connecting to wapt db
2018-03-16 18:32:26,181 DEBUG All interfaces : [u'192.168.1.14/255.255.0.0']
2018-03-16 18:32:26,201 DEBUG Local connected IPs: [u'192.168.1.14/255.255.0.0']
2018-03-16 18:32:26,201 DEBUG Trying _wapt-host._tcp.mondomaine.lan SRV records
2018-03-16 18:32:26,203 DEBUG   No _wapt-host._tcp.mondomaine.lan SRV record found
2018-03-16 18:32:26,203 DEBUG Trying wapt-host.mondomaine.lan CNAME records
2018-03-16 18:32:26,203 DEBUG   No working wapt-host.mondomaine.lan CNAME record found
2018-03-16 18:32:26,203 DEBUG Trying wapt.mondomaine.lan. A records
2018-03-16 18:32:26,204 DEBUG   No wapt.mondomaine.lan. A record found
2018-03-16 18:32:26,204 INFO User Groups:[]
2018-03-16 18:32:26,206 DEBUG WAPT base directory : c:\wapt
2018-03-16 18:32:26,206 DEBUG Package cache dir : c:\wapt\cache
2018-03-16 18:32:26,206 DEBUG WAPT DB Structure version;: 20180303
2018-03-16 18:32:26,207 DEBUG Thread 4180 is connecting to wapt db
2018-03-16 18:32:26,207 DEBUG DB Start transaction
2018-03-16 18:32:26,207 DEBUG DB commit
2018-03-16 18:32:26,367 INFO Run "dmidecode -q"
2018-03-16 18:32:26,394 INFO dmidecode -q command returns code 0
        System Power Controls
2018-03-16 18:32:28,431 DEBUG Trying _waptserver._tcp.mondomaine.lan SRV records
2018-03-16 18:32:28,433 DEBUG   Defined servers : [(0, 0, 'https://srv-wapt.mondomaine.lan')]
2018-03-16 18:32:28,506 INFO Unknown UUID or hostname has changed: reading host UUID
2018-03-16 18:32:28,506 INFO reading custom host UUID from WMI System Information.
2018-03-16 18:32:28,528 DEBUG DB Start transaction
2018-03-16 18:32:28,529 DEBUG DB commit
2018-03-16 18:32:28,551 DEBUG DB Start transaction
2018-03-16 18:32:28,551 DEBUG DB commit
2018-03-16 18:32:28,635 DEBUG Starting new HTTPS connection (1): srv-wapt.mondomaine.lan
2018-03-16 18:32:28,647 DEBUG https://srv-wapt.mondomaine.lan:443 "POST /add_host_kerberos HTTP/1.1" 401 195
2018-03-16 18:32:28,648 DEBUG Starting new HTTPS connection (1): srv-wapt.mondomaine.lan
2018-03-16 18:32:28,658 DEBUG https://srv-wapt.mondomaine.lan:443 "POST /add_host_kerberos HTTP/1.1" 401 195
2018-03-16 18:32:28,661 DEBUG Starting new HTTPS connection (1): srv-wapt.mondomaine.lan
2018-03-16 18:32:28,673 DEBUG https://srv-wapt.mondomaine.lan:443 "POST /add_host_kerberos HTTP/1.1" 401 195
FATAL ERROR : EWaptBadServerAuthentication: Authentication failed on server https://srv-wapt.mondomaine.lan for action ad
d_host_kerberosTraceback (most recent call last):

  File "<string>", line 1215, in <module>
  File "<string>", line 1004, in main
  File "c:\wapt\common.py", line 4698, in register_computer
    signer = self.get_host_certificate().cn
  File "c:\wapt\common.py", line 1602, in post
    raise EWaptBadServerAuthentication('Authentication failed on server %s for action %s' % (self.server_url,action))
common.EWaptBadServerAuthentication: Authentication failed on server https://srv-wapt.mondomaine.lan for action add_host_
kerberos
Exception at 0043EC7F: EPyException:
EWaptBadServerAuthentication: Authentication failed on server https://srv-wapt.mondomaine.lan for action add_host_kerbero
s.

C:\Windows\system32>
Thomas
TomTomGo
Messages: 25
Registration: May 3, 2017 - 3:36 p.m.
Location: La Chapelle-sur-Erdre

March 17, 2018 - 3:36 PM

Good morning,

I'm digging...

I tested the Kerberos part on the server side, and the authentication seems to be working correctly:

Code: Select all

root@srv-wapt:/opt/wapt# kinit -5 -V -k -t /etc/nginx/http-krb5.keytab srv-wapt$
Using default cache: /tmp/krb5cc_0
Using principal: srv-wapt$@MONDOMAINE.LAN
Using keytab: /etc/nginx/http-krb5.keytab
Authenticated to Kerberos v5
root@srv-wapt:/opt/wapt#
I enabled debugging on the Nginx side:

Code: Select all

location /add_host_kerberos {
            auth_gss on;
            auth_gss_keytab  /etc/nginx/http-krb5.keytab;
            error_log /var/log/nginx/kerberos.log debug;
            proxy_pass http://127.0.0.1:8080;
        }
The debug output when I try to register with the system account on the client:

Code: Select all

2018/03/17 15:23:34 [debug] 7751#7751: *65 http cl:28037 max:4294967296
2018/03/17 15:23:34 [debug] 7751#7751: *65 rewrite phase: 3
2018/03/17 15:23:34 [debug] 7751#7751: *65 post rewrite phase: 4
2018/03/17 15:23:34 [debug] 7751#7751: *65 generic phase: 5
2018/03/17 15:23:34 [debug] 7751#7751: *65 generic phase: 6
2018/03/17 15:23:34 [debug] 7751#7751: *65 generic phase: 7
2018/03/17 15:23:34 [debug] 7751#7751: *65 access phase: 8
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSO auth handling IN: token.len=0, head=0, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *65 Begin auth
2018/03/17 15:23:34 [debug] 7751#7751: *65 Detect basic auth
2018/03/17 15:23:34 [debug] 7751#7751: *65 Detect SPNEGO token
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSO auth handling OUT: token.len=0, head=1, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *65 http finalize request: 401, "/add_host_kerberos?" a:1, c:1
2018/03/17 15:23:34 [debug] 7751#7751: *65 http special response: 401, "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *65 http set discard body
2018/03/17 15:23:34 [debug] 7751#7751: *65 http read discarded body
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 3072
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 1024
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 3166
2018/03/17 15:23:34 [debug] 7751#7751: *65 xslt filter header
2018/03/17 15:23:34 [debug] 7751#7751: *65 HTTP/1.1 401 Unauthorized
Server: nginx/1.10.3
Date: Sat, 17 Mar 2018 14:23:34 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm=""

2018/03/17 15:23:34 [debug] 7751#7751: *65 write new buf t:1 f:0 000055853991E700, pos 000055853991E700, size: 221 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 http write filter: l:0 f:0 s:221
2018/03/17 15:23:34 [debug] 7751#7751: *65 http output filter "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *65 http copy filter: "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *65 image filter
2018/03/17 15:23:34 [debug] 7751#7751: *65 xslt filter body
2018/03/17 15:23:34 [debug] 7751#7751: *65 http postpone filter "/add_host_kerberos?" 000055853991E918
2018/03/17 15:23:34 [debug] 7751#7751: *65 write old buf t:1 f:0 000055853991E700, pos 000055853991E700, size: 221 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 write new buf t:0 f:0 0000000000000000, pos 0000558538D888A0, size: 142 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 write new buf t:0 f:0 0000000000000000, pos 0000558538D88E40, size: 53 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 http write filter: l:1 f:0 s:416
2018/03/17 15:23:34 [debug] 7751#7751: *65 http write filter limit 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 posix_memalign: 00005585398E1900:512 @16
2018/03/17 15:23:34 [debug] 7751#7751: *65 malloc: 00005585398D70D0:16384
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL buf copy: 221
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL buf copy: 142
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL buf copy: 53
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL to write: 416
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_write: 416
2018/03/17 15:23:34 [debug] 7751#7751: *65 http write filter 0000000000000000
2018/03/17 15:23:34 [debug] 7751#7751: *65 http copy filter: 0 "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *65 http finalize request: 0, "/add_host_kerberos?" a:1, c:1
2018/03/17 15:23:34 [debug] 7751#7751: *65 set http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *65 http close request
2018/03/17 15:23:34 [debug] 7751#7751: *65 http log handler
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 00005585398DB220, unused: 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 000055853991E5A0, unused: 3003
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *65 hc free: 0000000000000000 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 hc busy: 0000000000000000 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 00005585398D70D0
2018/03/17 15:23:34 [debug] 7751#7751: *65 tcp_nodelay
2018/03/17 15:23:34 [debug] 7751#7751: *65 reusable connection: 1
2018/03/17 15:23:34 [debug] 7751#7751: *65 event timer add: 10: 65000:1521296679306
2018/03/17 15:23:34 [debug] 7751#7751: *65 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *65 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *65 http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *65 malloc: 00005585398EC5E0:1024
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: -1
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_get_error: 2
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *65 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *65 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *65 http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *65 malloc: 00005585398EC5E0:1024
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_get_error: 5
2018/03/17 15:23:34 [debug] 7751#7751: *65 peer shutdown SSL cleanly
2018/03/17 15:23:34 [info] 7751#7751: *65 client 192.168.1.5 closed keepalive connection
2018/03/17 15:23:34 [debug] 7751#7751: *65 close http connection: 10
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_shutdown: 1
2018/03/17 15:23:34 [debug] 7751#7751: *65 event timer del: 10: 1521296679306
2018/03/17 15:23:34 [debug] 7751#7751: *65 reusable connection: 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 0000000000000000
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 00005585398E1D10, unused: 16
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 00005585398E1900, unused: 400
2018/03/17 15:23:34 [debug] 7751#7751: *66 http cl:28037 max:4294967296
2018/03/17 15:23:34 [debug] 7751#7751: *66 rewrite phase: 3
2018/03/17 15:23:34 [debug] 7751#7751: *66 post rewrite phase: 4
2018/03/17 15:23:34 [debug] 7751#7751: *66 generic phase: 5
2018/03/17 15:23:34 [debug] 7751#7751: *66 generic phase: 6
2018/03/17 15:23:34 [debug] 7751#7751: *66 generic phase: 7
2018/03/17 15:23:34 [debug] 7751#7751: *66 access phase: 8
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSO auth handling IN: token.len=0, head=0, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *66 Begin auth
2018/03/17 15:23:34 [debug] 7751#7751: *66 Detect basic auth
2018/03/17 15:23:34 [debug] 7751#7751: *66 Detect SPNEGO token
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSO auth handling OUT: token.len=0, head=1, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *66 http finalize request: 401, "/add_host_kerberos?" a:1, c:1
2018/03/17 15:23:34 [debug] 7751#7751: *66 http special response: 401, "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *66 http set discard body
2018/03/17 15:23:34 [debug] 7751#7751: *66 http read discarded body
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 3072
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: -1
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_get_error: 2
2018/03/17 15:23:34 [debug] 7751#7751: *66 xslt filter header
2018/03/17 15:23:34 [debug] 7751#7751: *66 HTTP/1.1 401 Unauthorized
Server: nginx/1.10.3
Date: Sat, 17 Mar 2018 14:23:34 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm=""

2018/03/17 15:23:34 [debug] 7751#7751: *66 write new buf t:1 f:0 000055853991E700, pos 000055853991E700, size: 221 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 http write filter: l:0 f:0 s:221
2018/03/17 15:23:34 [debug] 7751#7751: *66 http output filter "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *66 http copy filter: "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *66 image filter
2018/03/17 15:23:34 [debug] 7751#7751: *66 xslt filter body
2018/03/17 15:23:34 [debug] 7751#7751: *66 http postpone filter "/add_host_kerberos?" 000055853991E918
2018/03/17 15:23:34 [debug] 7751#7751: *66 write old buf t:1 f:0 000055853991E700, pos 000055853991E700, size: 221 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 write new buf t:0 f:0 0000000000000000, pos 0000558538D888A0, size: 142 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 write new buf t:0 f:0 0000000000000000, pos 0000558538D88E40, size: 53 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 http write filter: l:1 f:0 s:416
2018/03/17 15:23:34 [debug] 7751#7751: *66 http write filter limit 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 posix_memalign: 00005585398E1900:512 @16
2018/03/17 15:23:34 [debug] 7751#7751: *66 malloc: 000055853991F5B0:16384
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL buf copy: 221
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL buf copy: 142
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL buf copy: 53
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL to write: 416
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_write: 416
2018/03/17 15:23:34 [debug] 7751#7751: *66 http write filter 0000000000000000
2018/03/17 15:23:34 [debug] 7751#7751: *66 http copy filter: 0 "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *66 http finalize request: 0, "/add_host_kerberos?" a:1, c:2
2018/03/17 15:23:34 [debug] 7751#7751: *66 event timer add: 10: 5000:1521296619329
2018/03/17 15:23:34 [debug] 7751#7751: *66 http request count:2 blk:0
2018/03/17 15:23:34 [debug] 7751#7751: *66 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *66 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *66 http run request: "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *66 http read discarded body
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 94
2018/03/17 15:23:34 [debug] 7751#7751: *66 http finalize request: -4, "/add_host_kerberos?" a:1, c:1
2018/03/17 15:23:34 [debug] 7751#7751: *66 set http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *66 http close request
2018/03/17 15:23:34 [debug] 7751#7751: *66 http log handler
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 00005585398DB220, unused: 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 000055853991E5A0, unused: 3003
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *66 hc free: 0000000000000000 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 hc busy: 0000000000000000 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 000055853991F5B0
2018/03/17 15:23:34 [debug] 7751#7751: *66 tcp_nodelay
2018/03/17 15:23:34 [debug] 7751#7751: *66 reusable connection: 1
2018/03/17 15:23:34 [debug] 7751#7751: *66 event timer del: 10: 1521296619329
2018/03/17 15:23:34 [debug] 7751#7751: *66 event timer add: 10: 65000:1521296679330
2018/03/17 15:23:34 [debug] 7751#7751: *66 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *66 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *66 http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *66 malloc: 00005585398EC5E0:1024
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: -1
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_get_error: 2
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *66 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *66 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *66 http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *66 malloc: 00005585398EC5E0:1024
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_get_error: 5
2018/03/17 15:23:34 [debug] 7751#7751: *66 peer shutdown SSL cleanly
2018/03/17 15:23:34 [info] 7751#7751: *66 client 192.168.1.5 closed keepalive connection
2018/03/17 15:23:34 [debug] 7751#7751: *66 close http connection: 10
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_shutdown: 1
2018/03/17 15:23:34 [debug] 7751#7751: *66 event timer del: 10: 1521296679330
2018/03/17 15:23:34 [debug] 7751#7751: *66 reusable connection: 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 0000000000000000
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 00005585398E6EB0, unused: 16
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 00005585398E1900, unused: 400
2018/03/17 15:23:34 [debug] 7751#7751: *67 http cl:28037 max:4294967296
2018/03/17 15:23:34 [debug] 7751#7751: *67 rewrite phase: 3
2018/03/17 15:23:34 [debug] 7751#7751: *67 post rewrite phase: 4
2018/03/17 15:23:34 [debug] 7751#7751: *67 generic phase: 5
2018/03/17 15:23:34 [debug] 7751#7751: *67 generic phase: 6
2018/03/17 15:23:34 [debug] 7751#7751: *67 generic phase: 7
2018/03/17 15:23:34 [debug] 7751#7751: *67 access phase: 8
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSO auth handling IN: token.len=0, head=0, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *67 Begin auth
2018/03/17 15:23:34 [debug] 7751#7751: *67 Detect basic auth
2018/03/17 15:23:34 [debug] 7751#7751: *67 Detect SPNEGO token
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSO auth handling OUT: token.len=0, head=1, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *67 http finalize request: 401, "/add_host_kerberos?" a:1, c:1
2018/03/17 15:23:34 [debug] 7751#7751: *67 http special response: 401, "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *67 http set discard body
2018/03/17 15:23:34 [debug] 7751#7751: *67 http read discarded body
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 3072
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: -1
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_get_error: 2
2018/03/17 15:23:34 [debug] 7751#7751: *67 xslt filter header
2018/03/17 15:23:34 [debug] 7751#7751: *67 HTTP/1.1 401 Unauthorized
Server: nginx/1.10.3
Date: Sat, 17 Mar 2018 14:23:34 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm=""

2018/03/17 15:23:34 [debug] 7751#7751: *67 write new buf t:1 f:0 000055853991E700, pos 000055853991E700, size: 221 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 http write filter: l:0 f:0 s:221
2018/03/17 15:23:34 [debug] 7751#7751: *67 http output filter "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *67 http copy filter: "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *67 image filter
2018/03/17 15:23:34 [debug] 7751#7751: *67 xslt filter body
2018/03/17 15:23:34 [debug] 7751#7751: *67 http postpone filter "/add_host_kerberos?" 000055853991E918
2018/03/17 15:23:34 [debug] 7751#7751: *67 write old buf t:1 f:0 000055853991E700, pos 000055853991E700, size: 221 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 write new buf t:0 f:0 0000000000000000, pos 0000558538D888A0, size: 142 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 write new buf t:0 f:0 0000000000000000, pos 0000558538D88E40, size: 53 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 http write filter: l:1 f:0 s:416
2018/03/17 15:23:34 [debug] 7751#7751: *67 http write filter limit 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 posix_memalign: 00005585398E1900:512 @16
2018/03/17 15:23:34 [debug] 7751#7751: *67 malloc: 000055853991F5B0:16384
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL buf copy: 221
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL buf copy: 142
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL buf copy: 53
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL to write: 416
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_write: 416
2018/03/17 15:23:34 [debug] 7751#7751: *67 http write filter 0000000000000000
2018/03/17 15:23:34 [debug] 7751#7751: *67 http copy filter: 0 "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *67 http finalize request: 0, "/add_host_kerberos?" a:1, c:2
2018/03/17 15:23:34 [debug] 7751#7751: *67 event timer add: 10: 5000:1521296619353
2018/03/17 15:23:34 [debug] 7751#7751: *67 http request count:2 blk:0
2018/03/17 15:23:34 [debug] 7751#7751: *67 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *67 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *67 http run request: "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *67 http read discarded body
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 94
2018/03/17 15:23:34 [debug] 7751#7751: *67 http finalize request: -4, "/add_host_kerberos?" a:1, c:1
2018/03/17 15:23:34 [debug] 7751#7751: *67 set http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *67 http close request
2018/03/17 15:23:34 [debug] 7751#7751: *67 http log handler
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 00005585398DB220, unused: 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 000055853991E5A0, unused: 3003
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *67 hc free: 0000000000000000 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 hc busy: 0000000000000000 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 000055853991F5B0
2018/03/17 15:23:34 [debug] 7751#7751: *67 tcp_nodelay
2018/03/17 15:23:34 [debug] 7751#7751: *67 reusable connection: 1
2018/03/17 15:23:34 [debug] 7751#7751: *67 event timer del: 10: 1521296619353
2018/03/17 15:23:34 [debug] 7751#7751: *67 event timer add: 10: 65000:1521296679353
2018/03/17 15:23:34 [debug] 7751#7751: *67 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *67 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *67 http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *67 malloc: 00005585398EC5E0:1024
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: -1
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_get_error: 2
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *67 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *67 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *67 http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *67 malloc: 00005585398EC5E0:1024
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_get_error: 5
2018/03/17 15:23:34 [debug] 7751#7751: *67 peer shutdown SSL cleanly
2018/03/17 15:23:34 [info] 7751#7751: *67 client 192.168.1.5 closed keepalive connection
2018/03/17 15:23:34 [debug] 7751#7751: *67 close http connection: 10
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_shutdown: 1
2018/03/17 15:23:34 [debug] 7751#7751: *67 event timer del: 10: 1521296679353
2018/03/17 15:23:34 [debug] 7751#7751: *67 reusable connection: 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 0000000000000000
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 00005585398E1D10, unused: 16
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 00005585398E1900, unused: 400
I also tried adding the parameter "auth_gss_realm = MONDOMAINE.LAN;" in the nginx conf but got the same result.
I am continuing my investigations...

Thomas
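
Added example, not part of the original posts: a Python triage of the `auth_gss` debug lines shown above, telling apart requests where the client sent no Negotiate token from requests where nginx rejected one. It assumes `token.len` on the `SSO auth handling OUT` line is the length of the token decoded from the client's `Authorization` header and that `ret=0` marks success; connections *70 and *71 in the sample are constructed.

```python
import re

# nginx error_log line: "<date> <time> [level] pid#tid: *<conn> <message>"
LINE_RE = re.compile(r"^\S+ \S+ \[\w+\] \d+#\d+: \*(?P<conn>\d+) (?P<msg>.*)$")
# Final state of the SPNEGO handler for one request, in the format logged above.
OUT_RE = re.compile(
    r"SSO auth handling OUT: token\.len=(?P<len>\d+), head=\d+, ret=(?P<ret>\d+)"
)

# Constructed sample. Connection *65 copies lines from the log above;
# *70 and *71 are invented to show the other two outcomes.
SAMPLE_LOG = """\
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSO auth handling IN: token.len=0, head=0, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *65 Detect SPNEGO token
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSO auth handling OUT: token.len=0, head=1, ret=401
2018/03/17 15:23:34 [info] 7751#7751: *65 client 192.168.1.5 closed keepalive connection
2018/03/17 15:24:02 [debug] 7751#7751: *70 SSO auth handling OUT: token.len=1834, head=1, ret=401
2018/03/17 15:24:09 [debug] 7751#7751: *71 SSO auth handling OUT: token.len=1834, head=0, ret=0
"""


def classify(token_len, ret):
    """Map one handler result to a verdict (assumption: ret=0 means success)."""
    if ret == 401 and token_len == 0:
        return "no_token_sent"      # client was challenged but offered nothing
    if ret == 401:
        return "token_rejected"     # client offered a token, nginx refused it
    if ret == 0:
        return "authenticated"
    return "other"


def classify_connections(log_text):
    """Return {connection_id: [verdict, ...]}, one verdict per handled request."""
    verdicts = {}
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # dumped response headers carry no log prefix
        out = OUT_RE.search(line.group("msg"))
        if out:
            verdict = classify(int(out.group("len")), int(out.group("ret")))
            verdicts.setdefault(int(line.group("conn")), []).append(verdict)
    return verdicts


def side_to_check(verdicts):
    """Say which side to investigate first.

    A single token-less 401 is the normal first leg of Negotiate, so it only
    points at the client when no request ever carries a token.
    """
    flat = [v for per_conn in verdicts.values() for v in per_conn]
    if not flat:
        return "unknown"
    if "authenticated" in flat:
        return "ok"
    if "token_rejected" in flat:
        return "server"   # keytab / principal / realm on the nginx host
    return "client"       # the agent never produced a ticket for this server


if __name__ == "__main__":
    result = classify_connections(SAMPLE_LOG)
    for conn, per_conn in sorted(result.items()):
        print("*%d: %s" % (conn, ", ".join(per_conn)))
    print("check first:", side_to_check(result))
```

Run against the three connections posted above (*65 to *67), every request ends with `token.len=0, ret=401`, which points at the client rather than at the keytab.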
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

March 18, 2018 - 11:22

You can start the Wapt server in debug mode:

Code: Select all

bash /opt/wapt/runwaptserver.sh -ldebug
If you don't see anything happen during a register, it means that the authentication is not getting past the nginx barrier.

Also, be careful with your server configuration:

The setting:

Code: Select all

allow_unauthenticated_registration = True


Normally, if you enable Kerberos, this should be set to False to avoid unauthenticated registrations.
TomTomGo
Messages: 25
Registration: May 3, 2017 - 3:36 p.m.
Location: La Chapelle-sur-Erdre

March 18, 2018 - 7:23 PM

Hello,

thanks for the tip.
I launched the server in debug mode and indeed, I don't see anything happening when a workstation tries to register, which confirms that the problem lies with the Nginx server, which I already suspected...

Yes, for now I'm leaving the `allow_unauthenticated_registration` parameter set to `True` to allow workstations registered before Kerberos was enabled to continue authenticating to the server.

I'll continue my investigation!

Thomas
TomTomGo
Messages: 25
Registration: May 3, 2017 - 3:36 p.m.
Location: La Chapelle-sur-Erdre

March 19, 2018 - 10:40

Good morning,

I found the source of the problem.
As mentioned in a previous post (viewtopic.php?f=13&t=1059) we rely on the DNS SRV records to locate the wapt server and the repositories.
Therefore, in the wapt-get.ini file of the workstations, we have the wapt_server field which is empty, which causes a problem during registration.
It works with the wapt-get.ini file below:

Code: Select all

[global]
waptupdate_task_period=120
wapt_server=https://srv-wapt.mondomaine.lan
repo_url=
use_hostpackages=1
send_usage_report=1
use_kerberos=1
check_certificates_validity=1
verify_cert=0
dnsdomain=mondomaine.lan
max_gpo_script_wait=180
pre_shutdown_timeout=180
hiberboot_enabled=0
[wapt-templates]
repo_url=https://store.wapt.fr/wapt
verify_cert=1
This therefore seems to indicate that if the wapt_server is not specified in the wapt-get.ini, the client is unable to find the main server via the DNS query during a register.

Thomas
TomTomGo
Messages: 25
Registration: May 3, 2017 - 3:36 p.m.
Location: La Chapelle-sur-Erdre

March 30, 2018 - 12:28

Ah, I just saw that it was listed under "Known issues" in version 1.5.1.22...
When waptserver is searched with DNS SRV query (dnsdomain param), Kerberos register auth is not working.
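
Added example, not part of the original posts and not WAPT code: a Python check for the two configuration states this thread ran into, Kerberos enabled on the agent with an empty `wapt_server`, and Kerberos enabled on the server while `allow_unauthenticated_registration` is still `True`. The sample files are trimmed copies of the ones posted above, except `SERVER_HARDENED`, which is constructed; the finding codes are hypothetical names.

```python
import configparser

ENABLED = {"1", "true", "yes", "on"}

# Trimmed copy of the wapt-get.ini that failed to register.
CLIENT_BEFORE = """
[global]
wapt_server=
repo_url=
use_kerberos=1
dnsdomain=mondomaine.lan
"""

# Trimmed copy of the wapt-get.ini that worked.
CLIENT_AFTER = """
[global]
wapt_server=https://srv-wapt.mondomaine.lan
repo_url=
use_kerberos=1
dnsdomain=mondomaine.lan
"""

# Trimmed copy of the posted waptserver.ini (secrets left out).
SERVER_AS_POSTED = """
[options]
wapt_folder = /var/www/wapt
allow_unauthenticated_registration = True
use_kerberos = True
"""

# Constructed: the same file with the setting recommended in the thread.
SERVER_HARDENED = """
[options]
wapt_folder = /var/www/wapt
allow_unauthenticated_registration = False
use_kerberos = True
"""


def _load(text):
    # interpolation=None so that '%' in secrets or URLs is not interpreted
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def _value(parser, section, key):
    # A missing section or key is treated like an empty value
    return parser.get(section, key, fallback="").strip()


def _enabled(parser, section, key):
    return _value(parser, section, key).lower() in ENABLED


def audit(client_ini, server_ini):
    """Return a list of (code, message) findings for the two files."""
    client, server = _load(client_ini), _load(server_ini)
    findings = []

    if _enabled(client, "global", "use_kerberos") and not _value(
            client, "global", "wapt_server"):
        findings.append((
            "KRB_EMPTY_WAPT_SERVER",
            "use_kerberos is on but wapt_server is empty: the server is then "
            "located through DNS SRV, which the 1.5.1.22 known issues list "
            "as breaking Kerberos registration",
        ))

    if _enabled(server, "options", "use_kerberos") and _enabled(
            server, "options", "allow_unauthenticated_registration"):
        findings.append((
            "KRB_UNAUTH_REGISTRATION",
            "use_kerberos is on but allow_unauthenticated_registration is "
            "still True: hosts can register without a Kerberos ticket",
        ))

    return findings


if __name__ == "__main__":
    for code, message in audit(CLIENT_BEFORE, SERVER_AS_POSTED):
        print("%s: %s" % (code, message))
```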