WAPT1.3.13
Debian8
Win7&10
-----------------------
Hello,
I performed a test update from 1.3.13 to 1.5. It works quite well. However, I would like to enable Kerberos for security reasons, but I get this error:
FATAL ERROR: EWaptBadServerAuthentication: Authentication failed on server https://....
I've already seen this topic, but I don't have a problem with the DNS SRV record: viewtopic.php?t=1060
When should I enable Kerberos? Is it better to do it during the initial postconf.sh or later?
Does it work under Debian 9? Perhaps a silly question, but what is the username/password to enter when running wapt-get register?
Thank you
[SOLVED] Kerberos Problem
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
- sfonteneau
- WAPT Expert
- Messages: 2318
- Registered: July 10, 2014 - 11:52 PM
When you enable Kerberos on the server, WAPT agents must attempt to register using a Kerberos ticket.
For this to work, the agent must have `use_kerberos = 1` in its configuration
(https://www.wapt.fr/fr/doc/Configuratio ... rveur-wapt).
When you generate an agent from the console, the "Use Kerberos for initial registration" checkbox enables this in the `waptagent.exe` file.
Yes, I've already checked the server and client configuration files, and I'm successfully generating the agent.
I reinstalled and finally switched to Debian 9.5.
I'm getting a new error:
```
wapt-get register -S
.... HTTPError: 403 Error: Forbidden for url: https://...../add_host_kerberos
```
Is this an nginx configuration issue?
- sfonteneau
- WAPT Expert
- Messages: 2318
- Registered: July 10, 2014 - 11:52 PM
Indeed, at the moment the postconf is not very clean.
You must launch the postconf with the --use-kerberos option.
Otherwise, indeed, the nginx configuration is not suitable for Kerberos.
```
/opt/wapt/waptserver/scripts/postconf.sh --use-kerberos
```
Kerberos authentication isn't working at all for me...
I followed the documentation step by step:
https://www.wapt.fr/fr/doc/Installation ... ebian.html (Ad Microsoft W2016)
Test 1:
Test on a client registered with AD (Computers) (use_kerberos = 1 on the client - use_kerberos = True, allow_unauthentificated_registration = False on the server):
wapt-get register -S
waptservice User: (admin local)
Password: ***
HTTPError: 403 Error: Forbidden for url: https://wapt.0861234a.lan//add_host_kerberos
Test 2:
Test on a client registered with AD (Computers) (use_kerberos = 0 on the client - use_kerberos = True, allow_unauthentificated_registration = False on the server):
wapt-get register -S
waptservice User: (admin local)
Password: ***
EWaptBadServerAuthentication: Authentication failed on server https://wapt.0861234a.lan for action add_host
Test 3:
Test on a client referenced on the AD (Computers) (use_kerberos = 0 on the client - use_kerberos = True, allow_unauthentificated_registration = True on the server):
wapt-get register -S
waptservice User: (admin local)
Password: ***
The inventory was sent to the WAPT server (the machine appears correctly on the console).
/var/log/nginx/error.log:
[error] *640 open() "/var/www/wapt-host/676.....wapt" failed (2: No such file or directory), client: IP, server: _, request: "GET ...
Client conf:
```
[global]
repo_url=https://wapt.0861234a.lan/wapt
send_usage_report=1
use_hostpackages=1
wapt_server=https://wapt.0861234a.lan
use_kerberos=1
check_certificates_validity=1
verify_cert=0
dnsdomain=
max_gpo_script_wait=180
pre_shutdown_timeout=180
hiberboot_enabled=0
```
Server conf: /opt/wapt/conf/waptserver.ini
```
[uwsgi]
http-socket = 127.0.0.1:8080
master = true
processes = 16
wsgi = waptserver:app
chdir = /opt/wapt/waptserver/
max-requests = 100
uid = wapt
gid = www-data
enable-threads = true
[options]
wapt_user = admin
wapt_password = ...
wapt_folder = /var/www/wapt
server_uuid = ...
waptwua_folder = /var/www/waptwua
allow_unauthentificated_registration = False
secret_key = ...
use_kerberos = True
```
- sfonteneau
- WAPT Expert
- Messages: 2318
- Registered: July 10, 2014 - 11:52 PM
In view of the error message
```
HTTPError : 403 Error : Forbidden for url : https://wapt.0861234a.lan//add_host_kerberos
```
the nginx configuration is bad.
add_host_kerberos returns 403 if --use-kerberos is not passed as an option (I just made a fix to make the postconf cleaner).
Check your nginx configuration. If this is present in /etc/nginx/sites-enabled/wapt.conf:
```
location /add_host_kerberos {
    return 403;
}
```
then the postconf wasn't applied correctly.
Okay, so I just ran the command `/opt/wapt/waptserver/scripts/postconf.sh --use-kerberos` again, and it does modify the contents of `/add_host_kerberos` in `/etc/nginx/sites-enabled/wapt.conf`.
I now have:
```
location /add_host_kerberos {
    auth_gss on;
    auth_gss_keytab /etc/nginx/http-krb5.keytab;
    proxy_pass http://127.0.0.1:8080;
}
```
However, it's still not working... I'm back to my initial error:
`EWaptBadServerAuthentication: Authentication failed on server https://wapt.0861234a.lan/ for action add_host_kerberos...`
Just to be clear, the WaptService User requested for registration is indeed a local admin account that needs to be provided? I tried with the domain admin and it's the same.
I still get this error:
/var/log/nginx/error.log:
```
[error] *640 open() "/var/www/wapt-host/676.....wapt" failed (2: No such file or directory), client: IP, server: _, request: "GET ...
```
---
Kinit works fine... klist too... msktutil OK - permissions OK.
We agree that we should clear the contents of the /etc/krb5.conf file and add this:
```
[libdefaults]
default_realm = MYDOMAIN.LAN
dns_lookup_kdc = true
dns_lookup_realm = false
```
Just one thing: for "To verify, the command line echo $(hostname) should return the DNS address that the WAPT agents will use.", the command only returns the machine name, namely wapt. Is that normal?
Thanks
- sfonteneau
- WAPT Expert
- Messages: 2318
- Registered: July 10, 2014 - 11:52 PM
No
As the documentation indicates "echo $(hostname) should return the DNS address that the WAPT agents will use"
otherwise your servicePrincipalName will not be correctly registered in the AD.
* Remove the machine account from the wapt server in the AD
* Delete the ticket /etc/nginx/http-krb5.keytab
Now restart the procedure from the beginning with a fully qualified domain name (FQDN) in your /etc/hostname file
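
The two causes identified in this thread (an nginx site file still carrying `return 403` for `/add_host_kerberos` because postconf ran without `--use-kerberos`, and a server hostname that is not the FQDN the agents use) can be checked before re-registering an agent. The script below is an added example, not part of the original posts or of WAPT's own tooling; the function names and the `wapt.example.lan` host are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not WAPT code): pre-flight checks for Kerberos registration.

# Classify the /add_host_kerberos location: gss | blocked | incomplete | missing
kerberos_location_state() {
    awk '
        /location[ \t]+\/add_host_kerberos[ \t]*[{]/ { inblock = 1; found = 1 }
        inblock && /return[ \t]+403[ \t]*;/          { blocked = 1 }
        inblock && /auth_gss[ \t]+on[ \t]*;/         { gss = 1 }
        inblock && /auth_gss_keytab[ \t]+[^ \t;]+;/  { keytab = 1 }
        inblock && /[}]/                             { inblock = 0 }
        END {
            if (!found)             print "missing"
            else if (blocked)       print "blocked"
            else if (gss && keytab) print "gss"
            else                    print "incomplete"
        }' "$1"
}

# True only for a dotted name with no empty label (wapt.example.lan, not wapt).
is_fqdn() {
    case "$1" in
        .*|*.|*..*) return 1 ;;
        *.*)        return 0 ;;
        *)          return 1 ;;
    esac
}

# Host part of a wapt_server URL: drop scheme, path and port.
url_host() {
    h=${1#*://}; h=${h%%/*}
    printf '%s\n' "${h%%:*}"
}

# args: nginx site file, output of `hostname` on the server, agent wapt_server URL
check_wapt_kerberos() {
    rc=0
    state=$(kerberos_location_state "$1")
    [ "$state" = gss ] || { echo "nginx: /add_host_kerberos is $state"; rc=1; }
    is_fqdn "$2" || { echo "hostname '$2' is not an FQDN"; rc=1; }
    [ "$2" = "$(url_host "$3")" ] || { echo "hostname and agent URL host differ"; rc=1; }
    return "$rc"
}

# Constructed sample reproducing the thread's failing state.
sample=$(mktemp)
printf 'location /add_host_kerberos {\n    return 403;\n}\n' > "$sample"
check_wapt_kerberos "$sample" wapt https://wapt.example.lan || echo "not ready"
rm -f "$sample"
```

On a real server the three arguments would be `/etc/nginx/sites-enabled/wapt.conf`, `"$(hostname)"` and the `wapt_server` value from the agent configuration.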
- dcardon
- WAPT Expert
- Messages: 1932
- Registration: June 18, 2014 - 09:58
- Location: Saint Sébastien sur Loire
Hello James,
It is recommended to open a new topic for a new subject. I am closing this one as resolved.
Sincerely,
Denis
Denis Cardon - Tranquil IT
Share your experiences on WAPT! Send us your blog and article URLs in the "Your Opinion of the forum, and we'll feature them on the WAPT
