[RESOLVED] Kerberos Episode 3

pirona
Messages: 7
Registration: Oct 15, 2019 - 3:09 p.m.

December 31, 2019 - 1:19 PM

Good morning,

I have a small problem with the implementation of my Wapt system regarding Kerberos.

I read the previous episodes, and was not fooled by the $(hostname) problem: I have a serviceprincipalname which has the name that is contacted by the agents.

When I deploy my agent, my test client machine does not register in the console.
Everything else works: I use a powershell script to launch waptdeploy.
I have the service, the store, I can see my packages, but there's no new PC in the console.

When in elevated command prompt, I execute the command:

wapt-get register -l debug --service
I have this:

C:\Windows\system32>wapt-get register -l debug --service
Current loglevel : DEBUG
About to speak to waptservice...
Call register URL...
url: http://127.0.0.1:8088/register.json?notify_user=0&notify_server=1 timeout: 10000
url: http://127.0.0.1:8088/events?max_count=1 timeout: 11000
Waptservice User :url: http://127.0.0.1:8088/events?max_count=1 : OK Duration: 47
... which remains hung ad vitam aeternam.

I also get a 403 error when I go to https://myserver.td/add_host_kerberos .. which I cannot explain on a browser when I log in as admin of the domain.

I am on a Debian 9 server, I have nothing fancy in my hostname, nor in my /etc/hosts.
On the client side, these are Windows 10 Pro 1903/1909

If you have any leads, I'm all ears! :)

Administrator machine: Windows 10
Wapt version: 1.7.4.6232
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

January 2, 2020 - 10:09 AM

Good morning

The easiest way to debug is with psexec:

psexec.exe -s cmd
wapt-get register -ldebug

You can then verify that the workstation has negotiated a Kerberos ticket:

klist

Note that your wapt agent must have the correct value in wapt-get.ini:

use_kerberos=1

Then on the server, in the file

/opt/wapt/conf/waptserver.ini

you must have:

use_kerberos = True

In the file /etc/nginx/sites-enabled/wapt.conf

you must be able to find this:

            location /add_host_kerberos {
                auth_gss on;
                auth_gss_keytab  /etc/nginx/http-krb5.keytab;
                proxy_pass http://127.0.0.1:8080;
            }
If not, re-run the postconf and tick the Kerberos box.
pirona
Messages: 7
Registration: Oct 15, 2019 - 3:09 p.m.

January 7, 2020 - 4:43 PM

Good morning,

Thanks for the tip: I did all your tests and received this via a psexec:

...
2020-01-07 16:36:16,733 DEBUG https://monserveur.tld:443 "POST /add_host_kerberos HTTP/1.1" 403 169
2020-01-07 16:36:16,733 DEBUG authenticate_user(): returning <Response [403]>
2020-01-07 16:36:16,733 DEBUG handle_401(): returning <Response [403]>
2020-01-07 16:36:16,733 DEBUG handle_response(): returning <Response [403]>
2020-01-07 16:36:16,733 DEBUG handle_response() has seen 0 401 responses
2020-01-07 16:36:16,733 DEBUG handle_other(): Handling: 403
2020-01-07 16:36:16,733 DEBUG handle_other(): returning <Response [403]>
2020-01-07 16:36:16,733 DEBUG handle_response(): returning <Response [403]>
Traceback (most recent call last):
  File "<string>", line 1425, in <module>
  File "<string>", line 1207, in main
  File "C:\Program Files (x86)\wapt\common.py", line 5412, in register_computer
    signer = self.get_host_certificate().cn
  File "C:\Program Files (x86)\wapt\common.py", line 1882, in post
    req.raise_for_status()
  File "C:\Program Files (x86)\wapt\lib\site-packages\requests\models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://monserveur.tld/add_host_kerberos
FATAL ERROR : HTTPError: 403 Client Error: Forbidden for url: https://monserveur.tld/add_host_kerberos
Exception at 0044181C: EPyIOError:
HTTPError: 403 Client Error: Forbidden for url: https://monserveur.tld/add_host_kerberos.

I also successfully re-ran the postconf.
It seems like a very simple problem, but I can't quite put my finger on it.
pirona
Messages: 7
Registration: Oct 15, 2019 - 3:09 p.m.

January 7, 2020 - 5:03 PM

I also want to clarify what I receive with a status update on the service (on the wapt server):

root@wapt:/opt/wapt# systemctl status waptserver.service
● waptserver.service - WAPT Server startup script
   Loaded: loaded (/lib/systemd/system/waptserver.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2020-01-07 16:58:54 CET; 1min 4s ago
 Main PID: 8929 (python)
    Tasks: 1 (limit: 1147)
   Memory: 42.1M
   CGroup: /system.slice/waptserver.service
           └─8929 /opt/wapt/bin/python /opt/wapt/waptserver/server.py

Jan 07 16:58:54 monserveur.tld systemd[1]: Started WAPT Server startup script.
Jan 07 16:59:22 monserveur.tld  python[8929]: 2020-01-07 16:59:22,559 CRITICAL Get_websocket_auth_token failed EWaptAuthenticationFailure(u'Unknown host UUID 4DA586BB-BE2D-4232-903D-1DDC1F8E190F. Please register first.',)
pirona
Messages: 7
Registration: Oct 15, 2019 - 3:09 p.m.

January 7, 2020 - 5:29 PM

Hello,

I found the solution: a chmod 644 on the keytab file used by nginx...

Thank you for your help.
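As an added example (not WAPT's own tooling and not code from either poster), here is a POSIX shell script that checks, on the WAPT server, the three items sfonteneau lists above (use_kerberos in waptserver.ini, the auth_gss location for /add_host_kerberos in the nginx config, the keytab it points at) plus the thing that turned out to be the fix in the last post: whether the nginx worker can actually read the keytab. The default paths are the ones quoted in the thread; the worker user www-data, its primary group, and the use of GNU stat are assumptions for a stock Debian install and can be overridden through environment variables. It also flags the caveat a practitioner should keep in mind: chmod 644 makes the HTTP/ service key readable by every local account, which is enough to decrypt or forge service tickets for that SPN, so chown root:www-data with chmod 640 (or ownership by the worker user with 600) is the better fix than world-readable.

```shell
#!/bin/sh
# Added example (not WAPT's own tooling): server-side checks for the Kerberos
# registration path discussed in this thread. Paths, the nginx worker user and
# its primary group are assumptions matching a default Debian install.
WAPTSERVER_INI="${WAPTSERVER_INI:-/opt/wapt/conf/waptserver.ini}"
NGINX_CONF="${NGINX_CONF:-/etc/nginx/sites-enabled/wapt.conf}"
KEYTAB="${KEYTAB:-/etc/nginx/http-krb5.keytab}"
NGINX_USER="${NGINX_USER:-www-data}"     # assumption: Debian nginx worker user
NGINX_GROUP="${NGINX_GROUP:-www-data}"   # assumption: its primary group

# True if "<key> = True|1|yes" (case-insensitive) is set in an ini file.
# Covers use_kerberos = True (waptserver.ini) and use_kerberos=1 (wapt-get.ini).
ini_flag_on() {   # $1 = ini path, $2 = key
    grep -Eiq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*(true|1|yes)[[:space:]]*$" "$1"
}

# True if the nginx config has the /add_host_kerberos location guarded by
# auth_gss and pointing at the expected keytab (the block quoted in the thread).
nginx_gss_configured() {   # $1 = nginx conf, $2 = keytab path
    grep -Eq '^[[:space:]]*location[[:space:]]+/add_host_kerberos[[:space:]]*\{' "$1" &&
    grep -Eq '^[[:space:]]*auth_gss[[:space:]]+on[[:space:]]*;' "$1" &&
    grep -Eq "^[[:space:]]*auth_gss_keytab[[:space:]]+$2[[:space:]]*;" "$1"
}

# Unix read-permission decision for a file with octal mode $1, owner $2, group $3,
# evaluated for user $4 whose primary group is $5 (supplementary groups ignored).
# Exactly one class applies: owner bits if the user owns the file, else group
# bits if the groups match, else the "other" bits.
mode_readable_by() {
    perms=$(printf '%s' "$1" | tail -c 3)      # drop a leading setuid/setgid/sticky digit
    u=$(printf '%s' "$perms" | cut -c1)
    g=$(printf '%s' "$perms" | cut -c2)
    o=$(printf '%s' "$perms" | cut -c3)
    if [ "$2" = "$4" ]; then bit=$u
    elif [ "$3" = "$5" ]; then bit=$g
    else bit=$o; fi
    [ $((bit & 4)) -eq 4 ]
}

# True if the "other" class can read the file (what chmod 644 grants).
mode_world_readable() {
    o=$(printf '%s' "$1" | tail -c 1)
    [ $((o & 4)) -eq 4 ]
}

main() {
    rc=0
    if ini_flag_on "$WAPTSERVER_INI" use_kerberos; then
        echo "ok    use_kerberos enabled in $WAPTSERVER_INI"
    else
        echo "FAIL  use_kerberos is not True in $WAPTSERVER_INI (re-run postconf, tick Kerberos)"; rc=1
    fi
    if nginx_gss_configured "$NGINX_CONF" "$KEYTAB"; then
        echo "ok    /add_host_kerberos is behind auth_gss with $KEYTAB"
    else
        echo "FAIL  no auth_gss location for /add_host_kerberos in $NGINX_CONF"; rc=1
    fi
    if [ -f "$KEYTAB" ]; then
        set -- $(stat -c '%a %U %G' "$KEYTAB")    # GNU stat, as on Debian (assumption)
        if mode_readable_by "$1" "$2" "$3" "$NGINX_USER" "$NGINX_GROUP"; then
            echo "ok    $KEYTAB (mode $1, $2:$3) is readable by $NGINX_USER"
        else
            echo "FAIL  $KEYTAB (mode $1, $2:$3) is NOT readable by $NGINX_USER -> nginx answers 403"; rc=1
        fi
        if mode_world_readable "$1"; then
            echo "WARN  $KEYTAB is world-readable; prefer chown root:$NGINX_GROUP and chmod 640"
        fi
        # The keytab must hold HTTP/<name the agents contact>@REALM, not HTTP/$(hostname).
        command -v klist >/dev/null 2>&1 && klist -k "$KEYTAB"
    else
        echo "FAIL  keytab $KEYTAB not found"; rc=1
    fi
    return $rc
}

case "${1:-}" in run) main ;; esac
```

Run it as root on the server with `sh wapt-krb-check.sh run`; a FAIL on the readability line reproduces the 403 from the thread, and the WARN line is the hint that 644 fixed the symptom at the cost of exposing the service key.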