[SOLVED] Kerberos Problem

Published: September 18, 2018 - 4:49 PM
by James
WAPT1.3.13
Debian8
Win7&10
-----------------------
Hello,
I performed a test update from 1.3.13 to 1.5. It works quite well. However, I would like to enable Kerberos for security reasons, but I get this error:
FATAL ERROR: EWaptBadServerAuthentication: Authentication failed on server https://....

I've already seen this topic, but I don't have a problem with the DNS SRV record: viewtopic.php?t=1060
When should I enable Kerberos? Is it better to do it during the initial postconf.sh or later?
Does it work under Debian 9? Perhaps a silly question, but what is the username/password to enter when running `wapt-get register`?
Thank you

Re: Kerberos Problem

Published: September 19, 2018 - 9:14 AM
by sfonteneau
When you enable Kerberos on the server, WAPT agents must attempt to register using a Kerberos ticket.

For this to work, the agent must have `use_kerberos = 1` in its configuration

(https://www.wapt.fr/fr/doc/Configuratio ... rveur-wapt).

When you generate an agent from the console, the "Use Kerberos for initial registration" checkbox enables this in the `waptagent.exe` file.

Re: Kerberos Problem

Published: September 19, 2018 - 4:06 PM
by James
Yes, I've already checked the server and client configuration files, and I'm successfully generating the agent.
I reinstalled and finally switched to Debian 9.5.

I'm getting a new error:
```
wapt-get register -S
.... HTTPError: 403 Error: FORBIDDEN for url: https://...../add_host_kerberos
```

Is this an nginx configuration issue?

Re: Kerberos Problem

Published: September 19, 2018 - 10:54 PM
by sfonteneau
Indeed, at the moment the postconf is not very clean.

You must launch the postconf with the --use-kerberos option:

```
/opt/wapt/waptserver/scripts/postconf.sh --use-kerberos
```

Otherwise, indeed, the nginx configuration is not suitable for Kerberos.

Re: Kerberos Problem

Published: September 20, 2018 - 11:46 AM
by James
Kerberos authentication isn't working at all for me...
I followed the documentation step by step:
https://www.wapt.fr/fr/doc/Installation ... ebian.html (AD: Microsoft Windows Server 2016)

Test 1:
Test on a client joined to AD (Computers) (use_kerberos = 1 on the client; use_kerberos = True, allow_unauthentificated_registration = False on the server):

```
wapt-get register -S
waptservice User: (local admin)
Password: ***
HTTPError: 403 Error: FORBIDDEN for url: https://wapt.0861234a.lan//add_host_kerberos
```

Test 2:
Test on a client joined to AD (Computers) (use_kerberos = 0 on the client; use_kerberos = True, allow_unauthentificated_registration = False on the server):

```
wapt-get register -S
waptservice User: (local admin)
Password: ***
EWaptBadServerAuthentication: Authentication failed on server https://wapt.0861234a.lan for action add_host
```

Test 3:
Test on a client joined to AD (Computers) (use_kerberos = 0 on the client; use_kerberos = True, allow_unauthentificated_registration = True on the server):

```
wapt-get register -S
waptservice User: (local admin)
Password: ***
```

The inventory was sent to the WAPT server (the machine appears correctly in the console).

/var/log/nginx/error.log:

```
[error] *640 open() "/var/www/wapt-host/676.....wapt" failed (2: No such file or directory), client: IP, server: _, request: "GET ...
```

Client conf:

```ini
[global]
repo_url=https://wapt.0861234a.lan/wapt
send_usage_report=1
use_hostpackages=1
wapt_server=https://wapt.0861234a.lan
use_kerberos=1
check_certificates_validity=1
verify_cert=0
dnsdomain=
max_gpo_script_wait=180
pre_shutdown_timeout=180
hiberboot_enabled=0
```

Server conf: /opt/wapt/conf/waptserver.ini

```ini
[uwsgi]
http-socket = 127.0.0.1:8080
master = true
processes = 16
wsgi = waptserver:app
chdir = /opt/wapt/waptserver/
max-requests = 100
uid = wapt
gid = www-data
enable-threads = true

[options]
wapt_user = admin
wapt_password = ...
wapt_folder = /var/www/wapt
server_uuid = ...
waptwua_folder = /var/www/waptwua
allow_unauthentificated_registration = False
secret_key = ...
use_kerberos = True
```

Re: Kerberos Problem

Published: September 20, 2018 - 3:43 PM
by sfonteneau
In view of the error message

```
HTTPError: 403 Error: FORBIDDEN for url: https://wapt.0861234a.lan//add_host_kerberos
```

the nginx configuration is bad.
add_host_kerberos returns 403 if --use-kerberos is not passed as an option (I just made a fix to make the postconf cleaner).

Check your nginx configuration.

If this is present in /etc/nginx/sites-enabled/wapt.conf:

```
location /add_host_kerberos {
    return 403;
}
```

then the postconf was not applied correctly.

Re: Kerberos Problem

Published: September 20, 2018 - 5:02 PM
by James
Okay, so I just ran the command `/opt/wapt/waptserver/scripts/postconf.sh --use-kerberos` again, and it does modify the contents of the `/add_host_kerberos` location in `/etc/nginx/sites-enabled/wapt.conf`.

I now have:

```
location /add_host_kerberos {
    auth_gss on;
    auth_gss_keytab /etc/nginx/http-krb5.keytab;
    proxy_pass http://127.0.0.1:8080;
}
```

However, it's still not working... I'm back to my initial error:
`EWaptBadServerAuthentication: Authentication failed on server https://wapt.0861234a.lan/ for action add_host_kerberos...`

Just to be clear, is the WaptService user requested at registration really a local admin account that has to be provided? I tried with the domain admin and it's the same.

I still get this error:
/var/log/nginx/error.log:
[error] *640 open() "/var/www/wapt-host/676.....wapt" failed (2: No such file or directory), client: IP, server: _, request: "GET ...

---
Kinit works fine... klist too... msktutil OK - permissions OK.
We agree that we should clear the contents of the /etc/krb5.conf file and add this:

```ini
[libdefaults]
default_realm = MYDOMAIN.LAN
dns_lookup_kdc = true
dns_lookup_realm = false
```

Just one thing: the documentation says "To verify, the command line echo $(hostname) should return the DNS address that the WAPT agents will use.", but the command only returns the machine name, namely wapt. Is that normal?

THANKS

Re: Kerberos Problem

Published: September 20, 2018 - 11:37 PM
by sfonteneau
James wrote (Sep 20, 2018 - 5:02 PM): Just one thing: the documentation says "To verify, the command line echo $(hostname) should return the DNS address that the WAPT agents will use.", but the command only returns the machine name, namely wapt. Is that normal?

No.
As the documentation indicates, "echo $(hostname) should return the DNS address that the WAPT agents will use".

Otherwise your servicePrincipalName will not be correctly registered in AD.

* Remove the WAPT server's machine account from AD
* Delete the ticket /etc/nginx/http-krb5.keytab

Now restart the procedure from the beginning with a fully qualified domain name (FQDN) in your /etc/hostname file
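A preflight script covering the two checks sfonteneau asks for in this thread: that the server's hostname is a fully qualified name (so the servicePrincipalName registered in AD matches the name agents use) and that nginx serves the `auth_gss` block for `/add_host_kerberos` rather than the `return 403` stub left behind when postconf.sh is run without `--use-kerberos`. This is an added example, not a WAPT script: the function names, the two sample site files and the empty placeholder keytab are constructed here; the real paths (`/etc/nginx/sites-enabled/wapt.conf`, `/etc/nginx/http-krb5.keytab`) are the ones quoted in the thread.

```sh
#!/bin/sh
# Preflight checks for WAPT Kerberos registration. Added example, not WAPT's own tooling.
# It covers the two failure modes seen in this thread:
#   1. the server's hostname is a short name, so the SPN registered in AD does not match
#      the FQDN the agents connect to;
#   2. nginx still serves the default "return 403" stub for /add_host_kerberos instead of
#      the auth_gss block that postconf.sh --use-kerberos writes.

# is_fqdn NAME: succeed only when NAME contains a dot with a label on each side of it.
is_fqdn() {
    case "$1" in
        *?.?*) return 0 ;;
        *)     return 1 ;;
    esac
}

# kerberos_location_status CONFIG: print one word describing the /add_host_kerberos
# location in an nginx site file: missing | blocked | kerberos | unknown
kerberos_location_status() {
    awk '
        /location[ \t]+\/add_host_kerberos[ \t]*[{]/ { inblock = 1; found = 1 }
        inblock && /auth_gss[ \t]+on/ { gss = 1 }
        inblock && /return[ \t]+403/  { denied = 1 }
        inblock && /[}]/              { inblock = 0 }
        END {
            if (!found)      print "missing"
            else if (denied) print "blocked"
            else if (gss)    print "kerberos"
            else             print "unknown"
        }' "$1"
}

# Constructed sample site files modelled on the snippets quoted in this thread, plus an
# empty file standing in for the keytab (placeholder only, not a real keytab).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_BLOCKED="$SAMPLE_DIR/wapt-blocked.conf"
SAMPLE_KERBEROS="$SAMPLE_DIR/wapt-kerberos.conf"
SAMPLE_KEYTAB="$SAMPLE_DIR/http-krb5.keytab"
cat > "$SAMPLE_BLOCKED" <<'EOF'
server {
    location /add_host_kerberos {
        return 403;
    }
}
EOF
cat > "$SAMPLE_KERBEROS" <<'EOF'
server {
    location /add_host_kerberos {
        auth_gss on;
        auth_gss_keytab /etc/nginx/http-krb5.keytab;
        proxy_pass http://127.0.0.1:8080;
    }
}
EOF
: > "$SAMPLE_KEYTAB"

# preflight HOSTNAME CONFIG KEYTAB: run every check, print findings, return the failure count.
preflight() {
    failures=0
    if is_fqdn "$1"; then
        echo "ok    hostname '$1' is fully qualified"
    else
        echo "FAIL  hostname '$1' is a short name; put the FQDN in /etc/hostname and redo the AD join"
        failures=$((failures + 1))
    fi
    status=$(kerberos_location_status "$2")
    if [ "$status" = kerberos ]; then
        echo "ok    $2: /add_host_kerberos uses auth_gss"
    else
        echo "FAIL  $2: /add_host_kerberos is '$status'; rerun postconf.sh --use-kerberos"
        failures=$((failures + 1))
    fi
    if [ -r "$3" ]; then
        echo "ok    keytab $3 is present"
    else
        echo "FAIL  keytab $3 is missing or unreadable"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# With --live, check this host; otherwise demonstrate on the constructed samples.
if [ "${1:-}" = "--live" ]; then
    preflight "$(hostname)" /etc/nginx/sites-enabled/wapt.conf /etc/nginx/http-krb5.keytab
else
    preflight wapt.0861234a.lan "$SAMPLE_KERBEROS" "$SAMPLE_KEYTAB"
    preflight wapt "$SAMPLE_BLOCKED" "$SAMPLE_DIR/missing.keytab" || echo "$? check(s) failed"
fi
```

Run it with `--live` on the WAPT server after `postconf.sh --use-kerberos`; every `FAIL` line maps to one of the fixes in this thread. The nginx parser only looks inside the `/add_host_kerberos` location, so a `return 403` elsewhere in the site file is not reported as a problem.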

Re: Kerberos Problem

Published: September 25, 2018 - 1:59 PM
by James
Yes, the problem was indeed with the hostname.
One last question: how do I now register a machine outside of Active Directory? Thank you.

Re: Kerberos Problem

Published: September 25, 2018 - 8:01 PM
by dcardon
Hello James,
James wrote (Sep 25, 2018 - 1:59 PM): Indeed, the problem was with the hostname...
One last question: how do I now register a machine outside of Active Directory? Thanks
It is recommended to open a new topic for a new subject. I am closing this one as resolved.

Sincerely,

Denis