[RESOLVED] Kerberos Episode 3

Published: Dec 31, 2019 - 1:19 PM
by pirona
Good morning,

I have a small problem with the implementation of my Wapt system regarding Kerberos.

I read the previous episodes, and was not fooled by the $(hostname) problem: I have a serviceprincipalname which has the name that is contacted by the agents.

When I deploy my agent, my test client machine does not register in the console.
Everything else works: I use a powershell script to launch waptdeploy.
I have the service, the store, I can see my packages, but there's no new PC in the console.

When, in an elevated command prompt, I execute the command:

Code:

wapt-get register -l debug --service
I have this:

Code:

C:\Windows\system32>wapt-get register -l debug --service
Current loglevel : DEBUG
About to speak to waptservice...
Call register URL...
url: http://127.0.0.1:8088/register.json?notify_user=0&notify_server=1 timeout: 10000
url: http://127.0.0.1:8088/events?max_count=1 timeout: 11000
Waptservice User :url: http://127.0.0.1:8088/events?max_count=1 : OK Duration: 47
... which then hangs ad vitam aeternam.

I also get a 403 error when I go to https://myserver.td/add_host_kerberos ... which I cannot explain, since I am logged in to the browser as a domain admin.

I am on a Debian 9 server, I have nothing fancy in my hostname, nor in my /etc/hosts.
On the client side, these are Windows 10 Pro 1903/1909

If you have any leads, I'm all ears! :)

Administrator machine: Windows 10
Wapt version: 1.7.4.6232

Re: Kerberos Episode 3

Published: January 2, 2020 - 10:09 AM
by sfonteneau
Good morning

The easiest way to debug is to do it with psexec:

Code:

psexec.exe -s cmd
wapt-get register -ldebug
You can then verify that the workstation has negotiated a Kerberos ticket:

Code:

klist

Note that your wapt agent must have the correct value (in wapt-get.ini)

Code:

use_kerberos=1
Then on the server, in the file

/opt/wapt/conf/waptserver.ini

you need:

Code:

use_kerberos = True
In the file /etc/nginx/sites-enabled/wapt.conf

you must be able to find this:

Code:

location /add_host_kerberos {
    auth_gss on;
    auth_gss_keytab  /etc/nginx/http-krb5.keytab;
    proxy_pass http://127.0.0.1:8080;
}
If not, re-run the postconf and check the Kerberos box.

Re: Kerberos Episode 3

Published: January 7, 2020 - 4:43 PM
by pirona
Good morning,

Thanks for the tip: I did all your tests and received this via a psexec:

Code:

...
2020-01-07 16:36:16,733 DEBUG https://monserveur.tld:443 "POST /add_host_kerberos HTTP/1.1" 403 169
2020-01-07 16:36:16,733 DEBUG authenticate_user(): returning <Response [403]>
2020-01-07 16:36:16,733 DEBUG handle_401(): returning <Response [403]>
2020-01-07 16:36:16,733 DEBUG handle_response(): returning <Response [403]>
2020-01-07 16:36:16,733 DEBUG handle_response() has seen 0 401 responses
2020-01-07 16:36:16,733 DEBUG handle_other(): Handling: 403
2020-01-07 16:36:16,733 DEBUG handle_other(): returning <Response [403]>
2020-01-07 16:36:16,733 DEBUG handle_response(): returning <Response [403]>
Traceback (most recent call last):
  File "<string>", line 1425, in <module>
  File "<string>", line 1207, in main
  File "C:\Program Files (x86)\wapt\common.py", line 5412, in register_computer
    signer = self.get_host_certificate().cn
  File "C:\Program Files (x86)\wapt\common.py", line 1882, in post
    req.raise_for_status()
  File "C:\Program Files (x86)\wapt\lib\site-packages\requests\models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://monserveur.tld/add_host_kerberos
FATAL ERROR : HTTPError: 403 Client Error: Forbidden for url: https://monserveur.tld/add_host_kerberos
Exception at 0044181C: EPyIOError:
HTTPError: 403 Client Error: Forbidden for url: https://monserveur.tld/add_host_kerberos.

I also successfully re-ran the postconf.
It seems like a very simple problem, but I can't quite put my finger on it.

Re: Kerberos Episode 3

Published: January 7, 2020 - 5:03 PM
by pirona
I also want to point out what I get from a status check of the service (on the WAPT server):

Code:

root@wapt:/opt/wapt# systemctl status waptserver.service
● waptserver.service - WAPT Server startup script
   Loaded: loaded (/lib/systemd/system/waptserver.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2020-01-07 16:58:54 CET; 1min 4s ago
 Main PID: 8929 (python)
    Tasks: 1 (limit: 1147)
   Memory: 42.1M
   CGroup: /system.slice/waptserver.service
           └─8929 /opt/wapt/bin/python /opt/wapt/waptserver/server.py

Jan 07 16:58:54 monserveur.tld systemd[1]: Started WAPT Server startup script.
Jan 07 16:59:22 monserveur.tld  python[8929]: 2020-01-07 16:59:22,559 CRITICAL Get_websocket_auth_token failed EWaptAuthenticationFailure(u'Unknown host UUID 4DA586BB-BE2D-4232-903D-1DDC1F8E190F. Please register first.',)

[RESOLVED] Kerberos Episode 3

Published: January 7, 2020 - 5:29 PM
by pirona
Hello,

I found the solution: a chmod 644 on the keytab file used by nginx...

Thank you for your help.
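The server-side checks from sfonteneau's reply (use_kerberos in waptserver.ini, the auth_gss location in the nginx config) and the keytab permission that turned out to be the cause, gathered into one added diagnostic script. This is not WAPT's own tooling: the default paths are the ones quoted in the thread, and the nginx worker group (www-data on Debian) is an assumption you can override as the fourth argument.

```shell
#!/bin/sh
# Added diagnostic checks for the server-side Kerberos registration path described in
# this thread; not WAPT's own tooling. Defaults are the paths quoted in the posts; the
# nginx worker group (www-data on Debian) is an assumption and can be overridden.

# ini_has FILE KEY VALUE: succeed if FILE has a "KEY = VALUE" line (spacing/case ignored).
ini_has() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1" 2>/dev/null
}

# nginx_has_gss_location FILE: succeed if the /add_host_kerberos location enables
# auth_gss and names a keytab, as in the block quoted in the reply.
nginx_has_gss_location() {
    awk '/location[[:space:]]+\/add_host_kerberos/ { inblk = 1 }
         inblk && /auth_gss[[:space:]]+on;/        { gss = 1 }
         inblk && /auth_gss_keytab/                { keytab = 1 }
         inblk && /}/                              { inblk = 0 }
         END { exit !(gss && keytab) }' "$1" 2>/dev/null
}

# keytab_readable FILE GROUP: succeed if the nginx worker can read the keytab: either
# "others" have read (the thread's fix, chmod 644, which makes the credential world-
# readable) or the file belongs to GROUP with group read set (640 is sufficient).
keytab_readable() {
    [ -f "$1" ] || return 1
    mode=$(printf '%04d' "$(stat -c '%a' "$1")")   # e.g. 0644; always four digits
    grp=$(stat -c '%G' "$1")
    case "$(printf '%s' "$mode" | cut -c4)" in 4|5|6|7) return 0 ;; esac
    case "$(printf '%s' "$mode" | cut -c3)" in 4|5|6|7) [ "$grp" = "$2" ] && return 0 ;; esac
    return 1
}

# check_all [SERVER_INI] [NGINX_CONF] [KEYTAB] [NGINX_GROUP]: run every check, print one
# line per result, and fail if any check failed.
check_all() {
    srv=${1:-/opt/wapt/conf/waptserver.ini}
    ngx=${2:-/etc/nginx/sites-enabled/wapt.conf}
    kt=${3:-/etc/nginx/http-krb5.keytab}
    grp=${4:-www-data}
    rc=0
    ini_has "$srv" use_kerberos True && echo "ok   use_kerberos = True in $srv" \
        || { echo "FAIL use_kerberos is not True in $srv"; rc=1; }
    nginx_has_gss_location "$ngx" && echo "ok   auth_gss location in $ngx" \
        || { echo "FAIL no /add_host_kerberos location with auth_gss in $ngx (re-run postconf)"; rc=1; }
    keytab_readable "$kt" "$grp" && echo "ok   $kt readable by nginx ($grp)" \
        || { echo "FAIL $kt missing or not readable by nginx (the thread's fix: chmod 644)"; rc=1; }
    return $rc
}
```

Run it as root on the WAPT server (`sh check.sh`); a keytab that the nginx worker cannot read shows up as a 403 on /add_host_kerberos exactly like the one in the debug log above.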