Configuring the WAPT server with Kerberos without requiring authentication

Published: January 31, 2020 - 11:12 AM
by RebeccaS
WAPT Server version: 1.8.0
WAPT Agent version: 1.8.0.6641
WAPT Setup version: 1.8.0.6641
WAPT Deploy version: 1.8.0.6641
Database status: OK (1.8.0.0)

Server OS: Linux/Debian 10.2
Operating system of the administration/package creation machine: Windows 10

Good morning,

We are currently in the testing phase of the WAPT community version solution before migrating to the Enterprise version.

I followed the following configuration:

https://www.wapt.fr/fr/doc/wapt-securit ... 20machines

in order to authenticate machines via Kerberos before they are registered.

The setup went well, but I would like to know if there is a way to set up this configuration without having to enter the admin ID to register the machine.

auth_wapt.png

Should the credentials be put in the server configuration file or the client configuration file?

I tried modifying the server configuration file /opt/wapt/conf/waptserver.ini by setting the value allow_unauthenticated_registration = True

[options]
waptwua_folder = /var/www/waptwua
server_uuid = xxxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxxxxx
clients_signing_key = /opt/wapt/conf/ca-xxxxxxxxxxxxxx.lan.pem
clients_signing_certificate = /opt/wapt/conf/ca-xxxxxxxxxxxxx.lan.crt
wapt_password = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
use_kerberos = True
allow_unauthenticated_connect = False
allow_unauthenticated_registration = True
secret_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

When I launch the WAPT server in debug mode, I get this output:

2020-01-31 10:55:08,558 DEBUG Traceback (most recent call last):
  File "/opt/wapt/waptserver/server.py", line 429, in register_host
    valid_auth = auth_result and auth_result['auth_method'] in ['admin','passwd','ldap','kerb']
UnboundLocalError: local variable 'auth_result' referenced before assignment



Sincerely,

Rebecca
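
The traceback in the post above is the Python failure where a name is bound on only some code paths before it is used in an authentication decision. The following is an added illustration, not part of the thread and not WAPT's `server.py`: only the `valid_auth` expression comes from the traceback, while the function names and the branch structure are assumptions made for the example.

```python
ACCEPTED_METHODS = ['admin', 'passwd', 'ldap', 'kerb']  # list taken from the traceback


def authenticate(kerberos_principal, password_ok):
    """Hypothetical helper: return an auth_result dict, or None when nothing authenticated."""
    if kerberos_principal:
        return {'auth_method': 'kerb', 'user': kerberos_principal}
    if password_ok:
        return {'auth_method': 'passwd', 'user': 'admin'}
    return None


def register_host_unbound(kerberos_principal, password_ok, allow_unauthenticated_registration):
    """Assumed shape of the failure: auth_result is bound on one branch only."""
    if not allow_unauthenticated_registration:
        auth_result = authenticate(kerberos_principal, password_ok)
    # If the branch above was skipped, the next line raises UnboundLocalError.
    valid_auth = auth_result and auth_result['auth_method'] in ACCEPTED_METHODS
    return bool(valid_auth)


def register_host_checked(kerberos_principal, password_ok, allow_unauthenticated_registration):
    """Bind auth_result on every path and keep 'authenticated' separate from 'accepted'."""
    auth_result = authenticate(kerberos_principal, password_ok)  # None: no proof of identity
    valid_auth = auth_result is not None and auth_result['auth_method'] in ACCEPTED_METHODS
    return {
        'valid_auth': valid_auth,
        'auth_method': auth_result['auth_method'] if valid_auth else None,
        'accepted': valid_auth or allow_unauthenticated_registration,
    }


if __name__ == '__main__':
    try:
        register_host_unbound(None, False, True)
    except UnboundLocalError as exc:
        print('unbound path:', exc)
    print(register_host_checked('mypc$@DOMAIN.LAN', False, False))
    print(register_host_checked(None, False, True))
```

Keeping `valid_auth` and `accepted` as separate fields lets the server log whether a host proved its identity even when unauthenticated registration is allowed.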

Re: Configuring the WAPT server with Kerberos without requiring authentication

Published: January 31, 2020 - 12:00 PM
by sfonteneau
Good morning

If you want to enable Kerberos, you need to set the value

use_kerberos=1
in the agent in wapt-get.ini

Next, to verify that the workstation is correctly negotiating a Kerberos ticket, you can run psexec:

psexec -s cmd
wapt-get register
klist
If no ticket mentions wapt, it means your wapt server registration in AD did not go well (probably an SPN problem).

The username and password are only requested if Kerberos authentication fails.

Re: Configuring the WAPT server with Kerberos without requiring authentication

Published: January 31, 2020 - 2:28 PM
by RebeccaS
Here is the wapt-get.ini configuration

[global]
repo_url=https://wapt-server/wapt
send_usage_report=1
use_hostpackages=1
wapt_server=https:///wapt-server.lan
use_kerberos=1
check_certificates_validity=1
verify_cert=0
use_repo_rules=0
dnsdomain=
max_gpo_script_wait=180
pre_shutdown_timeout=180
hiberboot_enabled=0
[wapt-templates]
repo_url=https://store.wapt.fr/wapt
verify_cert=1

After running the commands, here is the result:
wapt_client.png

Re: Configuring the WAPT server with Kerberos without requiring authentication

Published: January 31, 2020 - 2:42 PM
by sfonteneau
It seems there's a problem with Wapt.

Could you test with this version:

https://wapt.tranquil.it/wapt/nightly/w ... -acfedbd8/

Re: Configuring the WAPT server with Kerberos without requiring authentication

Published: January 31, 2020 - 4:20 PM
by RebeccaS
In other words, instead of using https://wapt.tranquil.it/debian/wapt-1.8/ ?

Or just a specific file?

Re: Configuring the WAPT server with Kerberos without requiring authentication

Published: February 14, 2020 - 12:32 PM
by dcardon
Hello RebeccaS,

there was a regression in the Kerberos registration section in WAPT version 1.8.0. This has been fixed in version 1.8.1. If you can upgrade, it should resolve your issue.

Regards,

Denis

Re: Configuring the WAPT server with Kerberos without requiring authentication

Published: February 18, 2020 - 12:43 PM
by RebeccaS
Hello,

I just retested the new version, but I still have the same problem...

And the problem appears as soon as the management console is installed...

Best regards,

Rebecca.

Re: Configuring the WAPT server with Kerberos without requiring authentication

Published: February 20, 2020 - 10:18 AM
by dcardon
Difficult to diagnose with the limited information available.
* Client logs (%WAPT_HOME%\log\waptservice.log)
* Server logs (/var/log/waptserver.log or /var/log/daemon.log)
* Test with `wapt-get register -l debug` in `psexec -i -s cmd.exe` using the new version 1.8.1.
Regards,
Denis

Re: Configuring the WAPT server with Kerberos without requiring authentication

Published: February 24, 2020 - 4:26 PM
by RebeccaS
Good morning,

Here is the information you requested:
* client logs (%WAPT_HOME%\log\waptservice.log)

Serving on http://client:8088
2020-02-24 15:45:26,707 [waptws ] WARNING Websocket connect params: Unable to get auth token: Error on server:
EWaptAuthenticationFailure(u'Unknown host UUID xxxxxxx-xxxxxxxxxxxxx-xxxxxxxxxxxx-xxxxx-xx. Please register first.',)
Get packages index
u'2 packet(s) in the d\xe9p\xf4t\nThe system is \xe0 day'
2020-02-24 15:45:38,444 [waptcore ] WARNING Host on the server is not known or not known under this FQDN name (known as None). Trying to register the computer...
System Power Controls
2020-02-24 15:47:26,846 [waptws ] WARNING Websocket connect params: Unable to get auth token: Error on server:
EWaptAuthenticationFailure(u'Unknown host UUID xxxxxxx-xxxxxxxxxxxxx-xxxxxxxxxxxx-xxxxx-xx. Please register first.',)
2020-02-24 15:49:26,976 [waptws ] WARNING Websocket connect params: Unable to get auth token: Error on server:
EWaptAuthenticationFailure(u'Unknown host UUID xxxxxxx-xxxxxxxxxxxxx-xxxxxxxxxxxx-xxxxx-xx. Please register first.',)
2020-02-24 15:51:27,138 [waptws ] WARNING Websocket connect params: Unable to get auth token: Error on server:
EWaptAuthenticationFailure(u'Unknown host UUID xxxxxxx-xxxxxxxxxxxxx-xxxxxxxxxxxx-xxxxx-xx. Please register first.',)
2020-02-24 15:53:27,269 [waptws ] WARNING Websocket connect params: Unable to get auth token: Error on server:
EWaptAuthenticationFailure(u'Unknown host UUID xxxxxxx-xxxxxxxxxxxxx-xxxxxxxxxxxx-xxxxx-xx. Please register first.',)
2020-02-24 15:55:27,414 [waptws ] WARNING Websocket connect params: Unable to get auth token: Error on server:
EWaptAuthenticationFailure(u'Unknown host UUID xxxxxxx-xxxxxxxxxxxxx-xxxxxxxxxxxx-xxxxx-xx. Please register first.',)
2020-02-24 15:57:27,540 [waptws ] WARNING Websocket connect params: Unable to get auth token: Error on server:
EWaptAuthenticationFailure(u'Unknown host UUID xxxxxxx-xxxxxxxxxxxxx-xxxxxxxxxxxx-xxxxx-xx. Please register first.',)
2020-02-24 15:59:27,690 [waptws ] WARNING Websocket connect params: Unable to get auth token: Error on server:
EWaptAuthenticationFailure(u'Unknown host UUID xxxxxxx-xxxxxxxxxxxxx-xxxxxxxxxxxx-xxxxx-xx. Please register first.',)
2020-02-24 16:01:27,819 [waptws ] WARNING Websocket connect params: Unable to get auth token: Error on server:
EWaptAuthenticationFailure(u'Unknown host UUID xxxxxxx-xxxxxxxxxxxxx-xxxxxxxxxxxx-xxxxx-xx. Please register first.',)

* Server logs (/var/log/waptserver.log or /var/log/daemon.log)

Feb 24 16:01:24 waptserver python[2598]: 2020-02-24 16:01:24,331 [waptserver ] CRITICAL Get_websocket_auth_token failed EWaptAuthenticationFailure(u'Unknown host UUID xxxxxxx-xxxxxxxx-xxxxxxxx-xxxxx. Please register first.',)
Feb 24 16:01:24 waptserver python[2598]: 2020-02-24 16:01:24,378 [waptws ] WARNING SocketIO connection refused for uuid xxxxxxx-xxxxxxxx-xxxxxxxx-xxxxx, sid xxxxxxxxxxxxxxxxx: SocketIO connection not authorized, invalid token: 400 Bad Request: The browser (or proxy) sends a request that this server could not understand., instance

* Test a `wapt-get register -l debug` command in a `psexec -i -s cmd.exe` with the new version 1.8.1
waptgerregister.png

For your information:

wapt-get.ini (Client)

[global]
repo_url=https://waptserver/wapt
send_usage_report=1
use_hostpackages=1
wapt_server=https://waptserver
use_kerberos=1
check_certificates_validity=1
verify_cert=0
use_repo_rules=0
dnsdomain=
max_gpo_script_wait=180
pre_shutdown_timeout=180
hiberboot_enabled=0
[wapt-templates]
repo_url=https://store.wapt.fr/wapt
verify_cert=1

/etc/nginx/nginx.conf

location /add_host_kerberos {
    auth_gss on;
    auth_gss_keytab /etc/nginx/http-krb5.keytab;
    proxy_pass http://127.0.0.1:8080;
}


/opt/wapt/conf/waptserver.ini

[options]
waptwua_folder = /var/www/waptwua
server_uuid = xxxxxxxxx-xxxxxxxx--xxxxxxxx-xxxxxx
clients_signing_key = /opt/wapt/conf/ca-waptserver.pem
clients_signing_certificate = /opt/wapt/conf/ca-waptserver.crt
wapt_password = $xxxxxxXXXXXXXXXXXXXXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
use_kerberos = True
allow_unauthenticated_connect = False
secret_key = xxxxxxxxxxxxxxXXXXXXXXXXXXXXXXXXXXXXXXXXxxxx


Sincerely,

Rebecca.

Re: Configuring the WAPT server with Kerberos without requiring authentication

Published: February 25, 2020 - 12:01 AM
by sfonteneau

#2>     Client : mypc$ @ DOMAIN.LAN
        Serveur : HTTP/srvwapt.domain.lan @ DOMAIN.LAN
        Type de chiffrement KerbTicket : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de tickets 0x40a80000 -> forwardable renewable pre_authent 0x80000
        Heure de démarrage : 2/24/2020 23:57:17 (Local)
        Heure de fin :   2/25/2020 8:23:21 (Local)
        Heure de renouvellement : 3/2/2020 22:23:21 (Local)
        Type de clé de session : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de cache : 0
        KDC appelé : srvrodc.domain.lan
After registering with psexec, do you have a ticket for srvwapt (as above)?
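
The check asked for in the post above (is there a cached ticket whose server name is the WAPT server?) can be scripted. This is an added example, not part of the thread and not WAPT code. It assumes the expected service name is `HTTP/<host of wapt_server>` and that the agent section is named `[global]`; the config and klist text are constructed samples modelled on the output quoted above.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed samples: an agent config and klist text modelled on the output quoted above.
WAPT_GET_INI = """\
[global]
wapt_server=https://srvwapt.domain.lan
use_kerberos=1
"""
KLIST_SAMPLE = """\
#0>     Client : mypc$ @ DOMAIN.LAN
        Serveur : krbtgt/DOMAIN.LAN @ DOMAIN.LAN
#1>     Client : mypc$ @ DOMAIN.LAN
        Serveur : HTTP/srvwapt.domain.lan @ DOMAIN.LAN
"""

# Matches the server line of English ("Server:") and French ("Serveur :") klist output.
SERVER_LINE = re.compile(r'^\s*(?:Server|Serveur)\s*:\s*(\S+)\s*@\s*(\S+)', re.I | re.M)


def expected_spn(ini_text):
    """Derive the assumed service name HTTP/<host> from wapt_server in wapt-get.ini."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    if not cfg.getboolean('global', 'use_kerberos', fallback=False):
        raise ValueError('use_kerberos is not enabled in [global]')
    host = urlparse(cfg.get('global', 'wapt_server', fallback='')).hostname
    if not host:  # e.g. an extra slash after the scheme leaves the URL without a host
        raise ValueError('wapt_server has no host part')
    return 'HTTP/' + host


def service_tickets(klist_text):
    """Return (service name, realm) for every ticket listed by klist."""
    return SERVER_LINE.findall(klist_text)


def has_wapt_ticket(ini_text, klist_text):
    """True when a cached ticket is for the service the agent is configured to reach."""
    wanted = expected_spn(ini_text).lower()
    return any(spn.lower() == wanted for spn, _realm in service_tickets(klist_text))


if __name__ == '__main__':
    print('expected:', expected_spn(WAPT_GET_INI))
    print('tickets :', service_tickets(KLIST_SAMPLE))
    print('match   :', has_wapt_ticket(WAPT_GET_INI, KLIST_SAMPLE))
```

A result of `False` when only a `krbtgt` ticket is present corresponds to the SPN problem mentioned earlier in the thread: the machine authenticated to the domain but obtained no service ticket for the WAPT server.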