[RESOLVED] [WAPT 1.8.2] Deployment via GPO and superadmin password request

ozsupport
Messages: 13
Registration: July 6, 2020 - 4:52 PM

July 6, 2020 - 5:40 PM

Hello everyone.

My deployment via GPO starts correctly on my machine but seems to be stuck in a loop as it never stops. Furthermore, I've configured my server to require the superadmin password during agent deployment.

How do you configure this password during deployment via GPO?

SERVER OS: Debian 10
CLIENT OS: Windows Server 2012R2
ADMINISTRATION Machine OS: Windows Server 2016

Thanks in advance for your help and have a good day :)

. PA.
Last edited by ozsupport on July 22, 2020 - 09:27, edited 2 times.
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

July 6, 2020 - 9:02 PM

ozsupport wrote: July 6, 2020 - 5:40 PM Hello everyone.

My deployment via GPO starts correctly on my machine but seems to be stuck in a loop because it never stops. Furthermore, I've configured my server to require the superadmin password during agent deployment.

So, how do you specify this password during deployment via GPO?
Indeed, the installation is waiting for the password to register.
As a general rule, the agent is modified directly:

https://github.com/tranquilit/WAPT/blob ... n.iss#L209

Code:

wapt-get register --wapt-server-user=admin --wapt-server-passwd=password

Then re-run the agent creation.

Be aware that in terms of security it's not great; you should prefer Kerberos authentication!
ozsupport
Messages: 13
Registration: July 6, 2020 - 4:52 PM

July 7, 2020 - 10:21

Good morning,

So yes, it's not very clean, but let's admit it. :D

Our concern is that we're dealing with a multi-domain setup without a connection. Is it possible to specify, for a user accessing the WAPT console via an LDAP link, that they only have client integration rights on the console?

Because in principle, we could very well:
  • Modify the agent.
  • Generate the agents.
  • Modify the agents again to remove the password.
  • Generate the agents again to prevent anyone from potentially recovering the agent.
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

July 8, 2020 - 09:17

ozsupport wrote: July 7, 2020 - 10:21 AM Hello,

So indeed, it's not very clean, but let's assume it is. :D

Our problem is that we are in a multi-domain case without a connection.
No problem:

https://www.wapt.fr/fr/doc/wapt-securit ... lationship

The WAPT server does not need access to Active Directory for Kerberos to function. A separate account for the WAPT server is required in each domain.

You just need a keytab.

To generate a keytab without the WAPT server having access to AD:

https://www.wapt.fr/fr/doc/wapt-securit ... -directory
ozsupport
Messages: 13
Registration: July 6, 2020 - 4:52 PM

July 15, 2020 - 5:51 PM

Thanks for the great feedback! We'll look into it very soon! :)

However, if we generate the correct package for deployment via GPO for our different domains, and then generate a new package with password authentication, will the previously generated package with keytabs still be usable?

Thanks in advance. :)
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

July 16, 2020 - 11:02 PM

The Waptagent does not contain the keytabs; the server has the keytab. ;)

The Waptagent only has the information it needs to register with (password or Kerberos).
ozsupport
Messages: 13
Registration: July 6, 2020 - 4:52 PM

July 17, 2020 - 2:23 PM

We're starting to understand how it all works. :)
However, if we enable Kerberos authentication, we're forced to have machines belonging to a domain; we can't mix Kerberos and passwords in that case, right?

Also, because I'm struggling with Kerberos, when the documentation mentions the case of "My WAPT server does not have write access to an Active Directory," does that also apply to "My WAPT server does not have access to an Active Directory"?

To clarify, we want our WAPT server as a standalone service, allowing admins to connect from a primary domain via LDAP (that's fine), and then we have servers on several domains with no connection to each other, and especially no LAN connection to the WAPT server. We want to deploy to these domains using Group Policy Objects (GPOs).
In parallel, we also have some "support services" servers that are not in any domain.

Will we get there one day, or is this an uncovered use case?

D.
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

July 17, 2020 - 4:27 PM

ozsupport wrote: Jul 17, 2020 - 2:23 PM We're starting to understand how it works with all this. :)
However, if we enable Kerberos authentication, we're forced to have machines belonging to a domain; we can't mix Kerberos and passwords in this case?

If Kerberos is not working, WAPT will request a password for registration.

ozsupport wrote: Jul 17, 2020 - 2:23 PM And also, because I'm struggling with Kerberos, when the documentation mentions the case of: "My WAPT server does not have write access to an Active Directory", does that also apply to "My WAPT server does not have access to an Active Directory"?

Yes ;)

ozsupport wrote: Jul 17, 2020 - 2:23 PM To give you some context, we want our WAPT server as a standalone service, allowing admins to connect from a primary domain via LDAP (that's fine). Then we have servers on several domains with no connection to each other, and especially no LAN connection to the WAPT server. We want to deploy to these domains using GPO.
In parallel, we also have some "support services" servers that aren't in any domain.

Will we ever get this working, or is this an unsupported use case?

D.

The WAPT server does not need to see the AD as long as it has an OK keytab.

You would need two agents, one with Kerberos and one without.
ozsupport
Messages: 13
Registration: July 6, 2020 - 4:52 PM

July 20, 2020 - 12:33

Okay, so there's definitely a problem somewhere...

For the moment I am only testing with one of the domains that I will eventually need.
I have:
  • configured my /etc/krb5.conf file
  • created my computer account on the domain in question
  • added the SPN (and verified it on the computer record)
  • created my keytab (is it normal to have /mapuser in the command when it's a user account?)
  • uploaded my keytab and changed the permissions
  • re-ran the postconf to enable Kerberos
but with all this:
  • My GPO is applied correctly, the agent installs, and the service exists
  • The service won't start; I have to start it manually
  • I have logs on the WAPT server telling me that the FQDN in question is not recognized and that I need to "register it first"
  • If I try to register it manually, it asks me for a login

Code:

PS C:\Users\Administrateur.XXXXXX\Downloads\PSTools> .\psexec.exe -s cmd

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows [version 6.3.9600]
(c) 2013 Microsoft Corporation. Tous droits réservés.

C:\Windows\system32>wapt-get register -ldebug
2020-07-20 12:27:20,569 DEBUG Default encoding : ascii
2020-07-20 12:27:20,569 DEBUG Setting encoding for stdout and stderr to cp850
2020-07-20 12:27:20,585 DEBUG Python path ['C:\\Program Files (x86)\\wapt', 'C:\\Program Files (x86)\\wapt', 'C:\\Program Files (x86)\\wapt\\python27.zip', 'C:\\Program Files (x86)\\wapt\\DLLs', 'C:\\Program Files (x86)\\wapt\\lib', 'C:\\Program Files (x86)\\wapt\\lib\\plat-win', 'C:\\Program Files (x86)\\wapt\\lib\\lib-tk', 'C:\\Program Files (x86)\\wapt', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages\\pywin32-227-py2.7-win32.egg', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages\\win32', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages\\win32\\lib', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages\\Pythonwin']
2020-07-20 12:27:20,585 INFO Using local waptservice configuration C:\Program Files (x86)\wapt\wapt-get.ini
2020-07-20 12:27:20,585 DEBUG Config file: C:\Program Files (x86)\wapt\wapt-get.ini
Using config file: C:\Program Files (x86)\wapt\wapt-get.ini
2020-07-20 12:27:20,601 DEBUG Thread 5932 is connecting to wapt db
2020-07-20 12:27:20,601 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\mqt-rds.xxxxxxxx.local.pem for repo global auth
2020-07-20 12:27:20,601 DEBUG Thread 5932 is connecting to wapt db
2020-07-20 12:27:20,601 DEBUG DB Start transaction
2020-07-20 12:27:20,601 DEBUG DB commit
2020-07-20 12:27:20,617 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\mqt-rds.xxxxxxxxx.local.pem for repo wapt auth
2020-07-20 12:27:20,617 INFO Main repository: https://xxxxxx.xxxxxxxxxx.xx/wapt
2020-07-20 12:27:20,617 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\mqt-rds.xxxxxxxx.local.pem for repo wapt-host auth
2020-07-20 12:27:20,617 INFO User Groups:[]
2020-07-20 12:27:20,617 DEBUG WAPT base directory : C:\Program Files (x86)\wapt
2020-07-20 12:27:20,617 DEBUG Package cache dir : C:\Program Files (x86)\wapt\cache
2020-07-20 12:27:20,617 DEBUG WAPT DB Structure version;: 20200415
2020-07-20 12:27:20,631 DEBUG DB Start transaction
2020-07-20 12:27:20,631 DEBUG DB commit
Registering host against server: https://xxxxx.xxxxxxx.xx
2020-07-20 12:27:20,648 DEBUG DB Start transaction
2020-07-20 12:27:20,648 DEBUG DB commit
2020-07-20 12:27:20,678 DEBUG DB Start transaction
2020-07-20 12:27:20,678 DEBUG DB commit
2020-07-20 12:27:20,944 DEBUG Unable to GET username from SID S-1-5-21-3790108901-3680768173-678536012-1975 : (1332, 'LookupAccountSid', 'Le mappage entre les noms de compte et les ID de s\xe9curit\xe9 n\x92a pas \xe9t\xe9 effectu\xe9.'), using profile directory instead
2020-07-20 12:27:20,944 DEBUG Unable to GET username from SID S-1-5-21-3790108901-3680768173-678536012-1988 : (1332, 'LookupAccountSid', 'Le mappage entre les noms de compte et les ID de s\xe9curit\xe9 n\x92a pas \xe9t\xe9 effectu\xe9.'), using profile directory instead
2020-07-20 12:27:20,944 DEBUG Unable to GET username from SID S-1-5-21-3790108901-3680768173-678536012-2029 : (1332, 'LookupAccountSid', 'Le mappage entre les noms de compte et les ID de s\xe9curit\xe9 n\x92a pas \xe9t\xe9 effectu\xe9.'), using profile directory instead
2020-07-20 12:27:20,944 DEBUG Unable to GET username from SID S-1-5-21-3790108901-3680768173-678536012-2613 : (1332, 'LookupAccountSid', 'Le mappage entre les noms de compte et les ID de s\xe9curit\xe9 n\x92a pas \xe9t\xe9 effectu\xe9.'), using profile directory instead
2020-07-20 12:27:20,960 DEBUG Unable to GET username from SID S-1-5-21-3790108901-3680768173-678536012-2645.bak : (1337, 'ConvertStringSidToSid', 'Structure d\x92ID de s\xe9curit\xe9 non valide.'), using profile directory instead
2020-07-20 12:27:20,960 DEBUG Unable to GET username from SID S-1-5-21-3790108901-3680768173-678536012-1975 : (1332, 'LookupAccountSid', 'Le mappage entre les noms de compte et les ID de s\xe9curit\xe9 n\x92a pas \xe9t\xe9 effectu\xe9.'), using profile directory instead
2020-07-20 12:27:20,960 DEBUG Unable to GET username from SID S-1-5-21-3790108901-3680768173-678536012-1988 : (1332, 'LookupAccountSid', 'Le mappage entre les noms de compte et les ID de s\xe9curit\xe9 n\x92a pas \xe9t\xe9 effectu\xe9.'), using profile directory instead
2020-07-20 12:27:20,960 DEBUG Unable to GET username from SID S-1-5-21-3790108901-3680768173-678536012-2029 : (1332, 'LookupAccountSid', 'Le mappage entre les noms de compte et les ID de s\xe9curit\xe9 n\x92a pas \xe9t\xe9 effectu\xe9.'), using profile directory instead
2020-07-20 12:27:20,960 DEBUG Unable to GET username from SID S-1-5-21-3790108901-3680768173-678536012-2613 : (1332, 'LookupAccountSid', 'Le mappage entre les noms de compte et les ID de s\xe9curit\xe9 n\x92a pas \xe9t\xe9 effectu\xe9.'), using profile directory instead
2020-07-20 12:27:20,976 DEBUG Unable to GET username from SID S-1-5-21-3790108901-3680768173-678536012-2645.bak : (1337, 'ConvertStringSidToSid', 'Structure d\x92ID de s\xe9curit\xe9 non valide.'), using profile directory instead
2020-07-20 12:27:21,039 DEBUG DB Start transaction
2020-07-20 12:27:21,039 DEBUG DB commit
2020-07-20 12:27:21,053 DEBUG Stores cert chain check in cache
2020-07-20 12:27:21,210 INFO Run "dmidecode -q"
2020-07-20 12:27:21,303 INFO dmidecode -q command returns code 0
2020-07-20 12:27:24,992 DEBUG Loading ssl context with cert C:\Program Files (x86)\wapt\private\mqt-rds.XXXXXXXXX.local.crt and key C:\Program Files (x86)\wapt\private\mqt-rds.XXXXXXXXX.local.pem
2020-07-20 12:27:25,023 DEBUG Starting new HTTPS connection (1): cloud:443
2020-07-20 12:27:25,101 DEBUG https://xxxxxx.xxxxxxxxxx.xx:443 "POST /add_host HTTP/1.1" 401 41
Please get login for add_host:
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

July 20, 2020 - 2:55 PM

You need to check with a psexec if a ticket is properly negotiated:

Code:

psexec -s -i cmd
klist

You can do a:

Code:

wapt-get register

This topic might help you:

viewtopic.php?f=13&t=2428&p=7994&hilit=kerberos#p7994
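As an added example (not from this thread, and not WAPT's own code): a small Python parser for the `klist` output captured from the `psexec -s -i cmd` session suggested above. It checks the three things that usually explain a 401 on `/add_host` under a GPO deployment: that `klist` really ran in the SYSTEM session, that a machine-account TGT exists, and that a service ticket for the WAPT server's SPN was obtained. The `HTTP/<fqdn>` SPN format, the hostname and the sample output are assumptions.

```python
import re

# Constructed sample of Windows `klist` output as seen from a SYSTEM shell
# opened with `psexec -s -i cmd`. Logon id 0x3e7 (999) is the SYSTEM session,
# which is the context the WAPT service registers from.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: MQT-RDS$ @ EXAMPLE.LOCAL
        Server: krbtgt/EXAMPLE.LOCAL @ EXAMPLE.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent

#1>     Client: MQT-RDS$ @ EXAMPLE.LOCAL
        Server: HTTP/wapt.example.local @ EXAMPLE.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent
"""


def parse_klist(text):
    """Return (logon_id, [(client, server), ...]) from Windows klist output."""
    m = re.search(r"Current LogonId is (\S+)", text)
    logon_id = m.group(1) if m else None
    tickets = re.findall(r"Client:\s*(\S+ @ \S+)\s*\n\s*Server:\s*(\S+ @ \S+)", text)
    return logon_id, tickets


def diagnose(text, wapt_fqdn):
    """Check the SYSTEM session, the machine TGT and the WAPT service ticket."""
    logon_id, tickets = parse_klist(text)
    findings = {}
    # 1. klist must have been run in the SYSTEM session (logon id 0x3e7),
    #    otherwise it shows the tickets of the interactive admin instead
    findings["system_session"] = logon_id is not None and logon_id.lower().endswith("0x3e7")
    # 2. the computer account (client name ending in '$') must hold a TGT
    findings["machine_tgt"] = any(c.split(" @ ")[0].endswith("$") and s.startswith("krbtgt/")
                                  for c, s in tickets)
    # 3. a service ticket for the WAPT server's SPN; HTTP/<fqdn> is assumed
    spn = "http/" + wapt_fqdn.lower()
    findings["wapt_service_ticket"] = any(s.split(" @ ")[0].lower() == spn for c, s in tickets)
    return findings


if __name__ == "__main__":
    print(diagnose(SAMPLE_KLIST, "wapt.example.local"))
```

If `system_session` is false the check was run as the logged-on user rather than SYSTEM; if `machine_tgt` is true but `wapt_service_ticket` is false, the SPN on the server's account or the keytab uploaded to the WAPT server is the place to look.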