Tranquil IT Forum

Contact us
at https://forum.tranquil.it/

[RESOLVED] Client deployment error (Kerberos auto-enrollment)

https://forum.tranquil.it/viewtopic.php?t=3970

Page 1 of 1

[RESOLVED] Client deployment error (Kerberos auto-enrollment)

Published: July 8, 2024 - 11:12 AM
by TomTom
Hello everyone,

Since this week, I have noticed a problem when deploying the wapt agent on my new client workstations (via OS deployment and/or GPO).
Indeed, the agent installs correctly but does not register with the server. Here is the output when running `wapt-get update`:

Code: Select all

Using config file: C:\Program Files (x86)\wapt\wapt-get.ini
Update package list from https://fr-for-wapt1.fr.hydac.int/wapt, https://fr-for-wapt1.fr.hydac.int/wapt-host
2024-07-08 11:02:15,368 CRITICAL Error merging Packages from wapt into db: None : None
Total packages : 0
Added packages :

Removed packages :

Discarded packages count : 1
Pending operations :
  install:
  upgrade:
  additional:
  remove:
  immediate_installs:
Repositories URL :
  wapt
  wapt-host
If I launch the

Code: Select all

wapt-get register
And when I enter the credentials, everything is OK. So, is there a Kerberos problem?

The general configuration has not been modified, except for the test of updating the WAPT server to Debian 12. I reverted to my previous snapshot because I had some errors.
Is it possible that this manipulation could have "broken" something?

Thank you in advance for your feedback.
Thomas

Re: Client deployment error (Kerberos auto-enrollment)

Published: July 8, 2024 - 2:52 PM
by sfonteneau
The easiest way to test the Kerberos register is to use psexe to try it out:

https://www.wapt.fr/fr/doc/wapt-securit ... em-account

Re: Client deployment error (Kerberos auto-enrollment)

Published: July 9, 2024 - 8:31 AM
by TomTom
Thanks Simon for the help.

So, when launching the registry with system authority, here's the output:

Code: Select all

FATAL ERROR : ImportError: GSSAPIProxy requires the Python gssapi library: No module named 'gssapi'

Re: Client deployment error (Kerberos auto-enrollment)

Published: July 9, 2024 - 1:37 PM
by TomTom
I'm replying to myself; in the meantime, the error has been resolved. The WAPT server's registration in the Active Directory domain had failed.
Re-registering the machine fixed the problem.
The post can now be marked as resolved.

Thanks again, Simon, for the clarification.

Re: [SOLVED] Client deployment error (Kerberos auto-enrollment)

Published: July 9, 2024 - 2:19 PM
by dcardon
Hello Thomas,

To complete the topic, I will add that the error message below has nothing to do with the absence of the Python gssapi module (gssapi is only used under Linux, under Windows it is SSPI that is used), but the python requests-kerberos library tends to bug strangely when there is something wrong and if it cannot retrieve a service ticket from the Windows layer.

Code: Select all

FATAL ERROR : ImportError: GSSAPIProxy requires the Python gssapi library: No module named 'gssapi'

For your information, Simon has started preparing some scripts to facilitate debugging the Kerberos and LDAP components on the server, in order to test and validate the most common problems. This could have helped diagnose the issue :-)

Sincerely,

Denis
Time zone set to UTC+02:00
Page 1 of 1

Developed by phpBB® Forum Software © phpBB Limited

Official French translation © Qiaeru