Off-domain machine registration in WAPT via Kerberos

Published: Dec 5, 2024 - 11:08 AM
by PaulSLA
Hello,

We have enabled Kerberos authentication for WAPT as well as certificate verification, so we have the following in our wapt-get.ini file:

use_kerberos=1
verify_cert=C:\Program Files (x86)\wapt\ssl\server\ca.crt

This works perfectly as long as we are using a machine with a DJOIN connection prepared.
The problem arises with non-domain machines.

Once the non-domain machines are deployed via WAPT, the agent cannot connect to WAPT automatically. We therefore have to go to the machine and run "wapt-get register". There, we are asked for the WAPT admin login credentials. Once logged in, everything is in order; the machine appears in WAPT, and we send it the configuration package associated with its fake OU.

Two questions:

- Can we make these machines authenticate to WAPT automatically despite Kerberos and without lowering the security level?
- Can we ensure that the configuration package (we have two different ones depending on the machine) is automatically assigned (based on the machine name / during deployment configuration in the WAPT console, for example)?

Regards,

Re: Registering a machine outside the domain in WAPT via Kerberos

Published: Dec 6, 2024 - 12:39
by blemoigne
Good morning,
There are two solutions for agents to register automatically:
- Kerberos authentication for domain machines
- without authentication
The user/password authentication solution is not automatic.

For the second question, it's possible to create a package that installs other packages (metapackage) under certain conditions:

# -*- coding: utf-8 -*-
from setuphelpers import *

def install():
    if get_hostname().startswith('test'):
        WAPT.install('préfixe-paquetconftest')

Or:

# -*- coding: utf-8 -*-
from setuphelpers import *

def install():
    if get_hostname().startswith('test'):
        inifile_writestring(WAPT.config_filename, "global", "host_organizational_unit_dn", "OU=test,DC=hors_domaine")

This package could be included in a core package group.

Good day,
Bertrand
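
The two snippets in the reply above, combined and extended to several hostname prefixes; this is an added example, not part of the original post or of WAPT itself. The `PROFILES` table, the package names and the `lab` OU are constructed placeholders, `select_profile` is a hypothetical helper, and `WAPT` is assumed to be available to setup.py as in the snippets above.

```python
# -*- coding: utf-8 -*-
try:
    from setuphelpers import *  # available when the WAPT agent runs setup.py
except ImportError:
    pass  # lets select_profile() be exercised outside a WAPT agent

# Constructed rules: hostname prefix -> (configuration package, fake OU).
# Package names and the 'lab' OU are placeholders, not values from the thread.
PROFILES = {
    'test': ('prefix-conf-test', 'OU=test,DC=hors_domaine'),
    'test-lab': ('prefix-conf-lab', 'OU=lab,DC=hors_domaine'),
}


def select_profile(hostname):
    """Return (package, ou) for the longest matching prefix, or None."""
    # Keep only the short name of an FQDN and compare case-insensitively.
    short = hostname.strip().split('.')[0].lower()
    if not short:
        return None
    matches = [prefix for prefix in PROFILES if short.startswith(prefix)]
    if not matches:
        return None
    # The most specific rule wins when prefixes overlap ('test' vs 'test-lab').
    return PROFILES[max(matches, key=len)]


def install():
    profile = select_profile(get_hostname())
    if profile is None:
        # Unknown naming scheme: assign nothing rather than guess a profile.
        print('No configuration profile matches this hostname')
        return
    package, ou = profile
    inifile_writestring(WAPT.config_filename, "global",
                        "host_organizational_unit_dn", ou)
    WAPT.install(package)
```

The hostname is set locally on each machine, so this selects a configuration package but does not authenticate the machine; registration still relies on the mechanisms discussed in the thread.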

Re: Registering a machine outside the domain in WAPT via Kerberos

Published: Dec 6, 2024 - 2:01 PM
by blemoigne
How are out-of-domain agents currently installed? With another deployment tool or manually?
For username/password authentication, it is possible to create a dedicated account (specific ACL) for agent registration. If the installation is done manually, this requires an additional command to register the agent ("wapt-get register" then enter the username/password).
Alternatively, you can script using the following command line (user password in the command line):

wapt-get register --wapt-server-user=WAPT_SERVER_USER --wapt-server-passwd=WAPT_SERVER_PASSWD