Kerberos configuration

TomTomGo
Posts: 25
Joined: 3 May 2017 - 15:36
Location: La Chapelle-sur-Erdre

16 March 2018 - 17:51

Hello,

I am trying to set up machine authentication via Kerberos by following the tutorial:

https://www.wapt.fr/fr/doc-1.5/Installa ... ebian.html#

All the steps described in the tutorial went through without problems and without any error message.
When I try to register a machine, I get the following errors:

On the client, under the system account

Code: Select all

C:\Windows\system32>wapt-get register
        System Power Controls
FATAL ERROR : EWaptBadServerAuthentication: Authentication failed on server https://srv-wapt.mondomaine.lan for action add_host_kerberos

On the server, in /var/log/nginx/access.log

Code: Select all

[16/Mar/2018:17:37:07 +0100] "POST /add_host_kerberos HTTP/1.1" 401 195 "-" "wapt/1.5.1.21"
[16/Mar/2018:17:37:07 +0100] "POST /add_host_kerberos HTTP/1.1" 401 195 "-" "wapt/1.5.1.21"
[16/Mar/2018:17:37:07 +0100] "POST /add_host_kerberos HTTP/1.1" 401 195 "-" "wapt/1.5.1.21"

I don't understand why; kinit worked, msktutil worked too, the account was created correctly in AD, the keytab was created correctly, ...
I have already done similar things with Squid, but never with nginx!
Thanks in advance for sharing your experience on this subject.

Regards,

EDIT:
Server running Debian 9 / tis-waptserver 1.5.1.21-tisdeb9-4799-7c25f1fd
Client on Windows 7 64-bit (French), Waptagent 1.5.1.21
Last edited by TomTomGo on 16 March 2018 at 18:06, edited 1 time.
agauvrit
WAPT Expert
Posts: 238
Joined: 17 Nov 2016 - 10:25
Location: Nantes

16 March 2018 - 18:06

Hi TomTomGo,

3 things to do/check properly:
Alexandre
TomTomGo
Posts: 25
Joined: 3 May 2017 - 15:36
Location: La Chapelle-sur-Erdre

16 March 2018 - 18:12

Hi Alexandre,

Thanks for the reply.
I have done the first two steps.
However, is the `use_kerberos = True` parameter set on the client or on the server?
On the client, I have set it to 1 in wapt-get.ini

Code: Select all

[global]
waptupdate_task_period=120
wapt_server=
repo_url=
use_hostpackages=1
send_usage_report=0
use_kerberos=1
check_certificates_validity=1
verify_cert=0
dnsdomain=mondomaine.lan
hiberboot_enabled=0
max_gpo_script_wait=180
pre_shutdown_timeout=180
[wapt-templates]
repo_url=https://store.wapt.fr/wapt
verify_cert=1



And on the server, in waptserver.ini:

Code: Select all

[uwsgi]
http-socket = 127.0.0.1:8080
master = true
processes = 16
wsgi = waptserver:app
chdir = /opt/wapt/waptserver/
max-requests = 100
uid = wapt
gid = www-data
enable-threads = true

[options]
wapt_user = admin
wapt_password = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wapt_folder = /var/www/wapt
server_uuid = 76cd413e-2b41-11e7-8383-820a97f8d762
waptwua_folder = /var/www/waptwua
allow_unauthenticated_registration = True
secret_key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
use_kerberos = True

Thanks.

Thomas
agauvrit
WAPT Expert
Posts: 238
Joined: 17 Nov 2016 - 10:25
Location: Nantes

16 March 2018 - 18:27

Indeed, in both files.

To test a registration, try using:

Code: Select all

wapt-get register -S

Or with maximum elevation (system account with PsExec):

Code: Select all

psexec.cmd -i -s -d cmd.exe

Then

Code: Select all

wapt-get register -l debug

TomTomGo
Posts: 25
Joined: 3 May 2017 - 15:36
Location: La Chapelle-sur-Erdre

16 March 2018 - 18:37

Thanks for the help!

Here is the output of the debug command, run under psexec -s cmd:

Code: Select all

C:\Windows\system32>wapt-get register -l debug
Current loglevel : DEBUG
2018-03-16 18:32:26,144 DEBUG Default encoding : ascii
2018-03-16 18:32:26,144 DEBUG Setting encoding for stdout and stderr to cp850
2018-03-16 18:32:26,145 DEBUG Python path ['c:\\wapt', 'c:\\wapt\\python27.zip', 'c:\\wapt\\DLLs', 'c:\\wapt\\lib', 'c:\
\wapt\\lib\\plat-win', 'c:\\wapt\\lib\\lib-tk', 'c:\\wapt', 'c:\\wapt\\lib\\site-packages', 'c:\\wapt\\lib\\site-package
s\\pywin32-221-py2.7-win32.egg']
2018-03-16 18:32:26,145 INFO Using local waptservice configuration c:\wapt\wapt-get.ini
2018-03-16 18:32:26,145 DEBUG Config file: c:\wapt\wapt-get.ini
2018-03-16 18:32:26,151 DEBUG Thread 4180 is connecting to wapt db
2018-03-16 18:32:26,181 DEBUG All interfaces : [u'192.168.1.14/255.255.0.0']
2018-03-16 18:32:26,201 DEBUG Local connected IPs: [u'192.168.1.14/255.255.0.0']
2018-03-16 18:32:26,201 DEBUG Trying _wapt-host._tcp.mondomaine.lan SRV records
2018-03-16 18:32:26,203 DEBUG   No _wapt-host._tcp.mondomaine.lan SRV record found
2018-03-16 18:32:26,203 DEBUG Trying wapt-host.mondomaine.lan CNAME records
2018-03-16 18:32:26,203 DEBUG   No working wapt-host.mondomaine.lan CNAME record found
2018-03-16 18:32:26,203 DEBUG Trying wapt.mondomaine.lan. A records
2018-03-16 18:32:26,204 DEBUG   No wapt.mondomaine.lan. A record found
2018-03-16 18:32:26,204 INFO User Groups:[]
2018-03-16 18:32:26,206 DEBUG WAPT base directory : c:\wapt
2018-03-16 18:32:26,206 DEBUG Package cache dir : c:\wapt\cache
2018-03-16 18:32:26,206 DEBUG WAPT DB Structure version;: 20180303
2018-03-16 18:32:26,207 DEBUG Thread 4180 is connecting to wapt db
2018-03-16 18:32:26,207 DEBUG DB Start transaction
2018-03-16 18:32:26,207 DEBUG DB commit
2018-03-16 18:32:26,367 INFO Run "dmidecode -q"
2018-03-16 18:32:26,394 INFO dmidecode -q command returns code 0
        System Power Controls
2018-03-16 18:32:28,431 DEBUG Trying _waptserver._tcp.mondomaine.lan SRV records
2018-03-16 18:32:28,433 DEBUG   Defined servers : [(0, 0, 'https://srv-wapt.mondomaine.lan')]
2018-03-16 18:32:28,506 INFO Unknown UUID or hostname has changed: reading host UUID
2018-03-16 18:32:28,506 INFO reading custom host UUID from WMI System Information.
2018-03-16 18:32:28,528 DEBUG DB Start transaction
2018-03-16 18:32:28,529 DEBUG DB commit
2018-03-16 18:32:28,551 DEBUG DB Start transaction
2018-03-16 18:32:28,551 DEBUG DB commit
2018-03-16 18:32:28,635 DEBUG Starting new HTTPS connection (1): srv-wapt.mondomaine.lan
2018-03-16 18:32:28,647 DEBUG https://srv-wapt.mondomaine.lan:443 "POST /add_host_kerberos HTTP/1.1" 401 195
2018-03-16 18:32:28,648 DEBUG Starting new HTTPS connection (1): srv-wapt.mondomaine.lan
2018-03-16 18:32:28,658 DEBUG https://srv-wapt.mondomaine.lan:443 "POST /add_host_kerberos HTTP/1.1" 401 195
2018-03-16 18:32:28,661 DEBUG Starting new HTTPS connection (1): srv-wapt.mondomaine.lan
2018-03-16 18:32:28,673 DEBUG https://srv-wapt.mondomaine.lan:443 "POST /add_host_kerberos HTTP/1.1" 401 195
FATAL ERROR : EWaptBadServerAuthentication: Authentication failed on server https://srv-wapt.mondomaine.lan for action ad
d_host_kerberosTraceback (most recent call last):

  File "<string>", line 1215, in <module>
  File "<string>", line 1004, in main
  File "c:\wapt\common.py", line 4698, in register_computer
    signer = self.get_host_certificate().cn
  File "c:\wapt\common.py", line 1602, in post
    raise EWaptBadServerAuthentication('Authentication failed on server %s for action %s' % (self.server_url,action))
common.EWaptBadServerAuthentication: Authentication failed on server https://srv-wapt.mondomaine.lan for action add_host_
kerberos
Exception at 0043EC7F: EPyException:
EWaptBadServerAuthentication: Authentication failed on server https://srv-wapt.mondomaine.lan for action add_host_kerbero
s.

C:\Windows\system32>

Thomas
TomTomGo
Posts: 25
Joined: 3 May 2017 - 15:36
Location: La Chapelle-sur-Erdre

17 March 2018 - 15:36

Hello,

I'm digging...

I tested the Kerberos part on the server side and authentication seems to work correctly:

Code: Select all

root@srv-wapt:/opt/wapt# kinit -5 -V -k -t /etc/nginx/http-krb5.keytab srv-wapt$
Using default cache: /tmp/krb5cc_0
Using principal: srv-wapt$@MONDOMAINE.LAN
Using keytab: /etc/nginx/http-krb5.keytab
Authenticated to Kerberos v5
root@srv-wapt:/opt/wapt#

I enabled debugging on the Nginx side:

Code: Select all

location /add_host_kerberos {
            auth_gss on;
            auth_gss_keytab  /etc/nginx/http-krb5.keytab;
            error_log /var/log/nginx/kerberos.log debug;
            proxy_pass http://127.0.0.1:8080;
        }

Debug output when I try to register with the system account on the client:

Code: Select all

2018/03/17 15:23:34 [debug] 7751#7751: *65 http cl:28037 max:4294967296
2018/03/17 15:23:34 [debug] 7751#7751: *65 rewrite phase: 3
2018/03/17 15:23:34 [debug] 7751#7751: *65 post rewrite phase: 4
2018/03/17 15:23:34 [debug] 7751#7751: *65 generic phase: 5
2018/03/17 15:23:34 [debug] 7751#7751: *65 generic phase: 6
2018/03/17 15:23:34 [debug] 7751#7751: *65 generic phase: 7
2018/03/17 15:23:34 [debug] 7751#7751: *65 access phase: 8
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSO auth handling IN: token.len=0, head=0, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *65 Begin auth
2018/03/17 15:23:34 [debug] 7751#7751: *65 Detect basic auth
2018/03/17 15:23:34 [debug] 7751#7751: *65 Detect SPNEGO token
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSO auth handling OUT: token.len=0, head=1, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *65 http finalize request: 401, "/add_host_kerberos?" a:1, c:1
2018/03/17 15:23:34 [debug] 7751#7751: *65 http special response: 401, "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *65 http set discard body
2018/03/17 15:23:34 [debug] 7751#7751: *65 http read discarded body
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 3072
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 1024
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 3166
2018/03/17 15:23:34 [debug] 7751#7751: *65 xslt filter header
2018/03/17 15:23:34 [debug] 7751#7751: *65 HTTP/1.1 401 Unauthorized
Server: nginx/1.10.3
Date: Sat, 17 Mar 2018 14:23:34 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm=""

2018/03/17 15:23:34 [debug] 7751#7751: *65 write new buf t:1 f:0 000055853991E700, pos 000055853991E700, size: 221 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 http write filter: l:0 f:0 s:221
2018/03/17 15:23:34 [debug] 7751#7751: *65 http output filter "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *65 http copy filter: "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *65 image filter
2018/03/17 15:23:34 [debug] 7751#7751: *65 xslt filter body
2018/03/17 15:23:34 [debug] 7751#7751: *65 http postpone filter "/add_host_kerberos?" 000055853991E918
2018/03/17 15:23:34 [debug] 7751#7751: *65 write old buf t:1 f:0 000055853991E700, pos 000055853991E700, size: 221 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 write new buf t:0 f:0 0000000000000000, pos 0000558538D888A0, size: 142 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 write new buf t:0 f:0 0000000000000000, pos 0000558538D88E40, size: 53 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 http write filter: l:1 f:0 s:416
2018/03/17 15:23:34 [debug] 7751#7751: *65 http write filter limit 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 posix_memalign: 00005585398E1900:512 @16
2018/03/17 15:23:34 [debug] 7751#7751: *65 malloc: 00005585398D70D0:16384
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL buf copy: 221
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL buf copy: 142
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL buf copy: 53
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL to write: 416
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_write: 416
2018/03/17 15:23:34 [debug] 7751#7751: *65 http write filter 0000000000000000
2018/03/17 15:23:34 [debug] 7751#7751: *65 http copy filter: 0 "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *65 http finalize request: 0, "/add_host_kerberos?" a:1, c:1
2018/03/17 15:23:34 [debug] 7751#7751: *65 set http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *65 http close request
2018/03/17 15:23:34 [debug] 7751#7751: *65 http log handler
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 00005585398DB220, unused: 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 000055853991E5A0, unused: 3003
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *65 hc free: 0000000000000000 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 hc busy: 0000000000000000 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 00005585398D70D0
2018/03/17 15:23:34 [debug] 7751#7751: *65 tcp_nodelay
2018/03/17 15:23:34 [debug] 7751#7751: *65 reusable connection: 1
2018/03/17 15:23:34 [debug] 7751#7751: *65 event timer add: 10: 65000:1521296679306
2018/03/17 15:23:34 [debug] 7751#7751: *65 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *65 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *65 http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *65 malloc: 00005585398EC5E0:1024
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: -1
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_get_error: 2
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *65 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *65 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *65 http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *65 malloc: 00005585398EC5E0:1024
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_read: 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_get_error: 5
2018/03/17 15:23:34 [debug] 7751#7751: *65 peer shutdown SSL cleanly
2018/03/17 15:23:34 [info] 7751#7751: *65 client 192.168.1.5 closed keepalive connection
2018/03/17 15:23:34 [debug] 7751#7751: *65 close http connection: 10
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSL_shutdown: 1
2018/03/17 15:23:34 [debug] 7751#7751: *65 event timer del: 10: 1521296679306
2018/03/17 15:23:34 [debug] 7751#7751: *65 reusable connection: 0
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 0000000000000000
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 00005585398E1D10, unused: 16
2018/03/17 15:23:34 [debug] 7751#7751: *65 free: 00005585398E1900, unused: 400
2018/03/17 15:23:34 [debug] 7751#7751: *66 http cl:28037 max:4294967296
2018/03/17 15:23:34 [debug] 7751#7751: *66 rewrite phase: 3
2018/03/17 15:23:34 [debug] 7751#7751: *66 post rewrite phase: 4
2018/03/17 15:23:34 [debug] 7751#7751: *66 generic phase: 5
2018/03/17 15:23:34 [debug] 7751#7751: *66 generic phase: 6
2018/03/17 15:23:34 [debug] 7751#7751: *66 generic phase: 7
2018/03/17 15:23:34 [debug] 7751#7751: *66 access phase: 8
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSO auth handling IN: token.len=0, head=0, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *66 Begin auth
2018/03/17 15:23:34 [debug] 7751#7751: *66 Detect basic auth
2018/03/17 15:23:34 [debug] 7751#7751: *66 Detect SPNEGO token
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSO auth handling OUT: token.len=0, head=1, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *66 http finalize request: 401, "/add_host_kerberos?" a:1, c:1
2018/03/17 15:23:34 [debug] 7751#7751: *66 http special response: 401, "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *66 http set discard body
2018/03/17 15:23:34 [debug] 7751#7751: *66 http read discarded body
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 3072
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: -1
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_get_error: 2
2018/03/17 15:23:34 [debug] 7751#7751: *66 xslt filter header
2018/03/17 15:23:34 [debug] 7751#7751: *66 HTTP/1.1 401 Unauthorized
Server: nginx/1.10.3
Date: Sat, 17 Mar 2018 14:23:34 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm=""

2018/03/17 15:23:34 [debug] 7751#7751: *66 write new buf t:1 f:0 000055853991E700, pos 000055853991E700, size: 221 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 http write filter: l:0 f:0 s:221
2018/03/17 15:23:34 [debug] 7751#7751: *66 http output filter "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *66 http copy filter: "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *66 image filter
2018/03/17 15:23:34 [debug] 7751#7751: *66 xslt filter body
2018/03/17 15:23:34 [debug] 7751#7751: *66 http postpone filter "/add_host_kerberos?" 000055853991E918
2018/03/17 15:23:34 [debug] 7751#7751: *66 write old buf t:1 f:0 000055853991E700, pos 000055853991E700, size: 221 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 write new buf t:0 f:0 0000000000000000, pos 0000558538D888A0, size: 142 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 write new buf t:0 f:0 0000000000000000, pos 0000558538D88E40, size: 53 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 http write filter: l:1 f:0 s:416
2018/03/17 15:23:34 [debug] 7751#7751: *66 http write filter limit 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 posix_memalign: 00005585398E1900:512 @16
2018/03/17 15:23:34 [debug] 7751#7751: *66 malloc: 000055853991F5B0:16384
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL buf copy: 221
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL buf copy: 142
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL buf copy: 53
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL to write: 416
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_write: 416
2018/03/17 15:23:34 [debug] 7751#7751: *66 http write filter 0000000000000000
2018/03/17 15:23:34 [debug] 7751#7751: *66 http copy filter: 0 "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *66 http finalize request: 0, "/add_host_kerberos?" a:1, c:2
2018/03/17 15:23:34 [debug] 7751#7751: *66 event timer add: 10: 5000:1521296619329
2018/03/17 15:23:34 [debug] 7751#7751: *66 http request count:2 blk:0
2018/03/17 15:23:34 [debug] 7751#7751: *66 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *66 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *66 http run request: "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *66 http read discarded body
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 94
2018/03/17 15:23:34 [debug] 7751#7751: *66 http finalize request: -4, "/add_host_kerberos?" a:1, c:1
2018/03/17 15:23:34 [debug] 7751#7751: *66 set http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *66 http close request
2018/03/17 15:23:34 [debug] 7751#7751: *66 http log handler
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 00005585398DB220, unused: 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 000055853991E5A0, unused: 3003
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *66 hc free: 0000000000000000 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 hc busy: 0000000000000000 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 000055853991F5B0
2018/03/17 15:23:34 [debug] 7751#7751: *66 tcp_nodelay
2018/03/17 15:23:34 [debug] 7751#7751: *66 reusable connection: 1
2018/03/17 15:23:34 [debug] 7751#7751: *66 event timer del: 10: 1521296619329
2018/03/17 15:23:34 [debug] 7751#7751: *66 event timer add: 10: 65000:1521296679330
2018/03/17 15:23:34 [debug] 7751#7751: *66 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *66 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *66 http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *66 malloc: 00005585398EC5E0:1024
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: -1
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_get_error: 2
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *66 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *66 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *66 http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *66 malloc: 00005585398EC5E0:1024
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_read: 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_get_error: 5
2018/03/17 15:23:34 [debug] 7751#7751: *66 peer shutdown SSL cleanly
2018/03/17 15:23:34 [info] 7751#7751: *66 client 192.168.1.5 closed keepalive connection
2018/03/17 15:23:34 [debug] 7751#7751: *66 close http connection: 10
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSL_shutdown: 1
2018/03/17 15:23:34 [debug] 7751#7751: *66 event timer del: 10: 1521296679330
2018/03/17 15:23:34 [debug] 7751#7751: *66 reusable connection: 0
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 0000000000000000
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 00005585398E6EB0, unused: 16
2018/03/17 15:23:34 [debug] 7751#7751: *66 free: 00005585398E1900, unused: 400
2018/03/17 15:23:34 [debug] 7751#7751: *67 http cl:28037 max:4294967296
2018/03/17 15:23:34 [debug] 7751#7751: *67 rewrite phase: 3
2018/03/17 15:23:34 [debug] 7751#7751: *67 post rewrite phase: 4
2018/03/17 15:23:34 [debug] 7751#7751: *67 generic phase: 5
2018/03/17 15:23:34 [debug] 7751#7751: *67 generic phase: 6
2018/03/17 15:23:34 [debug] 7751#7751: *67 generic phase: 7
2018/03/17 15:23:34 [debug] 7751#7751: *67 access phase: 8
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSO auth handling IN: token.len=0, head=0, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *67 Begin auth
2018/03/17 15:23:34 [debug] 7751#7751: *67 Detect basic auth
2018/03/17 15:23:34 [debug] 7751#7751: *67 Detect SPNEGO token
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSO auth handling OUT: token.len=0, head=1, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *67 http finalize request: 401, "/add_host_kerberos?" a:1, c:1
2018/03/17 15:23:34 [debug] 7751#7751: *67 http special response: 401, "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *67 http set discard body
2018/03/17 15:23:34 [debug] 7751#7751: *67 http read discarded body
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 3072
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: -1
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_get_error: 2
2018/03/17 15:23:34 [debug] 7751#7751: *67 xslt filter header
2018/03/17 15:23:34 [debug] 7751#7751: *67 HTTP/1.1 401 Unauthorized
Server: nginx/1.10.3
Date: Sat, 17 Mar 2018 14:23:34 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm=""

2018/03/17 15:23:34 [debug] 7751#7751: *67 write new buf t:1 f:0 000055853991E700, pos 000055853991E700, size: 221 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 http write filter: l:0 f:0 s:221
2018/03/17 15:23:34 [debug] 7751#7751: *67 http output filter "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *67 http copy filter: "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *67 image filter
2018/03/17 15:23:34 [debug] 7751#7751: *67 xslt filter body
2018/03/17 15:23:34 [debug] 7751#7751: *67 http postpone filter "/add_host_kerberos?" 000055853991E918
2018/03/17 15:23:34 [debug] 7751#7751: *67 write old buf t:1 f:0 000055853991E700, pos 000055853991E700, size: 221 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 write new buf t:0 f:0 0000000000000000, pos 0000558538D888A0, size: 142 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 write new buf t:0 f:0 0000000000000000, pos 0000558538D88E40, size: 53 file: 0, size: 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 http write filter: l:1 f:0 s:416
2018/03/17 15:23:34 [debug] 7751#7751: *67 http write filter limit 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 posix_memalign: 00005585398E1900:512 @16
2018/03/17 15:23:34 [debug] 7751#7751: *67 malloc: 000055853991F5B0:16384
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL buf copy: 221
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL buf copy: 142
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL buf copy: 53
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL to write: 416
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_write: 416
2018/03/17 15:23:34 [debug] 7751#7751: *67 http write filter 0000000000000000
2018/03/17 15:23:34 [debug] 7751#7751: *67 http copy filter: 0 "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *67 http finalize request: 0, "/add_host_kerberos?" a:1, c:2
2018/03/17 15:23:34 [debug] 7751#7751: *67 event timer add: 10: 5000:1521296619353
2018/03/17 15:23:34 [debug] 7751#7751: *67 http request count:2 blk:0
2018/03/17 15:23:34 [debug] 7751#7751: *67 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *67 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *67 http run request: "/add_host_kerberos?"
2018/03/17 15:23:34 [debug] 7751#7751: *67 http read discarded body
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 4096
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 94
2018/03/17 15:23:34 [debug] 7751#7751: *67 http finalize request: -4, "/add_host_kerberos?" a:1, c:1
2018/03/17 15:23:34 [debug] 7751#7751: *67 set http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *67 http close request
2018/03/17 15:23:34 [debug] 7751#7751: *67 http log handler
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 00005585398DB220, unused: 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 000055853991E5A0, unused: 3003
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *67 hc free: 0000000000000000 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 hc busy: 0000000000000000 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 000055853991F5B0
2018/03/17 15:23:34 [debug] 7751#7751: *67 tcp_nodelay
2018/03/17 15:23:34 [debug] 7751#7751: *67 reusable connection: 1
2018/03/17 15:23:34 [debug] 7751#7751: *67 event timer del: 10: 1521296619353
2018/03/17 15:23:34 [debug] 7751#7751: *67 event timer add: 10: 65000:1521296679353
2018/03/17 15:23:34 [debug] 7751#7751: *67 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *67 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *67 http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *67 malloc: 00005585398EC5E0:1024
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: -1
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_get_error: 2
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *67 post event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *67 delete posted event 00005585398AD670
2018/03/17 15:23:34 [debug] 7751#7751: *67 http keepalive handler
2018/03/17 15:23:34 [debug] 7751#7751: *67 malloc: 00005585398EC5E0:1024
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_read: 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_get_error: 5
2018/03/17 15:23:34 [debug] 7751#7751: *67 peer shutdown SSL cleanly
2018/03/17 15:23:34 [info] 7751#7751: *67 client 192.168.1.5 closed keepalive connection
2018/03/17 15:23:34 [debug] 7751#7751: *67 close http connection: 10
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSL_shutdown: 1
2018/03/17 15:23:34 [debug] 7751#7751: *67 event timer del: 10: 1521296679353
2018/03/17 15:23:34 [debug] 7751#7751: *67 reusable connection: 0
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 00005585398EC5E0
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 0000000000000000
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 00005585398E1D10, unused: 16
2018/03/17 15:23:34 [debug] 7751#7751: *67 free: 00005585398E1900, unused: 400

I also tried adding the "auth_gss_realm = MONDOMAINE.LAN;" parameter in the nginx configuration, but got the same result.
I'm continuing my investigation...

Thomas
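
Added example (not part of the original posts, and not code from WAPT or the nginx SPNEGO module): a small Python triage of `kerberos.log` lines like the ones above, separating "the client never sent a Negotiate token" from "the server rejected the token it was given". It assumes that `token.len=0` on the module's `SSO auth handling OUT` line means no token was presented and that a `ret` other than 401 with a token means acceptance; the function names and the `*90` sample line are constructed.

```python
import re

# nginx error_log debug prefix: "<date> <time> [level] pid#tid: *conn message"
LINE_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[\w+\] \d+#\d+: "
    r"\*(?P<conn>\d+) (?P<msg>.*)$"
)
# Result line written by the SPNEGO module once it has handled a request.
SSO_OUT_RE = re.compile(
    r"SSO auth handling OUT: token\.len=(?P<len>\d+), head=\d+, ret=(?P<ret>-?\d+)"
)


def triage(log_text):
    """Map each connection that reached auth_gss to a verdict and offered schemes."""
    conns = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        match = LINE_RE.match(line)
        if match:
            current = conns.setdefault(match.group("conn"),
                                       {"results": [], "offers": []})
            out = SSO_OUT_RE.search(match.group("msg"))
            if out:
                current["results"].append(
                    (int(out.group("len")), int(out.group("ret"))))
        elif current is not None and line.startswith("WWW-Authenticate:"):
            # Response headers are dumped without the per-line prefix, so they
            # are attributed to the connection of the last prefixed line.
            parts = line.split(":", 1)[1].split()
            if parts and parts[0] not in current["offers"]:
                current["offers"].append(parts[0])

    report = {}
    for conn, data in conns.items():
        if not data["results"]:
            continue  # this connection never reached the auth module
        if any(tlen > 0 and ret != 401 for tlen, ret in data["results"]):
            verdict = "authenticated"      # assumption: non-401 means accepted
        elif any(tlen > 0 for tlen, _ in data["results"]):
            verdict = "token_rejected"     # a token arrived and still got 401
        else:
            verdict = "no_token"           # only the bare challenge was sent
        report[conn] = {"verdict": verdict, "offers": data["offers"]}
    return report


def where_to_look(report):
    """Turn the per-connection verdicts into one troubleshooting direction."""
    verdicts = {entry["verdict"] for entry in report.values()}
    if not verdicts:
        return "none: no auth_gss activity in this log"
    if "authenticated" in verdicts:
        return "ok: at least one request passed Kerberos authentication"
    if "token_rejected" in verdicts:
        return "server: a token was sent and refused, check keytab and SPN"
    return ("client: no Negotiate token was ever sent, check how the client "
            "resolves the server name and obtains its service ticket")


# Lines copied from the kerberos.log posted above (trimmed to the relevant ones).
PAGE_EXCERPT = """\
2018/03/17 15:23:34 [debug] 7751#7751: *65 access phase: 8
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSO auth handling IN: token.len=0, head=0, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *65 SSO auth handling OUT: token.len=0, head=1, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *65 HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm=""

2018/03/17 15:23:34 [info] 7751#7751: *65 client 192.168.1.5 closed keepalive connection
2018/03/17 15:23:34 [debug] 7751#7751: *66 SSO auth handling OUT: token.len=0, head=1, ret=401
2018/03/17 15:23:34 [debug] 7751#7751: *67 SSO auth handling OUT: token.len=0, head=1, ret=401
"""

# Constructed line (not from the thread): a token was presented and refused.
CONSTRUCTED_REJECTED = (
    "2018/03/17 15:30:00 [debug] 7751#7751: *90 SSO auth handling OUT: "
    "token.len=1712, head=1, ret=401\n"
)

if __name__ == "__main__":
    for sample in (PAGE_EXCERPT, CONSTRUCTED_REJECTED):
        result = triage(sample)
        print(result)
        print(where_to_look(result))
```

On the posted log all three connections come out as `no_token`, which points at the client rather than at the keytab that `kinit` had already validated.
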
sfontenau
WAPT Expert
Posts: 2312
Joined: 10 July 2014 - 23:52

18 March 2018 - 11:22

You can start the WAPT server in debug mode:

Code: Select all

bash /opt/wapt/runwaptserver.sh -ldebug

If nothing shows up during registration, it means the authentication is not getting past the nginx barrier.

Also, be careful with your server configuration:

The line:

Code: Select all

allow_unauthenticated_registration = True


Normally, if you enable Kerberos, this should be set to False to prevent unauthenticated registrations.
TomTomGo
Posts: 25
Joined: 3 May 2017 - 15:36
Location: La Chapelle-sur-Erdre

18 March 2018 - 19:23

Hi,

Thanks for the tip.
I started the server in debug mode and, indeed, I see nothing happening when a workstation tries to register, which confirms that the problem lies with the Nginx server, as I already suspected...

Yes, for now I am leaving the `allow_unauthenticated_registration` parameter set to `True` so that workstations registered before Kerberos was enabled can continue to authenticate to the server.

I will continue my investigation!

Thomas
TomTomGo
Posts: 25
Joined: 3 May 2017 - 15:36
Location: La Chapelle-sur-Erdre

19 March 2018 - 10:40

Hello,

I found the source of the problem.
As mentioned in an earlier post (viewtopic.php?f=13&t=1059), we rely on DNS SRV records to locate the WAPT server and the repositories.
So, in the workstations' wapt-get.ini file, the wapt_server field is empty, which causes a problem during registration.
It works with the wapt-get.ini file below:

Code: Select all

[global]
waptupdate_task_period=120
wapt_server=https://srv-wapt.mondomaine.lan
repo_url=
use_hostpackages=1
send_usage_report=1
use_kerberos=1
check_certificates_validity=1
verify_cert=0
dnsdomain=mondomaine.lan
max_gpo_script_wait=180
pre_shutdown_timeout=180
hiberboot_enabled=0
[wapt-templates]
repo_url=https://store.wapt.fr/wapt
verify_cert=1

This therefore seems to indicate that if wapt_server is not specified in wapt-get.ini, the client is not able to find the main server via the DNS query during a registration.

Thomas
TomTomGo
Posts: 25
Joined: 3 May 2017 - 15:36
Location: La Chapelle-sur-Erdre

30 March 2018 - 12:28

Ah, I just saw that it was listed in the "Known issues" section for version 1.5.1.22...
When the waptserver is looked up with a DNS SRV query (dnsdomain parameter), Kerberos register authentication does not work.
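
Added example (not from the thread's authors or from the WAPT project): a Python check for the two settings this thread turns on, `allow_unauthenticated_registration` left at `True` beside `use_kerberos` in waptserver.ini, and an empty `wapt_server` beside `use_kerberos=1` in wapt-get.ini. The sample files are trimmed copies of the ones posted above with secrets replaced by a placeholder; the function names are hypothetical.

```python
import configparser


def _load(ini_text):
    # interpolation=None: values are read literally, '%' has no special meaning
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return parser


def audit_server(ini_text):
    """Findings for the [options] section of waptserver.ini."""
    parser = _load(ini_text)
    findings = []
    if not parser.has_section("options"):
        return ["no [options] section found"]
    opts = parser["options"]
    if opts.getboolean("use_kerberos", fallback=False):
        if "allow_unauthenticated_registration" not in opts:
            # The default is not stated in the thread, so it is only reported.
            findings.append(
                "allow_unauthenticated_registration is not set explicitly")
        elif opts.getboolean("allow_unauthenticated_registration"):
            findings.append(
                "use_kerberos is on but allow_unauthenticated_registration = "
                "True: hosts can still register without Kerberos")
    return findings


def audit_client(ini_text):
    """Findings for the [global] section of wapt-get.ini."""
    parser = _load(ini_text)
    findings = []
    if not parser.has_section("global"):
        return ["no [global] section found"]
    glob = parser["global"]
    kerberos = glob.getboolean("use_kerberos", fallback=False)
    server = glob.get("wapt_server", fallback="").strip()
    if kerberos and not server:
        findings.append(
            "use_kerberos=1 with an empty wapt_server: the server is located "
            "through DNS SRV (dnsdomain=%s), the case the thread reports as "
            "failing Kerberos registration" % glob.get("dnsdomain", fallback="?"))
    return findings


# Trimmed from the waptserver.ini posted in the thread; secrets are placeholders.
SERVER_AS_POSTED = """\
[options]
wapt_user = admin
wapt_password = REDACTED
wapt_folder = /var/www/wapt
allow_unauthenticated_registration = True
secret_key = REDACTED
use_kerberos = True
"""
SERVER_HARDENED = SERVER_AS_POSTED.replace(
    "allow_unauthenticated_registration = True",
    "allow_unauthenticated_registration = False")

# Trimmed from the first wapt-get.ini posted in the thread.
CLIENT_AS_POSTED = """\
[global]
wapt_server=
repo_url=
use_kerberos=1
verify_cert=0
dnsdomain=mondomaine.lan
"""
# Same file with the value from the working configuration posted later.
CLIENT_WORKING = CLIENT_AS_POSTED.replace(
    "wapt_server=", "wapt_server=https://srv-wapt.mondomaine.lan")

if __name__ == "__main__":
    for name, findings in (
        ("waptserver.ini as posted", audit_server(SERVER_AS_POSTED)),
        ("waptserver.ini hardened", audit_server(SERVER_HARDENED)),
        ("wapt-get.ini as posted", audit_client(CLIENT_AS_POSTED)),
        ("wapt-get.ini working", audit_client(CLIENT_WORKING)),
    ):
        print(name, "->", findings or "no findings")
```
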