Trouble installing SmartClient on MacOS Sierra

Joe Schmitt

@Wayne-Workman thanks for pinging me, I was meaning to get back to this topic.

@kwetiaw in short here’s what’s happening. Starting with El Capitan OSX ships with a feature called system integrity protection (SIP). Many applications have had some difficulty adjusting to the new security model. Mono included. With the release of El Capitan they had to rebuild parts of their build process to be in compliance with SIP. Even then it took them awhile to figure out how to ensure their root keystore was also compliant with SIP. The client was actually OSX compatible a long time ago, but I and @Tom-S had to wait for mono to patch this issue.

I suspect with the release of OSX Sierra some changes were made to SIP. While mono still works (hence you can run the smart installer), the keystore is once again broken. This keystore is what allows the client to “pin” your FOG server for security purposes. If you can ensure you are running the latest version of mono (and if so report back with the exact version number mono --version) I can confirm the issue and check in with the Mono team about this issue. Also if you can, upload the entire SmartInstaller.log file.

To clarify; this is not an issue with the client, but rather a bug with mono dealing with Apple’s SIP.

kwetiaw

@Tom-Elliott Hi Tom,
It listed different folder but none of them is .mono

kwetiaw

@Tom-Elliott there isnt a folder called “share”

kwetiaw

@Joe-Schmitt

Mono version

When i tried running mono to install smartclient.exe

Duncan

https://www.howtogeek.com/230424/how-to-disable-system-integrity-protection-on-a-mac-and-why-you-shouldnt/

reboot into recovery > start terminal

csrutil disable

ArtLong

@kwetiaw I’m getting this same error on HS has this been resolved?

Sebastian Roth

@ArtLong As Joe posted long time ago:

To clarify; this is not an issue with the client, but rather a bug with mono dealing with Apple’s SIP (system integrity protection).

I don’t have access to a Mac to test so we probably need other people to confirm this is still an issue. There is nothing much we can do about I suppose.

Daniel Miller

This is still an issue. Tested with Mono 5.20.1 Stable (5.20.1.19) on macOS 10.11.6, 10.13.6, and 10.14.5 with SmartInstaller.exe distributed with 1.5.5 and 1.5.6.

SmartInstaller.log

output from mono --version

Mono JIT compiler version 5.20.1.19 (2018-10/886c4901747 Tue Apr  9 12:37:29 EDT 2019)
Copyright (C) 2002-2014 Novell, Inc, Xamarin Inc and Contributors. www.mono-project.com
	TLS:           
	SIGSEGV:       altstack
	Notification:  kqueue
	Architecture:  amd64
	Disabled:      none
	Misc:          softdebug 
	Interpreter:   yes
	LLVM:          yes(600)
	Suspend:       hybrid
	GC:            sgen (concurrent by default)

Issue on the mono GitHub related to this is certmgr System.UnauthorizedAccessException: Access to the path “/usr/share/.mono” is denied. #12005 and it is still in an open status.

Sebastian Roth

@Daniel-Miller Good you brought this topic up again. We had a very similar thing on Linux where the fog-client wouldn’t be able to read back the certificates from the mono cert store. I can imagine this being the same issue.

Check out this: https://forums.fogproject.org/topic/13374/fog-client-under-ubuntu-18-04-authentication-error-could-not-authenticate

Daniel Miller

@Sebastian-Roth
Well, not the same, but likely related. The mono issue noted the problem was present on both Linux and macOS, but for different reasons. If the changes in that version of zazzles takes over the cert handling from mono, that solution might work, but the installer removes the client when it detects the failed install so I don’t have a means to test if it does. These are all new installations as part of an attempt to solve a large package deployment issue here, so I don’t have a previously working client base to play with unfortunately.

                     ..#######:.    ..,#,..     .::##::.   
                .:######          .:;####:......;#;..      
                ...##...        ...##;,;##::::.##...       
                   ,#          ...##.....##:::##     ..::  
                   ##    .::###,,##.   . ##.::#.:######::. 
                ...##:::###::....#. ..  .#...#. #...#:::.  
                ..:####:..    ..##......##::##  ..  #      
                    #  .      ...##:,;##;:::#: ... ##..    
                   .#  .       .:;####;::::.##:::;#:..     
                    #                     ..:;###..        
                                                           
                ###########################################
                #     FOG                                 #
                #     Free Computer Imaging Solution      #
                #                                         #
                #     https://www.fogproject.org/         #
                #                                         #
                #     Credits:                            #
                #     https://fogproject.org/Credits      #
                #     GNU GPL Version 3                   #
                ###########################################
                #           FOG Service Installer         #

------------------------------------License-----------------------------------

FOG Service Copyright (C) 2014-2017 FOG Project
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under certain
conditions. See your FOG server under 'FOG Configuration' -> 'License' for
further information.

----------------------------------Information---------------------------------

Version................................................................0.11.16
OS.........................................................................Mac
Current Path........................................../Users/x/Downloads
Install Location............................................../opt/fog-service

-----------------------------------Configure----------------------------------

FOG Server address [default: fogserver]: fogserver
Webroot [default: /fog]:                 
Enable tray icon? [Y/n]:                 y

----------------------------------Installing----------------------------------

Getting things ready....................................................[Pass]
Installing files........................................................[Pass]
Saving Configuration....................................................[Pass]
Applying Configuration..................................................[Pass]
Pinning FOG Project.....................................................[Fail]

Installation failed, cleaning system

-----------------------------------Uninstall----------------------------------

Uninstalling............................................................[Pass]

-----------------------------------Finished-----------------------------------

See /Users/x/Downloads/SmartInstaller.log for more information.

ASEGCB0240-06:opt x$ ls -al /opt
total 0
drwxr-xr-x   2 root  wheel    68 Jun 27 10:23 .
drwxr-xr-x  40 root  wheel  1428 Jun 26 16:37 ..

Sebastian Roth

@Daniel-Miller said:

...
FOG Server address [default: fogserver]: fogserver
...

Make sure you give the FOG server IP hear or it won’t be able to pin to it!

Daniel Miller

@Sebastian-Roth names were changed to protect the guilty.

Sebastian Roth

@Daniel-Miller Ahh, I see. So then what do you get in /Users/x/Downloads/SmartInstaller.log??

Daniel Miller

@Daniel-Miller said in Trouble installing SmartClient on MacOS Sierra:

SmartInstaller.log

Sebastian Roth

@Daniel-Miller Dang… should have expected that.

I am not that great a C# coder than Joe is who created the whole new fog-client three years ago. Looking around I came across this: https://www.pinvoke.net/default.aspx/shell32/SHSetKnownFolderPath.html

Maybe we can use this on MacOS X to save the cert store in a different place?!

As well I am wondering what would happen if we change the fog-client code to not do:

var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);

but

var store = new X509Store(StoreName.Root, StoreLocation.CurrentUser);

But I have no idea where it would put the store then and if things would work this way?!

Sebastian Roth

@Daniel-Miller I just compiled a new SmartInstaller for you that does use the StoreLocation.CurrentUser. Lets see if that makes a difference on your MacOS X.

https://file.io/JDxjcp

Cant promise anything. Its just a first try and I am not really sure if it will run properly even if the installer itself is fixed. The whole project building and signing the binaries is a very complex process and I am not sure I got it all right.

Daniel Miller

@Sebastian-Roth
I can give it a go. Will need another link though; that one is returning an http error 404.

Sebastian Roth

@Daniel-Miller Strange, the link worked yesterday. Will upload somewere else later on.

Sebastian Roth

@Daniel-Miller I know this doesn’t look very official uploading the installer to some cloud thing but it’s just for testing and the easiest for me right now: https://cloud.mi.hdm-stuttgart.de/index.php/s/LZnrNB9cWrmqsz7

Daniel Miller

@Sebastian-Roth no worries

Good News:
The installer finished up without error.
After rebooting the machine and logging back into the admin user, the tray icon appeared, the service process appears to be running, and /opt/fog-server/fog.log appears to be initially happy:

 6/28/2019 11:29 AM Middleware::Communication URL: http://fogserver/fog/management/index.php?sub=requestClientInfo
&configure&newService&json
 6/28/2019 11:29 AM Middleware::Response Success
 6/28/2019 11:29 AM Middleware::Communication URL: http://fogserver/fog/management/index.php?sub=requestClientInfo
&mac=00:25:00:F0:83:DF|00:25:00:F0:6F:45|00:25:4B:FF:FE:FB:69:24&newService&json
 6/28/2019 11:29 AM Middleware::Response Invalid host
 6/28/2019 11:29 AM Middleware::Communication URL: http://fogserver/fog/service/getversion.php?clientver&newServic
e&json
 6/28/2019 11:29 AM Middleware::Communication URL: http://fogserver/fog/service/getversion.php?newService&json

 6/28/2019 11:29 AM Service Creating user agent cache
 6/28/2019 11:29 AM Middleware::Response Module is disabled on the host
 6/28/2019 11:29 AM Middleware::Response Module is disabled on the host
 6/28/2019 11:29 AM Middleware::Response Module is disabled globally on the FOG server

Bad News:
Certificate store appears to be ~/.config/.mono/certs/Trust with respect to the installing user account and the service doesn’t appear to be reliably pulling from that store after further reboots. From /opt/fog-service/fog.log:

------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
 6/28/2019 11:44 AM Client-Info Version: 0.11.16
 6/28/2019 11:44 AM Client-Info OS:      Mac
 6/28/2019 11:44 AM Middleware::Authentication Waiting for authentication timeout to pass
 6/28/2019 11:46 AM Middleware::Communication Download: http://fogserver/fog/management/other/ssl/srvpublic.crt
 6/28/2019 11:46 AM Data::RSA ERROR: Unable to retrieve FOG Server CA
 6/28/2019 11:46 AM Data::RSA ERROR: FOG Server CA NOT found in keystore
 6/28/2019 11:46 AM Middleware::Authentication ERROR: Could not authenticate
 6/28/2019 11:46 AM Middleware::Authentication ERROR: Value cannot be null.
Parameter name: authority


 6/28/2019 11:46 AM Middleware::Communication URL: http://fogserver/fog/management/index.php?sub=requestClientInfo&configure&newService&json
 6/28/2019 11:46 AM Middleware::Response Success
 6/28/2019 11:46 AM Middleware::Communication URL: http://fogserver/fog/management/index.php?sub=requestClientInfo&mac=00:25:00:F0:83:DF|00:25:00:F0:6F:45|00:25:4B:FF:FE:FB:69:24&newService&json
 6/28/2019 11:46 AM Middleware::Authentication Waiting for authentication timeout to pass
 6/28/2019 11:48 AM Middleware::Communication Download: http://fogserver/fog/management/other/ssl/srvpublic.crt
 6/28/2019 11:48 AM Data::RSA ERROR: Unable to retrieve FOG Server CA
 6/28/2019 11:48 AM Data::RSA ERROR: FOG Server CA NOT found in keystore
 6/28/2019 11:48 AM Middleware::Authentication ERROR: Could not authenticate
 6/28/2019 11:48 AM Middleware::Authentication ERROR: Value cannot be null.
Parameter name: authority
 6/28/2019 11:48 AM Middleware::Response Success
 6/28/2019 11:48 AM Middleware::Communication URL: http://fogserver/fog/service/getversion.php?clientver&newService&json
 6/28/2019 11:48 AM Middleware::Communication URL: http://fogserver/fog/service/getversion.php?newService&json

 6/28/2019 11:48 AM Service Creating user agent cache
 6/28/2019 11:48 AM Middleware::Response ERROR: Unable to get subsection
 6/28/2019 11:48 AM Middleware::Response ERROR: Object reference not set to an instance of an object
 6/28/2019 11:48 AM Middleware::Response ERROR: Unable to get subsection
 6/28/2019 11:48 AM Middleware::Response ERROR: Object reference not set to an instance of an object
 6/28/2019 11:48 AM Middleware::Response ERROR: Unable to get subsection
 6/28/2019 11:48 AM Middleware::Response ERROR: Object reference not set to an instance of an object
 6/28/2019 11:48 AM Service Initializing modules

Being the service appears to start as root, I’m not entirely certain how it was initially able to access the cert store (I blame unicorns). Unfortunately, the constructor for X509Store appears to be doing exactly what it was told without any pleasant side effects.

Additionally, even when the service was checking in, the fog server didn’t appear to be acknowledging the communications; the http requests were showing up in other_vhosts_access.log on the fog server, but no pending registrations appeared in the web interface and, when I manually added the host and scheduled a hardware inventory, no task reboot information appeared to be passed to the client. This may be attributable to the lack of CA (or the aforementioned unicorns).

I did try swapping out the Zazzles.dll with the one posted in Client not authenticating, but it is giving the same results.