Problem with FOG Service …

JJ Fullmer · Oct 24, 2024, 1:00 PM

@Laurent said in Problem with FOG Service …:

I use an encrypted password because I don’t want other fog users to see my password in plain text

I would recommend using a separate domain admin account rather than any 1 user’s domain account. Partly because of the issue you describe (though that’s not something that can be seen in the web gui) but also so that it’s a password that won’t expire with a user leaving and it’s a password that can be rotated without affecting other services.

Just my 2 cents.

sideone · Oct 24, 2024, 1:00 PM

@Laurent we’re on FOG 1.6, but I think its the same as 1.5.10. FOG doesn’t let you see the AD password once input, but I’d echo @JJ-Fullmer’s point of using a specific account

Laurent · Oct 24, 2024, 1:34 PM

@JJ-Fullmer

thanks Tom Elliott for your answer. The fog service I used until now (for fog versions 1.5.7 and 1.5.9) used encrypted passwords, and everything worked perfectly.

the problem is that if I don’t encrypt my password, other fog users will be able to see it, and it’s an administrator account of my domain (Active Directory) !

Is there a way to get around this problem?

Laurent · Oct 24, 2024, 1:45 PM

@sideone
you are absolutely right, we can’t see the password anymore !!! you just have to leave the host and come back in, and the password is hidden!!

For me, it was still visible because I hadn’t left the host…

Are you on version 1.6? where can I download it to test? any feedback on this version?

JJ Fullmer · Oct 24, 2024, 1:53 PM

@Laurent https://docs.fogproject.org/en/latest/installation/server/install-fog-server/#choosing-a-fog-version

Essentially, instead of checking out the stable branch and doing a git pull and running the installer, you check-out the working-1.6 branch, do a git pull and run the installer.

It’s still in “beta” but I believe we’re very close to releasing it as the new stable version.

It’s a whole new ui it’s pretty great. Lots of feature and security enhancement in the backend, faster search results in a universal search tool, cool stuff like that.

Tom Elliott · Oct 24, 2024, 1:59 PM

@Laurent The information is stored encrypted in the db + the transfer of information is encrypted between the client and the machine.

The only time the password is clear to any user is when you initially enter it in the field.

Laurent · Oct 24, 2024, 2:09 PM

@JJ-Fullmer

Top, that’s great news! Congrates !

iljared98 · Oct 24, 2024, 3:55 PM

@JJ-Fullmer
In our environment we just use a service account that has delegated rights to create / delete computer objects and domain join, it doesn’t have access to anything else. No need for domain admin in that case.

sideone · Oct 25, 2024, 6:56 AM

@iljared98 this is what we do too.

JJ Fullmer · Oct 28, 2024, 1:03 PM

@iljared98 I don’t suppose you’d be willing to share more on this config? What specific rights you gave the service account, did you have to do this whole thing https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1 related to this whole thing https://support.microsoft.com/en-us/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8 ?

I’ve previously attempted to create a standard user with such permissions, but I hadn’t tried a service account, that’s a grand idea. I would love to document the creation of a least privilege service account for fog domain operations.

Problem with FOG Service …

178

12.1k

17.3k

155.3k