Active Directory registration not working Windows 7 x64 client

Berend de Boer

Wow, compiliation actually works if I compile the FOGService.exe as well and copy that first. That’s great, can now do development on Linux.

Berend de Boer

[quote=“Tom Elliott, post: 43893, member: 7271”]And your username field is not in the format domain/username?[/quote]

No, it wasn’t. The domain name is automatically appended I saw already. The problem is that the password is garbled. When I hard-code it, everything works. Narrowing down to the culprit.

Berend de Boer

One thing I found out is that you cannot use the fully qualified name as domain in the active domain settings of a client. It must be in NetBios format. The reason is that the backend returns the user name as “<DOMAIN><username>” and if you have as domain “fog.example.org” you get a user name “fog.example.org\Administrator” for example, which won’t work.

Berend de Boer

The error, as everyone expected, was indeed in the encryption key. Somehow there is a difference between how HostnameChange encrypts/decrypts. I put in some debug code to encrypt my password and the encrypted hex is completely different. When I enter this encrypted hex in the active domain settings, everything works. Now tracking down why HostnameChange encrypts differently from the standard FOGCrypt (recompiled that from scratch as well, same output as standard binary).

Tom Elliott

This completely depends on your set ups environment yes there are times were having the fully qualified domain name works perfectly and there are times where it doesn’t I don’t know the specific settings that cause these issues or how to fix them but they are completely environmental

Berend de Boer

And here’s the very very nasty deal: you will have to run FOGCrypt.exe on the SAME computer as you want to decrypt on. I did run FOGCrypt.exe on different computers (Linux in this case), and it simply does not encrypt/decrypt the same. I don’t know why.

This may be an implementation issue in mono, maybe 32/64 bit??

But that’s all that there was to it. Bummer, this whole thing cost me a big amount of time of getting fog up and running. I would love to contribute back some patches and knowledge. But can’t get access to the Wiki to cleanup some obsolete comments.

And how do I propose patches? Is that against the git branch? For example the AbstractFOGService uses the wrong variable name, here’s patch:

[CODE]diff --git a/FOGService/src/AbstractFogService/AbstractFOGService.cs b/FOGService/src/AbstractFogService/AbstractFOGService.cs
index f7cbeae…332b029 100755
— a/FOGService/src/AbstractFogService/AbstractFOGService.cs
+++ b/FOGService/src/AbstractFogService/AbstractFOGService.cs
@@ -265,9 +265,10 @@ namespace FOG
f.Delete();
}

•                objReader = new StreamWriter(strLogPath, true);
  

•                objReader.WriteLine(" " + DateTime.Now.ToShortDateString() + " " + DateTime.Now.ToShortTimeString() + " " + moduleName + " " + strlog);
  

•                objReader.Close();
  

•      using (StreamWriter writer = new StreamWriter(strLogPath, true))
  

•      {
  

•        writer.WriteLine(" " + DateTime.Now.ToShortDateString() + " " + DateTime.Now.ToShortTimeString() + " " + moduleName + " " + strlog);
  

•      }
            }
        }
        catch
  

[/CODE]

And this one to give better logging on what is exactly wrong instead of an error code:

[CODE]diff --git a/FOGService/src/FOG_HostNameChanger/MOD_HostNameChanger.cs b/FOGService/src/FOG_HostNameChanger/MOD_HostNameChanger.cs
index ae3de28…c39c315 100755
— a/FOGService/src/FOG_HostNameChanger/MOD_HostNameChanger.cs
+++ b/FOGService/src/FOG_HostNameChanger/MOD_HostNameChanger.cs
@@ -47,6 +47,8 @@ namespace FOG
public const int AccessDenied = 5;
public const int BadNetPath = 53;
public const int WrongPassword = 1323;

•        public const int LogonFailure = 1326;
  

•        public const int BadDomain = 1355;
        public const int UnknownDevDir = 2116;
        public const int TooManyItems = 2121;
        public const int RemoteErr = 2127;
  

@@ -289,7 +291,7 @@ namespace FOG
{
try
{

•                            log(MOD_NAME, "Attempting to connect to fog server...");
  

•                            log(MOD_NAME, "Connecting to fog server...");
                            WebClient wc = new WebClient();
                            String strPath = strURLModuleStatus + "?mac=" + macList + "&moduleid=hostnamechanger";
                            strDta = wc.DownloadString(strPath);
  

@@ -437,7 +439,11 @@ namespace FOG

                                                strUser = strU;
                                                if (strP != null && strP != "")

•                                                {
  

•                                                    FOGCrypt c = new FOGCrypt(PASSKEY);
                                                    strPass = new FOGCrypt(PASSKEY).decryptHex(strP);
  

•                                                }
                                                else
                                                    strPass = "";
  

@@ -599,6 +605,10 @@ namespace FOG
return "Domain Error! (‘Bad Netpath’ Code: " + code + ") ";
case NERR.WrongPassword:
return "Domain Error! (‘Wrong Password’ Code: " + code + ") ";

•            case NERR.LogonFailure:
  

•                return "Domain Error! ('Logon failure, unknown user name or bad password' Code: " + code + ") ";
  

•            case NERR.BadDomain:
  

•                return "Domain Error! ('The specified domain either does not exist or could not be contacted' Code: " + code + ") ";
            case NERR.DCNotFound:
                return "Domain Error! ('DCNotFound' Code: " + code + ") ";
            case NERR.SetupAlreadyJoined:
  

[/CODE]

And I would love to be allowed to add a patch that forbids people to use a DNS domain name in the active directory settings, or forbids to use the ‘’ character in the user name, both won’t work.

Berend de Boer

[quote=“Tom Elliott, post: 43939, member: 7271”]This completely depends on your set ups environment yes there are times were having the fully qualified domain name works perfectly and there are times where it doesn’t I don’t know the specific settings that cause these issues or how to fix them but they are completely environmental[/quote]

Hi Tom, I think I know exactly why and when they work now. For 1.2 the issue is that the domain name is prepended to the user name.

So you get domain fog.example.org, but the user name then becomes fog.example.org\Administrator. The [URL=‘https://msdn.microsoft.com/en-us/library/windows/desktop/aa370433(v=vs.85).aspx?f=255&MSPPError=-2147217396’]NetJoinDomain[/URL] domain call does not like that. [URL=‘http://www.fogproject.org/forum/threads/wiki-login.12416/#post-43951’]See my other post [/URL]where I touched upon this as well: I suggest FOG always uses the unqualified name for the domain name, and no domain name in the user name, far less confusing.

But there may be setups where a difference is required?? Not sure, but then the prepending logic must become way smarter, and the GUI should check for users who enter this wrong too.

You can lookup the Microsoft docs for [URL='https://msdn.microsoft.com/en-us/library/windows/desktop/aa370433(v=vs.85).aspx?f=255&MSPPError=-2147217396’]what’s allowed as value for the account name[/URL]:
[QUOTE][I]lpAccount[/I] [in]
A pointer to a constant null-terminated character string that specifies the account name to use when connecting to the domain controller. The string must specify either a domain NetBIOS name and user account (for example, [I]REDMOND\user[/I]) or the user principal name (UPN) of the user in the form of an Internet-style login name (for example, “[EMAIL]someone@example.com[/EMAIL]”). If this parameter is [B]NULL[/B], the caller’s context is used.[/QUOTE]

Berend de Boer

[quote=“Berend de Boer, post: 43941, member: 28367”]And here’s the very very nasty deal: you will have to run FOGCrypt.exe on the SAME computer as you want to decrypt on. I did run FOGCrypt.exe on different computers (Linux in this case), and it simply does not encrypt/decrypt the same. I don’t know why.

This may be an implementation issue in mono, maybe 32/64 bit??[/quote]

One thing to add here: note that I did run EXACTLY the same code on Linux or the Windows machine (compiled myself with Mono). Got different encryption values in both cases.

Junkhacker

[quote=“Berend de Boer, post: 43956, member: 28367”]One thing to add here: note that I did run EXACTLY the same code on Linux or the Windows machine (compiled myself with Mono). Got different encryption values in both cases.[/quote]

regarding issues with the client, here’s something you might have missed. [url]http://fogproject.org/forum/threads/new-client-progress.12136/[/url]
the client is being rewritten from scratch.
btw, the domain\user issue is changed in the dev version of the code. in the current dev version of the code, the user field is checked for a \ or @. if either of those exist, the field is sent as is. if not, the domain is a added as domain\user.

Wayne Workman

[quote=“Berend de Boer, post: 43956, member: 28367”]One thing to add here: note that I did run EXACTLY the same code on Linux or the Windows machine (compiled myself with Mono). Got different encryption values in both cases.[/quote]

Maybe Mono uses a different compiler or libraries for Windows and Linux?

Berend de Boer

[quote=“Junkhacker, post: 43983, member: 21583”]btw, the domain\user issue is changed in the dev version of the code. in the current dev version of the code, the user field is checked for a \ or @. if either of those exist, the field is sent as is. if not, the domain is a added as domain\user.[/quote]

Yes, Tom told me about that, and what you describe seems exactly the right behaviour.