Problem with some hostname and AD integration

Matthieu Jacquart

Hi

I have problems with some computers with latest svn and new client : for most of computers everything is fine, computer name and AD inegration works.
But for some others, hostname didn’t change (stays like PROF-BN04FSGEER) and are considered as new computers in AD, and for others computer name changes AFTER AD integration !

Evertyhing was fine with fog 1.2 and older client, but now with latest svn ond new client, I had these problems. I don’t know if it’s a bug or a bad parameters in my fog settings, so I looked in “Active Directory Defaults” and try to understand difference between FOG_AD_DEFAULT_PASSWORD and FOG_AD_DEFAULT_PASSWORD_LEGACY.
I understood that legacy password was the previous one, with the older client, generate with fogcrypt, and which always works like a charm.
And the other one (FOG_AD_DEFAULT_PASSWORD) is the new AD password to works with new client, that’s it ? To be sure, I’ve just to enter in plain text AD password, and after clicking “save changes” this password is encrypted, right ?

But why this encrypted password always whange ? With fog crypt, if a type the same password twice, I’ve got twice the same result. And with the new AD password, if I try several times, encrypted password looks always different !
So I don’t know if I make a mistake somewhere or not…

Thnks for your help and explanations !

Matthieu

Wayne Workman

Your understanding of what the two fields are for is correct.

The legacy pass field doesn’t change because… well… because the web-interface doesn’t do anything with the encrypted string except for store it in the DB - very insecure.

The new client and new security model is (HIGHLY) secure, in fact insanely secure. The web interface handles the encryption and it will not produce the same string each time simply because you entered in the same text - which makes it even more secure.

as far as the inconsistency with the client operation - try building images with the FOG Service set to delayed start from now on. Also - when you are imaging systems, why not use early hostname changer? Is it because you sysprep?

Either way, I’m alerting @Jbob about it, the new client is his baby.

Joe Schmitt

@Matthieu-Jacquart , @Wayne-Workman is correct about the new style of AD password. A brief overview of how the AD password is handled for the new client:

1. When the user enters it into the settings field, on-the-fly AES 256 is done on it using a new key each time. Granted if someone can breach your database then they would still be able to retrieve it (there is nothing we can do about that).
2. When the client requests the ad information, the server decrypts the password, and re-encrypts it along with all other data being sent using an AES key established during the client’s handshake (I won’t get into that).

As for the problem you are describing, I am baffled. It should not be possible for the beta client to do rename-joinAD out of order. Could you post the log of a client that does this? (please take the log right after it finishes renaming / ad joining).

Matthieu Jacquart

Thanks you two for answers, I nunderstood better new client / AD joining !

Here are my log for hostname changer and AD joining problems (after sysprep)

------------------------------------------------------------------------------
--------------------------------HostnameChanger-------------------------------
------------------------------------------------------------------------------
 21/08/2015 09:40 Client-Info Version: 0.9.4
 21/08/2015 09:40 HostnameChanger Running...
 21/08/2015 09:40 Middleware::Communication URL: http://192.168.10.60/fog/service/servicemodule-active.php?moduleid=hostnamechanger&mac=00:1C:C0:42:9F:00|&newService=1
 21/08/2015 09:40 Middleware::Communication Response: Success
 21/08/2015 09:40 Middleware::Communication URL: http://192.168.10.60/fog/service/hostname.php?moduleid=hostnamechanger&mac=00:1C:C0:42:9F:00|&newService=1
 21/08/2015 09:40 Middleware::Communication Response: Success
 21/08/2015 09:40 HostnameChanger Checking Hostname
 21/08/2015 09:40 HostnameChanger Renaming host to S081PROF2
 21/08/2015 09:40 HostnameChanger Unregistering computer
 21/08/2015 09:40 HostnameChanger Removing host from active directory
 21/08/2015 09:40 HostnameChanger The machine is not currently joined to a domain, code =  2692
 21/08/2015 09:40 HostnameChanger Updating registry
 21/08/2015 09:40 RegistryHandler ERROR: Could not set SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerNameComputerName
 21/08/2015 09:40 RegistryHandler ERROR: Impossible de créer une sous-clé stable sous une clé parente volatile.

 21/08/2015 09:40 Service ERROR: Erreur critique ```

--------------------------------HostnameChanger-------------------------------
------------------------------------------------------------------------------
 21/08/2015 09:41 Client-Info Version: 0.9.4
 21/08/2015 09:41 HostnameChanger Running...
 21/08/2015 09:41 Middleware::Communication URL: http://192.168.10.60/fog/service/servicemodule-active.php?moduleid=hostnamechanger&mac=00:1C:C0:42:9F:00||00:00:00:00:00:00:00:E0&newService=1
 21/08/2015 09:41 Middleware::Communication Response: Success
 21/08/2015 09:41 Middleware::Communication URL: http://192.168.10.60/fog/service/hostname.php?moduleid=hostnamechanger&mac=00:1C:C0:42:9F:00||00:00:00:00:00:00:00:E0&newService=1
 21/08/2015 09:41 Middleware::Communication Response: Success
 21/08/2015 09:41 HostnameChanger Checking Hostname
 21/08/2015 09:41 HostnameChanger Renaming host to S081PROF2
 21/08/2015 09:41 HostnameChanger Unregistering computer
 21/08/2015 09:41 HostnameChanger Removing host from active directory
 21/08/2015 09:41 HostnameChanger The machine is not currently joined to a domain, code =  2692
 21/08/2015 09:41 HostnameChanger Updating registry
 21/08/2015 09:41 RegistryHandler ERROR: Could not set SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerNameComputerName
 21/08/2015 09:41 RegistryHandler ERROR: Impossible de créer une sous-clé stable sous une clé parente volatile.

 21/08/2015 09:41 Power Creating shutdown request
 21/08/2015 09:41 Power Parameters: /r /c "FOG needs to rename your computer" /t 0
 21/08/2015 09:41 HostnameChanger Registering host with active directory
 21/08/2015 09:41 HostnameChanger Success, code =  0
 21/08/2015 09:41 Power Creating shutdown request
 21/08/2015 09:41 Power Parameters: /r /c "Host joined to Active Directory, restart required" /t 0
 21/08/2015 09:41 HostnameChanger Activing host with product key

------------------------------------------------------------------------------
--------------------------------HostnameChanger-------------------------------
------------------------------------------------------------------------------
 21/08/2015 09:43 Client-Info Version: 0.9.4
 21/08/2015 09:43 HostnameChanger Running...
 21/08/2015 09:43 Middleware::Communication URL: http://192.168.10.60/fog/service/servicemodule-active.php?moduleid=hostnamechanger&mac=00:1C:C0:42:9F:00||00:00:00:00:00:00:00:E0&newService=1
 21/08/2015 09:43 Middleware::Communication Response: Success
 21/08/2015 09:43 Middleware::Communication URL: http://192.168.10.60/fog/service/hostname.php?moduleid=hostnamechanger&mac=00:1C:C0:42:9F:00||00:00:00:00:00:00:00:E0&newService=1
 21/08/2015 09:43 Middleware::Communication Response: Success
 21/08/2015 09:43 HostnameChanger Checking Hostname
 21/08/2015 09:43 HostnameChanger Renaming host to S081PROF2
 21/08/2015 09:43 HostnameChanger Unregistering computer
 21/08/2015 09:43 HostnameChanger Removing host from active directory
 21/08/2015 09:43 HostnameChanger Success, code =  0
 21/08/2015 09:43 Power Creating shutdown command in 60 seconds
 21/08/2015 09:43 Bus {
  "channel": "Power",
  "data": "{\r\n  \"action\": \"request\",\r\n  \"period\": 60,\r\n  \"options\": 2,\r\n  \"command\": \"/r /c \\\"Host left active directory, restart needed\\\" /t 0\",\r\n  \"message\": \"This computer needs to perform maintance.\"\r\n}"
}
 21/08/2015 09:43 Bus Emmiting message on channel: Power
 21/08/2015 09:43 HostnameChanger Updating registry
 21/08/2015 09:43 RegistryHandler ERROR: Could not set SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerNameComputerName
 21/08/2015 09:43 RegistryHandler ERROR: Impossible de créer une sous-clé stable sous une clé parente volatile.

 21/08/2015 09:43 Power Power task already in-progress
------------------------------------------------------------------------------

 21/08/2015 09:43 Service Power operation being requested, checking back in 30 seconds
 21/08/2015 09:43 Bus Registering ParseBus in channel Power
 21/08/2015 09:43 Bus Became bus client
 21/08/2015 09:43 Bus Registering OnNotification in channel Notification
 21/08/2015 09:43 Bus Registering OnUpdate in channel Update
 21/08/2015 09:44 Service Power operation being requested, checking back in 30 seconds

Joe Schmitt

The second log you posted, did you edit it at all? Some things are happening in it that just aren’t possible with v0.9.4.

Matthieu Jacquart

Hi

In the second post I’ve just paste lines about section “hostname changer” from fog file in one host.
I have a lot of other problems since thursday (fog began to download images on hosts and the hosts reboot after few percent or I have no access to web console durnng downloading hosts…), so I’ve just restored an okd backup, I’ll make new test on monday.

Matthieu Jacquart

Ok, after restoring my fog VM, I’ve launch isntallation script with -C and -K parameters
After that, I desinstall and reinstalled fog client on two computers, and I’ve got he message

------------------------------------------------------------------------------
--------------------------------HostnameChanger-------------------------------
------------------------------------------------------------------------------
 24/08/2015 08:42 Client-Info Version: 0.9.4
 24/08/2015 08:42 HostnameChanger Running...
 24/08/2015 08:42 Middleware::Communication URL: http://192.168.10.60/fog/service/servicemodule-active.php?moduleid=hostnamechanger&mac=00:1C:C0:3A:70:E4||00:00:00:00:00:00:00:E0&newService=1
 24/08/2015 08:42 Middleware::Communication Response: Success
 24/08/2015 08:42 Middleware::Communication URL: http://192.168.10.60/fog/service/hostname.php?moduleid=hostnamechanger&mac=00:1C:C0:3A:70:E4||00:00:00:00:00:00:00:E0&newService=1
 24/08/2015 08:42 Middleware::Communication Response: Invalid host certificate
 24/08/2015 08:42 Middleware::Communication URL: http://192.168.10.60/fog/management/other/ssl/srvpublic.crt
 24/08/2015 08:42 Data::RSA CA cert found
 24/08/2015 08:42 Middleware::Authentication Cert OK
 24/08/2015 08:42 Middleware::Communication POST URL: http://192.168.10.60/fog/management/index.php?sub=authorize
 24/08/2015 08:42 Middleware::Communication Response: Invalid host certificate
------------------------------------------------------------------------------```

Tom Elliott

@Matthieu-Jacquart What does the log show in regards to the authenticate sequence?

Matthieu Jacquart

 24/08/2015 11:47 RegistryHandler ERROR: Could not retrieve Software\Wow6432Node\FOG\Server
 24/08/2015 11:47 RegistryHandler ERROR: Null key
 24/08/2015 11:47 RegistryHandler 32 bit registry detected
 24/08/2015 11:47 Middleware::Communication URL: http://192.168.10.60/fog/management/other/ca.cert.der
 24/08/2015 11:50 Bus Became bus server
 24/08/2015 11:50 Bus {
  "channel": "Status",
  "data": "{\r\n  \"action\": \"load\"\r\n}"
}
 24/08/2015 11:50 Bus Emmiting message on channel: Status

------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
 24/08/2015 11:50 Client-Info Version: 0.9.4
 24/08/2015 11:50 Middleware::Communication URL: http://192.168.10.60/fog/management/other/ssl/srvpublic.crt
 24/08/2015 11:52 Data::RSA CA cert found
 24/08/2015 11:52 Middleware::Authentication Cert OK
 24/08/2015 11:52 Middleware::Communication POST URL: http://192.168.10.60/fog/management/index.php?sub=authorize
 24/08/2015 11:52 Middleware::Communication Response: Invalid host certificate
 24/08/2015 11:52 Bus Registering ParseBus in channel Power

Tom Elliott

@Matthieu-Jacquart is there any corresponding apache error logs?

Matthieu Jacquart

@Tom-Elliott I have tons of error in my apache2 error.log, all due to fog
for example :

[Mon Aug 24 08:31:14.683337 2015] [:error] [pid 30298] [client 192.168.8.77:49463] PHP Warning:  mysqli::reap_async_query(): MySQL server has gone away in /var/www/html/fog/lib/db/MySQL.class.php on line 76

[Mon Aug 24 08:31:14.683376 2015] [:error] [pid 30308] [client 192.168.8.79:49467] PHP Warning:  mysqli::reap_async_query(): Error reading result set's header in /var/www/html/fog/lib/db/MySQL.class.php on line 76

[Mon Aug 24 08:31:14.683389 2015] [:error] [pid 30298] [client 192.168.8.77:49463] PHP Warning:  mysqli::reap_async_query(): Error reading result set's header in /var/www/html/fog/lib/db/MySQL.class.php on line 76

[Mon Aug 24 08:31:14.699162 2015] [:error] [pid 30308] [client 192.168.8.79:49467] PHP Warning:  mysqli::mysqli(): (HY000/2002): Connection refused in /var/www/html/fog/lib/db/MySQL.class.php on line 37

[Mon Aug 24 08:31:14.699273 2015] [:error] [pid 30308] [client 192.168.8.79:49467] PHP Warning:  mysqli::mysqli(): (HY000/2002): Connection refused in /var/www/html/fog/lib/db/MySQL.class.php on line 39

[Mon Aug 24 08:31:14.699360 2015] [:error] [pid 30308] [client 192.168.8.79:49467] PHP Warning:  mysqli::query(): Couldn't fetch mysqli in /var/www/html/fog/lib/db/MySQL.class.php on line 63

[Mon Aug 24 08:31:14.706534 2015] [:error] [pid 30308] [client 192.168.8.79:49467] PHP Warning:  mysqli::mysqli(): (HY000/2002): Connection refused in /var/www/html/fog/lib/db/MySQL.class.php on line 37

[Mon Aug 24 08:31:14.706628 2015] [:error] [pid 30308] [client 192.168.8.79:49467] PHP Warning:  mysqli::mysqli(): (HY000/2002): Connection refused in /var/www/html/fog/lib/db/MySQL.class.php on line 39

[Mon Aug 24 08:31:14.706696 2015] [:error] [pid 30308] [client 192.168.8.79:49467] PHP Warning:  mysqli::query(): Couldn't fetch mysqli in /var/www/html/fog/lib/db/MySQL.class.php on line 63

[Mon Aug 24 08:52:00.327952 2015] [:error] [pid 8707] [client 192.168.10.100:57295] PHP Fatal error:  Call to a member function get() on null in /var/www/html/fog/lib/pages/DashboardPage.class.php on line 118, referer: http://192.168.10.60/fog/management/index.php?node=client

[Mon Aug 24 12:12:31.750576 2015] [:error] [pid 5159] [client 192.168.10.100:52084] PHP Warning:  mcrypt_encrypt(): Key of size 0 not supported by this algorithm. Only keys of sizes 16, 24 or 32 supported in /var/www/html/fog/lib/fog/FOGBase.class.php on line 225

Tom Elliott

@Matthieu-Jacquart The mysqli problems you see being thrown look to me to be from an installation, rather than a consistent problem. By installation, I mean something was being requested when web services were active, but mysql or files were being updated. Meaning things simply weren’t “available” when those get thrown into the logs. Those, I think, are non-issues and should be expected but only during the time of updates/upgrades of the fog system. This could also happen in the case of your disk being 100% as the mysql process will usually die without the web server services dying. That does not look to the be the case here.

I do see the error (get() on line 118 of the DashboardPage.class.php) but that isn’t the problem with AD joining.

Matthieu Jacquart

Thanks

Since I restored my VM, I suppose AD joining will be ok, but the problem is certificate error, hostname changer didn’t work. do you know how to fix it ?
For information, I install the lastest svn with -C -K argument, after that I downloaded the new client and install it on 2 clients, but always error “Invalid host certificate”

And now with my own computer (win 10), I’ve got this

 24/08/2015 13:09 RegistryHandler 64 bit registry detected
 24/08/2015 13:09 Middleware::Communication URL: http://192.168.10.60/fog/management/other/ca.cert.der
 24/08/2015 13:43 Bus Became bus server
 24/08/2015 13:43 Bus {
  "channel": "Status",
  "data": "{\r\n  \"action\": \"load\"\r\n}"
}
 24/08/2015 13:43 Bus Emmiting message on channel: Status

------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
 24/08/2015 13:43 Client-Info Version: 0.9.4
 24/08/2015 13:43 Middleware::Communication URL: http://192.168.10.60/fog/management/other/ssl/srvpublic.crt
 24/08/2015 13:43 Middleware::Communication ERROR: Could not download file
 24/08/2015 13:43 Middleware::Communication ERROR: Impossible de se connecter au serveur distant
 24/08/2015 13:43 Middleware::Authentication ERROR: Could not authenticate
 24/08/2015 13:43 Middleware::Authentication ERROR: Le fichier spécifié est introuvable.

 24/08/2015 13:43 Bus Registering ParseBus in channel Power

------------------------------------------------------------------------------
--------------------------------HostnameChanger-------------------------------
------------------------------------------------------------------------------
 24/08/2015 13:43 Client-Info Version: 0.9.4
 24/08/2015 13:43 HostnameChanger Running...
 24/08/2015 13:43 Middleware::Communication URL: http://192.168.10.60/fog/service/servicemodule-active.php?moduleid=hostnamechanger&mac=74:27:EA:6C:AA:0D|02:50:F2:00:00:01||00:00:00:00:00:00:00:E0&newService=1
 24/08/2015 13:43 Middleware::Communication Response: Success
 24/08/2015 13:43 Middleware::Communication URL: http://192.168.10.60/fog/service/hostname.php?moduleid=hostnamechanger&mac=74:27:EA:6C:AA:0D|02:50:F2:00:00:01||00:00:00:00:00:00:00:E0&newService=1
 24/08/2015 13:43 Middleware::Communication Unknown Response: 
------------------------------------------------------------------------------

Matthieu Jacquart

I’m sorry, but has somenone a solution ?
I’ve 300 computers to fog before wednesday, i began to stress a little ^^
Thanks a lot

Joe Schmitt

I just had another person report the same “Invalid host certificate” error to me. The one thing I am absolutely positive of is that this is a server issue. I’ll let you know when I learn more.

Matthieu Jacquart

I test with removing new client and installing the old one, and everything works fine (hostname changer + AD joining).
Certificate problem between fog client and fog server…

Tom Elliott

The certificate problem is mostly likely as simple as the srvpublic.crt file is non-existent for whatever reason. I’m unable to replicate. When I push a commit, I update two servers, one running Fedora and one running Ubuntu. Right now they’re Fedora 22 and Ubuntu 15.04 just so I can get as broad as possible in testing the GUI and installer function properly on even “current” releases of OS. Part of the initial installer is the creation of the server’s keys. After that, the only thing that is performed is a certificate generation.

I need more info if at all possible.

Matthieu Jacquart

Ok

This morning, I reinstall fog with 6C 6K parameters and thse file where created in “/var/www/fog/management/other/”

-rw-r--r--  1 www-data www-data  1287 août  25 08:01 ca.cert.der
-rw-r--r--  1 www-data www-data  1797 août  25 08:01 ca.cert.pem
-rw-r--r--  1 www-data www-data 35147 août  25 08:00 gpl-3.0.txt
-rw-r--r--  1 www-data www-data    89 août  25 08:00 hostimport.csv
-rw-r--r--  1 www-data www-data  4493 août  25 08:00 index.php
drwxr-xr-x  2 www-data www-data  4096 août  25 08:01 ssl

and in ssl folder, I’ve got

-rw-r--r-- 1 www-data www-data 1679 août  25 08:01 srvpublic.crt

With 0.3 client all is ok, with 0.9.4 client all is ok in log for printers or snapin, communication seems good with server, but certificate error…

Tom Elliott

@Matthieu-Jacquart If what I’m reading from the messages is correct, for the authorize section of the log you provided, it’s stating it could not download the .crt file. Followed by, failed to connect to server?

Does this sound accurate?

Tom Elliott

@Matthieu-Jacquart If what I’m reading from the messages is correct, for the authorize section of the log you provided, it’s stating it could not download the .crt file. Followed by, failed to connect to server?

Does this sound accurate?

Does the file exist:

/var/www/html/fog/management/other/ca.cert.der or /var/www/fog/management/other/ca.cert.der