Fog Active Directory autofill issues

neodawg

Having some issues with the latest (7498). I noticed that after upgrading from 1.2.0 that for every host it changed the AD join username from what I had set to “fog” thus breaking every clients domain join function.

So I thought I would create a group of ALL hosts like I have done in the past and update the AD info for them, however when check the box it autofills everything like it should but the New Fog Client password appears to be different that what is set in the Fog Settings page defaults. So I paste in the clear text password for it and hit update, says it updated all the clients. Am I wrong to update with the cleartext password? (my theory being that encrypting the already encrypted password)

But if I go look at any of the clients, nothing got updated.

Then under each host, if I clear everything out and hit the check box to autofill it only fills in the legacy client password.
EDIT: appears, that it only does this for some hosts, a newly registered one works the same as the group autofill above.

Thanks for your thoughts

Wayne Workman

While there might actually be some sort of issue going on - I should first bring you up to speed with the specific differences in AD credentials between 1.2.0 and the current FOG Trunk (what will be 1.3.0).

1. There is a default domain username and a default password, and a default legacy password. These fields are inside of FOG Configuration -> FOG Settings.

2. The regular password is typed in as clear text. When you save the entry, it’s encrypted. If you view the password in the future, you just see the encrypted string.

3. The legacy password field requires fogcrypt still. It works, but is generally advised against due to security concerns.

4. The default username/password fields are just place-holders. You apply them to a host or group simply by checking the “Join domain” checkbox as you already have found, or by saying “Yes” to joining a domain during network booting full registration. The fields populate with whatever you have set as the defaults. However, you may specify individual credentials and domains per host or group as you wish. Same principals still apply - legacy password requires usage of fogcrypt, and the new password is typed plaintext and encrypted upon saving.

5. When the regular (the new) AD password is applied to a individual host, it’s re-encrypted. This makes it just that much more secure. It’s not re-encrypting the already encrypted password, but rather decrypting and re-encrypting using the host’s public key I think. @jbob @Tom-Elliott clarification?

6. Many browser’s auto-fill functionality is an on-going issue. It’s because of how browsers are designed. They assume you have only one set of credentials for a site. But, the FOG web interface has quite numerous username and password fields. So autofill has bitten all of us at some point. There are ways to work around it - just being careful and thoughtful being number one. I don’t click save on ANY page in FOG that has a username / password field exposed unless I type it in myself right then and there - even if that’s not the field I came to edit. Another way is to use the FOG Interface in your browser’s “anonymous/incognito/private” mode. This way, it doesn’t have any stored credentials to fill into fields for you.

Now that those things are out of the way, how do you know that after updating a group, the hosts are not updated? What exactly is your work-flow (click for click)? Where are you checking? Just in the web interface or in the database itself?

neodawg

Thanks replying @Wayne-Workman
Some background on me, I have been dabbling with 1.3.0 as you guys have been working on for the last year.

1 . Yep, got it, thats where I am setting the correct passwords. Took me a little clicking around to realize the new client was using a AD password yet.
2. yep, got it.
3. yep, used it many times.
4. Ok, so your saying that no matter what the host fields have in them it will just use the defaults from the Fog Settings page? Previously it would autofill these ‘placeholders’ in so that you know it was set.
5. This, make sense, as each time I clear fields on a host and then check the box and watch the autofill, the new AD password changes its encrypted form. Default=6da1956736 HostField1=64a7977 HostField2=d0506078 (All truncated for security)
6. I have experienced this issue around the site, I am aware of it the issues and use the private/incognito modes when needed.

I am only checking in the web interface, however I did just install phpMyAdmin and checked the newly registered host(at bottom) and that shows the same as the web interface.
My work flow is this:
Make a group with All the hosts.
Goto the ‘All’ group I just created
Goto the AD page of the group
Check the Join Domain box
I see today its pulling everything from the defaults.
It auto-filled, the domain, domain username, and both new AD password (different again) and the legacy
Hit update
Page refreshes in about 1 second and says Group Info updated at the top of the page
Goto any host
Goto the AD settings page for said host
see that the box is checked to join, domain is there, domain username is wrong, its ‘fog’ and should have either been ‘fogadd’ or now ‘fogjoin’ (never used the username fog, this was changed when i updated from 1.2.0)
The new AD password field has the old legacy password in it (daa5c) which was used with the ‘fogadd’ account
the legacy password field is blank. This password is NOT set anywhere on the defaults page.

If I look at a host I registered and uploaded an image from on the new version 7498, this is what I see on that hosts AD settings page:
join box is not checked
all other boxes are blank

Hopefully this helps, there is 1700+ hosts on here so maybe there is too many to update all at once?

Wayne Workman

@neodawg said in Fog Active Directory autofill issues:

Ok, so your saying that no matter what the host fields have in them it will just use the defaults from the Fog Settings page? Previously it would autofill these ‘placeholders’ in so that you know it was set.

When the fields are set for an individual host, you should see “stuff” in those fields.

neodawg

@Wayne-Workman

I have no need to set any host individually, they all need to join the same domain. Other than checking or unchecking ‘join domain’ box.

Would you like me to gather a video or some screen shots?

Wayne Workman

@neodawg said in Fog Active Directory autofill issues:

@Wayne-Workman

I have no need to set any host individually, they all need to join the same domain. Other than checking or unchecking ‘join domain’ box.

Would you like me to gather a video or some screen shots?

A video would help illustrate exactly what’s happening. Also - I don’t individually mess with client settings either, except when building an image. I temporarily disable the AD stuff for the golden machine. But, when setting AD settings through groups, those settings get applied to the hosts in the group, not the group itself. The best way I’ve described it to people is - when you set settings on a group, those settings fall through the group and land on the hosts. Nothing in the group itself is preserved or persistent currently.

neodawg

Right,

Thats what I remember and have experienced with groups. But in this case those AD settings are not being applied to the hosts.

I will work on a video for you.

Wayne Workman

@neodawg No need, we understand what is happening now. Apache error logs immediately after you try to set the setting through groups?

What OS is FOG running on?

neodawg

@Wayne-Workman

Fresh install of CentOS 7 x64

Also on that note, the installer doesnt seem to install PHP 5.6 from webtastic repo instead just uses PHP from base/epel. Thus I just modified the packages it was looking for be php56w* instead of php*

Anything you need from me?

Wayne Workman

@neodawg Yes, immediately after you set AD settings via a group on hosts, please provide your apache error logs. This is available here:
Web Interface -> FOG Configuration -> Log Viewer -> Apache Error Logs

Please be sure that the logs you copy are from the correct time.

neodawg

I dont see any errors related to trying to update the group infomation, this is what I have:

[Mon May 09 15:21:35.303216 2016] [:error] [pid 13319] [client 10.0.10.188:51225] PHP Warning: array_map(): An error occurred while invoking the map callback in /var/www/html/fog/lib/fog/fogcontroller.class.php on line 197
[Mon May 09 15:16:32.934303 2016] [:error] [pid 13452] [client 10.0.10.188:51217] PHP Warning: array_map(): An error occurred while invoking the map callback in /var/www/html/fog/lib/fog/fogcontroller.class.php on line 197```

Wayne Workman

@neodawg How are you sure your group has all hosts?

neodawg

Yep, checked that several times and checked several hosts. Here is a video clip of what I am doing:

Video

Wayne Workman

@neodawg can you try to replicate using a group with two hosts? A video isn’t necnecessary for this test.

I’m just wondering if the issue is due to the number of hosts somehow, and this simple test would tell us.

Tom Elliott

@neodawg can you try updating? I cannot replicate.

neodawg

@Tom-Elliott

Thanks, seems to be working great now, the update fixed the issue with setting the All group AD settings. Now running 7591.

On a side note I was able to fix the install issues by getting rid of the webtastic repo and using remi and replacing PHP from webtastic to remi.

neodawg

Sorry to bring this up again, but having the same issue. Different fog server however. using build 8179.

I created a small group of hosts ~25 and went to the group page, checked the box and it didn’t autofill the form, thought OK, remembering this thread that didn’t necessarily matter. Then went to a host and saw the box was checked to join and the old information that was in there was now gone. I then tried to update the individual host by clearing the fields and hitting the join box, still didn’t autofill, checked the defaults in Settings and that was still there and correct. I believe this was working on SVN5675.

Browser is Chrome 51. (Now that I think about it I think my chrome updated last week sometime)(perhaps chrome issue?)
Tried MS Edge, Works as expected.

Can someone verify my results?