• Recent
    • Unsolved
    • Tags
    • Popular
    • Users
    • Groups
    • Search
    • Register
    • Login

    snappin doesn't work

    Scheduled Pinned Locked Moved Unsolved
    FOG Problems
    6
    39
    9.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Tom ElliottT
      Tom Elliott @lebrun78
      last edited by

      @lebrun78 Well, if it’s “installing MS Office, as the file kind of suggests” I’m guessing the PS1 has to either download the installer files and/or start the installer files across a network share. Are you setting the installation in a “silent” mode? Does running it manually on the command line cause you to do user inputs or not?

      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

      L 1 Reply Last reply Reply Quote 0
      • L
        lebrun78 @lebrun78
        last edited by

        Should it be a path problem ? Should fog client install the script from c:\program file x86\fog\tmp ?

        Fog Version: Fog 1.5.10
        Server OS: AlmaLinux release 8.8

        1 Reply Last reply Reply Quote 0
        • L
          lebrun78 @Tom Elliott
          last edited by

          @Tom-Elliott
          No because it was not working with office2010, I try it with a script to install videolan player which is very lighter

          Fog Version: Fog 1.5.10
          Server OS: AlmaLinux release 8.8

          1 Reply Last reply Reply Quote 0
          • Tom ElliottT
            Tom Elliott
            last edited by

            So what is the point of the fog_instoffice2010.ps1 file?

            Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

            Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

            Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

            1 Reply Last reply Reply Quote 0
            • L
              lebrun78
              last edited by

              fog_inst_office2010.ps1 is a script to mount p: with authentication and call a bat script

              Fog Version: Fog 1.5.10
              Server OS: AlmaLinux release 8.8

              L 1 Reply Last reply Reply Quote 0
              • L
                lebrun78 @lebrun78
                last edited by lebrun78

                here is this extract of windows powershell log in windows events viewer
                1st run by snap in:
                alt text

                2nd by manual command line that works:
                alt text

                I don’t understand !

                Witch trigger mark snapin task ended in web console ?

                Fog Version: Fog 1.5.10
                Server OS: AlmaLinux release 8.8

                1 Reply Last reply Reply Quote 0
                • J
                  Joe Schmitt Senior Developer
                  last edited by

                  @lebrun78 snapins run as SYSTEM (this is like a limited root on unix). If a script works when run manually but not as a snapin, then your script is not SYSTEM compliant. Usually its an issue when someone tries to use network shares, which it appears you are doing. SYSTEM is an non domain user, so if your network share requires someone to be domained user to access it, that’s one potential issue. Ultimately this is a network share issue, and without see exactly how you are mounting / using it, we cannot help.

                  Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                  L 1 Reply Last reply Reply Quote 0
                  • Wayne WorkmanW
                    Wayne Workman @lebrun78
                    last edited by Wayne Workman

                    @Joe-Schmitt he’s using the powershell script to mount & then call another script. But yes, how it’s being done matters and we need to know.

                    @lebrun78 said in snappin doesn't work:

                    hello
                    -programme is an option of the script fog_inst_office2010.ps1

                    fog_inst_office2010.ps1 is a script to mount p: with authentication and call a bat script

                    Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                    Daily Clean Installation Results:
                    https://fogtesting.fogproject.us/
                    FOG Reporting:
                    https://fog-external-reporting-results.fogproject.us/

                    1 Reply Last reply Reply Quote 0
                    • L
                      lebrun78
                      last edited by

                      Here is the power shell code.
                      We have no domain

                      param (
                          [String] $programme
                      )
                      $user = "install"
                      $pwd = "1234500000000000000000000000000000000000000000000000000000AAAA="
                      $serveur = "\\fileserver.istic.univ-rennes1.fr\partage"
                      $cert = $(Get-ChildItem cert:\CurrentUser\TrustedPublisher | where {$_.Subject -eq "CN=ISTIC/ESIR Signature"})
                      $tab_key = @()
                      foreach ($i in $cert.SerialNumber.ToCharArray()){$tab_key += [convert]::ToInt16($i,16)}
                      $password = ConvertTo-SecureString -key $tab_key -string $pwd
                      $credential = New-Object -TypeName system.management.Automation.PSCredential -ArgumentList $user, $password
                      
                      #net use p: $dossier_partage /p:n /u:$($credential.GetNetworkCredential().username) $($credential.GetNetworkCredential().password)
                      if (!(Test-Path -Path p:)){
                          $net = new-object -ComObject WScript.Network
                          $net.MapNetworkDrive("p:", $serveur, $false, $credential.GetNetworkCredential().UserName,$credential.GetNetworkCredential().password)
                      }
                      
                      #lorsque l'on lance un script powershell, si il y avait des espaces dans le nom, cela ne passait pas 
                      #lorsque l'on faisait un start-process et ce nom en argument. Donc on utilise plutot le nom court
                      $prog_court = (New-Object -ComObject Scripting.FileSystemObject).GetFile($programme).ShortPath
                      					
                          write-host "$(hostname):Dossier de l'installer $($dossier_installer)"
                      	write-host ""
                      	write-host "$(hostname):lancement de $($programme)"
                          write-host "$(hostname):lancement de $($prog_court)"
                      
                      #start-process -FilePath $programme -wait -NoNewWindow
                      $dossier_installer = $((get-item -path $programme).DirectoryName)
                      
                      if (!(Test-Path -Path "$dossier_installer\logs_fog_install")){New-Item -ItemType directory -Path "$dossier_installer\logs_fog_install"}
                      $extension = (get-item -path $programme).Extension
                      if ($extension -eq ".bat" -or $extension -eq ".cmd") {
                      	#write-host "$env:COMPUTERNAME:C'est un script bat"
                      	start-process -FilePath $prog_court -wait -NoNewWindow -RedirectStandardOutput ${dossier_installer}\logs_fog_install\${env:COMPUTERNAME}_log.txt -RedirectStandardError ${dossier_installer}\logs_fog_install\${env:COMPUTERNAME}_error.txt
                      }
                      if ($extension -eq ".ps1") {
                      	#write-host "$env:COMPUTERNAME:C'est un script powershell"
                      	$policy = Get-ExecutionPolicy
                      	Set-ExecutionPolicy AllSigned
                      	start-process -FilePath PowerShell -Arg $prog_court -wait -NoNewWindow -RedirectStandardOutput ${dossier_installer}\logs_fog_install\${env:COMPUTERNAME}_log.txt -RedirectStandardError ${dossier_installer}\logs_fog_install\${env:COMPUTERNAME}_error.txt
                      	Set-ExecutionPolicy $policy
                      }
                      
                      #net use p: /delete
                      $net.RemoveNetworkDrive("p:")
                      
                      # SIG # Begin signature block
                      # MIIECAYJKoZIhvcNAQcCoIID+TCCA/UCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB
                      # gjcCAQSgWzBZM888888888888888888888888888888888888888sITrck0sYpfvNR
                      # AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUtCNKzTzpJy5lu9elxjbUrgg6
                      # IN6gggIiMIICHjCCAYugAwIBAgIQ1lzBhsDQvaJIVRttke8WMjAJBgUrDgMCHQUA
                      # MBwxGjAYBgNVBA0000000000000000000000000000000MDEyMDE0NDkzMloX
                      # DTM5MTIzMTIzNTk1OVowHzEdMBsGA1UEAxMUSVNUSUMvRVNJUiBTaWduYXR1cmUw
                      # gZ8wDQY555555555555555555555555555555555555555555555555555555eWWBCfR
                      # uEdEBxWynlykfLTyteMRiJO3TywGgvhoGX0V+hZpUBeqQLD7q3Qs0npuhWr9COSt
                      Insert Code Here
                      

                      Fog Version: Fog 1.5.10
                      Server OS: AlmaLinux release 8.8

                      JJ FullmerJ 1 Reply Last reply Reply Quote 0
                      • L
                        lebrun78 @Joe Schmitt
                        last edited by

                        @Joe-Schmitt ght.
                        I changed the user account joined to fogservice and it works now.
                        Install is now the user account used by fogservice

                        Thanks

                        Fog Version: Fog 1.5.10
                        Server OS: AlmaLinux release 8.8

                        Wayne WorkmanW 1 Reply Last reply Reply Quote 0
                        • Wayne WorkmanW
                          Wayne Workman @lebrun78
                          last edited by

                          @lebrun78 said in snappin doesn't work:

                          I changed the user account joined to fogservice and it works now.
                          Install is now the user account used by fogservice

                          So you changed the user account to SYSTEM ?

                          Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                          Daily Clean Installation Results:
                          https://fogtesting.fogproject.us/
                          FOG Reporting:
                          https://fog-external-reporting-results.fogproject.us/

                          L 1 Reply Last reply Reply Quote 0
                          • L
                            lebrun78 @Wayne Workman
                            last edited by

                            @Wayne-Workman
                            I changed the account associated to fogesevrvice from local system account to install
                            alt text

                            Fog Version: Fog 1.5.10
                            Server OS: AlmaLinux release 8.8

                            1 Reply Last reply Reply Quote 0
                            • J
                              Joe Schmitt Senior Developer
                              last edited by Joe Schmitt

                              @lebrun78 that indicates it’s a network share permission issue or a script issue, as we have been saying. While that may work, you have to alter every machine and is a work-a-round for the underlying issue. If its a network share permission, fixing the network share permissions to allow for SYSTEM access (even if just to a single public folder) is the route we recommend. If its an issue with how you mount/decrypt your share, then it just needs to be made SYSTEM compatible. The client was built with SYSTEM permissions in mind, and therefore I cannot vouch for the security, or functionality, of the client running as a different user.

                              Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                              L 1 Reply Last reply Reply Quote 1
                              • L
                                lebrun78 @Joe Schmitt
                                last edited by

                                @Joe-Schmitt
                                My cisf server is a samba server.
                                How could it be accessible by a client system account ?

                                Fog Version: Fog 1.5.10
                                Server OS: AlmaLinux release 8.8

                                1 Reply Last reply Reply Quote 0
                                • J
                                  Joe Schmitt Senior Developer
                                  last edited by Joe Schmitt

                                  @lebrun78 We had no idea this wasn’t a windows network share (if you already mentioned that, I overlooked it, sorry). Most people use them, so we assume that by default. I may be wrong here, but that would point to more of a script issue. I think @JJ-Fullmer is working on a post in this thread about mounting a share in powershell using SYSTEM. It could also be how you get your Certificate from the cert store (cert:\CurrentUser\TrustedPublisher). SYSTEM is sometimes not considered a user, and is instead considered the LocalMachine in the cert store. Basically I would recommend adding some debugging statements to your script and see where its failing (e.g. if its getting the cert correctly, or if its just the mounting code thats going wrong).

                                  Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                                  JJ FullmerJ 1 Reply Last reply Reply Quote 0
                                  • JJ FullmerJ
                                    JJ Fullmer Testers
                                    last edited by

                                    @lebrun78
                                    So looking at how you map the drive, I think that may be where the problem lies. With Powershell scripts mounting a drive defaults to stay in the scope of the script running it. So in other words it won’t persist once the script ends.
                                    My recommendation is you change it up a little bit by using the New-PSDrive method with a few specific arguments.

                                    Anyway…
                                    Instead of doing this

                                    if (!(Test-Path -Path p:)){
                                        $net = new-object -ComObject WScript.Network
                                        $net.MapNetworkDrive("p:", $serveur, $false, $credential.GetNetworkCredential().UserName,$credential.GetNetworkCredential().password)
                                    }
                                    

                                    Try this

                                    if (!(Test-Path -Path p:)){
                                        New-PSDrive -Name "P:" -Scope Global -PSProvider FileSystem -Persist -Root $serveur -Credential $credential;
                                    #The -Persist switch and setting the scope to Global ensure that your drive is mounted outside of the script. 
                                    #This also lets you use your PowerShell Credential object without converting it to plain text when its used in the command (Which is what .GetNetworkCredential().password does
                                    }
                                    

                                    Then at the end of the script you do this to remove the PSDrive

                                    Remove-PSDrive -Force -Scope Global -Name "P:"; 
                                    

                                    One other thing you may need to do is enablelinkedconnections. It’s a registry key at
                                    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\enablelinkedconnections

                                    If you create and set that key as a REG_DWORD with Value data 0x1 (1) it will make it so you can see all mounted drives from an admin prompt. By default, drives mounted by a user in standard mode won’t show up if you run get-psdrive in an admin prompt and vice versa. Setting that reg key makes it so they can see one another which will ensure the system account that runs the fog service will be able to access the mounted drive. This security “feature” of the drives not being visible to elevated/non-elevated is a part of windows UAC.

                                    You can create this key with powershell like so

                                    $regKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\enablelinkedconnections";
                                    if (!(Test-Path $regKey) {
                                        New-Item -Path $regKey -Force
                                    }
                                    New-ItemProperty -Path $regKey -Name "enableLinkedConnections" -Value "1" -PropertyType DWORD -Force;
                                    

                                    Also, a side note, you can pipe the secure pw to a file stored on the local machine to make it so you don’t have to create the secure string and have any sort of password in plain text. Just make sure that it can only be read by the System and admin accounts. i.e. add a hidden folder to the fog service called keys, or secure, or even just ~, and lock it down to only allow admin access. Then as part of your image you can store secure pw files for mounting drives with powershell without needing to put your password in plain text in a file anywhere. You just do the key the same way since its needed for decryption, and you just put the path to the password file. And you have to be an admin to run the secure string commands and an admin to access the pw file and the cert file, so there’s not really a risk of a non admin being able to see the decrypted password. Just a thought that might help simplify writing scripts. Personally I made a module for mounting shares with powershell I use in my install scripts.
                                    The contents of the password file would look like what you are putting into your $pwd string variable, so you could essentially copy and paste that into a text file.
                                    Or run $pwd | ConvertFrom-SecureString -key $tab_key | Out-File "C:\Program Files (x86)\Fog\secure" You could put the pw file anywhere you want really.

                                    One other note that might be causing problems is that you should try not using $pwd as a custom variable because it is already a alias system variable for the Get-Location command. So it’s possible, although maybe not super likely, that the $pwd variable could be reset to your working directory. So maybe try changing that to $pw instead.

                                    Hopefully that’s all some helpful information.

                                    Have you tried the FogApi powershell module? It's pretty cool IMHO
                                    https://github.com/darksidemilk/FogApi
                                    https://fogapi.readthedocs.io/en/latest/
                                    https://www.powershellgallery.com/packages/FogApi
                                    https://forums.fogproject.org/topic/12026/powershell-api-module

                                    1 Reply Last reply Reply Quote 3
                                    • JJ FullmerJ
                                      JJ Fullmer Testers @Joe Schmitt
                                      last edited by JJ Fullmer

                                      @Joe-Schmitt said in snappin doesn't work:

                                      @lebrun78 We had no idea this wasn’t a windows network share (if you already mentioned that, I overlooked it, sorry). Most people use them, so we assume that by default. I may be wrong here, but that would point to more of a script issue. I think @JJ-Fullmer is working on a post in this thread about mounting a share in powershell using SYSTEM. It could also be how you get your Certificate from the cert store (cert:\CurrentUser\TrustedPublisher). SYSTEM is sometimes not considered a user, and is instead considered the LocalMachine in the cert store. Basically I would recommend adding some debugging statements to your script and see where its failing (e.g. if its getting the cert correctly, or if its just the mounting code thats going wrong).

                                      If the SYSTEM account isn’t able to access the cert store. You can also create a AES key instead of a cert that can be stored like the secure password file I mentioned in my other post. Thus keeping the security of the ps credential objects
                                      i.e.

                                      $pth = "C:\path\to\locked\down\local\folder";
                                      $keyFile1="$pth\~.key";
                                      $AESkey1 = New-Object Byte[] 32;
                                      [Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($AESkey1);
                                      $AESkey1 | out-file $keyFile1;
                                      

                                      You can then use a variable pointing to that file in place of $tab_key in your script.

                                      Also something else I just remembered. A great way to troubleshoot powershell and batch scripts being run as the system account is using psexec to run a powershell prompt as the system user.
                                      You can download Psexec as part of PSTools from here https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
                                      Then you can run the following to open a interactive powershell console as the System user to test your scripts

                                      cd C:\Path\To\Downloaded\Extracted\PSTools
                                      .\Psexec.exe -i -s powershell.exe # opens powershell console as system user, confirm it with the whoami command, should say NT Authority\system
                                      .\PSexec.exe -i -s cmd.exe # Opens command prompt as system user, confirm with whoami command.
                                      

                                      Have you tried the FogApi powershell module? It's pretty cool IMHO
                                      https://github.com/darksidemilk/FogApi
                                      https://fogapi.readthedocs.io/en/latest/
                                      https://www.powershellgallery.com/packages/FogApi
                                      https://forums.fogproject.org/topic/12026/powershell-api-module

                                      1 Reply Last reply Reply Quote 2
                                      • JJ FullmerJ
                                        JJ Fullmer Testers @lebrun78
                                        last edited by

                                        Also, for debugging.
                                        If you put the script into a function and add [cmdletBinding()] you can run it with -debug
                                        which means you can add lines like Write-Debug “variables is $variable”; that will only show up when -debug is specified and will pause for you. You can also add Write-Verbose “messages”; that only show
                                        i.e. to do it while still running it as a ps1 script with arguments you’d have to be a little tricky. If you mad the script a .psm1 and added a export-modulemember -function funcName; line at the end and then ran this in a ps console ipmo -Force -Global \path\to\psm1; you could then run your script as a function that you can import into any script or console and add the -Debug and or -Debug lines directly when running the function

                                        param (
                                            [String]$programme, [switch]$debug, [switch]$verbose
                                        )
                                        
                                        function installProgramme {
                                            [CmdletBinding()]
                                            param (
                                                [String] $programme
                                            )
                                            $user = "install"
                                            $pwd = "1234500000000000000000000000000000000000000000000000000000AAAA="
                                            $serveur = "\\fileserver.istic.univ-rennes1.fr\partage"
                                            $cert = $(Get-ChildItem cert:\CurrentUser\TrustedPublisher | where {$_.Subject -eq "CN=ISTIC/ESIR Signature"})
                                            $tab_key = @()
                                            foreach ($i in $cert.SerialNumber.ToCharArray()){$tab_key += [convert]::ToInt16($i,16)}
                                            $password = ConvertTo-SecureString -key $tab_key -string $pwd
                                            $credential = New-Object -TypeName system.management.Automation.PSCredential -ArgumentList $user, $password
                                        
                                            Write-Verbose "Attempting to mount $serveur...";
                                        
                                            #net use p: $dossier_partage /p:n /u:$($credential.GetNetworkCredential().username) $($credential.GetNetworkCredential().password)
                                            if (!(Test-Path -Path p:)){
                                                $net = new-object -ComObject WScript.Network
                                                $net.MapNetworkDrive("p:", $serveur, $false, $credential.GetNetworkCredential().UserName,$credential.GetNetworkCredential().password)
                                            }
                                        
                                            Write-Debug "Check if P is mounted...";
                                        
                                            #lorsque l'on lance un script powershell, si il y avait des espaces dans le nom, cela ne passait pas 
                                            #lorsque l'on faisait un start-process et ce nom en argument. Donc on utilise plutot le nom court
                                            $prog_court = (New-Object -ComObject Scripting.FileSystemObject).GetFile($programme).ShortPath
                                                                
                                                write-host "$(hostname):Dossier de l'installer $($dossier_installer)"
                                                write-host ""
                                                write-host "$(hostname):lancement de $($programme)"
                                                write-host "$(hostname):lancement de $($prog_court)"
                                        
                                            #start-process -FilePath $programme -wait -NoNewWindow
                                            $dossier_installer = $((get-item -path $programme).DirectoryName)
                                        
                                            if (!(Test-Path -Path "$dossier_installer\logs_fog_install")){New-Item -ItemType directory -Path "$dossier_installer\logs_fog_install"}
                                            $extension = (get-item -path $programme).Extension
                                            if ($extension -eq ".bat" -or $extension -eq ".cmd") {
                                                #write-host "$env:COMPUTERNAME:C'est un script bat"
                                                start-process -FilePath $prog_court -wait -NoNewWindow -RedirectStandardOutput ${dossier_installer}\logs_fog_install\${env:COMPUTERNAME}_log.txt -RedirectStandardError ${dossier_installer}\logs_fog_install\${env:COMPUTERNAME}_error.txt
                                            }
                                            if ($extension -eq ".ps1") {
                                                #write-host "$env:COMPUTERNAME:C'est un script powershell"
                                                $policy = Get-ExecutionPolicy
                                                Set-ExecutionPolicy AllSigned
                                                start-process -FilePath PowerShell -Arg $prog_court -wait -NoNewWindow -RedirectStandardOutput ${dossier_installer}\logs_fog_install\${env:COMPUTERNAME}_log.txt -RedirectStandardError ${dossier_installer}\logs_fog_install\${env:COMPUTERNAME}_error.txt
                                                Set-ExecutionPolicy $policy
                                            }
                                        
                                            #net use p: /delete
                                            $net.RemoveNetworkDrive("p:")
                                        }
                                        #create string to run function
                                        $runFunc = "installProgramme $programme";
                                        
                                        if($debug){
                                            $runFunc += " -Debug";
                                        }
                                        if($verbose) {
                                            $runFunc += " -Verbose";
                                        }
                                        $runFunc += ";";
                                        Invoke-Expression $runFunc;
                                        

                                        Have you tried the FogApi powershell module? It's pretty cool IMHO
                                        https://github.com/darksidemilk/FogApi
                                        https://fogapi.readthedocs.io/en/latest/
                                        https://www.powershellgallery.com/packages/FogApi
                                        https://forums.fogproject.org/topic/12026/powershell-api-module

                                        1 Reply Last reply Reply Quote 1
                                        • 1
                                        • 2
                                        • 2 / 2
                                        • First post
                                          Last post

                                        148

                                        Online

                                        12.0k

                                        Users

                                        17.3k

                                        Topics

                                        155.2k

                                        Posts
                                        Copyright © 2012-2024 FOG Project