• Recent
    • Unsolved
    • Tags
    • Popular
    • Users
    • Groups
    • Search
    • Register
    • Login

    Invalid Token.dat with Deep Freeze

    Scheduled Pinned Locked Moved
    General Problems
    3
    7
    700
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      PCF24
      last edited by

      Hello everyone,
      We would like to install software on the student computers in the future. Unfortunately we have a problem with the FOG Client Token. We use Deep Freeze as protection software. This software does not allow changes to be retained on the hard drive. After a restart, all changes to the operating system are reset.
      The token.dat is also reset and the FOG client can no longer communicate with the server. Invalid Token.dat appears in the log.
      If we go to “Reset Encryption Data” on the host in the FOG server, it works again.
      Can you switch off token renewal on the client?
      Or perhaps you can simply use the FOG API to automatically “Reset Encryption Data” on all clients every DAY.
      Or can you switch off the checking of the token?
      Thanks in advance.
      Heinz

      Tom ElliottT 1 Reply Last reply Reply Quote 0
      • Tom ElliottT
        Tom Elliott @PCF24
        last edited by

        @PCF24 The whole point of the “token” is to ensure the system is a “known” device from fogs perspective. This way it’s a 2 way trust between the FOG server and the FOG client.

        Since there’s exchange of information such as Hostname, AD join, Printer installs, Snapins, etc…, we wouldn’t want that being exchanged in plain text to just any ol’ system.

        If you configure your base image to have all the software/drivers/printers, necessary, then work with Deep Freeze, you shouldn’t need the FOG Client on the image at all.

        Just my 2 cents.

        The whole point of the Client is to allow changes using the UI. Since you’re using a system to prevent changes the FOG Client (in my opinion) is basically pointless to have on your machines.

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

        Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

        Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

        P 1 Reply Last reply Reply Quote 0
        • P
          PCF24 @Tom Elliott
          last edited by

          @Tom-Elliott
          Thank you very much for your reply.
          The Fog Client definitely makes sense for software distribution. The image is rolled out once, after which the software should be kept up to date via the software distribution. This means that the software on the computers is more up-to-date and you hardly have to do any work. This is how we currently do it with a different software distribution. But I would like to use the software distribution from FOG.

          I just don’t understand why the FOG client has to update the token every time the computer starts.
          If the Fog Client only did this once at the very beginning (first commissioning), security would also be guaranteed. The Token.dat is currently updated every time a user logs in.
          Even with Windows you can define that the computer account should not be updated so that the computer does not fall out of the domain. Otherwise Deep Freeze would not work at all in a Windows domain.
          If necessary, I have to move the FOGClient to an unprotected partition. But that would be a lot of work with 1500 computers.

          Is there perhaps a way that I could automatically run “Reset Encryption Data”. That would save me a lot of work.
          Thanks

          Tom ElliottT 1 Reply Last reply Reply Quote 0
          • Tom ElliottT
            Tom Elliott @PCF24
            last edited by

            @PCF24 you could create a trigger I suppose, or a crontab that runs form the fog server to clear all the hosts sec token data. I can’t give you the exact commands but that would do the trick. Maybe somebody with more backend knowledge of the mysql and sending queries as part of the shell script could help out a lot more?

            Not that I couldn’t figure it out, but I’m unable to at the moment.

            Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

            Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

            Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

            P 1 Reply Last reply Reply Quote 0
            • P
              PCF24 @Tom Elliott
              last edited by

              @Tom-Elliott
              Something like that would be extremely helpful to me. I don’t know enough about the backend. Maybe some of you have more information about this.
              Thanks

              1 Reply Last reply Reply Quote 0
              • P
                PCF24
                last edited by

                Hello everyone,
                I would also pay for the effort if one of you sent me a script that I could run via crontab.
                Thanks

                R 1 Reply Last reply Reply Quote 0
                • R
                  rodluz Developer @PCF24
                  last edited by

                  @PCF24 Here is a quick and dirty script to reset all your hosts.
                  I tested it with two hosts and it is working for me. I don’t want to reset all my hosts.

                  You will have to paste your FOG server IP, FOG user api token, and FOG settings api token to the script.
                  You will also need to install jq in your FOG server.
                  Debian base: sudo apt install jq. RHEL based: sudo dnf install jq

                  #!/bin/bash

server_ip="http://10.10.10.10"
fog_user_token="PASTE_YOUR_USER_API_TOKEN_HERE"
fog_api_token="PASTE_YOUR_FOG_SETTINGS_API_TOKEN_HERE"

all_hosts=$(curl -S -s -X GET -H 'content-type: application/json' -H "fog-user-token: $fog_user_token" -H "fog-api-token: $fog_api_token" $server_ip/fog/host/ | jq '.hosts[]')
all_ids=$(echo "$all_hosts" | jq '.id')
all_ids=${all_ids//\"/}

for host_id in $all_ids
do
        curl -S -s -o /dev/null -H "fog-user-token: $fog_user_token" -H "fog-api-token: $fog_api_token" -X PUT -d '{"pub_key":""}' $server_ip/fog/host/$host_id/edit
        curl -S -s -o /dev/null -H "fog-user-token: $fog_user_token" -H "fog-api-token: $fog_api_token" -X PUT -d '{"sec_tok":""}' $server_ip/fog/host/$host_id/edit
        curl -S -s -o /dev/null -H "fog-user-token: $fog_user_token" -H "fog-api-token: $fog_api_token" -X PUT -d '{"sec_time":"0000-00-00 00:00:00"}' $server_ip/fog/host/$host_id/edit
done
                  1 Reply Last reply Reply Quote 0
                  • 1 / 1
                  • First post
                    Last post

                  159

                  Online

                  12.0k

                  Users

                  17.3k

                  Topics

                  155.2k

                  Posts
                  Copyright © 2012-2024 FOG Project