Active Directory registration not working Windows 7 x64 client



  • I’m trying to image a set of new Lenovo 11E laptops we got in. Everything is working hunky-dory except for adding the machine to the domain. Our server (Ubuntu 12.04 running FOG 1.2.0) is doing a great job with all other clients (all Win 7 x86), but these never get added. In the fog log I’m seeing the following:

    [QUOTE] 8/23/2014 11:48 AM FOG::HostRegister Module is active…
    8/23/2014 11:48 AM FOG::MODDebug Module has finished work and will now exit.
    8/23/2014 11:48 AM FOG::AutoLogOut Module is active…
    8/23/2014 11:48 AM FOG::HostRegister No action was taken.
    8/23/2014 11:48 AM FOG::AutoLogOut Timeout value is Zero, disabling module.
    8/23/2014 11:48 AM FOG::HostnameChanger Attempting to connect to fog server…
    8/23/2014 11:48 AM FOG::HostnameChanger Module is active…
    8/23/2014 11:48 AM FOG::HostnameChanger Index was outside the bounds of the array.
    8/23/2014 11:48 AM FOG::HostnameChanger at FOG.HostNameChanger.changeHostName()
    8/23/2014 11:48 AM FOG::GUIWatcher Message found, attempting to notify GUI!
    8/23/2014 11:48 AM FOG::GUIWatcher The system cannot find message text for message number 0x%1 in the message file for %2
    8/23/2014 11:48 AM FOG::GUIWatcher at System.Windows.Forms.Form.UpdateLayered()
    at System.Windows.Forms.Form.set_Opacity(Double value)
    at FOG.AbstractFOGService.attemptPushToGUI()
    at FOG.GUIWatcher.startWatching()[/QUOTE]

    I have double-checked that the host has the auto-join feature checked in server’s gui as well as by inspecting the DB manually. As a last resort, since I’m uninterested in manually joining 100+ computers to the domain, I built a new FOG 1.2.0 install from scratch and still having the same issue, auto-join works on all clients but these… Any thoughts?



  • [quote=“Junkhacker, post: 43983, member: 21583”]btw, the domain\user issue is changed in the dev version of the code. in the current dev version of the code, the user field is checked for a \ or @. if either of those exist, the field is sent as is. if not, the domain is a added as domain\user.[/quote]

    Yes, Tom told me about that, and what you describe seems exactly the right behaviour.


  • Moderator

    [quote=“Berend de Boer, post: 43956, member: 28367”]One thing to add here: note that I did run EXACTLY the same code on Linux or the Windows machine (compiled myself with Mono). Got different encryption values in both cases.[/quote]

    Maybe Mono uses a different compiler or libraries for Windows and Linux?


  • Developer

    [quote=“Berend de Boer, post: 43956, member: 28367”]One thing to add here: note that I did run EXACTLY the same code on Linux or the Windows machine (compiled myself with Mono). Got different encryption values in both cases.[/quote]

    regarding issues with the client, here’s something you might have missed. [url]http://fogproject.org/forum/threads/new-client-progress.12136/[/url]
    the client is being rewritten from scratch.
    btw, the domain\user issue is changed in the dev version of the code. in the current dev version of the code, the user field is checked for a \ or @. if either of those exist, the field is sent as is. if not, the domain is a added as domain\user.



  • [quote=“Berend de Boer, post: 43941, member: 28367”]And here’s the very very nasty deal: you will have to run FOGCrypt.exe on the SAME computer as you want to decrypt on. I did run FOGCrypt.exe on different computers (Linux in this case), and it simply does not encrypt/decrypt the same. I don’t know why.

    This may be an implementation issue in mono, maybe 32/64 bit??[/quote]

    One thing to add here: note that I did run EXACTLY the same code on Linux or the Windows machine (compiled myself with Mono). Got different encryption values in both cases.



  • [quote=“Tom Elliott, post: 43939, member: 7271”]This completely depends on your set ups environment yes there are times were having the fully qualified domain name works perfectly and there are times where it doesn’t I don’t know the specific settings that cause these issues or how to fix them but they are completely environmental[/quote]

    Hi Tom, I think I know exactly why and when they work now. For 1.2 the issue is that the domain name is prepended to the user name.

    So you get domain fog.example.org, but the user name then becomes fog.example.org\Administrator. The [URL=‘https://msdn.microsoft.com/en-us/library/windows/desktop/aa370433(v=vs.85).aspx?f=255&MSPPError=-2147217396’]NetJoinDomain[/URL] domain call does not like that. [URL=‘http://www.fogproject.org/forum/threads/wiki-login.12416/#post-43951’]See my other post [/URL]where I touched upon this as well: I suggest FOG always uses the unqualified name for the domain name, and no domain name in the user name, far less confusing.

    But there may be setups where a difference is required?? Not sure, but then the prepending logic must become way smarter, and the GUI should check for users who enter this wrong too.

    You can lookup the Microsoft docs for [URL='https://msdn.microsoft.com/en-us/library/windows/desktop/aa370433(v=vs.85).aspx?f=255&MSPPError=-2147217396’]what’s allowed as value for the account name[/URL]:
    [QUOTE][I]lpAccount[/I] [in]
    A pointer to a constant null-terminated character string that specifies the account name to use when connecting to the domain controller. The string must specify either a domain NetBIOS name and user account (for example, [I]REDMOND\user[/I]) or the user principal name (UPN) of the user in the form of an Internet-style login name (for example, “[EMAIL]someone@example.com[/EMAIL]”). If this parameter is [B]NULL[/B], the caller’s context is used.[/QUOTE]



  • And here’s the very very nasty deal: you will have to run FOGCrypt.exe on the SAME computer as you want to decrypt on. I did run FOGCrypt.exe on different computers (Linux in this case), and it simply does not encrypt/decrypt the same. I don’t know why.

    This may be an implementation issue in mono, maybe 32/64 bit??

    But that’s all that there was to it. Bummer, this whole thing cost me a big amount of time of getting fog up and running. I would love to contribute back some patches and knowledge. But can’t get access to the Wiki to cleanup some obsolete comments.

    And how do I propose patches? Is that against the git branch? For example the AbstractFOGService uses the wrong variable name, here’s patch:

    [CODE]diff --git a/FOGService/src/AbstractFogService/AbstractFOGService.cs b/FOGService/src/AbstractFogService/AbstractFOGService.cs
    index f7cbeae…332b029 100755
    — a/FOGService/src/AbstractFogService/AbstractFOGService.cs
    +++ b/FOGService/src/AbstractFogService/AbstractFOGService.cs
    @@ -265,9 +265,10 @@ namespace FOG
    f.Delete();
    }

    •                objReader = new StreamWriter(strLogPath, true);
      
    •                objReader.WriteLine(" " + DateTime.Now.ToShortDateString() + " " + DateTime.Now.ToShortTimeString() + " " + moduleName + " " + strlog);
      
    •                objReader.Close();
      
    •      using (StreamWriter writer = new StreamWriter(strLogPath, true))
      
    •      {
      
    •        writer.WriteLine(" " + DateTime.Now.ToShortDateString() + " " + DateTime.Now.ToShortTimeString() + " " + moduleName + " " + strlog);
      
    •      }
                }
            }
            catch
      

    [/CODE]

    And this one to give better logging on what is exactly wrong instead of an error code:

    [CODE]diff --git a/FOGService/src/FOG_HostNameChanger/MOD_HostNameChanger.cs b/FOGService/src/FOG_HostNameChanger/MOD_HostNameChanger.cs
    index ae3de28…c39c315 100755
    — a/FOGService/src/FOG_HostNameChanger/MOD_HostNameChanger.cs
    +++ b/FOGService/src/FOG_HostNameChanger/MOD_HostNameChanger.cs
    @@ -47,6 +47,8 @@ namespace FOG
    public const int AccessDenied = 5;
    public const int BadNetPath = 53;
    public const int WrongPassword = 1323;

    •        public const int LogonFailure = 1326;
      
    •        public const int BadDomain = 1355;
            public const int UnknownDevDir = 2116;
            public const int TooManyItems = 2121;
            public const int RemoteErr = 2127;
      

    @@ -289,7 +291,7 @@ namespace FOG
    {
    try
    {

    •                            log(MOD_NAME, "Attempting to connect to fog server...");
      
    •                            log(MOD_NAME, "Connecting to fog server...");
                                WebClient wc = new WebClient();
                                String strPath = strURLModuleStatus + "?mac=" + macList + "&moduleid=hostnamechanger";
                                strDta = wc.DownloadString(strPath);
      

    @@ -437,7 +439,11 @@ namespace FOG

                                                    strUser = strU;
                                                    if (strP != null && strP != "")
    
    •                                                {
      
    •                                                    FOGCrypt c = new FOGCrypt(PASSKEY);
                                                        strPass = new FOGCrypt(PASSKEY).decryptHex(strP);
      
    •                                                }
                                                    else
                                                        strPass = "";
      

    @@ -599,6 +605,10 @@ namespace FOG
    return "Domain Error! (‘Bad Netpath’ Code: " + code + ") ";
    case NERR.WrongPassword:
    return "Domain Error! (‘Wrong Password’ Code: " + code + ") ";

    •            case NERR.LogonFailure:
      
    •                return "Domain Error! ('Logon failure, unknown user name or bad password' Code: " + code + ") ";
      
    •            case NERR.BadDomain:
      
    •                return "Domain Error! ('The specified domain either does not exist or could not be contacted' Code: " + code + ") ";
                case NERR.DCNotFound:
                    return "Domain Error! ('DCNotFound' Code: " + code + ") ";
                case NERR.SetupAlreadyJoined:
      

    [/CODE]

    And I would love to be allowed to add a patch that forbids people to use a DNS domain name in the active directory settings, or forbids to use the ‘’ character in the user name, both won’t work.


  • Senior Developer

    This completely depends on your set ups environment yes there are times were having the fully qualified domain name works perfectly and there are times where it doesn’t I don’t know the specific settings that cause these issues or how to fix them but they are completely environmental



  • The error, as everyone expected, was indeed in the encryption key. Somehow there is a difference between how HostnameChange encrypts/decrypts. I put in some debug code to encrypt my password and the encrypted hex is completely different. When I enter this encrypted hex in the active domain settings, everything works. Now tracking down why HostnameChange encrypts differently from the standard FOGCrypt (recompiled that from scratch as well, same output as standard binary).



  • One thing I found out is that you cannot use the fully qualified name as domain in the active domain settings of a client. It must be in NetBios format. The reason is that the backend returns the user name as “<DOMAIN><username>” and if you have as domain “fog.example.org” you get a user name “fog.example.org\Administrator” for example, which won’t work.



  • [quote=“Tom Elliott, post: 43893, member: 7271”]And your username field is not in the format domain/username?[/quote]

    No, it wasn’t. The domain name is automatically appended I saw already. The problem is that the password is garbled. When I hard-code it, everything works. Narrowing down to the culprit.



  • Wow, compiliation actually works if I compile the FOGService.exe as well and copy that first. That’s great, can now do development on Linux.


  • Senior Developer

    And your username field is not in the format domain/username?



  • And to repeat, with the original HostnameChange.dll I get this:

    [CODE] 16/03/2015 9:21 p.m. FOG Service Engine Version: 3
    16/03/2015 9:21 p.m. Starting all sub processes
    16/03/2015 9:21 p.m. 1 modules loaded
    16/03/2015 9:21 p.m. * Starting FOG.HostNameChanger
    16/03/2015 9:21 p.m. FOG::HostnameChanger Starting hostname change process…
    16/03/2015 9:21 p.m. FOG::HostnameChanger Yielding to other subservices for 7 seconds.
    16/03/2015 9:21 p.m. FOG::HostnameChanger Attempting to connect to fog server…
    16/03/2015 9:21 p.m. FOG::HostnameChanger Module is active…
    16/03/2015 9:21 p.m. FOG::HostnameChanger AD mode requested, confirming settings.
    16/03/2015 9:21 p.m. FOG::HostnameChanger Hostname is up to date
    16/03/2015 9:21 p.m. FOG::HostnameChanger Attempting to join domain if not already a member…
    16/03/2015 9:21 p.m. FOG::HostnameChanger Domain Error! (‘Unknown Error’ Code: 1355)[/CODE]

    That’s the same error [URL='http://www.fogproject.org/forum/threads/fog-service-register-no-longer-working.10703/#post-29215’]that’s mentioned here[/URL].



  • PS: it would be great if someone had a tip on how to compile HostnameChange.dll on Linux and produce a .dll that’s recognised. Then I could do some actual debugging!



  • OK, I had both the old dll and new dll in the directory, and it seems the service picks up both. That’s confusing. When using the new dll, I get this output (as already posted):

    [CODE] 16/03/2015 9:04 p.m. FOG Service Engine Version: 3
    16/03/2015 9:04 p.m. Starting all sub processes
    16/03/2015 9:04 p.m. 2 modules loaded
    16/03/2015 9:04 p.m. * Starting FOG.HostNameChanger
    16/03/2015 9:04 p.m. * Starting FOG.MODDebug
    16/03/2015 9:04 p.m. FOG::MODDebug Start Called
    16/03/2015 9:04 p.m. FOG::MODDebug Sleeping for 100 Seconds
    16/03/2015 9:04 p.m. FOG::HostnameChanger Starting hostname change process…
    16/03/2015 9:04 p.m. FOG::HostnameChanger Yielding to other subservices for 5 seconds.
    16/03/2015 9:04 p.m. FOG::HostnameChanger Attempting to connect to fog server…
    16/03/2015 9:04 p.m. FOG::HostnameChanger Module is active…
    16/03/2015 9:04 p.m. FOG::HostnameChanger AD mode requested, confirming settings.
    16/03/2015 9:04 p.m. FOG::HostnameChanger Padding is invalid and cannot be removed.
    16/03/2015 9:04 p.m. FOG::HostnameChanger at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte
    [] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode,
    Boolean fLast)
    at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset,
    Int32 inputCount)
    at System.Security.Cryptography.CryptoStream.FlushFinalBlock()
    at System.Security.Cryptography.CryptoStream.Dispose(Boolean disposing)
    at System.IO.Stream.Close()
    at FOG.FOGCrypt.decrypt(Byte[] cipherData, Byte[] Key, Byte[] IV)
    at FOG.FOGCrypt.decrypt(Byte[] cipherData, String Password)
    at FOG.FOGCrypt.decryptHex(String hex)
    at FOG.HostNameChanger.changeHostName()[/CODE]

    I’ve tried to fire up MonoDevelop, an IDE on Linux and to recompile this, but it seems my dll is not recognised unfortunately.



  • [quote=“Tom Elliott, post: 42293, member: 7271”]Which new one are you referring to?

    The one from the github fogproject repo? Or the one from the fogservice repo?[/quote]

    The one I downloaded [URL=‘http://www.fogproject.org/forum/threads/active-directory-registration-not-working-windows-7-x64-client.11514/#post-42039’]from here in this thread[/URL].


  • Senior Developer

    Which new one are you referring to?

    The one from the github fogproject repo? Or the one from the fogservice repo?



  • [quote=“Tom Elliott, post: 42287, member: 7271”]Look them up and you may have a better/clearer answer. The error codes you see are not FOG generated[/quote]

    Yep, they are generated by the old HostnameChanger. But the new one says this:

    [CODE]16/02/2015 2:41 p.m. FOG::HostnameChanger Padding is invalid and cannot be removed.
    16/02/2015 2:41 p.m. FOG::HostnameChanger at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte
    [] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode,
    Boolean fLast)
    at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset,
    Int32 inputCount)
    [/CODE]

    As this is a different error message, does that mean that perhaps the encryption key of the new HostnameChanger is not the default one?

    The old dll error message may seem to indicate I really have a problem with username/password, and I’ll check that again.


  • Testers

    The error codes appear to be as per [url]http://www.hiteksoftware.com/knowledge/articles/049.htm[/url]
    [SIZE=4][FONT=arial][COLOR=#000000]1326 Logon failure: unknown user name or bad password.[/COLOR][/FONT][/SIZE]
    [SIZE=4][FONT=arial][COLOR=#000000]1791 A remote procedure call is already in progress for this thread.[/COLOR][/FONT][/SIZE]


Log in to reply
 

860
Online

39.3k
Users

11.0k
Topics

104.4k
Posts

Looks like your connection to FOG Project was lost, please wait while we try to reconnect.