hostnamechanger access denied

kickers56

Hi,
I am using the new client version 0.10.6 with the latest trunk as of last week and within the log file it gives me access denied error

specifically:
Hostnamechanger Checking hostname
Hostnamechanger Hostname is correct
Hostnamechanger Access Denied, code = 5

This is the first time I imaged and deployed since upgrading the same system from 1.2.0 using legacy client (which was working fine for joining domain) I manually, through windows joined the domain just to check the username and password were correct for joining and they are. I think I did all the usual things like making sure the service is activated everywhere (which kept the settings from 1.2.0) and not using fogcrypt etc (as thats for the legacy client). Just a bit stuck as to what to try as not much info I can find on the new client.

Thanks

kickers56

Just as added info

when checking this

http://<fog_ip>/fog/service/hostname.php?mac=<my_mac>

it returns my ADDom fine and the username fine (with the domain before the password automatically) but the ADPass= is empty and thats it nothing else after, I know it won’t show the password but wanted to check that is correct? Because access denied seems to me the username or password is wrong, but I have entered it many times now, and it does join if I do it manually through windows

Tom Elliott

Your ADPassword field needs to be set. Type the plaintext password for the account that is trying to associate to the domain and it will encrypt it.

Tom Elliott

This also, I’m just guessing, what you’re seeing for the legacy URL. The new client accesses the information by:

http://<fog_ip>/fog/service/hostname.php?mac=<my_mac>&newService&json

kickers56

Thanks,

Using the http://<fog_ip>/fog/service/hostname.php?mac=<my_mac>&newService&json in the browser shows the correct ADPass now. All seems fine except maybe this has two slashes, is that ok (mercia is the domain name and scmmacadmin is the correct user)?

“ADUser”:“mercia\scmmacadmin”

kickers56

Sorry forgot to mention it still isn’t working, in the fog log it still says access denied.

Thanks for the help.

kickers56

It won’t post the two slashes, so to be clears its between mercia and scmmacadmin there are two slashes not one.

Tom Elliott

@kickers56 What version of FOG are you running?

The 2 slashes is fine, but you should NOT be able to discern ANY data out of the url.

kickers56

Well thats what I thought actually the version is 7845

I can even read the password unencypted as is from the browser which obviously is bad. Why would it be doing that?

falko

I am also seeing this issue, on 7945.
Seems intermittent though, as I deployed an image to a machine in the office and to virtualbox and they were fine. But I am now in an IT suite and have just seen this access denied code 5 in one of the logs

Tom Elliott

@falko Find the related host and and reset encrypted data. You’re not seeing unencrypted data in the browser though, correct?

falko

@Tom-Elliott
With this, I can see the AD password…
http://<fog_ip>/fog/service/hostname.php?mac=<my_mac>&newService&json

Tom Elliott

Alright, I’m trying to understand, why are we accessing using hostname.php? 0.10.6 does not make a call to this link. At least not that I’m aware of ( @joe-schmitt let me know if I’m wrong?)

It’s most likely left there for debugging purposes, though I will most likely need to get this corrected.

kickers56

So thank you the query through the browser now shows “Not allowed here” so no more information being visible.

Regards the other problem I am having, I upgraded to latest trunk today (7953) and still having the same problem with Access denied on windows 7 and FOG Server ubuntu 14.04

---

--------------------------------HostnameChanger-------------------------------

01/06/2016 09:26 Client-Info Client Version: 0.10.6
01/06/2016 09:26 Client-Info Client OS: Windows
01/06/2016 09:26 Client-Info Server Version: 7953
01/06/2016 09:26 Middleware::Response Success
01/06/2016 09:26 HostnameChanger Checking Hostname
01/06/2016 09:26 HostnameChanger Hostname is correct
01/06/2016 09:26 HostnameChanger Access Denied, code = 5

Also if I change the AD password to anything else on FOG server it then issues a logon failure unknown username or password, So it knows the username and password is correct.

Is this something to do with how my FOG server is set up or my AD?

Thanks for any help, if it is my AD I just don’t know what to change as I can manually join the domain and it used to work with the legacy client.

Quazz

@kickers56 Sounds like permission issues to me. That’s generally what Access Denied leads to anyway.

I’m curious why it was looking for access when it already states the hostname to be correct already, though.

kickers56

What is it that the new client does different to the legacy client (as that worked). I am not in charge of our AD directly so will see about what permissions I have on my credentials and post back when I know more.

Quazz

@kickers56 Is it possible they altered something behind the screens concerning AD?

kickers56

@Quazz I am now in the process of asking and will report back, thanks

kickers56

So my account has permissions to join machines but cannot create new accounts, or take them off presumably. Would this cause a problem with the new client? Would it be trying to remove and then create the account on the AD again? There shouldn’t be a problem if I can manually join through Windows right?

Tom Elliott

@kickers56 I’m not 100% sure on how things work, but if the account that’s doing the domain joining is NOT allowed to view information from the AD server to verify if it is joined or not, I imagine this might be one of the things a person may see. Again, I’m not 100% sure but it seems to point this way to me.