snappin doesn't work



  • Server
    • FOG Version: 1.3.4
    • OS: centos6.8
    Client
    • Service Version:
    • OS: win10
    Description

    Hello
    Snappin doesn’t work
    Here is the log file:

    -----------------------------------------------------------------------------
    --------------------------------HostnameChanger-------------------------------
    ------------------------------------------------------------------------------
     09/02/2017 11:47 Client-Info Client Version: 0.11.9
     09/02/2017 11:47 Client-Info Client OS:      Windows
     09/02/2017 11:47 Client-Info Server Version: 1.3.4
     09/02/2017 11:47 Middleware::Response Success
     09/02/2017 11:47 HostnameChanger Checking Product Key Activation
     09/02/2017 11:47 HostnameChanger Already activated with correct key
     09/02/2017 11:47 HostnameChanger Checking Hostname
     09/02/2017 11:47 HostnameChanger Hostname is correct
    ------------------------------------------------------------------------------
    
    
    ------------------------------------------------------------------------------
    ---------------------------------SnapinClient---------------------------------
    ------------------------------------------------------------------------------
     09/02/2017 11:47 Client-Info Client Version: 0.11.9
     09/02/2017 11:47 Client-Info Client OS:      Windows
     09/02/2017 11:47 Client-Info Server Version: 1.3.4
     09/02/2017 11:47 Middleware::Response Success
     09/02/2017 11:47 SnapinClient Snapin Found:
     09/02/2017 11:47 SnapinClient     ID: 5755
     09/02/2017 11:47 SnapinClient     Name: test_arnaud3
     09/02/2017 11:47 SnapinClient     Created: 2017-02-09 11:39:24
     09/02/2017 11:47 SnapinClient     Action: 
     09/02/2017 11:47 SnapinClient     Pack: False
     09/02/2017 11:47 SnapinClient     Hide: False
     09/02/2017 11:47 SnapinClient     Server: 
     09/02/2017 11:47 SnapinClient     TimeOut: 0
     09/02/2017 11:47 SnapinClient     RunWith: powershell.exe
     09/02/2017 11:47 SnapinClient     RunWithArgs: -ExecutionPolicy allsigned -File
     09/02/2017 11:47 SnapinClient     Args: -programme "P:\packages\audio video\vlc\inst_vlc.bat"
     09/02/2017 11:47 SnapinClient     File: -ExecutionPolicy allsigned -File
     09/02/2017 11:47 Middleware::Communication Download: http://coconus.istic.univ-rennes1.fr/fog/service/snapins.file.php?mac=52:54:00:CE:A1:DD||00:00:00:00:00:00:00:E0|00:00:00:00:00:00:00:E0&taskid=5755
     09/02/2017 11:47 SnapinClient C:\Program Files (x86)\FOG\tmp\fog_inst_office2010.ps1
     09/02/2017 11:47 Bus {
      "self": true,
      "channel": "Notification",
      "data": "{\r\n  \"title\": \"Installation de test_arnaud3\",\r\n  \"message\": \"Ne pas éteindre l'ordinateur tant que la tâche n'est pas terminée\"\r\n}"
    }
     09/02/2017 11:47 Bus Emmiting message on channel: Notification
     09/02/2017 11:47 SnapinClient Starting snapin...
    

    I checked powershell.exe -ExecutionPolicy allsigned -File -ExecutionPolicy allsigned -File “P:\packages\audio video\vlc\inst_vlc.bat” on the client it works.

    Where could I find the error ?


  • Testers

    Also, for debugging.
    If you put the script into a function and add [cmdletBinding()] you can run it with -debug
    which means you can add lines like Write-Debug “variables is $variable”; that will only show up when -debug is specified and will pause for you. You can also add Write-Verbose “messages”; that only show
    i.e. to do it while still running it as a ps1 script with arguments you’d have to be a little tricky. If you mad the script a .psm1 and added a export-modulemember -function funcName; line at the end and then ran this in a ps console ipmo -Force -Global \path\to\psm1; you could then run your script as a function that you can import into any script or console and add the -Debug and or -Debug lines directly when running the function

    param (
        [String]$programme, [switch]$debug, [switch]$verbose
    )
    
    function installProgramme {
        [CmdletBinding()]
        param (
            [String] $programme
        )
        $user = "install"
        $pwd = "1234500000000000000000000000000000000000000000000000000000AAAA="
        $serveur = "\\fileserver.istic.univ-rennes1.fr\partage"
        $cert = $(Get-ChildItem cert:\CurrentUser\TrustedPublisher | where {$_.Subject -eq "CN=ISTIC/ESIR Signature"})
        $tab_key = @()
        foreach ($i in $cert.SerialNumber.ToCharArray()){$tab_key += [convert]::ToInt16($i,16)}
        $password = ConvertTo-SecureString -key $tab_key -string $pwd
        $credential = New-Object -TypeName system.management.Automation.PSCredential -ArgumentList $user, $password
    
        Write-Verbose "Attempting to mount $serveur...";
    
        #net use p: $dossier_partage /p:n /u:$($credential.GetNetworkCredential().username) $($credential.GetNetworkCredential().password)
        if (!(Test-Path -Path p:)){
            $net = new-object -ComObject WScript.Network
            $net.MapNetworkDrive("p:", $serveur, $false, $credential.GetNetworkCredential().UserName,$credential.GetNetworkCredential().password)
        }
    
        Write-Debug "Check if P is mounted...";
    
        #lorsque l'on lance un script powershell, si il y avait des espaces dans le nom, cela ne passait pas 
        #lorsque l'on faisait un start-process et ce nom en argument. Donc on utilise plutot le nom court
        $prog_court = (New-Object -ComObject Scripting.FileSystemObject).GetFile($programme).ShortPath
                            
            write-host "$(hostname):Dossier de l'installer $($dossier_installer)"
            write-host ""
            write-host "$(hostname):lancement de $($programme)"
            write-host "$(hostname):lancement de $($prog_court)"
    
        #start-process -FilePath $programme -wait -NoNewWindow
        $dossier_installer = $((get-item -path $programme).DirectoryName)
    
        if (!(Test-Path -Path "$dossier_installer\logs_fog_install")){New-Item -ItemType directory -Path "$dossier_installer\logs_fog_install"}
        $extension = (get-item -path $programme).Extension
        if ($extension -eq ".bat" -or $extension -eq ".cmd") {
            #write-host "$env:COMPUTERNAME:C'est un script bat"
            start-process -FilePath $prog_court -wait -NoNewWindow -RedirectStandardOutput ${dossier_installer}\logs_fog_install\${env:COMPUTERNAME}_log.txt -RedirectStandardError ${dossier_installer}\logs_fog_install\${env:COMPUTERNAME}_error.txt
        }
        if ($extension -eq ".ps1") {
            #write-host "$env:COMPUTERNAME:C'est un script powershell"
            $policy = Get-ExecutionPolicy
            Set-ExecutionPolicy AllSigned
            start-process -FilePath PowerShell -Arg $prog_court -wait -NoNewWindow -RedirectStandardOutput ${dossier_installer}\logs_fog_install\${env:COMPUTERNAME}_log.txt -RedirectStandardError ${dossier_installer}\logs_fog_install\${env:COMPUTERNAME}_error.txt
            Set-ExecutionPolicy $policy
        }
    
        #net use p: /delete
        $net.RemoveNetworkDrive("p:")
    }
    #create string to run function
    $runFunc = "installProgramme $programme";
    
    if($debug){
        $runFunc += " -Debug";
    }
    if($verbose) {
        $runFunc += " -Verbose";
    }
    $runFunc += ";";
    Invoke-Expression $runFunc;
    

  • Testers

    @Joe-Schmitt said in snappin doesn't work:

    @lebrun78 We had no idea this wasn’t a windows network share (if you already mentioned that, I overlooked it, sorry). Most people use them, so we assume that by default. I may be wrong here, but that would point to more of a script issue. I think @JJ-Fullmer is working on a post in this thread about mounting a share in powershell using SYSTEM. It could also be how you get your Certificate from the cert store (cert:\CurrentUser\TrustedPublisher). SYSTEM is sometimes not considered a user, and is instead considered the LocalMachine in the cert store. Basically I would recommend adding some debugging statements to your script and see where its failing (e.g. if its getting the cert correctly, or if its just the mounting code thats going wrong).

    If the SYSTEM account isn’t able to access the cert store. You can also create a AES key instead of a cert that can be stored like the secure password file I mentioned in my other post. Thus keeping the security of the ps credential objects
    i.e.

    $pth = "C:\path\to\locked\down\local\folder";
    $keyFile1="$pth\~.key";
    $AESkey1 = New-Object Byte[] 32;
    [Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($AESkey1);
    $AESkey1 | out-file $keyFile1;
    

    You can then use a variable pointing to that file in place of $tab_key in your script.

    Also something else I just remembered. A great way to troubleshoot powershell and batch scripts being run as the system account is using psexec to run a powershell prompt as the system user.
    You can download Psexec as part of PSTools from here https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
    Then you can run the following to open a interactive powershell console as the System user to test your scripts

    cd C:\Path\To\Downloaded\Extracted\PSTools
    .\Psexec.exe -i -s powershell.exe # opens powershell console as system user, confirm it with the whoami command, should say NT Authority\system
    .\PSexec.exe -i -s cmd.exe # Opens command prompt as system user, confirm with whoami command.
    

  • Testers

    @lebrun78
    So looking at how you map the drive, I think that may be where the problem lies. With Powershell scripts mounting a drive defaults to stay in the scope of the script running it. So in other words it won’t persist once the script ends.
    My recommendation is you change it up a little bit by using the New-PSDrive method with a few specific arguments.

    Anyway…
    Instead of doing this

    if (!(Test-Path -Path p:)){
        $net = new-object -ComObject WScript.Network
        $net.MapNetworkDrive("p:", $serveur, $false, $credential.GetNetworkCredential().UserName,$credential.GetNetworkCredential().password)
    }
    

    Try this

    if (!(Test-Path -Path p:)){
        New-PSDrive -Name "P:" -Scope Global -PSProvider FileSystem -Persist -Root $serveur -Credential $credential;
    #The -Persist switch and setting the scope to Global ensure that your drive is mounted outside of the script. 
    #This also lets you use your PowerShell Credential object without converting it to plain text when its used in the command (Which is what .GetNetworkCredential().password does
    }
    

    Then at the end of the script you do this to remove the PSDrive

    Remove-PSDrive -Force -Scope Global -Name "P:"; 
    

    One other thing you may need to do is enablelinkedconnections. It’s a registry key at
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\enablelinkedconnections

    If you create and set that key as a REG_DWORD with Value data 0x1 (1) it will make it so you can see all mounted drives from an admin prompt. By default, drives mounted by a user in standard mode won’t show up if you run get-psdrive in an admin prompt and vice versa. Setting that reg key makes it so they can see one another which will ensure the system account that runs the fog service will be able to access the mounted drive. This security “feature” of the drives not being visible to elevated/non-elevated is a part of windows UAC.

    You can create this key with powershell like so

    $regKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\enablelinkedconnections";
    if (!(Test-Path $regKey) {
        New-Item -Path $regKey -Force
    }
    New-ItemProperty -Path $regKey -Name "enableLinkedConnections" -Value "1" -PropertyType DWORD -Force;
    

    Also, a side note, you can pipe the secure pw to a file stored on the local machine to make it so you don’t have to create the secure string and have any sort of password in plain text. Just make sure that it can only be read by the System and admin accounts. i.e. add a hidden folder to the fog service called keys, or secure, or even just ~, and lock it down to only allow admin access. Then as part of your image you can store secure pw files for mounting drives with powershell without needing to put your password in plain text in a file anywhere. You just do the key the same way since its needed for decryption, and you just put the path to the password file. And you have to be an admin to run the secure string commands and an admin to access the pw file and the cert file, so there’s not really a risk of a non admin being able to see the decrypted password. Just a thought that might help simplify writing scripts. Personally I made a module for mounting shares with powershell I use in my install scripts.
    The contents of the password file would look like what you are putting into your $pwd string variable, so you could essentially copy and paste that into a text file.
    Or run $pwd | ConvertFrom-SecureString -key $tab_key | Out-File "C:\Program Files (x86)\Fog\secure" You could put the pw file anywhere you want really.

    One other note that might be causing problems is that you should try not using $pwd as a custom variable because it is already a alias system variable for the Get-Location command. So it’s possible, although maybe not super likely, that the $pwd variable could be reset to your working directory. So maybe try changing that to $pw instead.

    Hopefully that’s all some helpful information.


  • Senior Developer

    @lebrun78 We had no idea this wasn’t a windows network share (if you already mentioned that, I overlooked it, sorry). Most people use them, so we assume that by default. I may be wrong here, but that would point to more of a script issue. I think @JJ-Fullmer is working on a post in this thread about mounting a share in powershell using SYSTEM. It could also be how you get your Certificate from the cert store (cert:\CurrentUser\TrustedPublisher). SYSTEM is sometimes not considered a user, and is instead considered the LocalMachine in the cert store. Basically I would recommend adding some debugging statements to your script and see where its failing (e.g. if its getting the cert correctly, or if its just the mounting code thats going wrong).



  • @Joe-Schmitt
    My cisf server is a samba server.
    How could it be accessible by a client system account ?


  • Senior Developer

    @lebrun78 that indicates it’s a network share permission issue or a script issue, as we have been saying. While that may work, you have to alter every machine and is a work-a-round for the underlying issue. If its a network share permission, fixing the network share permissions to allow for SYSTEM access (even if just to a single public folder) is the route we recommend. If its an issue with how you mount/decrypt your share, then it just needs to be made SYSTEM compatible. The client was built with SYSTEM permissions in mind, and therefore I cannot vouch for the security, or functionality, of the client running as a different user.



  • @Wayne-Workman
    I changed the account associated to fogesevrvice from local system account to install
    alt text


  • Moderator

    @lebrun78 said in snappin doesn't work:

    I changed the user account joined to fogservice and it works now.
    Install is now the user account used by fogservice

    So you changed the user account to SYSTEM ?



  • @Joe-Schmitt ght.
    I changed the user account joined to fogservice and it works now.
    Install is now the user account used by fogservice

    Thanks



  • Here is the power shell code.
    We have no domain

    param (
        [String] $programme
    )
    $user = "install"
    $pwd = "1234500000000000000000000000000000000000000000000000000000AAAA="
    $serveur = "\\fileserver.istic.univ-rennes1.fr\partage"
    $cert = $(Get-ChildItem cert:\CurrentUser\TrustedPublisher | where {$_.Subject -eq "CN=ISTIC/ESIR Signature"})
    $tab_key = @()
    foreach ($i in $cert.SerialNumber.ToCharArray()){$tab_key += [convert]::ToInt16($i,16)}
    $password = ConvertTo-SecureString -key $tab_key -string $pwd
    $credential = New-Object -TypeName system.management.Automation.PSCredential -ArgumentList $user, $password
    
    #net use p: $dossier_partage /p:n /u:$($credential.GetNetworkCredential().username) $($credential.GetNetworkCredential().password)
    if (!(Test-Path -Path p:)){
        $net = new-object -ComObject WScript.Network
        $net.MapNetworkDrive("p:", $serveur, $false, $credential.GetNetworkCredential().UserName,$credential.GetNetworkCredential().password)
    }
    
    #lorsque l'on lance un script powershell, si il y avait des espaces dans le nom, cela ne passait pas 
    #lorsque l'on faisait un start-process et ce nom en argument. Donc on utilise plutot le nom court
    $prog_court = (New-Object -ComObject Scripting.FileSystemObject).GetFile($programme).ShortPath
    					
        write-host "$(hostname):Dossier de l'installer $($dossier_installer)"
    	write-host ""
    	write-host "$(hostname):lancement de $($programme)"
        write-host "$(hostname):lancement de $($prog_court)"
    
    #start-process -FilePath $programme -wait -NoNewWindow
    $dossier_installer = $((get-item -path $programme).DirectoryName)
    
    if (!(Test-Path -Path "$dossier_installer\logs_fog_install")){New-Item -ItemType directory -Path "$dossier_installer\logs_fog_install"}
    $extension = (get-item -path $programme).Extension
    if ($extension -eq ".bat" -or $extension -eq ".cmd") {
    	#write-host "$env:COMPUTERNAME:C'est un script bat"
    	start-process -FilePath $prog_court -wait -NoNewWindow -RedirectStandardOutput ${dossier_installer}\logs_fog_install\${env:COMPUTERNAME}_log.txt -RedirectStandardError ${dossier_installer}\logs_fog_install\${env:COMPUTERNAME}_error.txt
    }
    if ($extension -eq ".ps1") {
    	#write-host "$env:COMPUTERNAME:C'est un script powershell"
    	$policy = Get-ExecutionPolicy
    	Set-ExecutionPolicy AllSigned
    	start-process -FilePath PowerShell -Arg $prog_court -wait -NoNewWindow -RedirectStandardOutput ${dossier_installer}\logs_fog_install\${env:COMPUTERNAME}_log.txt -RedirectStandardError ${dossier_installer}\logs_fog_install\${env:COMPUTERNAME}_error.txt
    	Set-ExecutionPolicy $policy
    }
    
    #net use p: /delete
    $net.RemoveNetworkDrive("p:")
    
    # SIG # Begin signature block
    # MIIECAYJKoZIhvcNAQcCoIID+TCCA/UCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB
    # gjcCAQSgWzBZM888888888888888888888888888888888888888sITrck0sYpfvNR
    # AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUtCNKzTzpJy5lu9elxjbUrgg6
    # IN6gggIiMIICHjCCAYugAwIBAgIQ1lzBhsDQvaJIVRttke8WMjAJBgUrDgMCHQUA
    # MBwxGjAYBgNVBA0000000000000000000000000000000MDEyMDE0NDkzMloX
    # DTM5MTIzMTIzNTk1OVowHzEdMBsGA1UEAxMUSVNUSUMvRVNJUiBTaWduYXR1cmUw
    # gZ8wDQY555555555555555555555555555555555555555555555555555555eWWBCfR
    # uEdEBxWynlykfLTyteMRiJO3TywGgvhoGX0V+hZpUBeqQLD7q3Qs0npuhWr9COSt
    Insert Code Here
    

  • Moderator

    @Joe-Schmitt he’s using the powershell script to mount & then call another script. But yes, how it’s being done matters and we need to know.

    @lebrun78 said in snappin doesn't work:

    hello
    -programme is an option of the script fog_inst_office2010.ps1

    fog_inst_office2010.ps1 is a script to mount p: with authentication and call a bat script


  • Senior Developer

    @lebrun78 snapins run as SYSTEM (this is like a limited root on unix). If a script works when run manually but not as a snapin, then your script is not SYSTEM compliant. Usually its an issue when someone tries to use network shares, which it appears you are doing. SYSTEM is an non domain user, so if your network share requires someone to be domained user to access it, that’s one potential issue. Ultimately this is a network share issue, and without see exactly how you are mounting / using it, we cannot help.



  • here is this extract of windows powershell log in windows events viewer
    1st run by snap in:
    alt text

    2nd by manual command line that works:
    alt text

    I don’t understand !

    Witch trigger mark snapin task ended in web console ?



  • fog_inst_office2010.ps1 is a script to mount p: with authentication and call a bat script


  • Senior Developer

    So what is the point of the fog_instoffice2010.ps1 file?



  • @Tom-Elliott
    No because it was not working with office2010, I try it with a script to install videolan player which is very lighter



  • Should it be a path problem ? Should fog client install the script from c:\program file x86\fog\tmp ?


  • Senior Developer

    @lebrun78 Well, if it’s “installing MS Office, as the file kind of suggests” I’m guessing the PS1 has to either download the installer files and/or start the installer files across a network share. Are you setting the installation in a “silent” mode? Does running it manually on the command line cause you to do user inputs or not?



  • @Tom-Elliott
    I manually restart it while the task is still marked as running


Log in to reply
 

455
Online

39.3k
Users

11.0k
Topics

104.5k
Posts

Looks like your connection to FOG Project was lost, please wait while we try to reconnect.