Is the domain information you put at the top a copy and paste from your config? Because I see a comma misplaced.
AD DEFAULT OU - OU=Imaged,DC=haw,DC=k,12DC=nj,DC=us
should read
AD DEFAULT OU - OU=Imaged,DC=haw,DC=k12,DC=nj,DC=us
@Sebastian-Roth I make all my EFI images in VirtualBox. My workflow has me enable EFI. Do the base install and when I go to PXE I switch off EFI and do my capture. The OS is still an EFI OS and won’t boot in VirtualBox until you re-enable EFI. Has worked fine for me with images going back to Windows 7 all the way up to our current testing of 1903.
It would be helpful for the client to be able to pull and report inventory information on machines without needing them to reboot.
I am deploying the client to machines that are already out in the field to get them into my host list for later. Forcing a reboot is disruptive to the current users, and right now I can’t even use the PXE inventory task as they aren’t set for PXE to be their primary boot device. Adding this feature to the client would be really helpful.
One option for limiting support to reduce workload would be to limit to LTS branches only. So only 18.04 and 20.04 for Ubuntu, skipping the intermediary releases and dropping those that go out of support by their vendor (e.g. Ubuntu 14.04, 16.04).
I know this thread is old but I am following the guide now and have a question.
I am in the process of building a new host. On my old host I have SSL set up (./installfog.sh -S). Do I set up the new machine with SSL and replace the certs with the ones from the old machine, following these instructions: https://wiki.fogproject.org/wiki/index.php?title=FOG_Client#Maintain_Control_Of_Hosts_When_Building_New_Server
Thanks
Never mind, I got it all sorted. Just wanted to make a note that the wiki needs to be updated to reflect that the user that needs to be added and given permissions is now fogproject rather than fog.
In K12 it’s pretty common to treat many of your internal users as hostile (right or wrong), since students seem to always try to mess with things, whether with malice or just screwing around.
Also with some of the other changes in security on FOG (DB and HTTPS etc) pointing toward the outside to manage devices via the client doesn’t sound impossible for small deployments. Again, it’s not what I’m doing or planning to do, but it would be possible if measures like these were in place.
To be clear I’m mostly speaking about the web UI right now. But the client would be important too. The way JAMF handles the migration is that it continues to use its internal CA and distributes the new cert to the machines on check in. It keeps track of those that have received the cert and compares that to its list of enrolled machines. When all machines have received the cert there is a UI element that goes from red to green letting you know that the server can now be switched to communicate via the external CA.
@Sebastian-Roth
Works fine for me on all the flavors of 10 we use: LTSB, LTSC, 1703 and 1803.
@Sebastian-Roth
Good to know. I’m using FOG with HTTP so it hasn’t been an issue (I’ve moved it several times as virtual environments shifted). It might be worth looking into adding a feature in the installer to ask for the DNS name of the machine so it can generate the cert with that as the CN rather than the machine’s IP.
Might be useful for FOS login too. Shouldn’t be impossible to implement. Add Fail2Ban to list of apps to get from the repo and point it to the login logs. I’m sure I’m way over simplifying it (not a dev obviously). As FOG moves to a more secure standard install (SQL password, HTTPS etc) this would be another great feature to have.
I’ve searched but haven’t found a solution. I’m migrating machines from one Fog Server to another and want to uninstall the client that currently points to the old server so that I can re-install and point to the new server.
Does anyone have a script to remove the fog client? I already have a working installer script.
I think you’re misunderstanding what those fields are asking for. Those fields are asking which OU in which fog should look for the groups and users. Then you specify the groups with access in the admin group field.
From your screenshot you have some configuration errors.
Both Search Base DN and Group Base DN should be OUs, not CNs.
Also you should likely have Search Scope set to Subtree and Below
If you want to use LDAPS you will need to have a publicly trusted Cert on your domain controller OR you will need to add the root cert to the cert store on your fog server.
Did you make the changes for your admin group setting to be a group rather than an OU as you have it?
Can you go to Fog Configuration then to Fog Settings then Plugin: LDAP and screenshot what is there for LDAP ports and User Filter?
Also, for “Admin Group”, that shouldn’t be the name of an OU but rather the name of a security group that your users are a member of. That group should be located somewhere within the parameters set by the Group Search DN.
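The two LDAP problems raised in this thread (the mis-split `DC=k,12DC=nj` in the first post, and Base DNs pointing at a CN or an Admin Group given as an OU in the replies above) are both catchable before saving the plugin settings. The following is an added example, not code from the FOG project: a small stand-alone DN parser plus a checker for the three plugin fields, run against the DN values from this thread as constructed input. It parses `ATTR=value` RDNs on unescaped commas only (numeric OID attribute types are not handled) and does not talk to a directory.

```python
"""Sanity-check FOG LDAP plugin fields offline (added example, not FOG's code).

Constructed input: the DN strings quoted in this forum thread.
"""
import re
from typing import Dict, List, Tuple

# One RDN: an attribute type (letters/digits/hyphen, must start with a letter)
# followed by '=' and a non-empty value. Numeric OID types are not accepted here.
_RDN_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def split_dn(dn: str) -> List[str]:
    """Split a DN on commas, honouring backslash escapes (RFC 4514 style)."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # previous char was '\', keep this one literally
            buf.append(ch)
            escaped = False
        elif ch == '\\':
            buf.append(ch)
            escaped = True
        elif ch == ',':
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf))
    return parts


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(TYPE, value), ...] leaf-first, or raise ValueError on a bad RDN."""
    rdns = []
    for part in split_dn(dn):
        m = _RDN_RE.match(part)
        if not m or m.group(2) == '':
            # e.g. '12DC=nj' from a stray comma, or 'DC=' with no value
            raise ValueError(f"malformed RDN {part!r} in DN {dn!r}")
        rdns.append((m.group(1).upper(), m.group(2)))
    return rdns


def domain_components(rdns: List[Tuple[str, str]]) -> Tuple[str, ...]:
    """The DC parts of a parsed DN, lower-cased, e.g. ('haw', 'k12', 'nj', 'us')."""
    return tuple(v.lower() for t, v in rdns if t == 'DC')


def check_ldap_settings(search_base: str, group_base: str, admin_group: str) -> List[str]:
    """Return a list of problems with the three plugin fields; [] means they look sane."""
    problems: List[str] = []
    parsed: Dict[str, List[Tuple[str, str]]] = {}
    for name, dn in (('Search Base DN', search_base), ('Group Base DN', group_base)):
        try:
            rdns = parse_dn(dn)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        parsed[name] = rdns
        leaf_type = rdns[0][0]
        if leaf_type == 'CN':
            problems.append(f"{name}: {dn!r} points at a CN; it should be an OU (or the domain root)")
        elif leaf_type not in ('OU', 'DC'):
            problems.append(f"{name}: unexpected container type {leaf_type} in {dn!r}")
        if not domain_components(rdns):
            problems.append(f"{name}: {dn!r} has no DC components, so it is not a full AD DN")
    if len(parsed) == 2 and domain_components(parsed['Search Base DN']) != domain_components(parsed['Group Base DN']):
        problems.append("Search Base DN and Group Base DN are in different domains")
    if not admin_group.strip():
        problems.append("Admin Group: empty")
    elif '=' in admin_group:
        # 'OU=Admins,...' or 'CN=Admins,...' is a DN, not a group name
        problems.append(f"Admin Group: {admin_group!r} looks like a DN/OU; use the security group's name")
    return problems


if __name__ == '__main__':
    # The two DNs from the first post in this thread: the typo and the corrected form.
    for dn in ("OU=Imaged,DC=haw,DC=k,12DC=nj,DC=us", "OU=Imaged,DC=haw,DC=k12,DC=nj,DC=us"):
        try:
            print(dn, '->', parse_dn(dn))
        except ValueError as exc:
            print(dn, '->', exc)
    # A configuration that repeats the mistakes discussed above (constructed values).
    for p in check_ldap_settings("CN=Users,DC=haw,DC=k12,DC=nj,DC=us",
                                 "OU=Groups,DC=haw,DC=k12,DC=nj,DC=us",
                                 "OU=FOG Admins,DC=haw,DC=k12,DC=nj,DC=us"):
        print('-', p)
```

Run it once against the exact strings from the plugin page before you start bisecting filters and ports; a misplaced comma or a CN base DN shows up as a concrete message rather than as a silent failed bind.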
Nevermind. For whatever reason my host module settings were all deselected. No idea why. I am using persistent groups and these are set in that group.
Running 1.5.9 163 on Ubuntu 18.04.x
Imaging a Dell 5530 with Windows 10 LTSC.
Imaged a system with an existing image that has the client pre-installed. Host is registered, and has active directory settings set. System is never rebooting and not binding / renaming. I’ve reimaged it a couple times, and reset encryption. I’ve also disabled and re-enabled active directory settings for the host.
FOG log on the system shows:
Middleware: Response Module is disabled on host.
This is the expected behavior. What you want is persistent groups.
https://forums.fogproject.org/topic/8836/basic-persistent-groups-and-1-3-0rc16
Can you take a screenshot of your ldap configuration pane?