RE: Set up LDAP for FOG, but FOG activites aren't tracking AD users

In case anyone else has this question, the Reports tab serves this purpose. Once an AD user logs into FOG and starts doing things, the history report will log it.

Got it working! This worked for me after making sure the drive was changed to GPT and I also labeled the efi parition as “EFI”:
menuentry “Windows” {
insmod chain
insmod ntfs
insmod part_gpt
set root=(hd1,gpt2)
chainloader (hd1,gpt2)/efi/microsoft/boot/bootmgfw.efi
}

Just realized that the set root part is redundant. I am partitoning the drive now to copy the files from the FOG USB key then tell the UEFI on the PC to boot from this new GRUB partition first. Looking good!

@londonfog as long as you don’t put any custom files in /var/www/fog you should be good. I have pmagic on my fog ipxe menu and put the files in /var/www/pm11_winpe and the permissions for the files are correct.

This is what my ipxe menu item parameters look like:
set tftp-path tftp://${fog-ip}
set web-path http://${fog-ip}
set pe-path ${web-path}/pm11_winpe
kernel ${tftp-path}/wimboot gui
imgfetch --name BCD ${pe-path}/BCD BCD
imgfetch --name boot.sdi ${pe-path}/boot.sdi boot.sdi
imgfetch --name bootmgr ${pe-path}/bootmgr bootmgr
imgfetch --name boot.wim ${pe-path}/boot.wim boot.wim
boot || goto MENU

Try updating the Kernel drivers? I’ve seen varying ipxe performance from different hardware. For example, I’ve seen ipxe boot faster on an Optiplex 7020 vs 3020 which is a newer model.

Success! Dropped the files into /var/www and used set web-path to ${fog-ip}. In case anyone else has this issue this is my iPXE menu item parameters:
set tftp-path tftp://${fog-ip}/os
set web-path http://${fog-ip}
set pe-path ${web-path}/pm11_winpe
kernel ${tftp-path}/wimboot gui
imgfetch --name BCD ${pe-path}/BCD BCD
imgfetch --name boot.sdi ${pe-path}/boot.sdi boot.sdi
imgfetch --name bootmgr ${pe-path}/bootmgr bootmgr
imgfetch --name boot.wim ${pe-path}/boot.wim boot.wim
boot || goto MENU

@george1421 There wasn’t any doubt on my end…but I can imagine you read that and said to yourself “of course it did…”.

@sebastian-roth Sounds good. My NEW secondary FOG server is up and running on 20.04.

@george1421 I just tested it out on a PC outside of our IT vlan with success. I hard coded it already, but I have a habit of not disclosing our IP addresses even if they’re private. I get the Press ESC to show the menu option for one second, then it boots to the hard drive. Now I took the modified bootx64.efi from my usb drive and copied it to the Windows EFI partition, replacing the existing one (renamed the old to bootx64.efi.bak), made sure that the UEFI is pointing to the file, and now the PC boots the fog process without USB.

@mcana66 What I did was create a file in /tftproot called autoexec.ipxe and put this in:

#!ipxe
ifopen net0
dhcp net0

chain ${boot-url}/scripts/menu_EFI.ipxe

This is for my FreeNAS box that I use for other projects and testing. You can chain any ipxe script (or any boot script like boot.php on the fog server) you want from there. The ${boot-url} variable is set in the default.ipxe file also located in /tftproot.

@rogerbrowntdl dnsmasq runs on the FOG server to detect architecture and boot type then serve the boot files over tftp. This is my understanding of how it all works:
PC sends DHCP server a request for an IP address with a pxe packet.
DHCP assigns an IP address then directs (relays) the PC to the FOG server.
FOG Server handles this request by sending either undionly.kpxe or ipxe.efi depending on the architecture of the PC (dnsmasq tftp service).
PC downloads and executes the correct file.
After that FOG loads the boot menus.

@george1421 Ah I see. Run the dump from the secondary FOG server without having to dump on the primary to a share, mount the share on the secondary, then import. I currently don’t have creds set on mysql on either server. I’ll look into setting creds then try to run mysql -h<hostname> to test.

@Sebastian-Roth Challenge accepted!

@george1421 Those creds worked, but I was prompted for the password. Is there a way to put the password in-line with the command so it runs w/o interaction?

Nevermind found it here

@george1421 said in Does FOG use or install the log4s?:

Again don’t listen to a dude on the internet prove it to yourself.

“Think for yourself, question authority.” -Tim Leary

@george1421 We just re-enabled PXE on the SCCM server so it takes a minute to reinstall the features. I was going to run Wireshark to see what is being requested from where. I did that testing ipxe in my lab and found out that ipxe requests autoexec.ipxe if you don’t embed or specify a menu file. Learn something new everyday.

@george1421 said in Possible to secure /var/www/* ipxe boot contents?:

apache stop file browsing

Yes I will place this here to save a search for anyone who stumbles upon this post.
https://www.vultr.com/docs/how-to-disable-directory-browsing-on-apache/

Found the solution. I had to Create Task Sequence Media, Bootable ISO. Then took the files from the ISO put them in a folder. Followed the instructions https://ipxe.org/howto/sccm. It seems that when I did this, the boot image actually matches the one associated to the task sequence. I don’t see another way to make this work.

@george1421 As you said those ports are dynamic, however I found a way to lock some ports to make sure they don’t change from this thread

I did everything except RPCRQUOTADOPTS and the post init scripts ran fine without delay. I’m assuming this won’t change as I had to restart the nfs-kernel-server.service to apply the changes. Hopefully this will stick.

Small note at the bottom of the linked thread, make sure you allow the ports in ufw.

I would like to know if it is possible to restrict this page of the FOG server web UI to certain subnets as I don’t want it available everywhere
https://<fogserverip>//fog/management/index.php?node=client

Also these pages
https://<fogserverip>/fog/client/*