Append a prefix to computername based on group membership

I’m trying to figure out how to expand on the computer naming task while imaging.

I have a group called TestGroup. Let’s say this group is a department in my organization, and the department code is TG. The way we name our computers is DeptCode-serialnumber. So TG-1A2B3CD would be how we name a computer. In FOG, I create the group and see the option to join a domain. Great! However, I want to be able to add the prefix to the computer name BEFORE joining the domain. I already have a script in place during Full Reg that reads the system’s serial number from the BIOS and auto-populates it.

How can I tie that Full Reg script into Groups so that it will either automatically append the prefix or prompt me during Full Reg to specify a department code that is referenced in the Group?

@sebastian-roth One more question (I hope this is the last one) if I want to set up a trust between my prod environment and the cert that FOG is using, where can I find the FOG cert on the file system?

@sebastian-roth Game changer! Thanks! I’m testing the dev-branch install right now on a vm.

@george1421 I ran wireshark while pxe booting fog and logging in to the ipxe menu, saw that the creds were sent via HTTP, not LDAP. So I should upgrade to the latest trunk using the -s switch and all will be SSL? I’d still have to compile the ipxe kernel with a cert or is that done during setup?

@george1421 So the alternative would be to use SSL and embed the cert into the ipxe kernel right? I saw a post about this topic and a post pointed to this link https://wiki.fogproject.org/wiki/index.php?title=Upgrade_to_trunk about the latest build already has SSL set up? I’d just have to run installfog.sh -s and HTTPS would be working for the web gui as well as ipxe?

I have LDAP configured properly for logging into the FOG UI as well as authentication during the IPXE menu login. I’m trying to add security layers to the FOG server and environment. I ran wireshark to see how FOG sends LDAP credentials, and it appears to send them clear text over HTTP. If I use LDAPS, will FOG still send those clear credentials via HTTP or will it be secure?

In case anyone else has this question, the Reports tab serves this purpose. Once an AD user logs into FOG and starts doing things, the history report will log it.

Re: [LDAP with Access Control](default role assignment at first login)
I want to continue this conversation. I was looking at the “Mobile Group” in LDAP plugin settings, and I created an Security Group called FOGTechnicians-SG in my AD, and put that group in Mobile Group. I read that Mobile Group was deactivated (maybe I misunderstood that?). But is there a way to predefine AD users in FOG and put them in the appropriate roles so that when they log in, the proper rules will be applied?

I successfully set up the LDAP plugin for FOG, and can login to the Web UI with my AD creds as well as authenticate to the iPXE menu with my AD creds, but when I register a host, it still says
“Created by FOG Reg on October 25, 2022, 6:45 pm”. Also when I create an image, it doesn’t show that I created the image. Does FOG have this functionality? My intention of setting up LDAP was to be able to keep track of who captures, deploys, and registers hosts.

@mcana66 What I did was create a file in /tftproot called autoexec.ipxe and put this in:

#!ipxe
ifopen net0
dhcp net0

chain ${boot-url}/scripts/menu_EFI.ipxe

This is for my FreeNAS box that I use for other projects and testing. You can chain any ipxe script (or any boot script like boot.php on the fog server) you want from there. The ${boot-url} variable is set in the default.ipxe file also located in /tftproot.

@mcana66 autoexec.ipxe is the default script that the ipxe kernel looks for unless another file is specified by your DHCP server or if you compile the kernel with an embedded menu script.

@fog_newb It starts the ipxe and stops where exactly? Configuring Devices?

My settings in FOG Config>IPXE General Config>Menu Hide/No Menu settings:

And FOG Config>FOG Settings>FOG Boot Settings:

Problem is during ipxe boot, I still get prompted to hit the ESC key. I’d like to change it to F12 instead of ESC because ESC also cancels the boot process and some of my staff like to spam the ESC key…

@rrtern Just wondering, did you create a route between the two subnets? The firewall(s) may also need rules to allow pxe, http, and tftp traffic between those subnets. I didn’t see anything mentioned about routes so that’s why I asked. For instance in pfsense, by default different VLANs can communicate with each other. But at my job’s network environment they have to create routes so that vlans and subnets can communicate.

I can say that we aren’t constantly imaging and reimaging PCs in our environment. The FOG server does a lot of idling. I do the most because I’m always working on golden images and testing. But that’s about it. I don’t think I could make a solid proposal to my employer to pay a small team full-time for full support of FOG. It wouldn’t be feasible. If anything we need to get more people using FOG instead of other very expensive imaging solutions. If the community grows then you’ll have a higher chance of gaining a few more volunteers.

@george1421 Ah ok I misread the OP. Well last time I checked, True Image can still create a boot image ISO with Windows kernels in addition to Linux kernels. If I’m not mistaken I believe you need to have the Windows ADK suite installed in order to create a WinPE boot ISO.

@Pitohui
How big is the ISO file? Perhaps you can try the sanboot or memdisk methods?

What about the wimboot method?
This is my ipxe entry for booting PMagic11 that is WinPE.

set tftp-path tftp://${fog-ip}
set web-path http://${fog-ip}
set pe-path ${web-path}/pm11_winpe
kernel ${tftp-path}/wimboot gui
imgfetch --name BCD ${pe-path}/BCD BCD
imgfetch --name boot.sdi ${pe-path}/boot.sdi boot.sdi
imgfetch --name bootmgr ${pe-path}/bootmgr bootmgr
imgfetch --name boot.wim ${pe-path}/boot.wim boot.wim
boot || goto MENU

You’ll have to extract the files listed above from your Acronis ISO. Download the latest wimboot from here.

You can place wimboot in your /tftproot and download it via tftp, the rest of the files you can place in /var/www/acronis to download via http and make sure to change ownership to fogproject:www for all the files in /var/www/acronis.