    Best posts made by george1421

    • RE: Select multiple partition to deploy/capture

      @Sebastian-Roth So then is this something that can be scripted into the FOG console? Rewrite that file based on the partition you want to deploy and then rewrite it properly after the deploy is done?

      I can’t say how many people “need” this feature vs the developers’ time to implement. If it is only a handful of people then a wiki page would be in order to explain what needs to be done. If it’s 10 or more then it may be worth the developers’ time to see if it’s possible (since the process has already been confirmed by Thiago).

      I don’t have the answer only raising the question of should it be considered.

      posted in Feature Request
      george1421
    • RE: Multicasting Issues

      @kenneth.sisco Make sure that your network switches have igmp forwarding or snooping enabled. If you have vlans in your network the igmp settings are typically set on a per vlan basis. The igmp settings allow the switch ports to subscribe to the multicast channel. The multicast stream will only be sent to ports and switches that subscribe to the multicast request. This keeps multicast traffic off switches where there are no subscribers.

      posted in FOG Problems
    • RE: Driver Issues With Dell Latitude 7280 - No Bootable Devices

      @RobTitian16 said in Driver Issues With Dell Latitude 7280 - No Bootable Devices:

      Theoretically, couldn’t I edit the script to put the drivers in the driver store?

      That’s precisely what we were doing with Win7. From your code:

      # Add the driver location on the PC to devicepath in Registry: 
      regfile="/ntfs/Windows/System32/config/SOFTWARE"
      key="\Microsoft\Windows\CurrentVersion\DevicePath"
      devpath="%SystemRoot%\inf;%SystemRoot%\DRV";
      reged -e "$regfile" &>/dev/null <<EOFREG
      ed $key
      

      That path is the same one that is referenced in the document you linked. But that doesn’t work with Win10 (at least in my experience).

      But Tom is right with the disk detection. Remember you have 2 issues here and not to get them confused.

      posted in Windows Problems
    • RE: executing batch file from snapin

      @JJ-Fullmer Well done!! I wish I could upvote your post more than just +1.

      posted in General
    • RE: Extend LDAP plugin to support AD authentication

      Well here is my proof of concept code. In AD I setup two groups FOG_Admins and FOG_Users. The script outputs the following
      false := user is not authorized
      1 := User is authorized and is in the FOG_Users group
      2 := User is authorized and is in the FOG_Admins group

      I was going to go with the whole bindDN and bindPassword route, but that also meant that I would have to save the bindPass value in the database. To do that I would have to come up with a way to protect (encrypt) the password and all that. So I flipped the script around to use the credentials of the person who is logging in to query AD.

      The next steps here are to integrate the script below into ldapAuth (which shouldn’t be hard at all) then update the database fields, and other creation bits. The last part will be to mess with the ldap gui interface which has me a bit confused on the layout.

      But at the end of the day this is surely possible to get fog to authenticate against AD.

      <?php
      
          function ldapParseDn($dn) {
              /**
               * Returns array of: array (
               *     [CN] => array( username )
               *     [OU] => array( UNITNAME, Region, Country )
               *     [DC] => array ( subdomain, domain, com )
               * )
              **/
      
              $parsr=ldap_explode_dn($dn, 0);
              $out = array();
              foreach($parsr as $key=>$value) {
                  if(FALSE !== strstr($value, '=')) {
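                      // limit to 2 so values that contain '=' are not truncated
                      list($prefix,$data) = explode("=",$value,2);
                      $prefix = strtoupper($prefix);
                      // decode \XX hex escapes; the /e modifier no longer exists in PHP 7+, so use a callback
                      $data=preg_replace_callback('/\\\\([0-9A-Fa-f]{2})/', function($m) { return chr(hexdec($m[1])); }, $data);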
                      if(isset($current_prefix) && $prefix == $current_prefix) {
                          $out[$prefix][] = $data;
                      } else {
                          $current_prefix = $prefix;
                          $out[$prefix][] = $data;
                      }
                  }
              }
              return $out;
          }
      
          $user = 'testuser';
          $pass = 'testuser.1';
          $server = '192.168.1.5';
      
              // clean up user name we only want the user's short name without any domain component
              // note I did not try to understand the regex expression but I expect there to be
              // issues with non-us english characters, just saying.
              $user = trim(preg_replace('/[^a-zA-Z0-9\-\_@\.]/', '', $user));
      
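              // open connection to the server (plain LDAP on 389: without StartTLS or LDAPS
              // the bind password crosses the network in clear text)
              $ldapconn = ldap_connect($server,389);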
              ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
              ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
      
              $accessLevel = 0;
              // test to confirm that script will handle mixed case
              $userSearchDN = 'ou=nyc,dc=domain,DC=com';
              $adminGroup = 'FOG_Admins';
              $userGroup = 'FOG_Users';
              // test to confirm that script will handle mixed case
              $grpMemberAttr = strtolower('memberOf');
      
              $entries = ldapParseDN($userSearchDN);
              $userDomain = implode(".",$entries['DC']);
              $userDN = sprintf('%s@%s', $user, $userDomain);
      
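              // an empty password turns the bind into an unauthenticated (anonymous) bind,
              // which many servers accept, so reject it before binding
              if ( $pass !== '' && ldap_bind($ldapconn, $userDN, $pass) ) {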
                  // If we get to here the user is authorized, now lets get the group membership
                  $filter = sprintf('(&(objectCategory=person)(%s=%s))', 'sAMAccountName', $user);
      
                  $attr = array( $grpMemberAttr );
                  $result = ldap_search($ldapconn, $userSearchDN, $filter, $attr);
      
                  // count the number of entries returned
                  $retcount = ldap_count_entries($ldapconn, $result);
      
                  if ($retcount > 0) {
                      $entries = ldap_get_entries($ldapconn, $result);
      
                      // check groups for membership
                      foreach($entries[0][$grpMemberAttr] as $grps) {
                          // strpos returns an offset or false, so compare against false explicitly
                          // is admin user, set level and break loop
                          if(strpos( $grps, $adminGroup ) !== false) { $accessLevel = 2; break; }

                          // is user, set level and keep looking just in case user is in both groups
                          if(strpos( $grps, $userGroup ) !== false) $accessLevel = 1;
                      }
                  }
                  // close our connection as bindDN
                  ldap_unbind( $ldapconn );
      
                  print $accessLevel;
      
              } else {
                  print 'unable to bind using user info, user is not authorized in ldap';
      
              }
       ?>
      
      
      
      posted in Feature Request
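
An added example, not part of the original post or of the FOG LDAP plugin: the proof of concept above matches group names as substrings of each memberOf DN, so a group such as FOG_Admins_Audit, or an OU named FOG_Admins, would also match. This sketch compares only the leading CN of each DN, case-insensitively, on constructed sample data; the function names groupCn and accessLevelFromGroups are hypothetical.

```php
<?php
// Added example: resolve the access level from memberOf values by exact CN match.
// Function names and the sample DNs below are constructed for illustration.

// Return the value of the first RDN of $dn if it is a CN, otherwise null.
function groupCn($dn) {
    // Split at the first unescaped comma; the leading RDN is the group's own name.
    $parts = preg_split('/(?<!\\\\),/', $dn, 2);
    if (!preg_match('/^\s*CN\s*=\s*(.+?)\s*$/i', $parts[0], $m)) {
        return null;
    }
    // Decode \XX hex escapes, then single-character escapes such as "\,".
    $cn = preg_replace_callback('/\\\\([0-9A-Fa-f]{2})/', function ($x) {
        return chr(hexdec($x[1]));
    }, $m[1]);
    return preg_replace('/\\\\(.)/', '$1', $cn);
}

// 0 = in neither group, 1 = FOG_Users, 2 = FOG_Admins (the levels used in the post).
function accessLevelFromGroups(array $memberOf, $adminGroup, $userGroup) {
    $level = 0;
    foreach ($memberOf as $key => $dn) {
        // ldap_get_entries() stores a 'count' element next to the values; skip it.
        if ($key === 'count' || !is_string($dn)) {
            continue;
        }
        $cn = groupCn($dn);
        if ($cn === null) {
            continue;
        }
        if (strcasecmp($cn, $adminGroup) === 0) {
            return 2;               // admin wins, no need to look further
        }
        if (strcasecmp($cn, $userGroup) === 0) {
            $level = 1;             // keep looking in case the user is also an admin
        }
    }
    return $level;
}

// Constructed memberOf arrays in the shape ldap_get_entries() returns.
$samples = array(
    'admin'     => array('count' => 2, 'CN=Staff,OU=nyc,DC=domain,DC=com',
                         'cn=fog_admins,OU=nyc,DC=domain,DC=com'),
    'user'      => array('count' => 1, 'CN=FOG_Users,OU=nyc,DC=domain,DC=com'),
    'lookalike' => array('count' => 1, 'CN=FOG_Admins_Audit,OU=nyc,DC=domain,DC=com'),
    'ou-named'  => array('count' => 1, 'CN=Printers,OU=FOG_Admins,DC=domain,DC=com'),
);

foreach ($samples as $name => $memberOf) {
    printf("%-10s => %d\n", $name,
        accessLevelFromGroups($memberOf, 'FOG_Admins', 'FOG_Users'));
}
```
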
    • RE: Cannot Get Capture To Work (New Server)

      @nbuursma OK, that is where lenovo is hiding all of that malware lol.

      I think that should be a question for the @Developers but the structure of the drives /dev/sda (etc) should not throw off FOG. But that 14GB empty hard drive might.

      posted in FOG Problems
    • RE: Driver Issues With Dell Latitude 7280 - No Bootable Devices

      @RobTitian16 said in Driver Issues With Dell Latitude 7280 - No Bootable Devices:

      I’ll now have to inject the drivers into the reference image from now on (thereby having multiple images for different types of systems)?

      What am I missing here?? As I see it…

      Win7 == update registry location to search for drivers in c:\drivers (or where ever) and use sysprep
      Win10 == Create entry in unattend.xml in golden image to search in c:\drivers or use postinstall script to copy in updated unattend.xml and use sysprep

      It’s just a different method to achieve the same goal, no change in overall process.

      posted in Windows Problems
    • RE: Windows 7 image for many different hardware, good guide in 2017 ?

      We do this for both Win7 and Win10. We have a single universal image for all different models of computers we use on our campus. These are all Dell systems but the process would work for other hardware platforms as long as you can get the drivers for the models in inf format and not as a self extracting archive.

      The key is to make your reference image on a virtual machine (I use vmware) with the minimal number of drivers, sysprep and capture that image with FOG. That becomes your golden/master/mother image. We use MDT to create that reference image so it is consistently built every time since we update our reference image every quarter with the latest OS and application updates. MDT helps us do this so that it is repeatable each time.

      Then during image deployment to the target computers we use fog’s post install script function to write a custom post install script that determines the target computer’s hardware model and then we inject the proper drivers into the target system before the target computer boots into OOBE.

      There are a few discussion/tutorials on this subject.

      https://forums.fogproject.org/topic/8889/fog-post-install-script-for-win-driver-injection
      https://forums.fogproject.org/topic/4278/utilizing-postscripts-rename-joindomain-drivers-snapins
      https://forums.fogproject.org/topic/7740/the-magical-mystical-fog-post-download-script
      https://forums.fogproject.org/topic/7391/deploying-a-single-golden-image-to-different-hardware-with-fog

      In our environment we use the sysprep / unattend.xml file to name the computer, connect it to the domain instead of the fog client. We have some deployment time unique settings that our post install scripts inject into the unattend.xml file that’s not possible to do with the fog client so that method works out best for us.

      posted in General
    • RE: Extend LDAP plugin to support AD authentication

      @Wayne-Workman Not sure I understand?

      The intent is to make/change the ldap plugin to work with AD/OpenLDAP/and the Novell one. Unfortunately I have to add some fields to the database to fill in the assumptions in the code. So once I prove it out (we) need to decide if I update the current ldap plugin code (requiring users that have it installed already, to uninstall and reinstall+configure it) or to create a whole new (enhanced) ldap plugin. That decision will be up to the developers on how they want to handle it. Right now I’m doing a proof of concept (on my production server) to answer can it work.

      Testing so far has been very positive. Right now I ran into a roadblock with the hooks that I need to work through. But the problem here is my ignorance of how hooks work not a coding problem.

      posted in Feature Request
    • RE: Fog IP Address change

      Since most companies that have a proxy server in their environment restrict direct internet access we have to configure linux (and fog) to communicate with the internet over the company authorized proxy server(s).

      Most command line utilities will inspect the environment variables to check to see if they need to use the proxy protocol when attempting to access files and services on the internet.

      These environment variables are http_proxy, https_proxy, and ftp_proxy (I’ve also seen these variables referenced in all upper case like HTTP_PROXY, HTTPS_PROXY and so on. To date I’ve only used the lower case env variables so I can’t say if case is important for all linux distros).

      You could add these env variables to each command invocation, but typically system admins will add them to a common logon script so they are available to anyone who logs into the linux system. Most common is to add them to the bash shell logon script /etc/bashrc. To make these variables persistent in the environment they must be defined with the export function as below.

      export http_proxy=http://<proxy_server_ip>:<proxy_server_port>
      export https_proxy=http://<proxy_server_ip>:<proxy_server_port>
      export ftp_proxy=http://<proxy_server_ip>:<proxy_server_port>

      In the case of the fog installer, we need to tell the fog installer to not use the proxy protocol when attempting to connect to the fog server directly. So we must also include this env variable.

      export no_proxy="<fog_server_ip>"

      During the fog installation the installer script makes wget calls back into the running fog server for specific actions. Without the no_proxy setting the installer script would make that request to the proxy server. Some proxy servers won’t proxy requests to internal networks. So this setting is required.

      There are some command line commands that don’t inspect the env variables but require specific settings in their config files. These include FOG, svn (I assume git too), cpan, and pear. For these you will need to update the appropriate config file. For FOG (proper) you need to update the proxy server settings in the fog management console. For SVN you need to create a file in /etc/subversion called servers and then populate it with the required settings.

      posted in FOG Problems
    • RE: Windows 10 Upload

      You are using a pretty old version of FOG. My bet is if you pxe booted into the FOG iPXE menu and selected the compatibility test it would fail on the network bits.

      What hardware are you trying to deploy to?

      You can try a newer kernel, but I suspect you will run into other issues like NVMe disks or GPT formatted disks, where you might be better off upgrading to FOG 1.4.3 anyway.

      posted in Windows Problems
    • RE: HELP Installing Acrobat Reader DC thru Snap Ins

      @asbenavides I can say these commands install Acrobat Reader DC very well. I don’t use snapins so you may need to translate that into snapin format. We use a different tool, but we deploy using the following commands in a batch file.

        start /wait msiexec.exe /i AcroRead.msi TRANSFORMS="AcroRead.mst" ALLUSERS=1 /qn /norestart
        start /wait msiexec.exe /i FontPack1500720033_XtdAlf_Lang_DC.msi ALLUSERS=1 /qn /norestart
      

      There is a tool “adobe acrobat dc customization wizard” that allows you to customize the Acro Reader install (which creates the transform file used in the above command). It lets you accept the eula and make customizations to the reader install. There are quite a few guides on the internet for this, just search. For example: http://www.itninja.com/software/adobe/reader-6/dc
      We throw in the APAC font pack file because we do interact with Asian countries.

      posted in General
    • RE: Extend LDAP plugin to support AD authentication

      @Lee-Rowlett Thank you for the offer. Tom offered to look at the code last night. I think he found out what I did wrong/needed.

      posted in Feature Request
    • RE: Fog IP Address change

      @Wayne-Workman Sure

      The content of /etc/subversion/servers on my servers are like this:

      [global]
      http-proxy-host = 192.168.1.56
      http-proxy-port = 3128
      

      for git you can issue the following commands (from stackoverflow.com):
      git config --global http.proxy http://192.168.1.56:3128
      git config --global https.proxy https://192.168.1.56:3128

      If you really wanted to not use env variables, then wget has proxy settings in /etc/wgetrc just uncomment the proxy lines and add the appropriate values and save.

      posted in FOG Problems
    • RE: Windows 10 Upload

      @cgauthier said in Windows 10 Upload:

      Mount: Mounting 10.1.1.60: images/dev on /images failed: Network is Unreachable

      Wow I read too quick on that one. I saw old FOG, network is unreachable and jumped to the conclusion old kernel and new hardware.

      Sebastian may be right on the rpcbind issue, we saw that with Centos 7. If you key in showmount -e 127.0.0.1 that should show us the nfs shares that are available. And also run ps aux | grep rpcbind that will tell us if rpcbind is running in memory.

      posted in Windows Problems
    • RE: Setting up new, large fog setup

      @chris.dees Replication happens right away. There isn’t a way to control the replicator in the way you want from inside FOG. You can do what you want if you use cron to start and stop the fog image replicator service.

      So basically you would setup a cron job to launch the replicator at 11p and stop it at 6am. The drawback to this would be there is a potential for an incomplete image being setup on a remote storage node. Because the cron job runs asynchronous of the replicator service. The replicator would finish on the next cycle, but just be aware of this.

      The same concept could be used if you want to throttle the replication speed during the day, but want 100% over night. You would setup a cron job to update the bandwidth setting in the sql server then restart the fog image replicator service, and so on.

      It would be grand if FOG supported this internally, but with FOG 1.3.x it’s not possible. Possibly FOG 2.0 will support this capability, but that version is a few years away.

      posted in General
    • RE: Extend LDAP plugin to support AD authentication

      I’m going to start a debugging session in a few minutes with this new ldap code. I would consider the current state as alpha code.

      Todo items:

      1. Review the code to ensure it still flows like I intended.
      2. Load the modified code into my production environment and confirm it works as the proof of concept code does.
      3. Work with changing case of groups, dn paths to make sure all case sensitivity is gone.
      4. Clean up the web gui configuration page. Currently there are fields that don’t have any impact on the code (binddn, bindpass, searchscope). The elements were built in place in case we needed to create a more complex ldap auth.

      This code does make a few assumptions about the target environment. I did use less complex logic to keep the lines of code down. It should work well for the different ldap backends. Only testing will tell.

      posted in Feature Request
    • RE: New Fog Server Build Cannot Deploy

      @Chris-Sodey said:

      The computer has 2 SSDs. 500GB samsung 850 EVO and a soldered on 16GB SSD.

      There was just another recent post where the OP was trying to deploy to a Lenovo (I think) and this built in drive was causing a problem with fog because it wasn’t formatted, it was just a blank drive. I think the OP was able to put a partition on that drive and then fog was happy enumerating it. If this is a systemic issue I do think the developers need to be aware of this built in drive.

      [Edit] just for reference here is the thread I was thinking about: https://forums.fogproject.org/topic/6461/cannot-get-capture-to-work-new-server/37 There was no mention of what hardware, or any real answer on a resolution[/Edit]

      posted in FOG Problems
    • RE: Windows 10 resizable image system partition issue

      @Sebastian-Roth FWIW: If that text exchange can be turned into a sed command in a bash script, it’s possible to have FOS patch itself each time FOS boots by using a postinit script. Then there would be no need to unpack, patch, and repack the inits each time there is a FOG upgrade.

      EDIT: I’m not a sed expert so there may be a cleaner way to do this than escaping every bracket, but in testing it does work to exchange the text mentioned.

      sed -i -e "s#\\[Rr\\]\\[Ee\\]\\[Ss\\]\\[Ee\\]\\[Rr\\]\\[Vv\\]\\[Ee\\]\\[Dd\\]#\\[Ss\\]\\[Yy\\]\\[Ss\\]\\[Tt\\]\\[Ee\\]\\[Mm\\]#gi" /bin/fog.upload

      sed -i -e "s#\\[Rr\\]\\[Ee\\]\\[Ss\\]\\[Ee\\]\\[Rr\\]\\[Vv\\]\\[Ee\\]\\[Dd\\]#\\[Ss\\]\\[Yy\\]\\[Ss\\]\\[Tt\\]\\[Ee\\]\\[Mm\\]#gi" /usr/share/fog/lib/funcs.sh

      EDIT2: It appears the forum eats the escape characters. Here are the commands in a text file.
      [0_1498038914037_sysreserv.txt.bin](Uploading 100%)

      EDIT3: WTF I can’t upload a frick’n text file either?
      So for manual edits to the sed command, you need to add a back slash (i.e. windows path separator) character in front of each square bracket in the sed command.

      EDIT4: Use double backslash…

      posted in Windows Problems
    • RE: upgrading fog on a standalone network

      @Sebastian-Roth Assuming the OP used git to replicate the fogproject repository as well as followed the instructions from the wiki page. Would the proper path be /opt/fogproject/bin/error_logs to find the log files?

      posted in General