    Posts made by george1421

    • RE: Dell Latitude 3470

      @Chubert Have you tried to do a hardware compatibility test on these computers? (I think it's the last menu item on the iPXE boot menu.)

      posted in Hardware Compatibility
      george1421
    • RE: Dell Latitude 3470

      If that 3470 is similar to the 7270s we have you will need to update the kernel.

      BUT, we need to know where it is getting stuck at? If you could snap a clear picture with your mobile phone of the error or stuck message, that would help us help you.

      posted in Hardware Compatibility
      george1421
    • RE: Dell Latitude e5430 some image and some do not

      @Wayne-Workman I agree, what we are seeing in the picture below is the result of some error, not what caused it. It could be (if the fog client is installed) that the fog client service was not disabled when the system was captured, which caused the FOG client to do stuff while OOBE was running.

      This error (based on the picture) could be a Windows OOBE issue and not related to FOG pushing the image to the computer.

      posted in Hardware Compatibility
      george1421
    • RE: Dell Latitude e5430 some image and some do not

      I agree having a picture of the exact error will give us a better understanding of where (in the deployment process) the error is being generated.

      posted in Hardware Compatibility
      george1421
    • RE: Lenovo Yoga (20CO-S27700) 2013 - UEFI Mode - Fails to load into FOG. Legacy Mode works fine.

      What iPXE kernel image are you sending to the yoga? This would be set by dhcp option 67? For UEFI mode you will want to send ipxe.efi.

      If the system is failing to boot, please take a picture of the screen with a mobile phone and post it here. It's easier to find the error when you can see the other messages around the error.

      posted in Hardware Compatibility
      george1421
    • RE: Could not boot: Input/Output error(http://ipxe.org/1d0c6539)

      @sbenson The easiest way may not be the direct way. The easiest way is to deploy your clonezilla image to a target computer then immediately pxe boot that system and capture it with fog. This will be the quickest and surest way to ensure the files are in the correct format.

      posted in FOG Problems
      george1421
    • RE: How to update kernel on an isolated network

      @wcheung said in How to update kernel on an isolated network:

      So bzImage32 is the 32 bit and 64 = bzImage. Since I was able to clone the image.

      Yes that is correct for 1.2.0 trunk or 1.3.0. It's been so long since I used 1.2.0 stable I don’t remember exactly if that is the case.

      posted in FOG Problems
      george1421
    • RE: How to update kernel on an isolated network

      @wcheung Well I can say I’m not sure. If you look at /var/www/html/fog/service/ipxe, are there two files with bzImage? Like bzImage and bzImage32. If there is only one file there then that is the 32 bit version and you will need to rename the downloaded bzImage32 to bzImage. In this case you don’t need to download bzImage (that is the 64 bit kernel, it's a bit confusing but the way it is).

      In the current release of fog bzImage32 is the 32 bit and bzImage is the 64 bit version.

      posted in FOG Problems
      george1421
    • RE: How to update kernel on an isolated network

      @wcheung OK I would go ahead and download the ones from the links. Save your original ones just in case. Those will be the latest kernels with the latest hardware support.

      As a fall back position you can download the latest ones specifically targeted for FOG 1.2.0 from here: https://sourceforge.net/projects/freeghost/files/KernelList/

      posted in FOG Problems
      george1421
    • RE: Could not boot: Input/Output error(http://ipxe.org/1d0c6539)

      @sbenson Well we both know that’s not right. The page is complete.

      Can you check the apache error log? Since you are using ubuntu the file should be titled error.log. Tail that file and see if apache threw an error when that happened. I do have to say I’ve seen this before, but I can’t remember off the top of my head the cause. Hopefully the apache error log will give us the path.

      posted in FOG Problems
      george1421
    • RE: Could not boot: Input/Output error(http://ipxe.org/1d0c6539)

      @sbenson Hmm it should be working (obvious statement).

      Let's see what you get when you do this from a browser.

      http://<fog_server_ip>/fog/service/ipxe/boot.php?mac=<mac_address_of_target>

      What that will do is tell FOG to create the iPXE menu specifically for that target computer (where you’ve told it to capture/deploy). You need the mac address of that specific target in the form of 00:00:00:00:00:00. Post the output here.

      posted in FOG Problems
      george1421
    • RE: Could not boot: Input/Output error(http://ipxe.org/1d0c6539)

      @sbenson I can move it to the right section for you.

      So from the FOG iPXE menu have you tested the hardware compatibility? I think it's the last menu item on the iPXE menu.

      posted in FOG Problems
      george1421
    • RE: How to update kernel on an isolated network

      Before we can answer that question, we need to know what version of FOG you’re using? Look about the cloud on the FOG management gui page. There should be a version number up there. The version of FOG will dictate which kernels you can use.

      Now that I think about it, if you are using FOG 1.2.0 or newer you “should” be able to download these:
      https://fogproject.org/kernels/bzImage
      https://fogproject.org/kernels/bzImage32

      These are the latest kernels 4.7.3 (at the time of this post) which were created for FOG 1.3.0. I will say these might not work with 1.2.0, but I think the developers updated them to support the older version of FOG too.

      So where do they go? On your fog server in this directory /var/www/html/fog/service/ipxe just rename the original files and place these in their place.

      posted in FOG Problems
      george1421
    • RE: Could not boot: Input/Output error(http://ipxe.org/1d0c6539)

      Ok just so I understand you can pxe boot the target computer into the FOG iPXE menu, from there you can register/inventory the target computer. From there when you schedule a capture or deploy task you get the above error message?

      posted in FOG Problems
      george1421
    • RE: An error has been detected! No resizable partitions found.

      What version of FOG are you using?

      The word “upload” is a bit confusing since it's based on point of view. Are you capturing or deploying the image? Upload/download words make me think you are using fog 1.2.0 stable??

      posted in FOG Problems
      george1421
    • RE: Fog Client Included After Imaging

      @sourcaffeine At the bottom of this document: https://wiki.fogproject.org/wiki/index.php?title=FOG_Client search for sysprep.

      posted in General
      george1421
    • RE: Extend LDAP plugin to support AD authentication

      I’m going to start a debugging session in a few minutes with this new ldap code. I would consider the current state as alpha code.

      Todo items:

      1. Review the code to ensure it still flows like I intended.
      2. Load the modified code into my production environment and confirm it works as the proof of concept code does.
      3. Work with changing case of groups, dn paths to make sure all case sensitivity is gone.
      4. Clean up the web gui configuration page. Currently there are fields that don’t have any impact on the code (binddn, bindpass, searchscope). The elements were built in place in case we needed to create a more complex ldap auth.

      This code does make a few assumptions about the target environment. I did use less complex logic to keep the lines of code down. It should work well for the different ldap backends. Only testing will tell.

      posted in Feature Request
      george1421
    • RE: Extend LDAP plugin to support AD authentication

      @Lee-Rowlett Thank you for the offer. Tom offered to look at the code last night. I think he found out what I did wrong/needed.

      posted in Feature Request
      george1421
    • RE: Extend LDAP plugin to support AD authentication

      @Wayne-Workman Not sure I understand?

      The intent is to make/change the ldap plugin to work with AD/OpenLDAP/and the Novell one. Unfortunately I have to add some fields to the database to fill in the assumptions in the code. So once I prove it out (we) need to decide if I update the current ldap plugin code (requiring users that have it installed already, to uninstall and reinstall+configure it) or to create a whole new (enhanced) ldap plugin. That decision will be up to the developers on how they want to handle it. Right now I’m doing a proof of concept (on my production server) to answer can it work.

      Testing so far has been very positive. Right now I ran into a roadblock with the hooks that I need to work through. But the problem here is my ignorance of how hooks work not a coding problem.

      posted in Feature Request
      george1421
    • RE: Extend LDAP plugin to support AD authentication

      Well here is my proof of concept code. In AD I setup two groups FOG_Admins and FOG_Users. The script outputs the following
      false := user is not authorized
      1 := User is authorized and is in the FOG_Users group
      2 := User is authorized and is in the FOG_Admins group

      I was going to go with the whole bindDN and bindPassword route, but that also meant that I would have to save the bindPass value in the database. To do that I would have to come up with a way to protect (encrypt) the password and all that. So I flipped the script around to use the person who is logging, their credentials to query AD.

      The next steps here are to integrate the script below into ldapAuth (which shouldn’t be hard at all) then update the database fields, and other creations bits. The last part will be to mess with the ldap gui interface which has me a bit confused on the layout.

      But at the end of the day this is surely possible to get fog to authenticate against AD.

      <?php
      
          function ldapParseDn($dn) {
              /**
               * Returns array of: array (
               *     [CN] => array( username )
               *     [OU] => array( UNITNAME, Region, Country )
               *     [DC] => array ( subdomain, domain, com )
               * )
              **/
      
              $parsr=ldap_explode_dn($dn, 0);
              $out = array();
              foreach($parsr as $key=>$value) {
                  if(FALSE !== strstr($value, '=')) {
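                      // split on the first '=' only so values containing '=' stay intact
                      list($prefix,$data) = explode("=",$value,2);
                      $prefix = strtoupper($prefix);
                      // the /e modifier was removed in PHP 7; decode \XX hex escapes with a callback instead
                      $data=preg_replace_callback('/\\\\([0-9A-Fa-f]{2})/', function ($m) { return chr(hexdec($m[1])); }, $data);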
                      if(isset($current_prefix) && $prefix == $current_prefix) {
                          $out[$prefix][] = $data;
                      } else {
                          $current_prefix = $prefix;
                          $out[$prefix][] = $data;
                      }
                  }
              }
              return $out;
          }
      
          $user = 'testuser';
          $pass = 'testuser.1';
          $server = '192.168.1.5';
      
              // clean up user name we only want the user's short name without any domain component
              // note I did not try to understand the regex expression but I expect there to be
              // issues with non-us english characters, just saying.
              $user = trim(preg_replace('/[^a-zA-Z0-9\-\_@\.]/', '', $user));
      
              // open connection to the server
              $ldapconn = ldap_connect($server,389);
              ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
              ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
      
              $accessLevel = 0;
              // test to confirm that script will handle mixed case
              $userSearchDN = 'ou=nyc,dc=domain,DC=com';
              $adminGroup = 'FOG_Admins';
              $userGroup = 'FOG_Users';
              // test to confirm that script will handle mixed case
              $grpMemberAttr = strtolower('memberOf');
      
              $entries = ldapParseDN($userSearchDN);
              $userDomain = implode(".",$entries['DC']);
              $userDN = sprintf('%s@%s', $user, $userDomain);
      
              if ( ldap_bind($ldapconn, $userDN, $pass) ) {
                  // If we get to here the user is authorized, now lets get the group membership
                  $filter = sprintf('(&(objectCategory=person)(%s=%s))', 'sAMAccountName', $user);
      
                  $attr = array( $grpMemberAttr );
                  $result = ldap_search($ldapconn, $userSearchDN, $filter, $attr);
      
                  // count the number of entries returned
                  $retcount = ldap_count_entries($ldapconn, $result);
      
                  if ($retcount > 0) {
                      $entries = ldap_get_entries($ldapconn, $result);
      
                      // check groups for membership
                      foreach($entries[0][$grpMemberAttr] as $grps) {
                          // is admin user, set level and break loop
                          // (strpos returns 0 for a match at the start, so compare against false)
                          if(strpos( $grps, $adminGroup ) !== false) { $accessLevel = 2; break; }

                          // is user, set level and keep looking just in case user is in both groups
                          if(strpos( $grps, $userGroup ) !== false) $accessLevel = 1;
                      }
                  }
                  // close our connection as bindDN
                  ldap_unbind( $ldapconn );
      
                  print $accessLevel;
      
              } else {
                  print 'unable to bind using user info, user is not authorized in ldap';
      
              }
       ?>
      
      
      
      posted in Feature Request
      george1421
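
Added example (not part of george1421's post or the FOG LDAP plugin's code): the proof of concept above tests group membership by looking for the group name anywhere inside each memberOf DN, so any group or OU whose name merely contains FOG_Admins would also grant level 2. The sketch below compares only the leaf CN, exactly and case-insensitively; leafCn(), fogAccessLevel() and the sample DNs are constructed for illustration and assume the PHP ldap extension is loaded.

```php
<?php
// Added example: map memberOf DNs to an access level by comparing the
// leaf RDN exactly instead of substring-matching the whole DN.
// leafCn() and fogAccessLevel() are hypothetical names, not FOG functions.

function leafCn(string $dn): ?string {
    // ldap_explode_dn() works offline: array('count' => n, 0 => 'CN=...', ...)
    $parts = ldap_explode_dn($dn, 0);
    if ($parts === false || empty($parts['count'])) {
        return null;
    }
    $rdn = explode('=', $parts[0], 2);
    if (count($rdn) !== 2 || strcasecmp(trim($rdn[0]), 'CN') !== 0) {
        return null;   // leaf RDN is not a CN, so it cannot name a group here
    }
    // special characters come back as \XX hex escapes; decode them
    return preg_replace_callback('/\\\\([0-9A-Fa-f]{2})/', function ($m) {
        return chr(hexdec($m[1]));
    }, $rdn[1]);
}

function fogAccessLevel(array $memberOf, string $adminGroup, string $userGroup): int {
    $level = 0;
    foreach ($memberOf as $dn) {
        if (!is_string($dn)) {
            continue;  // skips the integer 'count' element from ldap_get_entries()
        }
        $cn = leafCn($dn);
        if ($cn === null) {
            continue;
        }
        if (strcasecmp($cn, $adminGroup) === 0) {
            return 2;  // admin wins, stop looking
        }
        if (strcasecmp($cn, $userGroup) === 0) {
            $level = 1;
        }
    }
    return $level;
}

// Constructed sample: the first DN only *contains* the admin group name,
// the second is the user group written in a different case.
$memberOf = array(
    'count' => 2,
    'CN=Old_FOG_Admins_Archive,OU=Groups,DC=domain,DC=com',
    'cn=fog_users,OU=Groups,DC=domain,DC=com',
);
var_dump(fogAccessLevel($memberOf, 'FOG_Admins', 'FOG_Users'));
```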