RE: Modifying Boot Menu

@george1421 said in Modifying Boot Menu:

Now when you select a iPXE menu item it then “should” transfer the bzImage (kernel) and init.zx (the virtual hard drive) to the target computer. That error message you posted is the kernel not understanding the format of the virtual hard drive.

You have to understand that imaging with FOG is a complex dance between 4 different technologies and you went to hard mode right away. This does work we just need to identify what happened.

edit: The bzImage and init.zx are the 64 bit images and bzImage32 and init32.xz are the 32 bit images they are a match pair. If somehow these pairings got messed up it would create the error you posted too.

@mbarker Well I can say you jumped right into a complex issue where you don’t have access to the dhcp server and are trying proxy dhcp.

Just browsing through the dnsmasq log everything looks great. Default ipxe should be the product. The results should be the fog iPXE menu from this. The undionly.kpxe is the iPXE kernel that gets loaded onto the target computer. What you should see from there should be the fog ipxe menu.

@mbarker said in Modifying Boot Menu:

…this is an x64 system, but I can’t find in the menu setups where to change to init32.xz (if I remember the documentation correctly, that should be used on x64 systems)

Just for clarity the iPXE menu determines what kernel to send to the target computer. You can force a specific kernel if you manually register the host, but in general the iPXE kernel will decide what the target needs and send the right FOS Engine kernel/vhd pair to the target.

@mbarker OK so you are using FOG 1.3.0-RCx series and dnsmasq, what are you ending out for dhcp option 67? You have to remember that there are two different pxe boot kernels one for bios (legacy) and one for uefi. You need to ensure you send the right file to the target computer.

Your error almost sounds like you are either sending an old syslinux kernel or an old iPXE kernel to the target computer. You should NOT be sending pxelinux.0 to the target computer. Use undionly.kpxe or ipxe.efi

@2cool4me4 put an unmanaged (dumb) switch between the building switch and the target computer.

@mbarker said in Modifying Boot Menu:

Are the phones and target systems in the same subnet? If they are on different subnets then you can just create different scopes for each subnet.

For your clients, what is their dhcp server? If its server 2012 there are a few more options you can use.

Lastly you can setup a usb boot option, but that adds an additional layer of complexity.

You can have spanning tree enabled (and should), but you need to enable one of the fast stp protocols (port fast, fast stp, rstp, and a few others I can’t remember). Standard spanning tree takes 27 seconds to start to forward data while it listens for other infrastructure devices.

And yes (depending on what version of fog you’re running the boot process has changed greatly).

@adukes40 yes you can have more than one. Just keep the kernel parameters stuck together pci=noacpi and then a space between the kernel parameters pci=noacpi video=vga magic=tom and so on.

@jflanagin In your case since you have a 100MB pipe between the remote sites and your HQ and you only have a few hundred computers the best way to set this up is to use a full FOG server at HQ and then FOG Storage nodes at each location. Then within the FOG Master node (at HQ) you will install the location plugin. Then with the location plugin create 4 locations and assign a storage node to that location. Configure the dhcp server at each location to send dhcp 66 and 67 to the local storage node. Your images (that can only be captured on the FOG master node at HQ) will automatically replicate to each storage node. If you update an image at HQ it will automatically replicate to all storage nodes in the same storage group. You will probably want to change the fog client check in interval to be something like 15 minutes or more from the default 5 minute check in to reduce wan traffic. This way there is only one fog server and no need to mess with the FOG config file on the target computers.

I don’t have an immediate answer for you but a few comments.

1. It would be interesting to know if (now) you pxe boot one these systems and run through full registration, would it add the wifi mac address?

2. Its interesting that deploy a printer uses the mac address at all. I would expect it to use either the hostname or the hostid when deploying to the target computers.

3. As for the pci=noacpi if it was me (being the lazy person i am) I would have updated the global kernel arg setting with this value, then registered all of these systems with the normal process. Actually you can probably leave that setting in the global kernel boot settings for all systems. It shouldn’t (just guessing) have any impact on other models, since this kernel switch is disabling acpi that seems to be broken on this 40 dell laptops. I would test this, but it would probably be safe to leave it in, or leave it in while you are registering these systems then use the fog group function to deploy this settings to the specific hosts that require it. Then remove it from the global kernel args.

I’ve started a feature request here to document the process of reviewing the current LDAP plugin.
https://forums.fogproject.org/topic/8575/extend-ldap-plugin-to-support-ad-authentication

After reviewing the current ldap plugin there are only about 30 lines of code that is used for authentication. I believe that if I can add a few database fields to remove some of the assumptions that the code CAN be converted to support AD authentication.

The current ldap plugin is missing the capability to authenticate via AD using LDAP. This request will document the changes needed to add this capability.

I agree, upgrade to the 1.3.0-RCx series then you have a few more options, the wiki you referenced will work or there is a way to use a grub boot usb drive that doesn’t use iPXE. But for you usb booting into the iPXE menu is a cleaner way to go about it.

A slight alteration on Thiago’s process (which is spot on) is in step 3 to not configure the target computer to boot through the FOG server. Have the local hard drive default and have the client just press the F12 key during booting and then pick the Network adapter as the boot device. That way FOG will only be used during image.

Let me first say, welcome to the FOG Project.

Second lets make sure we understand what version of FOG you are using and let me also say if you are not on FOG 1.3.0-RCx then you need to be then you can do away with all of the messing around with pxe boot menus.

From there if you don’t want to take advantage of all of the features of FOG then you don’t need to register them. With the new version of fog there is a pxe boot menu item already called quick image (or maybe they changed it to quick or immediate deploy, I can’t remember) but from that menu you can select the image type and then FOG will deploy that image to the target computer right away. You don’t need to touch the fog console, that can all be done right from the target computer.

Now from the Windows side, you need to decide if you will create a hardware specific image with all of the proper drivers in the sysprep image, or you will create a single windows image and then deploy the proper windows drivers based on the hardware model of the system you are deploying to. There are different approaches depending on the direction you want to go with.

@Wayne-Workman said in Microsoft Surface Pro 4 with Surface Docking Station - Unable to get boot file:

I just wish I had one of these things to test with. They are just so expensive…

Just remember that the FOG Project team is always willing to accept donations of a surface pro 4, if getting FOG 1.3.0 fully compatible with a surface pro 4 is mandatory for the posters environment.

@Wayne-Workman Do you think we have enough discrete bits of information to make a wiki page on the surface pro 4? As these devices become more popular I can see the volume of quesitons increase. Having one location (you look here->) would add real value from a support perspective.

@davido38 Thank you this confirms my concept that its possible to make the ldap code work generally with AD. I’ve been looking at the ldap plugin code over my lunch hour, and I see what they are doing. There are several assumptions (i.e. your LDAP should be setup in a certain way) in the code to fill in the missing fields, which may not work in all situations.

But, in concept the code should be able to be updated to support AD.

The ldap query might look something like this

ref: http://stackoverflow.com/questions/1032351/how-to-write-ldap-query-to-test-if-user-is-member-of-a-group

(&(objectClass=user)(sAMAccountName=yourUserName)
  (memberof=CN=YourGroup,OU=Users,DC=YourDomain,DC=com))

Translated into fields

(&(objectClass=user)({User naming attribute}={UserID})
  ({Group member attribute}={Group naming attribute}={Group name},{Base DN}))

I do have to say I have not looked at the php code yet to see if this can be reverse engineered into the code. I’m just collecting examples of the process right now.

Use php to query ldap with group membership
ref: https://samjlevy.com/use-php-and-ldap-to-get-a-users-group-membership-including-the-primary-group/

This is ref is a bit more onpoint than the above ref: https://samjlevy.com/php-login-script-using-ldap-verify-group-membership/

<?php
// Initialize session
session_start();
 
function authenticate($user, $password) {
	if(empty($user) || empty($password)) return false;
 
	// Active Directory server
	$ldap_host = "server.college.school.edu";
 
	// Active Directory DN
	$ldap_dn = "OU=Departments,DC=college,DC=school,DC=edu";
 
	// Active Directory user group
	$ldap_user_group = "WebUsers";
 
	// Active Directory manager group
	$ldap_manager_group = "WebManagers";
 
	// Domain, for purposes of constructing $user
	$ldap_usr_dom = '@college.school.edu';
 
	// connect to active directory
	$ldap = ldap_connect($ldap_host);
 
	// verify user and password
	if($bind = @ldap_bind($ldap, $user.$ldap_usr_dom, $password)) {
		// valid
		// check presence in groups
		$filter = "(sAMAccountName=".$user.")";
		$attr = array("memberof");
		$result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
		$entries = ldap_get_entries($ldap, $result);
		ldap_unbind($ldap);
 
		// check groups
		foreach($entries[0]['memberof'] as $grps) {
			// is manager, break loop
			if(strpos($grps, $ldap_manager_group)) { $access = 2; break; }
 
			// is user
			if(strpos($grps, $ldap_user_group)) $access = 1;
		}
 
		if($access != 0) {
			// establish session variables
			$_SESSION['user'] = $user;
			$_SESSION['access'] = $access;
			return true;
		} else {
			// user has no rights
			return false;
		}
 
	} else {
		// invalid name or password
		return false;
	}
}
?>