RE: Windows 10 Anonymous Share Issue Printer Management

@Wayne-Workman
@george1421

I figured this one out… I was having problems with security. One of Windows 10’s recent updates (as in the last 3 months or so) was blocking connections to anonymous shares. It allowed them but they needed to be authenticated. For those of you who stumble across this post…

Add your FOG server to your domain and configure Kerberos. After you do this you will need to configure your driver share. I have included the way I did mine and it works. This configuration is for using an existing domain controller. In our case, we use Windows Server 2012 to do domain control.

Do the following:

yum install samba*
yum install krb5-libs krb5-workstation

Confuguration Kerberos /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = YOURDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
DOMAIN.TN = {
kdc = dns-name-your-domain-controller
}

[domain_realm]
netbiosnameyourdoamin = NETBIOSNAMEYOURDOMAIN
netbiosnameyourdomain = NETBIOSNAMETYOURDOMAIN
Configuration samba /etc/samba/smb.conf

[global]

workgroup = DOMAIN
password server = dns-name-your-domain-controller:88
realm = NETBIOSNAMETYOURDOMAIN
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = true

log file = /var/log/samba/log.%m
max log size = 50

passdb backend = tdbsam

load printers = yes
cups options = raw

[homes]
comment = Home Directories
browseable = no
writable = yes

[printerdrivers]
comment = All FOG Printers
path = /PATHTODRIVERS
browseable = no
guest ok = no
writable = yes

Add dns name in /etc/hosts

Install and configuration ntp server (It’s important for use Kerborose authorization)

yum install ntpd
edit /etc/ntp.conf
server ip-address-your-ntp-server prefer
Create ticket
kinit account-admin-for-active-directory@NETBIOSNAMETYOURDOMAIN
Add server in domain

net ads join -S dns-name-your-domain-controller -U account-admin-for-active-directory
Create keytab for Kerberos

net ads keytab create -U account-admin-for-active-directory
Edit file /etc/nsswitch.conf

passwd: files winbind
shadow: files winbind
group: files winbind

Restart samba and windind

Test
net ads info
wbinfo -t

FOG Version: 1.5.7.1
FOG OS: CentOS
Client OS: Windows 10 PRO

Hello! I am currently having an issue deploying printers from an anonymous SMB share to any WIndows Host… I have been getting an error stating:

“You can’t access this shared folder because your organization’s security policies block unauthenticated guest access. These policies help protect your PC from unsafe malicious devices on the network.”

I never use to get this message until the most recent Windows 10 update.

@Wayne-Workman do you have a work around for this?

Thanks!

@p4cm4n

Ding ding ding ding! I need to set my dhcp server settings for UEFI!!! Thanks!!!

@george1421

I just tried it with the Secure Boot off and it failed the same way it did before.

It never even begins to load the iPXE.

@george1421

The BIOS says:

Downloading NBP file...

NBP file downloaded successfully.

Than it returns to starting to load Windows. I never see a FOG PXE boot screen at all. I’m running the 4.19.48 32 and 64 Kernel Versions. I have secure boot enabled.

I have the following enabled in UEFI:

Boot Options:
Onboard NIC (IPV4)

System Configuration:
Integrated NIC
Enable UEFI Network Stack
Enabled with PXE

SATA Operation:
AHCI

Secure Boot:
Enable Secure Boot
Audit Mode (I tried this doesn’t make a difference)

POST Behavior:
FAST Boot Thorough

@p4cm4n

Did you manage to get this figured out? My coworker ordered a pile of these and I can’t get it to PXE using UEFI… Any advice there?

Thanks!

Cheers!

@Sebastian-Roth

My thought was to keep it simple. The INF file would remain on the server as it is currently with the printer module. The main goal with my idea is to make creating printers quicker and easier.

With the current setup you have to create a share directory on the FOG server (eg. SAMBA share) or locate an anonymously shared directory on an existing MS server where your inf files are located. Installing and setting up the SAMBA share is fairly straightforward. Getting the permissions correct the first time can be slightly challenging for some people. Why not incorporate the existing images directory share (as we do with snapins)? Have the very same upload option available when you upload INF files (the same as it is currently available for snapins). The upload feature would place the inf file in it’s own directory in the images directory.

It may be more code than it’s worth. I figured we could utilize the same code that is currently being used with the snapin feature (with a few mods). But I’m a novice coder. :-)

@Sebastian-Roth

I can understand that. What I mean is that in the printer feature where you enter in the location of the inf file it would be helpful if you could locate and upload the file in the same manner as you do a snappin. Hopefully that makes more since now. 😄

Hi all!

So I have been recently rebuilding my FOG server and thought of a feature that would be very handy to have. Is there any way we could have an option, in Snapins, to locate and select the inf file locally, like you can select the snapin file in the snapin addon? That would be super helpful.

I appreciate all you do!

Thanks!

Joe

I’m on fire today guys… I apologize for all of these mis-posts… The reason why my FOG hosts aren’t getting jobs is because my old server is still online… I was running an old image that had my previous server IP on it for the client…

Boy oh boy! Glad it was that simple. I believe that is the end of it.

Please mark this as solved.