Is this Nethserver module helpful to you?
Please consider donating to the author

Thank you kindly!

2019/03/04 05:32 · HF

WAPT 1.8

Available for NS7: BETA stage

WAPT installs, updates and removes software and configurations on Windows devices. Software deployment (Firefox, MS Office, etc.) can be carried out from a central server using a graphical console. WAPT takes many ideas from the Debian Linux apt package management tool, hence its name.

WAPT is intended to help IT administrators manage their deployed base of desktops, laptops and tablets running a Microsoft Windows client (from XP to 10), their deployed base of Windows servers (from 2003 to 2019), or their deployed base of Windows Intel tablets.

WAPT exists in two versions, community and enterprise; the differences are listed at https://www.wapt.fr/en/doc/wapt-enterprise-community-comparison.html

WAPT must be installed on a dedicated server; you cannot use it on a gateway, since httpd is stopped and replaced by nginx on TCP ports 80 and 443. See the documentation statements.

This work is based on the community version; the enterprise version offers more functionality that I have not been able to work on yet.

Stephane de Labrusse at stephdl@de-labrusse.fr

Network layout assumed in the statements below, if you want Kerberos authentication:

  • a server to install the AD (nethserver-dc): DNS name ns7dev13.nethservertest.org
  • the AD domain is ad.nethservertest.org
  • the DNS name of the AD container is nsdc-ns7dev13.ad.nethservertest.org
  • a server bound to the AD, on which WAPT is installed: DNS name ns7dev8.nethservertest.org

The Samba AD must be the DNS server of the network, and the time must be synchronized among all computers.

On ns7dev8.nethservertest.org:

1- You need to install my repository, see how to do it.

2- You need to install the WAPT repository:

cat > /etc/yum.repos.d/wapt.repo <<EOF
[wapt]
name=WAPT Server Repo
baseurl=https://wapt.tranquil.it/centos7/wapt-1.8/
enabled=1
gpgcheck=0
EOF

3- Install the account provider (optional)

WAPT can protect the agent in several ways: either with the admin password or with Kerberos authentication. For Kerberos authentication you need to enable the Samba AD account provider (nethserver-dc), locally or remotely.

4- Install WAPT:

yum install nethserver-wapt --enablerepo=stephdl

Once installed, the services are up, but authentication to the server is not protected and the admin password has been generated randomly (you can find it in /var/log/messages). In the terminal of your server run the following script, which will:

/opt/wapt/waptserver/scripts/postconf.sh --force-https
  • Reset the password
  • Choose the authentication (free/kerberos/password)

    For Kerberos the client must join a valid Microsoft/Samba AD domain, and the NethServer server must be bound to a local or remote AD.

  • Configure nginx
  • Restart the waptserver/wapttasks

Windows console

Use your browser to reach the default page of the WAPT server, download the WAPT SETUP and install it.

  • Give the URL of the server, using a DNS name that can be resolved:
https://ns7dev8.nethservertest.org/wapt
https://ns7dev8.nethservertest.org
  • launch the WAPT console
  • log in to the console with the user admin and the password set on the server with /opt/wapt/waptserver/scripts/postconf.sh
  • create the certificate for the user of the console (each admin gets a certificate to sign the packages)
  • create the wapt-agent (must be done at least once). You can secure the WAPT server by verifying the certificate or by using Kerberos (the client must join a valid Samba AD)
  • upload the wapt-agent to the server (automatic)

Windows wapt client

Easy: download, install, verify the URL.

Deploy the window agent with GPO

Official documentation exists; deploying the waptagent with waptdeploy via GPO from the NethServer Samba AD works well.

You just need to add the correct waptsetup URL to the script parameters, because waptdeploy defaults to HTTP and we use HTTPS:

--hash=AGENTHASH --minversion=1.8.2.7267 --wait=15 --waptsetupurl=https://WAPT_IP/wapt/waptagent.exe

Reconfigure wapt

You can change the admin password or the authentication method with:

/opt/wapt/waptserver/scripts/postconf.sh --force-https

Samba AD

The Samba AD (either a Microsoft server or the NethServer) must be the DNS server of the network, and the time must be synchronized among all computers.

Client

  • On a client you can check the log at C:\Program Files (x86)\wapt\log\waptservice
  • Check that the client has joined the domain

On the server, the command account-provider-test dump outputs the settings needed to bind the AD:

account-provider-test dump
   "host" : "nsdc-ns7dev13.ad.nethservertest.org",

The hostname must resolve; in cmd.exe on your client run:

nslookup nsdc-ns7dev13.ad.nethservertest.org

On a Windows 10 client, in cmd.exe, try: klist get HTTP/nsdc-ns7dev13.ad.nethservertest.org

This must succeed before you continue:

C:\Users\stephane>klist get HTTP/nsdc-ns7dev13.ad.nethservertest.org

LogonId est 0:0x8d14f
Un ticket pour HTTP/nsdc-ns7dev13.ad.nethservertest.org a été récupéré.

Tickets mis en cache : (2)

#0>     Client : stephane @ AD.NETHSERVERTEST.ORG
        Serveur : krbtgt/AD.NETHSERVERTEST.ORG @ AD.NETHSERVERTEST.ORG
        Type de chiffrement KerbTicket : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de tickets 0x40e00000 -> forwardable renewable initial pre_authent
        Heure de démarrage : 8/30/2020 12:19:50 (Local)
        Heure de fin :   8/30/2020 22:19:50 (Local)
        Heure de renouvellement : 9/6/2020 12:19:50 (Local)
        Type de clé de session : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de cache : 0x1 -> PRIMARY
        KDC appelé : nsdc-ns7dev13.ad.nethservertest.org

#1>     Client : stephane @ AD.NETHSERVERTEST.ORG
        Serveur : HTTP/nsdc-ns7dev13.ad.nethservertest.org @ AD.NETHSERVERTEST.ORG
        Type de chiffrement KerbTicket : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de tickets 0x40ac0000 -> forwardable renewable pre_authent ok_as_delegate 0x80000
        Heure de démarrage : 8/30/2020 12:19:50 (Local)
        Heure de fin :   8/30/2020 22:19:50 (Local)
        Heure de renouvellement : 9/6/2020 12:19:50 (Local)
        Type de clé de session : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de cache : 0
        KDC appelé : nsdc-ns7dev13.ad.nethservertest.org

Server

  • Logs
/var/log/wapttasks.log
/var/log/waptserver.log
/var/log/nginx/access.log
/var/log/nginx/error.log
  • Keytab

The keytab holds the key that lets nginx bind to the AD; it is an important piece of the authentication.

[root@ns7dev8 ~]# ll /etc/nginx/http-krb5.keytab 
lrwxrwxrwx 1 root root 16 Aug 30 14:14 /etc/nginx/http-krb5.keytab -> /etc/krb5.keytab
[root@ns7dev8 ~]# ll /etc/krb5.keytab
-rw-r----- 1 root nginx 2252 Aug 30 12:13 /etc/krb5.keytab

You must be able to read the keytab; the principal names inside are those of the account provider:

[root@ns7dev13 ~]# ktutil
ktutil:  read_kt /etc/nginx/http-krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 host/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
   2    1      host/NS7DEV13@AD.NETHSERVERTEST.ORG
   3    1 host/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
   4    1      host/NS7DEV13@AD.NETHSERVERTEST.ORG
   5    1 host/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
   6    1      host/NS7DEV13@AD.NETHSERVERTEST.ORG
   7    1 host/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
   8    1      host/NS7DEV13@AD.NETHSERVERTEST.ORG
   9    1 host/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
  10    1      host/NS7DEV13@AD.NETHSERVERTEST.ORG
  11    1 restrictedkrbhost/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
  12    1 restrictedkrbhost/NS7DEV13@AD.NETHSERVERTEST.ORG
  13    1 restrictedkrbhost/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
  14    1 restrictedkrbhost/NS7DEV13@AD.NETHSERVERTEST.ORG
  15    1 restrictedkrbhost/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
  16    1 restrictedkrbhost/NS7DEV13@AD.NETHSERVERTEST.ORG
  17    1 restrictedkrbhost/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
  18    1 restrictedkrbhost/NS7DEV13@AD.NETHSERVERTEST.ORG
  19    1 restrictedkrbhost/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
  20    1 restrictedkrbhost/NS7DEV13@AD.NETHSERVERTEST.ORG
  21    1          NS7DEV13$@AD.NETHSERVERTEST.ORG
  22    1          NS7DEV13$@AD.NETHSERVERTEST.ORG
  23    1          NS7DEV13$@AD.NETHSERVERTEST.ORG
  24    1          NS7DEV13$@AD.NETHSERVERTEST.ORG
  25    1          NS7DEV13$@AD.NETHSERVERTEST.ORG

The DNS names must resolve. In the terminal of the server run:

[root@ns7dev8 ~]# host ns7dev13.ad.nethservertest.org
ns7dev13.ad.nethservertest.org has address 192.168.12.183
[root@ns7dev8 ~]# host AD.NETHSERVERTEST.ORG
AD.NETHSERVERTEST.ORG has address 192.168.12.184
[root@ns7dev8 ~]# host nsdc-ns7dev13.ad.nethservertest.org
nsdc-ns7dev13.ad.nethservertest.org has address 192.168.12.184
  • Display the Kerberos ticket
    In the terminal of the server run:
[root@ns7dev8 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: NS7DEV8$@AD.NETHSERVERTEST.ORG

Valid starting       Expires              Service principal
08/30/2020 12:13:16  08/30/2020 22:13:16  krbtgt/AD.NETHSERVERTEST.ORG@AD.NETHSERVERTEST.ORG
	renew until 09/06/2020 12:13:16
08/30/2020 12:13:16  08/30/2020 22:13:16  ldap/nsdc-ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
	renew until 09/06/2020 12:13:16
08/30/2020 12:13:16  08/30/2020 22:13:16  ldap/nsdc-ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
	renew until 09/06/2020 12:13:16
[root@ns7dev8 ~]# klist -l
Principal name                 Cache name
--------------                 ----------
NS7DEV8$@AD.NETHSERVERTEST.ORG FILE:/tmp/krb5cc_0
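The checks from the Client and Server sections (DNS resolution, keytab ownership and mode, keytab principals, ticket cache) gathered into one script, as an added example that is not part of nethserver-wapt or of the WAPT project. It assumes the lab names used on this page (AD.NETHSERVERTEST.ORG, ns7dev13.ad.nethservertest.org, nsdc-ns7dev13.ad.nethservertest.org), the keytab path /etc/nginx/http-krb5.keytab and the nginx group; the function names are mine. Run it on the WAPT server as `sh wapt-krb-check.sh run`; without the argument it only defines the functions, so they can be sourced and used on saved `klist` output.

```shell
#!/bin/sh
# Added example (not part of nethserver-wapt): run the Kerberos prerequisite
# checks of this page in one go on the WAPT server. The names below are the
# page's test lab (assumed); replace them with your own AD.
AD_REALM="AD.NETHSERVERTEST.ORG"
AD_HOST="ns7dev13.ad.nethservertest.org"
AD_DC="nsdc-ns7dev13.ad.nethservertest.org"
KEYTAB="/etc/nginx/http-krb5.keytab"
NGINX_GROUP="nginx"

# A keytab holds long-term keys: it must not be readable by "other",
# i.e. the last octal digit of its mode must be 0 (0640 on the page).
keytab_mode_ok() {  # $1 = keytab path (the symlink is followed)
    mode=$(stat -L -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in *0) return 0 ;; *) return 1 ;; esac
}

# Only root and the group nginx runs as may read it ("root:nginx" on the page).
keytab_owner_ok() {  # $1 = keytab path, $2 = expected "user:group"
    [ "$(stat -L -c '%U:%G' "$1" 2>/dev/null)" = "$2" ]
}

# Count the principals of one service type (host/, restrictedkrbhost/, HTTP/)
# in a saved listing such as the output of `ktutil list` or `klist -k`.
# The leading blank keeps "host/" from also matching "restrictedkrbhost/".
count_principals() {  # $1 = listing file, $2 = service prefix, e.g. host/
    c=$(grep -c -- "[[:space:]]$2[^[:space:]]*@$AD_REALM" "$1" 2>/dev/null) || true
    echo "${c:-0}"
}

# Every name Kerberos and nginx rely on must resolve from this server.
names_resolve() {  # $@ = DNS names
    for n in "$@"; do
        host "$n" >/dev/null 2>&1 || { echo "unresolved: $n" >&2; return 1; }
    done
}

# A saved `klist` output must show a ticket for the given service, e.g. the
# TGT krbtgt/REALM, without which no service ticket can be requested.
cache_has_service() {  # $1 = file holding `klist` output, $2 = service name
    grep -q -- "$2@$AD_REALM" "$1"
}

main() {
    rc=0
    names_resolve "$AD_HOST" "$AD_DC" "$AD_REALM" || rc=1
    keytab_mode_ok "$KEYTAB" || { echo "keytab missing or readable by other" >&2; rc=1; }
    keytab_owner_ok "$KEYTAB" "root:$NGINX_GROUP" || { echo "keytab not owned by root:$NGINX_GROUP" >&2; rc=1; }
    tmp=$(mktemp)
    klist -k "$KEYTAB" > "$tmp" 2>/dev/null || echo "cannot read keytab $KEYTAB" >&2
    echo "host/ principals:              $(count_principals "$tmp" host/)"
    echo "restrictedkrbhost/ principals: $(count_principals "$tmp" restrictedkrbhost/)"
    klist > "$tmp" 2>/dev/null || true
    cache_has_service "$tmp" "krbtgt/$AD_REALM" || { echo "no TGT in the ticket cache" >&2; rc=1; }
    rm -f "$tmp"
    return $rc
}

# Run the checks only when asked, so the file can also be sourced for its functions.
case "${1:-}" in run) main ;; esac
```

The mode and ownership checks are treated as failures on purpose: the keytab is equivalent to the machine's credentials, so a copy readable by any local user would let that user authenticate as the host, which is why the page shows it as 0640 root:nginx.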

After removing nethserver-wapt tis-waptserver tis-waptsetup postgresql96\* nginx\* we must restart httpd:

yum remove nethserver-wapt tis-waptserver tis-waptsetup postgresql96\* nginx\*
config setprop httpd status enabled
config setprop nginx status disabled
signal-event runlevel-adjust

Please raise issues on GitHub.