WAPT 1.8 (software update repository)
Available for NS7: BETA stage
WAPT installs, updates and removes software and configurations on Windows devices. Software deployment (Firefox, MS Office, etc.) can be carried out from a central server using a graphical console. WAPT borrows many ideas from the Debian Linux apt package management tool, hence its name.
WAPT is intended to help IT administrators manage their deployed base of computer desktops, laptops, tablets running a Microsoft Windows client (from XP to 10), their deployed base of Windows servers (from 2003 to 2019) or their deployed base of Windows Intel tablets.
WAPT exists in two versions, Community and Enterprise. The differences are listed at: https://www.wapt.fr/en/doc/wapt-enterprise-community-comparison.html
WAPT must be installed on a dedicated server; you cannot use it on a gateway. httpd is stopped and replaced by nginx on TCP ports 80 and 443. See the documentation statements.
This work is based on the community version; the enterprise version offers more functionality, which I have not been able to work on so far.
Maintainer
Stephane de Labrusse at stephdl@de-labrusse.fr
Installation
Network layout assumed if you want Kerberos authentication:
- a server to install the AD (nethserver-dc): DNS name ns7dev13.nethservertest.org
- the AD is ad.nethservertest.org
- the DNS name of the AD container is nsdc-ns7dev13.ad.nethservertest.org
- a server bound to the AD to install WAPT: DNS name ns7dev8.nethservertest.org
The Samba AD must be the DNS server of the network, and the time must be synchronized among all computers.
On ns7dev8.nethservertest.org:
1- You need to install my repository (see how to do it)
2- You need to install the WAPT repository
cat > /etc/yum.repos.d/wapt.repo <<EOF
[wapt]
name=WAPT Server Repo
baseurl=https://wapt.tranquil.it/centos7/wapt-1.8/
enabled=1
gpgcheck=0
EOF
3- Install the account provider (optional)
WAPT can protect the agent in several ways: either with the admin password or with Kerberos authentication. For Kerberos authentication you need to enable the Samba AD account provider (nethserver-dc), locally or remotely.
4- You can install wapt
yum install nethserver-wapt --enablerepo=stephdl
First access
Once installed, the services are up, but the authentication to the server is not protected and the password is randomly created. In the terminal of your server (you can find it in /var/log/messages), run:
/opt/wapt/waptserver/scripts/postconf.sh --force-https
- Reset the password
- Choose the authentication (free/kerberos/password)
For Kerberos, the client must join a valid Microsoft/Samba AD domain, and the NethServer server must be bound to a local or remote AD.
- Configure nginx
- Restart the waptserver/wapttasks
Windows console
Use your browser to reach the default page of the WAPT server, then download the WAPT SETUP and install it.
- Give the URL of the server with a DNS name that can be resolved
https://ns7dev8.nethservertest.org/wapt
https://ns7dev8.nethservertest.org
- launch the wapt console
- log in to the console with the user admin and the password set on the server with /opt/wapt/waptserver/scripts/postconf.sh
- create the certificate for the user of the console (each admin gets a certificate to sign the package)
- create the wapt-agent (must be done at least once)
You can secure the WAPT server by verifying the certificate or by using Kerberos (the client must join a valid Samba AD)
- upload the wapt-agent to the server (automatic)
- Read the documentation of the console https://www.wapt.fr/en/doc/wapt-usage/index.html and https://www.wapt.fr/en/doc/wapt-usage/wapt-console-detail.html
Windows wapt client
Deploy the Windows agent with GPO
Official documentation exists. Deploying the waptagent with waptdeploy via GPO from NethServer Samba AD works well.
You just need to add the correct waptsetup URL to the script parameters, because waptdeploy defaults to http and we use https:
--hash=AGENTHASH --minversion=1.8.2.7267 --wait=15 --waptsetupurl=https://WAPT_IP/wapt/waptagent.exe
Debug
Reconfigure wapt
You can change the admin password or the authentication method
/opt/wapt/waptserver/scripts/postconf.sh --force-https
Samba AD
The Samba AD (either the Microsoft server or the NethServer) must be the DNS server of the network, and the time must be synchronized among all computers.
Client
- On a client, you can check the log at C:\Program Files (x86)\wapt\log\waptservice
- Check whether the client has joined the domain
On the server, the command account-provider-test dump outputs the settings necessary to bind the AD:
account-provider-test dump
"host" : "nsdc-ns7dev13.ad.nethservertest.org",
The hostname must resolve. In cmd.exe on your client:
nslookup nsdc-ns7dev13.ad.nethservertest.org
On Windows 10, in cmd.exe on the client, try: klist get HTTP/nsdc-ns7dev13.ad.nethservertest.org
This must succeed before you continue.
C:\Users\stephane>klist get HTTP/nsdc-ns7dev13.ad.nethservertest.org
LogonId est 0:0x8d14f
Un ticket pour HTTP/nsdc-ns7dev13.ad.nethservertest.org a été récupéré.
Tickets mis en cache : (2)
#0>     Client : stephane @ AD.NETHSERVERTEST.ORG
        Serveur : krbtgt/AD.NETHSERVERTEST.ORG @ AD.NETHSERVERTEST.ORG
        Type de chiffrement KerbTicket : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de tickets 0x40e00000 -> forwardable renewable initial pre_authent
        Heure de démarrage : 8/30/2020 12:19:50 (Local)
        Heure de fin : 8/30/2020 22:19:50 (Local)
        Heure de renouvellement : 9/6/2020 12:19:50 (Local)
        Type de clé de session : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de cache : 0x1 -> PRIMARY
        KDC appelé : nsdc-ns7dev13.ad.nethservertest.org
#1>     Client : stephane @ AD.NETHSERVERTEST.ORG
        Serveur : HTTP/nsdc-ns7dev13.ad.nethservertest.org @ AD.NETHSERVERTEST.ORG
        Type de chiffrement KerbTicket : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de tickets 0x40ac0000 -> forwardable renewable pre_authent ok_as_delegate 0x80000
        Heure de démarrage : 8/30/2020 12:19:50 (Local)
        Heure de fin : 8/30/2020 22:19:50 (Local)
        Heure de renouvellement : 9/6/2020 12:19:50 (Local)
        Type de clé de session : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de cache : 0
        KDC appelé : nsdc-ns7dev13.ad.nethservertest.org
Server
- Logs
/var/log/wapttasks.log
/var/log/waptserver.log
/var/log/nginx/access.log
/var/log/nginx/error.log
- Keytab
The keytab is the key that allows nginx to bind the DN; it is an important piece of the authentication.
[root@ns7dev8 ~]# ll /etc/nginx/http-krb5.keytab
lrwxrwxrwx 1 root root 16 Aug 30 14:14 /etc/nginx/http-krb5.keytab -> /etc/krb5.keytab
[root@ns7dev8 ~]# ll /etc/krb5.keytab
-rw-r----- 1 root nginx 2252 Aug 30 12:13 /etc/krb5.keytab
You must be able to read the keytab; the URLs inside are the URLs of the account provider.
[root@ns7dev13 ~]# ktutil
ktutil:  read_kt /etc/nginx/http-krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 host/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
   2    1 host/NS7DEV13@AD.NETHSERVERTEST.ORG
   3    1 host/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
   4    1 host/NS7DEV13@AD.NETHSERVERTEST.ORG
   5    1 host/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
   6    1 host/NS7DEV13@AD.NETHSERVERTEST.ORG
   7    1 host/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
   8    1 host/NS7DEV13@AD.NETHSERVERTEST.ORG
   9    1 host/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
  10    1 host/NS7DEV13@AD.NETHSERVERTEST.ORG
  11    1 restrictedkrbhost/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
  12    1 restrictedkrbhost/NS7DEV13@AD.NETHSERVERTEST.ORG
  13    1 restrictedkrbhost/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
  14    1 restrictedkrbhost/NS7DEV13@AD.NETHSERVERTEST.ORG
  15    1 restrictedkrbhost/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
  16    1 restrictedkrbhost/NS7DEV13@AD.NETHSERVERTEST.ORG
  17    1 restrictedkrbhost/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
  18    1 restrictedkrbhost/NS7DEV13@AD.NETHSERVERTEST.ORG
  19    1 restrictedkrbhost/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
  20    1 restrictedkrbhost/NS7DEV13@AD.NETHSERVERTEST.ORG
  21    1 NS7DEV13$@AD.NETHSERVERTEST.ORG
  22    1 NS7DEV13$@AD.NETHSERVERTEST.ORG
  23    1 NS7DEV13$@AD.NETHSERVERTEST.ORG
  24    1 NS7DEV13$@AD.NETHSERVERTEST.ORG
  25    1 NS7DEV13$@AD.NETHSERVERTEST.ORG
The DNS names must resolve. In the terminal of the server, run:
[root@ns7dev8 ~]# host ns7dev13.ad.nethservertest.org
ns7dev13.ad.nethservertest.org has address 192.168.12.183
[root@ns7dev8 ~]# host AD.NETHSERVERTEST.ORG
AD.NETHSERVERTEST.ORG has address 192.168.12.184
[root@ns7dev8 ~]# host nsdc-ns7dev13.ad.nethservertest.org
nsdc-ns7dev13.ad.nethservertest.org has address 192.168.12.184
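The keytab checks above can be scripted. This is an added example, not part of nethserver-wapt or WAPT: keytab_mode_ok confirms that the keytab grants nothing to other users and is not group-writable (as with the 640 root:nginx file shown above), and keytab_names extracts from a saved ktutil list output the host names and realm that must resolve. The function names are hypothetical and the sample listing is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not shipped with nethserver-wapt.

# keytab_mode_ok FILE
# Succeeds when FILE (symlinks followed, as for /etc/nginx/http-krb5.keytab)
# grants nothing to "other" and is not group-writable, e.g. mode 640.
keytab_mode_ok() {
    mode=$(stat -L -c '%a' "$1") || return 2
    # A leading 0 makes the shell read the mode as an octal constant.
    [ $(( 0$mode & 07 )) -eq 0 ] && [ $(( 0$mode & 020 )) -eq 0 ]
}

# keytab_names < ktutil-list-output
# Prints, one per line and without duplicates, every fully qualified host
# found in service/host@REALM principals plus the realm itself. These are
# the names the server must be able to resolve.
keytab_names() {
    awk '$1 ~ /^[0-9]+$/ && $3 ~ /@/ {
        split($3, part, "@")            # part[1]=service/host, part[2]=realm
        n = split(part[1], comp, "/")   # comp[2]=host when n == 2
        if (n == 2 && comp[2] ~ /\./) print tolower(comp[2])
        print tolower(part[2])
    }' | sort -u
}

# Constructed sample: a shortened copy of the ktutil listing shown above.
sample_listing() {
    cat <<'EOF'
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 host/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
   2    1 host/NS7DEV13@AD.NETHSERVERTEST.ORG
  11    1 restrictedkrbhost/ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
  21    1 NS7DEV13$@AD.NETHSERVERTEST.ORG
EOF
}

# Demonstration on the sample; on the server, pass each printed name to "host".
sample_listing | keytab_names
```

Short names such as NS7DEV13 and machine accounts such as NS7DEV13$ are skipped on purpose, since only the fully qualified hosts and the realm are looked up in DNS.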
- Display the Kerberos ticket
In the terminal of the server, run:
[root@ns7dev8 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: NS7DEV8$@AD.NETHSERVERTEST.ORG

Valid starting       Expires              Service principal
08/30/2020 12:13:16  08/30/2020 22:13:16  krbtgt/AD.NETHSERVERTEST.ORG@AD.NETHSERVERTEST.ORG
        renew until 09/06/2020 12:13:16
08/30/2020 12:13:16  08/30/2020 22:13:16  ldap/nsdc-ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
        renew until 09/06/2020 12:13:16
08/30/2020 12:13:16  08/30/2020 22:13:16  ldap/nsdc-ns7dev13.ad.nethservertest.org@AD.NETHSERVERTEST.ORG
        renew until 09/06/2020 12:13:16
[root@ns7dev8 ~]# klist -l
Principal name                 Cache name
--------------                 ----------
NS7DEV8$@AD.NETHSERVERTEST.ORG FILE:/tmp/krb5cc_0
Official manual
Documentation: https://www.wapt.fr/en/doc/
French forum: https://forum.tranquil.it/
English forum: https://www.reddit.com/r/WAPT/
Uninstall
After the removal of nethserver-wapt tis-waptserver tis-waptsetup postgresql96\* nginx\* we must restart httpd:
yum remove nethserver-wapt tis-waptserver tis-waptsetup postgresql96\* nginx\*
config setprop httpd status enabled
config setprop nginx status disabled
signal-event runlevel-adjust
Bugs
Please raise issues on GitHub.