Dear Ondrej,
you are most probably affected by the issue related to the "Translator" module. The solution might be repair of the PROTECT server.
you can fix it by reverting to the previous build of the Translator module - this can be done by stopping the PROTECT/ESMC Server(I believe this is already done), create a backup of the following files/folder:
Windows:
C:\ProgramData\ESET\RemoteAdministrator\Server\EraServerApplicationData\Modules\em017_64\
Remove all folders/files which are in the following path(in case of Windows):
"C:\ProgramData\ESET\RemoteAdministrator\Server\EraServerApplicationData\Modules\em017_64\"
Execute the repair of the PROTECT server - it should re-create the "Translator" module file from the installation archive(it will be an older version of the Translator module which comes with the installers/is built in the installer)
For MS Windows just execute the MSI installer which can be found at "C:\ProgramData\ESET\RemoteAdministrator\Server\SetupData\Installer" and pick repair installation(you will be asked for DB credentials...) but please do not generate a new certificate, let them use the old ones(keep currently used certificates)
When the installation will be done, the server should be able again to start...
Dear Mrac,
in case your server is still not operable, you can fix it by reverting to the previous build of the Translator module - this can be done by stopping the PROTECT/ESMC Server(I believe this is already done), create a backup of the following files/folder:
Windows:
C:\ProgramData\ESET\RemoteAdministrator\Server\EraServerApplicationData\Modules\em017_64\
Linux
/var/opt/eset/RemoteAdministrator/Server/Modules/em017_64.dat
Remove all folders which are in the following path(in case of Windows):
"C:\ProgramData\ESET\RemoteAdministrator\Server\EraServerApplicationData\Modules\em017_64\"
In case of Linux remove the "em017_64.dat" file
Execute the repair of the PROTECT server - it should re-create the "Translator" module file from the installation archive(it will be older version of the Translator module which comes with the installers/is build in the installer)
Windows:
just execute the MSI installer which can be found at "C:\ProgramData\ESET\RemoteAdministrator\Server\SetupData\Installer" and pick repair installation(you will be asked for DB credentials...)
Linux:
execute the installation script: opt/eset/RemoteAdministrator/Server/setup/installer_backup.sh
It will automatically execute the "repair" and create deleted files...
I had some issues configuring Active Directory integration (Kerberos etc.) with ESMC so I decided to do a write-up on what I did to get it working. This is for Ubuntu Server 18.04 but it should be applicable to other Debian based distros, adjust where required.
Let's assume we have the following environment:
ESMC Linux Distribution: Ubuntu Server 18.04 ESMC Hostname: esmc ESMC FQDN: esmc.test.local ESMC IP Address: 10.123.1.2
Active Directory Domain: test.local NetBIOS Domain: TEST Domain Controller: dc.test.local (10.123.1.1) ESET ESMC AD User Account: eset.esmc@test.local (eset.esmc)
Ensure the required Server prerequisites (v7.2) are installed.
sudo apt-get install krb5-user ldap-utils libsasl2-modules-gssapi-mit samba
Configure Samba at /etc/samba/smb.conf
Ensure you change workgroup to the NetBIOS Domain, netbios name to the ESMC Hostname and realm to the Active Directory Domain. The following configuration is based on one found in ESMC VA v7.2
[global]
workgroup = TEST
netbios name = esmc
server string = Samba Server Version %v
security = ads
realm = test.local
domain master = no
local master = no
preferred master = no
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
use sendfile = true
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config TEST : backend = rid
idmap config TEST : range = 10000-99999
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client max protocol = SMB3
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
log file = /var/log/samba/log.%m
max log size = 50
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
client ipc signing = auto
Configure Kerberos at /etc/krb5.conf
Ensure you change default_realm to Active Directory Domain (Must be capitalised) and the realm definition Active Directory Domain (Must be capitalised). Ensure you specify your Domain Controller as a kdc under the realm definition for your Active Directory Domain, if you have multiple Domain Controllers, specify multiple kdc's. Ensure you map Active Directory Domain (prefixed with ".") to the realm name (Your Active Directory Domain but capitalised) under domain_realm. The following configuration is based on one found in ESMC VA v7.2
[libdefaults]
default_realm = TEST.LOCAL
ticket_lifetime = 24h
forwardable = true
[realms]
TEST.LOCAL = {
kdc = dc.test.local
}
[domain_realm]
.test.local = TEST.LOCAL
Configure DNS Resolution. systemd-resolved can cause issues with Kerberos, it can probably be worked around but disabling it as follows also works.
sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved
Configure /etc/resolv.conf
Specify your Domain Controller as a nameserver, create additional nameserver definitions for each Domain Controller. Specify Active Directory Domain for search
nameserver 10.123.1.1
search test.local
Ensure Hostname is set correctly
If you need to change your hostname, you can use:
sudo hostnamectl set-hostname esmc.test.local
Configure /etc/hosts
Add your ESMC and your Domain Controllers to the hosts file. Take note of the ordering of FQDN and aliases after the IP Address as net join will use the first defined alias for your host as SPNs etc. when joining the system to the domain. All values are tab separated.
127.0.0.1 localhost
10.123.1.2 esmc.test.local esmc
10.123.1.1 dc.test.local dc
Configure Time Synchronisation
By default, the maximum tolerance for computer clock synchronization for Active Directory Kerberos participants is 5 minutes from a Kerberos Key Distribution Center (KDC; in our case, the Domain Controller) to operate correctly. If ESMC is in a VM, you may already be using a Hypervisor with some VM Agent that handles this but, if not, then systemd-timesyncd should suffice or you can use ntpd. Let's assume you use systemd-timesyncd:
Configure /etc/systemd/timesyncd.conf
NTP Server addresses are separated by spaces. specify each of your Domain Controllers
[Time]
NTP=10.123.1.1
Ensure systemd-timesyncd is set to sync and force it to resync. You should see a log entry that it "Sychronized to time server 10.123.1.123" as per your configuration.
sudo timedatectl set-ntp on
sudo timedatectl status
sudo systemctl restart systemd-timesyncd.service
systemctl status systemd-timesyncd.service
Join System to Domain
If you have Webmin you can use Rejoin Domain (VA v7.2) but it more or less just runs the following command (Replace Administrator with an authorised AD User that can join systems to the domain):
sudo net join ads join -U Administrator
This relies on a correctly configured /etc/smb.conf
You will probably want to move the resulting Computer object this creates in your domain from the default Computers OU to a more relevant OU given your OU hierarchy design in your domain.
Setup Mapped Domain Security Groups under Access Rights in ESMC
Configure Active Directory under Advanced Settings in Server Settings (v7.2)
Map Domain Security Groups and assign Permission Setting Map Domain Security Group users (v7.2)
Setup a Static Group Synchronization Server Task in ESMC Synchronization mode - Active Directory / Open Directory / LDAP (v7.2)
Setup a User Synchronization Server Task in ESMC User Synchronization (v7.2)
Troubleshooting
The following can be used to test Kerberos login and LDAP GSSAPI whilst showing debug information, useful for troubleshooting. It destroys and existing Kerberos tickets for your user, obtains a Kerberos ticket for the specified AD user, lists obtained Kerberos tickets then performs LDAP Search by authenticating with GSSAPI.
When troubleshooting Kerberos, you should always check the system time with the relevant Domain Controller (KDC) to ensure they are within 5 minutes of each other (by default).
Replace eset.esmc with the AD User Account that ESET ESMC will connect under.
Replace dc.test.local with your Domain Controller.
Replace DC=test,DC=local with the Distinguished Name (DN) of the Base OU in your Domain where you want to list all child Computer objects of.
kdestroy
KRB5_TRACE=/dev/stdout kinit eset.esmc
klist -f
KRB5_TRACE=/dev/stdout ldapsearch -LLL -Y GSSAPI -h dc.test.local -b 'DC=test,DC=local' '(&(objectCategory=computer))' 'distinguishedName' 'dNSHostName'
@tomasS @Peter Randziak
Hello, could you please try to clear the Kerberos cache by "kdestroy". Afterwards, please try to obtain the TGT(by "kinit") and use the same command just replace the "ldaphost" with the IP:
KRB5_TRACE=/dev/stderr ldapsearch -LLL -Y GSSAPI -h 10.123.123.1 -b 'DC=test,DC=local' '(&(objectCategory=computer))' 'distinguishedName' 'dNSHostName'
Is there any chance to provide us with the "krb5.conf" and settings of user "eset.esmc" from the AD >> I mean "Account options" from "AD Users and Computers" >> particular user >> "Properties" >> "Account"
Dear Camilo,
is there any chance to provide log files from the ESMC Server?
If possible please try to replicate the situation with enabled "trace" verbosity (https://help.eset.com/esmc_admin/70/en-US/admin_server_settings.html?admin_server_settings.html) and please provide us with logs - we are curious about the "trace.log" from the ESMC Server. Logs can be collected by ESET Log Collector (https://support.eset.com/kb3466/?locale=en_US&viewlocale=en_US)
Dear Camilo,
is there any chance to provide log files from the ESMC Server?
If possible please try to replicate the situation with enabled "trace" verbosity (https://help.eset.com/esmc_admin/70/en-US/admin_server_settings.html?admin_server_settings.html) and please provide us with logs - we are curious about the "trace.log" from the ESMC Server. Logs can be collected by ESET Log Collector (https://support.eset.com/kb3466/?locale=en_US&viewlocale=en_US)