Remote Administrator on Linux - Help File Changes

[short_bus4 3]

Yesterday I tried installing Remote Admin on CentOS 7, it was like pulling teeth every step of the way. I'm using Hyper-V so I couldn't use the available virtual appliance.

 

First I started off with the minimal install, but that didn't install the developer package for SELinux which blocked the installation.

 

Then when I got to the web console installation I couldn't install QT5-Webkit because it isn't in the repository and it turns out the only way I could figure out how to install it was with a .run file which required me to install GNOME. I didn't want to have to install a bunch of libraries and compiler and build it from scratch and I didn't want to have to install the GUI, but the GUI ended up being the easier option.

 

Near the end of the day I finally got things up and running, although I never got an AD scan to run. So I rebooted to try to get the scan to trigger and it never would load up again after that, all services were running but I would get a "Not connected" on the web console login screen.

 

So this morning I wiped out the VHD and started from scratch with Ubuntu 14.04 server. Well it turns out the mysql and libmyodbc don't install any MySQL driver in /etc/odbcinst.ini

 

So after manually configuring that file I finally have the server installed.

 

Just wanted to vent a bit, I'm not very strong with Linux, so this is taking forever.

 

 

 

[short_bus4 3]

More on my Ubuntu Server 14.04 install.

 

Thanks to my troubles with CentOS things have gone a little more smoothly with Ubuntu. The Server, Agent, Web Console, and Rogue Detection Sensor installs all went fairly smoothly.

 

A few things:

 

Web console is a pre requisite for Agent install, why is Agent first in the Linux installation help file? Nitpicky, but it seemed like an odd choice.

 

As mentioned above ODBC doesn't install the driver information into /etc/odbcinst.ini. Here is what mine looks like (Obviously this is 64 bit, don't try this on 32 bit):

[MySQL]
Description = ODBC for MySQL
Driver = /usr/lib/x86_64-linux-gnu/odbc/libmyodbc.so
Setup = /usr/lib/x86_64-linux-gnu/odbc/libodbcmyS.so
FileUsage = 1

After that the server installation worked fine.

 

The web console instructions say:

sudo cp era.war /var/lib/tomcat/webapps/

but on Ubuntu 14.04 with Tomcat 7 the Tomcat folder has a 7.

sudo cp era.war /var/lib/tomcat7/webapps/

The agent install requires a password for the agent certification, but the server install creates an agent cert. So I assume the first step after installing the server is to revoke the default agent license? Kind of confusing. I have left the server and CA certs alone, but created a new agent cert so I knew what the password was for the Agent installer.

 

Post install AD sync would not work at all and I had to take several steps to enable Kerberos authentication. Here's what I sent in to ESET support. Let me tell you it would be nice to know where trace.log is stored, if it is stored somewhere. Having to run the Diagnostic Tool and then unzip and open the log file every time I wanted to see what errors I was getting was a pain in the ######!

 

klist wasn’t part of default install or any of the prerequisites from the install instructions, so I added krb5-user (ubuntu said klist is also part of the  heimdal-clients package)

 

apt-get install krb5-user

 

Then it needed ldapsearch so I added

 

apt-get install ldap-utils

 

Now I’m getting:

 

ldap_sasl_interactive_bind_s: Unknown authentication method (-6)

                additional info: SASL(-4): no mechanism available: No worthy mechs found

 

So I ran:

 

apt-get install libsasl2-modules-gssapi-heimdal

 

And I finally got a successful AD Sync.

 

 

So that is where I am now, I'll work on agent and endpoint deployment this weekend. Still gotta deal with Symantec uninstalls on all my clients too

Edited February 6, 2015 by short_bus4

[short_bus4 3]

Another issue I found, and this may not be specific to the linux version of RA6.

 

The last run status of the AD sync for one of my static group syncs is displaying the wrong status.

 

I have 3 ad sync groups, all have completed successfully if you go into the details, but one says last status "failed" for some reason.

 

The other two haven't ever failed though.

Edited February 7, 2015 by short_bus4

[short_bus4 3]

Agent and Client deployments went pretty smooth. Kind of slow though. Tasks don't trigger very fast, see my other topic. Still can't figure out how to force a policy/sync between RA and an Agent.

 

The web console is pretty fast though. Definitely an improvement over the Symantec Endpoint Manager piece of junk I have been using for years.

[bbraunstein 27]

I believe I read on another comment in a different thread that if you select a client and then click on "Send Wake-up Call", it will force the client to check in with the server. Although, I do not know if it's merely updating its own information or if it performs policy/config syncs.

 

Just be aware, sending Wake-Up Calls through the Web Console is performed by the server sending out a broadcast on the network. So it should only work if your infrastructure supports it.

[short_bus4 3]

I'm trying to configure a Domain security group. I'm the only IT person, but I've got a slow day so I figured I'd try and get this security group thing working, well it was just giving me a connection error, so I ran the diagnostic tool and I'm getting this:

2015-02-12 13:54:38 Error: ConsoleApiModule [Thread 7fc9ea7d4700]: Untranslatable CInterModuleException: boost::process::find_executable_in_path: 
file not found: No such file or directory: "wbinfo"

I love how Ubuntu helps idiots like me. I typed in wbinfo and it told be to install "winbind"

apt-get install winbind

So I'm not getting an error any more. It doesn't find anything though, there is nowhere to specify a domain or authentication or anything. Do I need to track down the LDAP connection string and manually type it in there? What is the select button even for?

[pkutzner 0]

At the risk of sounding like a noob, can someone point me to where the Linux installation help file is?  I can't seem to locate it on ESET's site or here in the forums.  I have the multi-installer ISO, but there are no help files located on it either.  I'm trying to install Remote Administrator 6 on Ubuntu.  I'm posting this here because I saw reference to it in the second post in this thread.

[short_bus4 3]

Here ya go:

 

hxxp://help.eset.com/era/6/en-US/index.html?component_installation_linux.htm

 

 

 

[anthonyh 15]

I'm trying to configure a Domain security group. I'm the only IT person, but I've got a slow day so I figured I'd try and get this security group thing working, well it was just giving me a connection error, so I ran the diagnostic tool and I'm getting this:

2015-02-12 13:54:38 Error: ConsoleApiModule [Thread 7fc9ea7d4700]: Untranslatable CInterModuleException: boost::process::find_executable_in_path: 
file not found: No such file or directory: "wbinfo"

I love how Ubuntu helps idiots like me. I typed in wbinfo and it told be to install "winbind"

apt-get install winbind

So I'm not getting an error any more. It doesn't find anything though, there is nowhere to specify a domain or authentication or anything. Do I need to track down the LDAP connection string and manually type it in there? What is the select button even for?

 

 

Are you able to run authconfig.tui to join the machine to the domain?  After that, Remote Administrator should be able to read the AD structure.

[pkutzner 0]

More on my Ubuntu Server 14.04 install.

 

Thanks to my troubles with CentOS things have gone a little more smoothly with Ubuntu. The Server, Agent, Web Console, and Rogue Detection Sensor installs all went fairly smoothly.

 

A few things:

 

Web console is a pre requisite for Agent install, why is Agent first in the Linux installation help file? Nitpicky, but it seemed like an odd choice.

 

As mentioned above ODBC doesn't install the driver information into /etc/odbcinst.ini. Here is what mine looks like (Obviously this is 64 bit, don't try this on 32 bit):

[MySQL]
Description = ODBC for MySQL
Driver = /usr/lib/x86_64-linux-gnu/odbc/libmyodbc.so
Setup = /usr/lib/x86_64-linux-gnu/odbc/libodbcmyS.so
FileUsage = 1

After that the server installation worked fine.

 

The web console instructions say:

sudo cp era.war /var/lib/tomcat/webapps/

but on Ubuntu 14.04 with Tomcat 7 the Tomcat folder has a 7.

sudo cp era.war /var/lib/tomcat7/webapps/

The agent install requires a password for the agent certification, but the server install creates an agent cert. So I assume the first step after installing the server is to revoke the default agent license? Kind of confusing. I have left the server and CA certs alone, but created a new agent cert so I knew what the password was for the Agent installer.

 

Post install AD sync would not work at all and I had to take several steps to enable Kerberos authentication. Here's what I sent in to ESET support. Let me tell you it would be nice to know where trace.log is stored, if it is stored somewhere. Having to run the Diagnostic Tool and then unzip and open the log file every time I wanted to see what errors I was getting was a pain in the ######!

 

klist wasn’t part of default install or any of the prerequisites from the install instructions, so I added krb5-user (ubuntu said klist is also part of the  heimdal-clients package)

 

apt-get install krb5-user

 

Then it needed ldapsearch so I added

 

apt-get install ldap-utils

 

Now I’m getting:

 

ldap_sasl_interactive_bind_s: Unknown authentication method (-6)

                additional info: SASL(-4): no mechanism available: No worthy mechs found

 

So I ran:

 

apt-get install libsasl2-modules-gssapi-heimdal

 

And I finally got a successful AD Sync.

 

 

So that is where I am now, I'll work on agent and endpoint deployment this weekend. Still gotta deal with Symantec uninstalls on all my clients too

 

Found where the trace logs are stored in Ubuntu 14.04.  Looks like all RA logs are stored at /var/log/eset/RemoteAdministrator/  There are 2, one for the Server process and one for the Agent under respective subdirs below the main RA log path.

 

On a side-note, I'm still not able to sync against AD.  I keep getting a 'Reading AD structure failed'.  I've done what you've mentioned in your post, but no luck so far.  Trace logs aren't yielding much either.

[pkutzner 0]

So, I can tell that it's connecting to my AD server just fine because when I click the 'Browse' button next to the 'Distinguished Name' field while editing my synchronization task, I can see my AD structure.  However, the sync task always fails.  What am I missing?

[pkutzner 0]

Looks like I needed to restart the server component for it to clear out stale kerberos credentials.  Upon restart, I was able to get the task to complete successfully (at least according to it).  However I still have no computers listed in my static group.

 

UPDATE:  Finally got them to show up.

Edited February 20, 2015 by pkutzner

[anthonyh 15]

We currently have an inquiry in with the development team asking where we can find further information on the sync task errors.  With the static groups, do the computers show up when you go to the All group, then click on the Subgroups checkbox?

[pkutzner 0]

We currently have an inquiry in with the development team asking where we can find further information on the sync task errors.  With the static groups, do the computers show up when you go to the All group, then click on the Subgroups checkbox?

 

They do not show up in the All group.  I went by the instructions and created a static group called 'Computers'.  They now show up under that group.  I found out, from the Server trace.log, that it was using stale credentials (I had changed them in the task) to attempt to connect to the domain, thus failing.  Restarting the Server service pulled in the correct credentials, and successfully pulled the computers in.

Edited February 20, 2015 by pkutzner

[ais 0]

Hi 

 

i have problems with AD connection in ubuntu 14 with samba4 AD

 

I have done all as in this posts but still have this errors (install apt packets and dependencies)

 

2015-03-12 11:47:24 Error: ConsoleApiModule [Thread 7fe900ff9700]: 82 Error while getting synchronization nodes: SearchLdap: 'ldapsearch' failed with 49 exit code, stderr: 

SASL/GSSAPI authentication started

ldap_sasl_interactive_bind_s: Invalid credentials (49)

additional info: SASL:[GSSAPI]: NT_STATUS_LOGON_FAILURE

 

 

of course i'm using right user and password in SERVER CONNECTION SETTINGS in era web console 

and before trying to connect to AD on ubuntu server i have run kinit user@domain and put right password (same user and pass as in srv con sett)

 

myby something wrong witch krb.conf ?

 

/etc/krb5.conf

[libdefaults]

default_realm = domain

dns_lookup_realm = false

dns_lookup_kdc = true

 

 

please help me guys

[michalp 20]

This is how ERA Server Appliance configures Kerberos for TEST domain.

[root@era ~]# cat /etc/krb5.conf 
[libdefaults]
    default_realm = TEST.COM
    ticket_lifetime = 24h
    forwardable = yes

[realms]
TEST.COM = {
    kdc = dc.test.com
}

[domain_realm]
    .test.com = TEST.COM

Then call to kinit:

kinit <username-from-domain>

should obtain a valid ticket.

Edited March 12, 2015 by michalp

[anthonyh 15]

I appreciate the patience on this issue, we have new steps for using the LDAP with simple authentication in order to get active directory to sync, which can be found here:

hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3665

 

This has been very successful in getting the active directory structure to sync within the Linux deployment of Remote Administrator, please let me know if you run into any issues.

[ais 0]

thanks for help, now it's working

 

but in username you should paste all binddn phrase cn=username,cn=users,dc=domain 

[michalp 20]

That should depend on configuration of Active Directory server you are using. For Windows domain controllers, just username is sufficient.

[Megachip 5]

I appreciate the patience on this issue, we have new steps for using the LDAP with simple authentication in order to get active directory to sync, which can be found here:

hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3665

 

This has been very successful in getting the active directory structure to sync within the Linux deployment of Remote Administrator, please let me know if you run into any issues.

Is there also such a solution for Mapped Domain Security Groups?

[Peter Randziak 946]

Hello,

 

the easiest way would be to deploy the appliance and take config files for samba and kerberos and use them in the system required.

Also a help file is available in the appliance.

 

P.R.