Agent deployment fails with mount error(13) permission denied


Markovskij

Go to solution Solved by MartinK,


I am having a hard time deploying a new Linux server to manage our clients, as the old server crashed.

I managed to solve most of the problems and installation steps with the documentation, this forum and Google.

Thank you for this post https://forum.eset.com/topic/4069-remote-administrator-on-linux-help-file-changes/

It's my first try; I'm using Ubuntu Desktop 14.04.3 at the moment.

 

I have two problems now. First, there are no status messages about server tasks. I saw in ESET videos that after starting the task, there are statuses "running", "finished" etc. But there are none in my Remote Administrator web console. I managed to complete 'Static Group Synchronization' and I see all the computers from AD, but the task execution details are empty, as though it never happened.

 

Second, the server cannot deploy Agents to computers; the web console shows no reports, no statuses, nothing at all. But the log file on the server, Trace.log, has messages about a failed mount.

+ LANG= mount -t cifs -o username=Administrator //user-pc.domain.com/ADMIN$ /tmp/era_remote_deploy_wn_sdf654sdgf64/cifs
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
* [Exit code = 32]

With the help of Linux forums I narrowed the problem down. The mount command has to provide an additional security mode for my shares, "sec=ntlm", so this line works:

mount -t cifs -o username=Administrator,sec=ntlm //user-pc.domain.com/ADMIN$ /tmp/era_remote_deploy_wn_sdf654sdgf64/cifs

Question - how to make ESET update its mount command? I did not find any settings files or script files where I could edit this command. I think Linux also cannot be forced to always use ntlm mode in mount by default.

Any help or links to help articles are appreciated.


  • ESET Staff
I have two problems now. First, there are no status messages about server tasks. I saw in ESET videos that after starting the task, there are statuses "running", "finished" etc. But there are none in my Remote Administrator web console. I managed to complete 'Static Group Synchronization' and I see all the computers from AD, but the task execution details are empty, as though it never happened.

 

Hello,

 

We have seen similar symptoms when MariaDB was used instead of the supported MySQL. Could that be your case? Are there any related errors in the trace logs?

 

 

Question - how to make ESET update its mount command? I did not find any settings files or script files where I could edit this command. I think Linux also cannot be forced to always use ntlm mode in mount by default.

Any help or links to help articles are appreciated.

 

Unfortunately, there is currently no way to configure the remote installation task in such detail. Were you able to find out why the default sec=ntlmssp does not work for you? Is the targeted (client) computer using an older Windows?


  • ESET Staff
  • Solution

 

Hello,

 

I just realized you can modify the script file /var/opt/eset/RemoteAdministrator/Server/Scripts/UnixWindowsNetworkRemoteInstall.sh that is used to perform remote disk mounting, but be aware that repairing or updating ERA Server will replace this file.

Edited by MartinK

Hello, MartinK, both your suggestions worked!

I had installed MariaDB out of habit, and missed that it should be MySQL. I could not switch MariaDB to MySQL, so I reinstalled the server, this time with ubuntu-server; the second time is much easier and smoother.

Now the status messages work.

I also added "sec=ntlm" to the UnixWindowsNetworkRemoteInstall.sh script and the agent was deployed successfully!

This non-default security option is probably needed because of our AD configuration; I haven't dug deeper yet, because it works this way now.

 

Now I get handshake errors from the agent, which cannot communicate with the server, but I'll create another thread if I am not able to find the problem myself.

 

Thank you very much for the fast and accurate solutions!

2015-12-01 09:00:46 Error: CReplicationModule [Thread 4ef8]: CReplicationManager: Replication (network) connection to 'host: "192.168.100.120" port: 2222' failed with: Receive: NodSslWriteEncryptedData: Handshake failed to complete.
2015-12-01 09:01:46 Error: CAgentSecurityModule [Thread 3a90]: Certificated user verification failed with: VerifyDnsSubjectAltName: Hostname does not match any supported record in certificate SubjectAltName extension (10.1.179.46,Ubuntu64-bb,Ubuntu64-bb.BB.LOCAL)
2015-12-01 09:01:46 Error: NetworkModule [Thread 53d8]: Receive: NodSslWriteEncryptedData: Handshake failed to complete., ResolvedIpAddress:192.168.100.120, ResolvedHostname:, ResolvedPort:2222
2015-12-01 09:01:46 Error: NetworkModule [Thread 53d8]: Protocol failure for session id 16, error:Receive: NodSslWriteEncryptedData: Handshake failed to complete.

  • ESET Staff


This is quite a common problem: your ERA Server certificate was created for hostnames 10.1.179.46,Ubuntu64-bb,Ubuntu64-bb.BB.LOCAL, but the AGENT is configured to connect to "192.168.100.120" ... you have to repair the AGENT so that it connects to one of the listed hostnames/IPs, or you can create new server certificates that contain the mentioned IP (or wildcard * for all).
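
The mismatch described in the reply above can be read directly from the agent log. The following is an added example, not part of the original thread and not ESET code: it extracts the connection target and the SubjectAltName list from two of the log lines posted in this thread and reports whether the target is covered by the certificate. Function names are hypothetical, and treating a lone `*` entry as matching any host is an assumption based on the reply's wording.

```python
import re

# Two lines copied from the agent log excerpt posted in this thread.
SAMPLE_LOG = """\
2015-12-01 09:00:46 Error: CReplicationModule [Thread 4ef8]: CReplicationManager: Replication (network) connection to 'host: "192.168.100.120" port: 2222' failed with: Receive: NodSslWriteEncryptedData: Handshake failed to complete.
2015-12-01 09:01:46 Error: CAgentSecurityModule [Thread 3a90]: Certificated user verification failed with: VerifyDnsSubjectAltName: Hostname does not match any supported record in certificate SubjectAltName extension (10.1.179.46,Ubuntu64-bb,Ubuntu64-bb.BB.LOCAL)
"""

# Where the agent tried to connect.
TARGET_RE = re.compile(r"connection to 'host: \"([^\"]+)\" port: (\d+)'")
# The SubjectAltName entries the server certificate actually carries.
SAN_RE = re.compile(r"VerifyDnsSubjectAltName: .*SubjectAltName extension \(([^)]*)\)")


def parse_trace(text):
    """Return (set of (host, port) targets, list of SAN entries) from log text."""
    targets, sans = set(), []
    for line in text.splitlines():
        m = TARGET_RE.search(line)
        if m:
            targets.add((m.group(1), int(m.group(2))))
        m = SAN_RE.search(line)
        if m:
            sans = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return targets, sans


def host_allowed(host, san_entries):
    """Case-insensitive exact match; a lone '*' allows any host (assumption)."""
    wanted = host.lower()
    return any(e == "*" or e.lower() == wanted for e in san_entries)


def diagnose(text):
    """One result per connection target seen in the log."""
    targets, sans = parse_trace(text)
    return [
        {"host": h, "port": p, "allowed": host_allowed(h, sans), "san": sans}
        for h, p in sorted(targets)
    ]


if __name__ == "__main__":
    for r in diagnose(SAMPLE_LOG):
        verdict = "ok" if r["allowed"] else "NOT in certificate SAN list"
        print(f'{r["host"]}:{r["port"]} -> {verdict}; certificate lists {r["san"]}')
```

A target reported as not covered means either the agent must be pointed at one of the listed names, or the server certificate must be reissued to include the address the agent uses.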
