
Cannot install Agent remotely in multi-domain forest


Solved by MartinK


We have forest with two domains, full trust is configured, let it be 'domain1' and 'domain2'.

ERA server krb.conf:

[root@era Server]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 default = SYSLOG:INFO:DAEMON
 kdc = SYSLOG:INFO:DAEMON
 admin_server = SYSLOG:INFO:DAEMON


[libdefaults]
 default_realm = DOMAIN2
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 DOMAIN2 = {
  kdc = dc.domain2
  admin_server = dc.domain2
 }

 DOMAIN1 = {
  kdc = dc.domain1
 }

[domain_realm]
 .domain2 = DOMAIN2
 domain2 = DOMAIN2
 .domain1 = DOMAIN1
 domain1 = DOMAIN1

Of course "domain1" is something like "domain1.local" and "domain2" like "domain2.local".

All synchronization tasks are working; we get all computers and OUs from the ADs into static groups.

In Access Rights we configured the DOMAIN1\ESET_admins and DOMAIN2\ESET_admins groups, so we can log in using DOMAIN1 and DOMAIN2 users in those groups.

Problems start when I'm trying to deploy agents remotely to PCs in DOMAIN1.

As we can see, default_realm in krb5.conf is DOMAIN2. So when I'm deploying agents to DOMAIN2 PCs it's working like a charm.

But when I'm trying to deploy the agent to PCs in DOMAIN1 it finishes with an error.

In trace.log I see that ERA can connect and copy tmp files to the ADMIN$ share, but everything crashes on 'net rpc service'.

The command looks like 'net -i -k rpc service delete eset-remote-installer -W DOMAIN1 -U admin4 -S pc.domain1' and the error is 'Failed to open Service Control Manager. [WERR_ACCESS_DENIED]'.

I tried to run it from the shell and got very strange behaviour:

1) when I'm running the command 'net -i -k rpc service delete eset-remote-installer -W DOMAIN1 -U admin4 -S pc.domain1', in the PC's Event Viewer Security log I see a connection from DOMAIN2\admin4, not from DOMAIN1!!!!

2) when I'm running the command using not the FQDN computer name but the IP, everything is working: 'net -i -k rpc service delete eset-remote-installer -W DOMAIN1 -U admin4 -S 10.0.0.1'  :  Failed to open service.  [WERR_NO_SUCH_SERVICE], and in Event Viewer I see a connection with the DOMAIN1\admin4 login.

I'm not a guru in Linux, so I am a little bit confused by this.

Is this a problem with the configuration of AD authorization, or is this some bug?

And what can we do about this?

We have about 1200 workstations in the company network and we are planning to migrate from ERA5 to ERA6.

 


  • ESET Staff

Could you try command:

net -i -k rpc service delete eset-remote-installer -W DOMAIN1 -U DOMAIN1/admin4 -S pc.domain1

or perhaps also alternative domain delimiters in -U parameter?

 

A multi-domain environment was not a considered (nor tested) scenario for the ERA Appliance -> there is a chance we are not using the samba commands properly in this case.



Result is the same: Failed to open Service Control Manager. [WERR_ACCESS_DENIED]

 

One more note: when I'm running this command using not the FQDN but the NetBIOS name for the PC, everything works:

net -i -k rpc service list -W DOMAIN1 -U admin4 -S pc

  • ESET Staff
  • Solution

 


Could you also try other domain-name delimiters, i.e. -U DOMAIN1\admin4 or -U DOMAIN1+admin4?

In case you find a solution, we may be able to modify the file /var/opt/eset/RemoteAdministrator/Server/Scripts/UnixWindowsNetworkRemoteInstall.sh so that it will work even in your case.


Thank you for the information! I made a small tuning of the UnixWindowsNetworkRemoteInstall.sh script and now agent deployment is working perfectly  :)

# get the target client PC's IP address by its name
ERA_RD_WN_COMPUTER_IP=$(dig +short "$ERA_RD_WN_COMPUTER_NAME" | awk '{ print ; exit }')
if [ "$ERA_RD_WN_COMPUTER_IP" != "" ]
    then
        # IP address found, so use it in place of the PC name
        ERA_RD_WN_COMPUTER_NAME=$ERA_RD_WN_COMPUTER_IP
fi
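The tweak above works because passing an IP address to -S sidesteps the Kerberos name handling that was picking the DOMAIN2 realm for pc.domain1. As an added example, not ESET's script nor the poster's code, here is a POSIX sh version of the same step that also checks what dig returns (dig +short prints a CNAME target before the A record, and the one-liner above would pass that name on as the "IP"), falls back to getent when bind-utils is absent, and leaves the name untouched when nothing resolves. Function and variable names are assumptions; localhost and 10.0.0.1 are constructed inputs.

```shell
#!/bin/sh
# Added example (not ESET's script): resolve a remote-install target to an
# IPv4 address before it is handed to 'net rpc', as in the workaround above,
# but validating what dig returns. Function and variable names are assumptions.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$1
    count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
        [ "$rest" = "$octet" ] && break   # last octet consumed
        rest=${rest#*.}
    done
    [ "$count" -eq 4 ]
}

# Print the first IPv4 address found for host name $1, or $1 unchanged when
# nothing resolves, so the caller keeps the original (FQDN) behaviour.
# An input that already is an address is passed through. 'dig +short' can
# print a CNAME target before the A record, so every line is checked with
# is_ipv4; 'getent ahostsv4' (which also reads /etc/hosts) is the fallback
# when dig from bind-utils is not installed.
resolve_target() {
    name=$1
    if is_ipv4 "$name"; then
        printf '%s\n' "$name"
        return 0
    fi
    ip=''
    if command -v dig >/dev/null 2>&1; then
        ip=$(dig +short +time=2 +tries=1 "$name" A 2>/dev/null |
            while read -r line; do
                if is_ipv4 "$line"; then printf '%s\n' "$line"; break; fi
            done)
    fi
    if [ -z "$ip" ] && command -v getent >/dev/null 2>&1; then
        ip=$(getent ahostsv4 "$name" 2>/dev/null | awk '{ print $1; exit }')
    fi
    if is_ipv4 "$ip"; then
        printf '%s\n' "$ip"
    else
        printf '%s\n' "$name"
    fi
}

# Print (not execute) the 'net rpc service' line for an action such as
# 'list' or 'delete eset-remote-installer', with the target replaced by its IP.
build_net_cmd() {
    action=$1 domain=$2 user=$3 target=$4
    printf 'net -i -k rpc service %s -W %s -U %s -S %s\n' \
        "$action" "$domain" "$user" "$(resolve_target "$target")"
}

# Usage with constructed values: localhost resolves through /etc/hosts,
# and an address given directly is left untouched.
build_net_cmd list DOMAIN1 admin4 localhost
build_net_cmd 'delete eset-remote-installer' DOMAIN1 admin4 10.0.0.1
```

One caveat for anyone adopting this: with an IP address as the target there is no host-based service principal to request a Kerberos ticket for, so in practice Samba authenticates that session with NTLM instead, which is the likely reason the Event Viewer then showed a DOMAIN1\admin4 logon rather than the DOMAIN2 one. That is what makes the workaround succeed, but it also means the deployment account's credentials travel over NTLM, so keep that account limited to what remote installation needs.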