
Can't Deploy Agents with ERA Appliance to Clients



Hello,

 

We have trouble deploying the agents to our clients. Every time we get "NT_Status_Access_Denied" if we try to connect to a client with net rpc. We tried a local user and Domain Admin; we are only successful with deployment on our Domain Controller, all other servers and clients fail.

(Firewall is off, ERA appliance is in our domain)

 

I hope you can help us

 

Thanks

 

Kind regards

Link to comment
Share on other sites

  • ESET Staff


Could you try to search the targeted machine for failed connection attempts? There should be alerts in Event Viewer -> Windows Logs -> Security that could possibly contain the reason why access was denied. In case there is no record on the client machine, deployment failed on the SERVER side. Are you deploying to computers named by hostname or IP address? We have received reports that in certain cases deploying to an IP address helps (you can try to rename a certain client computer to its IP address).

 

You may also try to connect to the problematic computer directly from a root terminal on the SERVER using these commands:

mkdir /tmp/testdir
mount -t cifs -o username=<username_without_domain>,password=<password>,domain=<domain> //<computer_name>/ADMIN$ /tmp/testdir

and attempt to find suitable parameters. I would also suggest changing the share name to some other, or even using a non-existing share -> in case you get a different error, the connection is working, but the user has no access to administrative shares on the target computer.

Link to comment
Share on other sites

I discovered the same problem.

In the log (/var/log/eset/RemoteAdministrator/Server/) I find the following:

* Mounting remote share '//computer.domain/ADMIN$' to '/tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs'
+ mkdir /tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs
+ LANG=
+ mount -t cifs -o domain=lvstga,username=domainadmin '//computer.domain/ADMIN$' /tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs
* [Exit code = 0]
--------------------------------------------------------------------------

* Creating remote directory '/tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs/era_rd_qzyJEIK6'
+ LANG=
+ mkdir /tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs/era_rd_qzyJEIK6
* [Exit code = 0]
--------------------------------------------------------------------------

* Copying files to remote dir '/tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs/era_rd_qzyJEIK6'
+ cp /tmp/b212-f983-309f-f4bb/EraAgentInstaller.bat /tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs/era_rd_qzyJEIK6
* [Exit code = 0]
+ cp /opt/eset/RemoteAdministrator/Server/RemoteInstallService.exe /tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs/era_rd_qzyJEIK6
* [Exit code = 0]
--------------------------------------------------------------------------

* Removing previous instance of remote installer service 'ESET Remote Administrator 6 Remote Installation Service'
+ LANG=
+ net -i -k rpc service delete eset-remote-installer -W lvstga -U domainadmin -S computer.domain
Enter domainadmin's password:
Could not connect to server computer.domain
Connection failed: NT_STATUS_ACCESS_DENIED
--------------------------------------------------------------------------
...

It retries the last command 20 times and then aborts, removing the remote directory and share.

Because it is a new Windows 7 32-bit installation, there is no eset-remote-installer service available on the target computer.

I also tried to connect directly with your provided command (mount -t cifs...) and this works perfectly.

 

We use the ESET Remote Administrator Appliance (CentOS release 6.7).

Could it be a problem with the CentOS updates I installed? I remember there was a Samba update.

 

 

Installing the Agent with the Agent Live Installer works, but then it can't connect to the ERA Server.

In the Agent log I get the same errors as in the other topics:
https://forum.eset.com/topic/8154-agents-not-connecting-to-remote-administrator-no-errors/

and
https://forum.eset.com/topic/8114-era-agent-not-working/

Link to comment
Share on other sites

  • ESET Staff


In case there was no previous remote installation attempt, the mentioned call to net -i -k rpc service delete eset-remote-installer will be attempted 20 times to be sure there are no remnants of a previous installation. After this, there should be an attempt to start the service regardless of the previous 20 delete attempts. I think it fails on starting - could you search for it in the log output? There is a high probability it will also be failing with access denied, as is common when using a domain user instead of the local admin (Administrator) account.

Link to comment
Share on other sites

I don't even find the command that ERA is trying to install.

...
+ net -i -k rpc service delete eset-remote-installer -W lvstga -U domainadmin -S computer.domain
Enter domainadmin's password:
Could not connect to server computer.domain
Connection failed: NT_STATUS_ACCESS_DENIED
* [Exit code = 255]
--------------------------------------------------------------------------

* Removing remote directory '/tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs/era_rd_qzyJEIK6'
+ LANG=
+ rm -r /tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs/era_rd_qzyJEIK6
* [Exit code = 0]
--------------------------------------------------------------------------

* Umounting remote share '//computer.domain/ADMIN$' from '/tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs'
+ LANG=
+ umount /tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs
* [Exit code = 0]
--------------------------------------------------------------------------

* Removing command input/ouput redirection pipes
+ unlink /tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cmd.in.pipe
+ unlink /tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cmd.out.pipe
--------------------------------------------------------------------------
* Removed temporary directory /tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76

2016-04-21 08:00:47 Error: CRemoteInstallModule [Thread 7f95223c9700]: Executing remote deployment of agent 579b73bf-c8be-4573-93c4-2a653230cae7 on 'computer.domain'
Windows network remote deployment failed.
- Verify that 'computer.domain' is responding to 'ping'.
- Verify that 'computer.domain' can be resolved with 'nslookup' if it is a DNS name.
- Verify that firewall is not blocking communication and file sharing between server and the target machine.
- Verify that "File and Print Sharing for Microsoft Networks" is enabled on the target machine.
- Verify that "Remote Procedure Call (RPC)" service is running on the target machine.
- Make sure that simple file sharing is turned off on the target machine.
- Activate sharing resource ADMIN$ on the target machine.
- Verify that 'lvstga\domainadmin' has administrator rights or use local 'Administrator' account that is enabled on the target machine.
- Verify that 'lvstga\domainadmin' password is not blank.
- Verify that you can remotely log on to the workstation from the server.
- Verify that from server machine you can access 'net use \\computer.domain\IPC$' from the Command Prompt.
- Change 'ESET Remote Administrator Server' service credentials from 'Network Service' to user with domain administrator permissions temporarily for deployment.
* Error details: UnixWindowsNetworkRemoteInstall: remote deployment to 'computer.domain' terminated with 255
SSH remote deployment failed because CONNECTION CAN NOT BE ESTABLISHED to the target LINUX or MAC machine.
- Verify that 'computer.domain' is responding to 'ping'.
- Verify that SSH daemon is enabled on the target machine and is running on the port 22.
- Verify that firewall is not blocking SSH communication between server and the target machine.
* Error details: connect: Connection refused

Agent deployment failed. Please go through the checklist above for specific platform (WINDOWS, LINUX or MAC) that is on the target machine.
2016-04-21 08:00:47 Error: CRemoteInstallModule [Thread 7f95255ce700]: Remote deployment failed on 1 targets

On the target I don't find an ESET log.

Link to comment
Share on other sites

  • ESET Staff


Is there any chance there is a message like "Creating remote installer service" in the omitted section of the log? It was most probably the first call after "Removing previous instance of remote installer service".

Link to comment
Share on other sites

Yeah, I found an entry for creating the remote installer service:

* Removing previous instance of remote installer service 'ESET Remote Administrator 6 Remote Installation Service'
+ LANG=
+ net -i -k rpc service delete eset-remote-installer -W lvstga -U domainadmin -S computername.domain
Enter domainadmin's password:
Could not connect to server computername.domain
Connection failed: NT_STATUS_ACCESS_DENIED
--------------------------------------------------------------------------

* Creating remote installer service 'ESET Remote Administrator 6 Remote Installation Service'
+ LANG=
+ net -i -k rpc service create eset-remote-installer 'ESET Remote Administrator 6 Remote Installation Service' '%SYSTEMROOT%\era_rd_AKiKWg8O\RemoteInstallService.exe' -W lvstga -U domainadmin -S computername.domain
Enter domainadmin's password:
Could not connect to server computername.domain
Connection failed: NT_STATUS_ACCESS_DENIED
* [Exit code = 255]

I found an old Log (23.03.2016) which looks different:

2016-03-23 15:01:05 Error: CRemoteInstallModule [Thread 7f8bddfcf700]: UnixWindowsNetworkRemoteInstall: remote deployment to 'oldcomputer.domain' terminated with 1
2016-03-23 15:01:05 Error: CRemoteInstallModule [Thread 7f8bddfcf700]: UnixWindowsNetworkRemoteInstall: output of '"/var/opt/eset/RemoteAdministrator/Server/Scripts/UnixWindowsNetworkRemoteInstall.sh" 2>&1':
* Created temporary directory /tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC

* Creating command input/ouput redirection pipes
+ mkfifo /tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cmd.in.pipe
+ mkfifo /tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cmd.out.pipe
--------------------------------------------------------------------------

* Mounting remote share '//oldcomputer.domain/ADMIN$' to '/tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cifs'
+ mkdir /tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cifs
+ LANG=
+ mount -t cifs -o domain=lvstga,username=domainadmin '//oldcomputer.domain/ADMIN$' /tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cifs
* [Exit code = 0]
--------------------------------------------------------------------------

* Creating remote directory '/tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cifs/era_rd_3Ms9R5Jd'
+ LANG=
+ mkdir /tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cifs/era_rd_3Ms9R5Jd
* [Exit code = 0]
--------------------------------------------------------------------------

* Copying files to remote dir '/tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cifs/era_rd_3Ms9R5Jd'
+ cp /tmp/a9a1-56aa-a2bc-0ea4/EraAgentInstaller.bat /tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cifs/era_rd_3Ms9R5Jd
* [Exit code = 0]
+ cp /opt/eset/RemoteAdministrator/Server/RemoteInstallService.exe /tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cifs/era_rd_3Ms9R5Jd
* [Exit code = 0]
--------------------------------------------------------------------------

* Removing previous instance of remote installer service 'ESET Remote Administrator 6 Remote Installation Service'
+ LANG=
+ net -i -k rpc service delete eset-remote-installer -W lvstga -U domainadmin -S oldcomputer.domain
Enter domainadmin's password:
Failed to open service.  [WERR_NO_SUCH_SERVICE]
--------------------------------------------------------------------------

* Creating remote installer service 'ESET Remote Administrator 6 Remote Installation Service'
+ LANG=
+ net -i -k rpc service create eset-remote-installer 'ESET Remote Administrator 6 Remote Installation Service' '%SYSTEMROOT%\era_rd_3Ms9R5Jd\RemoteInstallService.exe' -W lvstga -U domainadmin -S oldcomputer.domain
Enter domainadmin's password:
Successfully created Service: eset-remote-installer
* [Exit code = 0]
--------------------------------------------------------------------------

* Creating remote installer arguments file '/tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cifs/eset-remote-installer.args'
+ echo '%SYSTEMROOT%\era_rd_3Ms9R5Jd\EraAgentInstaller.bat'
+ echo '%SYSTEMROOT%\era_rd_3Ms9R5Jd\EraAgentInstaller.bat'
* [Exit code = 0]
--------------------------------------------------------------------------

* Starting remote installer service 'ESET Remote Administrator 6 Remote Installation Service'
+ LANG=
+ net -i -k rpc service start eset-remote-installer -W lvstga -U domainadmin -S oldcomputer.domain
Enter domainadmin's password:
.
Successfully started service: eset-remote-installer
* [Exit code = 0]
--------------------------------------------------------------------------

I used the same domain-admin user.

In the Event Log of the target computer there is no error or any other log at the installation time, except for the successful login of the domainadmin user.

The local firewall is disabled.

Link to comment
Share on other sites
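A way to read the two traces in the post above mechanically, added here as an example (it is not ESET's code and not part of the original posts): it splits a deployment trace into its `*` steps and separates "ADMIN$ mount succeeded but the net rpc service calls were denied" from a clean run where delete only reports WERR_NO_SUCH_SERVICE. The function names, result labels and the shortened sample trace are assumptions of this example.

```python
import re

STATUS_RE = re.compile(r"\b(?:NT_STATUS|WERR)_[A-Z_]+\b")
EXIT_RE = re.compile(r"^\* \[Exit code = (\d+)\]")

# Constructed sample in the shape of the failing trace quoted above (paths and arguments shortened).
SAMPLE_LOG = """\
* Mounting remote share '//computer.domain/ADMIN$' to '/tmp/deploy/cifs'
+ mount -t cifs -o domain=lvstga,username=domainadmin '//computer.domain/ADMIN$' /tmp/deploy/cifs
* [Exit code = 0]
* Removing previous instance of remote installer service
+ net -i -k rpc service delete eset-remote-installer -W lvstga -U domainadmin -S computer.domain
Connection failed: NT_STATUS_ACCESS_DENIED
* Creating remote installer service
+ net -i -k rpc service create eset-remote-installer -W lvstga -U domainadmin -S computer.domain
Connection failed: NT_STATUS_ACCESS_DENIED
* [Exit code = 255]
"""

def parse_steps(text):
    """Split a trace into steps: '* title', '+ command' lines, exit codes, status codes."""
    steps = []
    for line in map(str.strip, text.splitlines()):
        m = EXIT_RE.match(line)
        if m:
            if steps:
                steps[-1]["exit_codes"].append(int(m.group(1)))
        elif line.startswith("* "):
            steps.append({"title": line[2:], "commands": [], "exit_codes": [], "statuses": []})
        elif line.startswith("+ ") and steps:
            steps[-1]["commands"].append(line[2:])
        elif steps:
            steps[-1]["statuses"].extend(STATUS_RE.findall(line))
    return steps

def diagnose(steps):
    """Compare the ADMIN$ mount result with the 'net ... rpc service' calls."""
    def ran(step, needle):
        return any(needle in cmd for cmd in step["commands"])
    mount_ok = any(ran(s, "mount -t cifs") and s["exit_codes"] == [0] for s in steps)
    rpc = [s for s in steps if ran(s, " rpc service ")]
    denied = [s for s in rpc if "NT_STATUS_ACCESS_DENIED" in s["statuses"]]
    if denied:
        # The same credentials mounted the share, so a denial confined to the RPC
        # calls is not a plain reachability or wrong-password problem.
        return "share-ok-rpc-denied" if mount_ok else "access-denied"
    # WERR_NO_SUCH_SERVICE on delete only means there was nothing to clean up.
    clean = all(set(s["statuses"]) <= {"WERR_NO_SUCH_SERVICE"}
                and not any(s["exit_codes"]) for s in rpc)
    return "rpc-ok" if rpc and clean else "other"

if __name__ == "__main__":
    print(diagnose(parse_steps(SAMPLE_LOG)))
```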

After testing a lot of things I reverted my ERA to an older state from backup and everything worked well. Then I looked for all the changes and found that the Samba update with CentOS 6.7 has a problem.

After downgrading to 3.5.23-25 everything is working again.

Command to downgrade:

yum downgrade samba-3.6.23-25.el6_7.x86_64 samba-common-3.6.23-25.el6_7 samba-winbind-clients-3.6.23-25.el6_7 samba-client-3.6.23-25.el6_7 samba-winbind-3.6.23-25.el6_7

source: hxxp://serverfault.com/questions/771163/update-to-samba-3-6-23-30-on-redhat-server-6-7-breaks-connections-from-clients-o


Nevertheless, many thanks for your help, MartinK

Link to comment
Share on other sites

  • ESET Staff

For some reason, the SERVER is able to successfully connect to the target machine, but the user being used has no rights to open the service manager remotely - that is the mentioned NT_STATUS_ACCESS_DENIED error. Unfortunately we are seeing this error quite often, but we are not able to find out what could possibly be wrong. In most cases, using the local administrator account (= the user named "Administrator", which is mostly disabled by default) helps. Sometimes connecting from a computer in the domain also helps (is the appliance connected to the domain?).

EDIT: glad to hear you were able to solve this. Maybe it was only a temporary issue related to the latest Samba security vulnerabilities -> maybe Windows was not updated...

Edited by MartinK
Link to comment
Share on other sites

In my case an update from CentOS was responsible for the error (Samba). After downgrading to the older version, the problem is fixed. :)

Link to comment
Share on other sites

  • 2 weeks later...

Hi,

It's an issue on the Samba side due to CVE-2016-2016. It is necessary to modify /etc/samba/smb.conf and add the parameter client ipc signing = auto

More info: https://servis.eset.cz/Knowledgebase/Article/View/598/0/po-aktualizaci-samby-nefunguje-push-instalace-era-agenta#.VzBx6nM0-q8 or hxxp://support.eset.com/kb6039/

Link to comment
Share on other sites
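A check for the setting named in the post above, added here as an example (not ESET's or Samba's code): `client ipc signing` is a global parameter, so a line appended to the end of smb.conf lands in the last share section, where Samba ignores it. The function names, result labels and both sample files are assumptions of this example; lines before the first section header are not counted as `[global]` here.

```python
import re

# Constructed smb.conf samples; section contents are illustrative.
APPENDED = """\
[global]
    workgroup = LVSTGA
    security = ads

[printers]
    path = /var/spool/samba
    printable = yes
; added at the end of the file, so it belongs to [printers]
client ipc signing = auto
"""

FIXED = """\
[global]
    workgroup = LVSTGA
    security = ads
    Client IPC Signing = Auto

[printers]
    path = /var/spool/samba
    printable = yes
"""

def normalize(name):
    """Samba matches parameter names ignoring case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()

def find_parameter(conf_text, wanted="client ipc signing"):
    """Return (value set in [global] or None, other sections that carry the parameter)."""
    section, global_value, misplaced = None, None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, value = line.partition("=")
        if sep and normalize(name) == normalize(wanted):
            if section == "global":
                global_value = value.strip().lower()   # last assignment wins
            else:
                misplaced.append(section)
    return global_value, misplaced

def check(conf_text):
    """Classify a config: 'effective', 'misplaced', 'other-value' or 'unset'."""
    value, misplaced = find_parameter(conf_text)
    if value == "auto":
        return "effective"
    if value is not None:
        return "other-value"
    return "misplaced" if misplaced else "unset"
```

On the appliance itself, `testparm -s` shows the configuration as Samba parses it. Per the smb.conf documentation, `auto` means signing on IPC$ connections is offered but not required.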

This topic is now closed to further replies.