tranquilit / WAPT-archives

Archives of WAPT repository for reference

WAPT Server 1.4.3 and Kerberos5 (CentOS) #23

Closed litew closed 7 years ago

litew commented 7 years ago

Hello,

At first, thank you for this great software, I hope I'll send you some PRs with localization files if I can get it working properly :)

WAPT Server version: 1.4.3.2 (CentOS 7.3.1611 (Core))
WAPT Agent version: 1.4.3.1 (Windows 7 x64 Pro SP1; Windows XP Pro SP3)
WAPT Setup version: 1.4.3.1 (Windows 7 x64 Pro SP1)
WAPT Deploy version: 1.4.3.0 (not using)

I've built WAPT Server from the 1.4.3 branch and finally got it partially working on CentOS, but I have problems with host autoregistration -- after host registration via the "wapt-get register" command I can see the new host in the waptconsole Host List, but it always has the UNREACHABLE state, for every host I'm trying to add. After some lurking I found these lines:

https://github.com/tranquilit/WAPT/blob/branch-1.4.3/common.py#L4368

force register if computer has not been registered or hostname has changed
this should work only if computer can authenticate on wapt server using kerberos (if enabled...)

Also there is the /opt/wapt/waptserver/apache/httpd.conf.j2 template, and these lines look interesting:

```
{% if use_kerberos %}
<Location "/add_host" "/register">
    AuthType Kerberos
    AuthName "Kerberos auth required for WAPT host registration"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms {{KRB5_REALM}}
    KrbLocalUserMapping On
    KrbServiceName HTTP/{{fqdn}}@{{KRB5_REALM}}
    Krb5KeyTab /etc/apache2/http-krb5.keytab
    require valid-user
    Order Allow,Deny
    Allow from all
    ProxyPass http://127.0.0.1:8080/add_host
    ProxyPassReverse http://127.0.0.1:8080/add_host
{% endif %}
```

So should I consider generating a keytab file and turning on Kerberos auth for Apache? Or is host registration also designed to work with Kerberos turned off, and there is something wrong with my configuration?

ghost commented 7 years ago

Make sure your Windows machine accepts incoming TCP connections on port 8088 from the WAPT server.
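
The reachability check suggested in this comment, as an added example that is not part of the thread or of WAPT: a small Python probe, run from the WAPT server, that tells a listening agent port apart from a refused or silently dropped connection. The function name, the hint texts and the command-line usage are assumptions; only port 8088 comes from the thread.

```python
import errno
import socket
import sys

AGENT_PORT = 8088  # agent service port named in the thread (1.4 branch)

# Hypothetical troubleshooting hints, keyed by probe result.
HINTS = {
    "open": "agent port answers; look at the server side instead",
    "refused": "host is up but nothing listens on the port; check the agent service",
    "filtered": "no answer at all; a firewall or routing problem is likely",
}

def probe_agent(host, port=AGENT_PORT, timeout=3.0):
    """Try one TCP connect and classify the outcome.

    Returns 'open', 'refused', 'filtered' or 'error:<reason>'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"       # RST received: reachable, no listener
    except socket.timeout:
        return "filtered"      # packets dropped silently
    except socket.gaierror:
        return "error:dns"     # name did not resolve from the server
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"  # ICMP unreachable from a router or firewall
        return "error:" + errno.errorcode.get(exc.errno, "unknown")

def report(hosts, port=AGENT_PORT):
    """Probe each host and return a list of (host, status, hint) tuples."""
    rows = []
    for host in hosts:
        status = probe_agent(host, port)
        rows.append((host, status, HINTS.get(status, "see status for details")))
    return rows

if __name__ == "__main__":
    # Usage (run on the WAPT server): python probe.py <agent-host> [<agent-host> ...]
    for host, status, hint in report(sys.argv[1:]):
        print(f"{host}:{AGENT_PORT} {status} - {hint}")
```

A "dns" error is worth noting separately: it means the server cannot resolve the agent's name at all, which no firewall change will fix.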

agauvrit-tis commented 7 years ago

Hi @Litew,

We're really interested in getting your localisation PR (Russian?)

Kerberos authentication is correctly supported in the next WAPT version (1.5).

litew commented 7 years ago

@MikaelUrankar Sorry for such a delay. I have already disabled all firewalls from the very beginning on both Windows and CentOS (allowed all INPUT and OUTPUT in iptables for debugging purposes).

@agauvrit-tis I've figured out that my problem has nothing to do with the Kerberos enabled/disabled state. Just to be sure I'm doing it right -- is what I'm trying to do a working variant at all, making WAPT agents on Windows work with WAPT Server on CentOS from the 1.4.3 branch? Maybe I should try to use the 1.5 branch instead? I switched to the 1.4.3 branch because it uses PostgreSQL, which I already use on the CentOS server I'm installing WAPT Server on. I'll provide more logs with the exact errors I get; I just stopped trying to make it work after numerous failures, but I'm still very interested in making it work.

UPD: yes, Russian language.

agauvrit-tis commented 7 years ago

@Litew yes, you should consider using branch 1.5 instead of branch 1.4. 1.4 is a test/unofficial release with migration from MongoDB to PostgreSQL in mind. The 1.5 branch has PostgreSQL + WebSocket connections for agents (no more 8088 service listening on hosts) + security improvements. We're expecting a release date soon. Feel free to try nightly builds: http://wapt.tranquil.it/wapt/nightly/

litew commented 7 years ago

@agauvrit-tis great news, thank you! I'll make another try on 1.5 branch from fresh start. Closing this issue since it concerns 1.4, I'll create another one if there are problems during testing with 1.5 branch.