[wpkg-users] wpkgCreateReport Update

Malte Starostik malte at malte.homeip.net
Sun Aug 23 02:49:17 CEST 2009


On Sunday, 23 August 2009 00:56:29, Lukasz Zalewski wrote:
> Malte Starostik wrote:
> > in the client, you can configure a command to execute after wpkg.js
> > (Variable, actions -> Execute after).  There you can put sth. like
> > cmd /c copy /y "%SystemRoot%\system32\wpkg.xml"
> > \\host\share\%COMPUTERNAME%.xml
> >
> > Maybe you need the testing version of the client for that - see
> > http://www1.wpkg.org/files/client/beta/test/2009-01-24/
> > Then you need to somehow setup the connection to the share, one IMHO very
> > clean way to do this with the above testing version is to check "Path,
> > users -> Use computer account and password" and grant the group "Domain
> > Computers" read permission on the share(s) containing WPKG and SOFTWARE
> > and write permissions on the share referenced in the above copy command. 
> > This way there is no need to save some user's password for WPKG to run.
>
> Malte,
> Did you manage, or heard of anyone being successful in getting computer
> authentication working on samba 3.0.X with ldap backend?

Hi Lukasz,

This is not going to work.  The SYSTEM account authenticates to servers using 
the machine account, but only if both the client and the server are members of 
an Active Directory domain.  I'm running the shares with computer 
authentication on a samba 3.0.33 server with ACLs like these on the shares' 
root directories:

This is where WPKG resides on, user apache has full access for management 
purposes:

# file: wpkg/
# owner: root
# group: domain\040admins
user::rwx
user:apache:rwx
group::rwx
group:domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:user:apache:rwx
default:group::rwx
default:group:domain\040computers:r-x
default:mask::rwx
default:other::---

SOFTWARE share: the computer accounts can install from here, the admins have 
full access, but normal users can't take the setup files to where they don't 
belong:

# file: software/
# owner: root
# group: domain\040admins
user::rwx
group::rwx
group:domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:domain\040computers:r-x
default:mask::rwx
default:other::---

This is where the clients write their logfiles to:

# file: logs
# owner: root
# group: domain\040admins
user::rwx
user:apache:rwx
group::rwx
group:domain\040computers:rwx
mask::rwx
other::---
default:user::rwx
default:user:apache:rwx
default:group::rwx
default:group:domain\040computers:rwx
default:mask::rwx
default:other::---

Then there's a "status" share with the same permissions as logs where the 
wpkg.xml files are copied to.  The whole thing could just as well reside in 
subdirectories of just a single share of course.  The "logs" and "status" 
shares could be somewhat more secured with the sticky bit so a client can 
never mess with the other clients' log files even if someone managed to hook 
into the WPKG client's execution; I just haven't verified that one yet.

The samba server is a member of our AD domain and thus running with security = 
ads.  User mapping is done with winbind.  Unfortunately there seems to be no 
way to apply this scheme to a samba (read: NT) domain as the clients will 
refuse to authenticate there :-(
So, if you want to go for a samba-only setup with no Windows ADC, you'll have 
to either store credentials on the clients or grant anonymous access to the 
shares, neither of which seems optimal.  I haven't had the time to explore samba4 
yet, but that should finally close this gap :-)

Cheers,
Malte
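The share layout and ACLs from Malte's post, as an added shell example (this is not code from the post or from WPKG): it provisions the four share roots with setfacl, applies the same entries as access and default ACLs, and sets the sticky bit on the two client-writable shares, the hardening the post mentions but has not verified. It goes one step beyond the post's getfacl listings: for the writable shares the inherited (default) entry for the computers group is r-x rather than rwx, because the sticky bit only prevents a machine account from unlinking or renaming another client's file, not from writing into one that inherited group write. The group names, share root and web-server user are parameters; "domain computers", "domain admins", apache and /srv/samba below are assumptions chosen to match the post. It needs root (for chgrp), the acl tools, and a filesystem with POSIX ACL support; on the Samba side, the share's inherit acls setting governs whether these default ACLs are honoured for files the clients create.

```shell
#!/bin/sh
# Provision the WPKG share tree from the post: machine accounts read from
# wpkg/ and software/, write to logs/ and status/; admins own everything;
# the web server user gets full access to wpkg/, logs/ and status/.
# Added example, not part of WPKG. Assumptions: winbind-mapped group names
# are passed in (e.g. "domain computers"), setfacl/getfacl are installed,
# the filesystem supports POSIX ACLs, and this runs as root so that chgrp
# to the admins group succeeds.

# Emit a setfacl entry list.  $1 role: readonly|writable
# $2 scope: access|default   $3 computers group   $4 optional extra user.
# Default (inherited) entries on a writable share give the computers group
# only r-x: the sticky bit stops a client unlinking or renaming another
# client's file, but would not stop it writing into a file that inherited
# g:rwx.  The creating client still has u::rwx on its own files.
acl_spec() {
    role=$1 scope=$2 computers=$3 extra=${4:-}
    case "$role/$scope" in
        readonly/access|readonly/default|writable/default) cperm=r-x ;;
        writable/access) cperm=rwx ;;
        *) echo "acl_spec: bad role/scope $role/$scope" >&2; return 1 ;;
    esac
    spec="u::rwx,g::rwx,g:$computers:$cperm,m::rwx,o::---"
    if [ -n "$extra" ]; then spec="u:$extra:rwx,$spec"; fi
    echo "$spec"
}

# Prefix every entry with "d:" so setfacl applies it as a default ACL.
as_default() {
    printf '%s' "$1" | tr ',' '\n' | sed 's/^/d:/' | paste -s -d, -
}

# Portable sticky-bit probe: the 10th column of ls -ld is t or T.
is_sticky() {
    case $(ls -ld "$1" | cut -c10) in t|T) return 0 ;; *) return 1 ;; esac
}

# Create one share root and apply its access and default ACLs.
# $1 dir  $2 role  $3 admins group  $4 computers group  $5 optional extra user
apply_share_acl() {
    dir=$1 role=$2 admins=$3 computers=$4 extra=${5:-}
    access=$(acl_spec "$role" access "$computers" "$extra") || return 1
    inherit=$(acl_spec "$role" default "$computers" "$extra") || return 1
    mkdir -p "$dir" || return 1
    chgrp "$admins" "$dir" || return 1      # owning group = admins (g::rwx)
    chmod 0770 "$dir" || return 1           # "other" gets nothing
    setfacl -b -m "$access" -m "$(as_default "$inherit")" "$dir" || return 1
    # Client-writable shares: sticky bit, so a machine account can only
    # remove or rename files it owns.
    if [ "$role" = writable ]; then chmod +t "$dir" || return 1; fi
}

# $1 share root  $2 admins group  $3 computers group  $4 web server user
provision_wpkg_shares() {
    root=$1 admins=$2 computers=$3 webuser=$4
    apply_share_acl "$root/wpkg"     readonly "$admins" "$computers" "$webuser" &&
    apply_share_acl "$root/software" readonly "$admins" "$computers" &&
    apply_share_acl "$root/logs"     writable "$admins" "$computers" "$webuser" &&
    apply_share_acl "$root/status"   writable "$admins" "$computers" "$webuser"
}

# Example invocation (assumed names and path; run as root on the Samba host):
#   provision_wpkg_shares /srv/samba "domain admins" "domain computers" apache
#   getfacl /srv/samba/logs
```

Verify the result with getfacl as in the post; the writable shares should show `group:domain computers:rwx` on the directory itself but `default:group:domain computers:r-x`, and `ls -ld` should show the sticky bit. Group names containing spaces must be quoted when passed in, exactly as the winbind separator settings on the server render them.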


