"working DNS"

inszekt_
Posts: 65
Registered: 15 Sep 2009, 11:06

Re: "working DNS"

Post by inszekt_ »

Hello List Members,

We are an IT support firm with a dozen small and medium-sized business (SMB) customers (5 to 30 employees per SMB). We must build a more automated, more centralised IT system to be cost-effective while keeping stable service levels.

In conjunction with this "monitored, automated, centralised systems" target plan, we have a complex opsi deployment sub-plan. The planned scenario is the following.

In short: the project goal is to create one, and only one, central opsiconfd server with multiple depot servers in multiple DNS domains, connected to and managed by the central opsiconfd server.

We are "arwin.hu", the IT support firm. We host the main OPSI config server (the opsiconfd server), called oscar.arwin.hu, connected to our network, 172.18.1.0/24. The opsi management interface can be reached at https://172.18.1.2:4447

Our customers' networks (LANs) must be strictly separated from each other, and mostly separated from arwin.hu's LAN. It is a must, a "business demand", sadly :S They all have separate firewalls, mailbox and file servers etc. (separate back-office infrastructure), but it is neither enjoyable nor cost- and work-effective to deploy separate management systems at a dozen SMBs, neither Nagios monitoring nor OPSI desktop management.

So the idea was to set up one OPSI depot server per SMB, each connected to the respective customer's LAN. These depot servers are called opsidepot.ringcsoport.hu (192.168.2.0/24, 192.168.2.3), opsidepot.infogroup.hu (192.168.10.0/24, 192.168.10.3), opsidepot.hammerworld.hu, etc. The Windows OS deployment images are unique to each depot server, but package management is intended to be centralised and controlled solely by oscar.arwin.hu.

During the test phase we ran into one big problem, detailed below.

The first steps seemed easy. We created a new depot server, called opsidepot.ringcsoport.hu. We established the physical network link (firewalling, routing) between it and oscar.arwin.hu (opsidepot.ringcsoport.hu -> telnet oscar.arwin.hu 4447 works) and joined opsidepot.ringcsoport.hu to oscar.arwin.hu with the script '/usr/share/opsi/register-depot.py'.

We created a test machine named "alma.ringcsoport.hu" in the web management interface (which runs on the central opsiconfd server oscar.arwin.hu, as stated earlier) and assigned it to opsidepot.ringcsoport.hu, the depot server in the ringcsoport.hu domain. We initiated a WinXP operating system setup. After that the client machine downloaded all the needed files via tftp from opsidepot.ringcsoport.hu and performed both the OS and the preloginloader installation. Everything went right, and the pckeys file was updated correctly with the right hostname/key pair (the last line):

barack@oscar.arwin.hu:~$ cat /etc/opsi/pckeys
oscar.arwin.hu:ea52d6c8d5b1520eb1cced8ba1c8c009
opsidepot.ringcsoport.hu:7148e9893154c8b0d17fb5e3159eeae8
alma.ringcsoport.hu:f0215e18e8d51b4a794d422406e64bb0

After the (n+1)th Windows reboot (initiated by setup), the system starts up as it should, preloginloader comes up ... and we faced the first problem (see the attached picture).

The client name is alma.ringcsoport.hu, and the right key is on the opsiconfd server:

alma.ringcsoport.hu:f0215e18e8d51b4a794d422406e64bb0

What... what then ... ?

( ... thinking, log reading, googling repeatedly ... and: )

The cause of this symptom is very exciting. The client SENDS A WRONG HOSTNAME (FQDN) TO THE CONFIG SERVER.

In the logs on oscar.arwin.hu we see these lines; please notice the wrong client hostname: alma.arwin.hu

[4] [Jan 25 17:21:32] Client '192.168.2.75' did not send cookie (opsiconfd|261)
[4] [Jan 25 17:21:32] New session created (opsiconfd|950)
[4] [Jan 25 17:21:32] Authorization request from alma.arwin.hu@192.168.2.75 (opsiconfd|354)
[3] [Jan 25 17:21:32] Failed to resolve hostname 'alma.arwin.hu': (-2, 'Name or service not known') (opsiconfd|371)
[4] [Jan 25 17:21:32] Host login attempt with username 'alma.arwin.hu' from ip '192.168.2.75', but name resolves to '[]', ip verification is disabled (access granted) (opsiconfd|384)
[2] [Jan 25 17:21:32] Forbidden: Cannot find opsiHostKey for host 'alma.arwin.hu' in file '/etc/opsi/pckeys' (opsiconfd|417)
[1] [Jan 25 17:21:32] Traceback (most recent call last):
  File "/usr/sbin/opsiconfd", line 118, in http_GET
    return worker.process()
  File "/usr/sbin/opsiconfd", line 200, in process
    self.deferred.callback(None)
  File "/usr/lib/python2.5/site-packages/twisted/internet/defer.py", line 243, in callback
    self._startRunCallbacks(result)
  File "/usr/lib/python2.5/site-packages/twisted/internet/defer.py", line 312, in _startRunCallbacks
    self._runCallbacks()
  --- <exception caught here> ---
  File "/usr/lib/python2.5/site-packages/twisted/internet/defer.py", line 328, in _runCallbacks
    self.result = callback(self.result, *args, **kw)
  File "/usr/sbin/opsiconfd", line 389, in _authenticate
    configFile = backendManagerConf )
  File "/var/lib/python-support/python2.5/OPSI/Backend/BackendManager.py", line 151, in __init__
    hostKey = self.getOpsiHostKey(self.__username)
  File "/etc/opsi/backendManager.d/50_interface.conf", line 721, in getOpsiHostKey
    return self._execMethod(self.pckeyBackend, 'getOpsiHostKey', hostId)
  File "/var/lib/python-support/python2.5/OPSI/Backend/BackendManager.py", line 501, in _execMethod
    res = eval( "instance.%s%s" % (method, params) )
  File "<string>", line 1, in <module>
  File "/var/lib/python-support/python2.5/OPSI/Backend/File31.py", line 1217, in getOpsiHostKey
    raise BackendMissingDataError("Cannot find opsiHostKey for host '%s' in file '%s'" % (hostId, self.__pckeyFile))
OPSI.Backend.Backend.BackendMissingDataError: Cannot find opsiHostKey for host 'alma.arwin.hu' in file '/etc/opsi/pckeys'
(opsiconfd|619)
[2] [Jan 25 17:21:32] Failed to process rpc: Cannot find opsiHostKey for host 'alma.arwin.hu' in file '/etc/opsi/pckeys' (opsiconfd|623)

The fact is: alma.arwin.hu instead of alma.ringcsoport.hu. Why?

After digging in the c:\temp\logonlog file on the test client alma.ringcsoport.hu, I found this piece of the log, which discloses how preloginloader composes the hostname it sends (the lines from "determining opsi client ID" onwards):

2010.01.25. 17:21:20 ============================ pcptch Version 3.9.3 ============================
2010.01.25. 17:21:22 starting pcptch
2010.01.25. 17:21:23 ipconfig /all ::: Windows IP Configuration
2010.01.25. 17:21:23 ipconfig /all ::: Host Name . . . . . . . . . . . . : alma
2010.01.25. 17:21:23 ipconfig /all ::: Primary DNS Suffix  . . . . . . . :
2010.01.25. 17:21:23 ipconfig /all ::: Node Type . . . . . . . . . . . . : Hybrid
2010.01.25. 17:21:23 ipconfig /all ::: IP Routing Enabled. . . . . . . . : No
2010.01.25. 17:21:23 ipconfig /all ::: WINS Proxy Enabled. . . . . . . . : No
2010.01.25. 17:21:23 ipconfig /all ::: DNS Suffix Search List. . . . . . : ringcsoport.hu
2010.01.25. 17:21:23 ipconfig /all ::: Ethernet adapter Local Area Connection:
2010.01.25. 17:21:23 ipconfig /all ::: Connection-specific DNS Suffix  . : ringcsoport.hu
2010.01.25. 17:21:23 ipconfig /all ::: Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet adapter
2010.01.25. 17:21:23 ipconfig /all ::: Physical Address. . . . . . . . . : 08-00-27-6C-43-98
2010.01.25. 17:21:23 ipconfig /all ::: DHCP Enabled. . . . . . . . . . . : Yes
2010.01.25. 17:21:23 ipconfig /all ::: Autoconfiguration Enabled . . . . : Yes
2010.01.25. 17:21:23 ipconfig /all ::: IP Address. . . . . . . . . . . . : 192.168.2.75
2010.01.25. 17:21:23 ipconfig /all ::: Subnet Mask . . . . . . . . . . . : 255.255.255.0
2010.01.25. 17:21:23 ipconfig /all ::: Default Gateway . . . . . . . . . : 192.168.2.254
2010.01.25. 17:21:23 ipconfig /all ::: DHCP Server . . . . . . . . . . . : 192.168.2.254
2010.01.25. 17:21:23 ipconfig /all ::: DNS Servers . . . . . . . . . . . : 192.168.2.2
2010.01.25. 17:21:23 ipconfig /all :::                                     84.2.44.1
2010.01.25. 17:21:23 ipconfig /all :::                                     84.2.46.1
2010.01.25. 17:21:23 ipconfig /all :::                                     212.108.200.75
2010.01.25. 17:21:23 ipconfig /all ::: Primary WINS Server . . . . . . . : 192.168.2.2
2010.01.25. 17:21:23 ipconfig /all ::: Lease Obtained. . . . . . . . . . : 25 January 2010 17:21:15
2010.01.25. 17:21:23 ipconfig /all ::: Lease Expires . . . . . . . . . . : 26 January 2010 16:51:15
2010.01.25. 17:21:23 getting IP-Names from Environment
2010.01.25. 17:21:23 ipName from system: alma
2010.01.25. 17:21:23 ipAddress from system: 192.168.2.75
2010.01.25. 17:21:23 retrieved from registry \SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName, Computername: ALMA
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, mountdrive: 1
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, label1: opsi
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, label2: uib
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, loadbitmap: 1
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, bitmap1: winst1.bmp
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, bitmap2: winst2.bmp
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, button_stopnetworking: immediate
2010.01.25. 17:21:23 Button StopNetworking enabled
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, SecsUntilConnectionTimeOut: 180
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, pcprotoname: pcproto.ini
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, patchlevelTyp:
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, copydefaultuser: 0
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, networkEntriesFromEnvironment: 1
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, WinstLocalDirectory: C:\Program Files\opsi.org\preloginloader\opsi-winst
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, ConfigDirectory: C:\Program Files\opsi.org\preloginloader\cfg
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, makeLocalCopyOfIniFile: 0
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, makeLocalWinst: 1
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\general, opsiconf: 1
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, pingcheck: 1
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, sendlogtoservice: 1
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, opsiServerType: service
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, opsiServiceURL: https://172.18.1.2:4447
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, repeatServiceConnectNo: 3
2010.01.25. 17:21:23 opsiconf true
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\shareinfo, pckey: DONT SHOW IT
2010.01.25. 17:21:23 reading pckey from file "C:\Program Files\opsi.org\preloginloader\cfg\locked.cfg"
2010.01.25. 17:21:23 pckey read from file
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\general, tftpserver: oscar.arwin.hu
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\general, configlocal: 1
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\shareinfo, user: pcpatch
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\shareinfo, smbusername1: opsiserver\pcpatch
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\shareinfo, try_secondary_user: 0
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\shareinfo, pcpatchpass: 95934085f34ccbdf
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\shareinfo, depoturl: smb:\\opsidepot\opt_pcbin\install
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\shareinfo, configurl: smb:\\opsidepot\opt_pcbin\install
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\shareinfo, utilsurl: smb:\\opsidepot\opt_pcbin\utils
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\shareinfo, utilsdrive: P:
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\shareinfo, configdrive: P:
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\shareinfo, depotdrive: P:
2010.01.25. 17:21:23 Error: Requested bitmap could not be loaded
2010.01.25. 17:21:23 retrieved from registry \SOFTWARE\opsi.org\pcptch, button_stopnetworking: immediate
2010.01.25. 17:21:23 Button StopNetworking enabled
2010.01.25. 17:21:23 servicehost reached in 20 ms
2010.01.25. 17:21:23 determining opsi client ID
2010.01.25. 17:21:23 opsi service with URL https://172.18.1.2:4447
2010.01.25. 17:21:23 json call: "https://172.18.1.2:4447/rpc?%7B%22id%22 ... :%5B%5D%7D"
2010.01.25. 17:21:23 json general Result "{"error":null,"id":1,"result":""}"
2010.01.25. 17:21:23 No client ID got from service
2010.01.25. 17:21:24 Try with ipname from local system: alma
2010.01.25. 17:21:24 json call: "https://172.18.1.2:4447/rpc?%7B%22id%22 ... :%5B%5D%7D"
2010.01.25. 17:21:24 json general Result "{"error":null,"id":1,"result":"arwin.hu"}"
2010.01.25. 17:21:24 Default domain from service >arwin.hu<
2010.01.25. 17:21:24 we supplement default domain from service to name: alma
2010.01.25. 17:21:24 We have client ID alma.arwin.hu

2010.01.25. 17:21:24 opsi service with URL https://172.18.1.2:4447
2010.01.25. 17:21:24 opsi service "https://172.18.1.2:4447", client "alma.arwin.hu" , username "alma.arwin.hu"
2010.01.25. 17:21:24 json call: "https://172.18.1.2:4447/rpc?%7B%22id%22 ... :%5B%5D%7D"
2010.01.25. 17:21:24 opsi service problem: HTTP/1.1 401 Unauthorized
2010.01.25. 17:21:24 error on trying to connect to opsi service https://172.18.1.2:4447, username "alma.arwin.hu" , message " error: HTTP/1.1 401 Unauthorized"
2010.01.25. 17:21:24 json call: "https://172.18.1.2:4447/rpc?%7B%22id%22 ... :%5B%5D%7D"
2010.01.25. 17:21:24 json retrieval error "HTTP/1.1 401 Unauthorized", request was: "Content-Type: text/html
Host: 172.18.1.2:4447

All in all: we have a wrongly composed client ID "alma.arwin.hu" instead of "alma.ringcsoport.hu", which would be the reasonable name. So this is the turning point for us at the moment... Please don't misunderstand "wrong": I think opsi does the right thing (and takes the domain part from the opsi server instead of from ipconfig /all) and we have misconfigured something, but I can't find the cure myself :(

What can we do to achieve the targeted multi-domain, multi-depot infrastructure?

Hoping for a reply, have a nice day
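The logonlog excerpt above shows the order in which pcptch builds the client ID: it first asks the service for an ID by IP, gets an empty result, and then appends the service's default domain ("arwin.hu") to the bare local host name, ignoring the connection-specific DNS suffix ("ringcsoport.hu") that ipconfig reported. The script below is an added illustration, not part of the original post and not opsi's own code: it replays that composition with the values from the thread, compares it with a hypothetical variant that uses the adapter's DNS suffix, and checks both IDs against the posted /etc/opsi/pckeys entries the way the opsiconfd log describes (unknown host ID -> "Cannot find opsiHostKey"). All function and parameter names are assumptions chosen for the example; the pckeys text and host values are taken from the post. Note that it only checks the host key, since the posted server log shows the name-to-IP verification was disabled at the time ("ip verification is disabled (access granted)").

```python
"""Replay the opsi client-ID composition seen in the posted pcptch log and
check the result against the posted /etc/opsi/pckeys entries.

Added illustration, not opsi code.  Function and parameter names are
assumptions; the input values are the ones visible in the forum thread.
"""
import hmac
import re
from typing import Dict, Optional

# Constructed from the pckeys listing in the post.
PCKEYS_TEXT = """\
oscar.arwin.hu:ea52d6c8d5b1520eb1cced8ba1c8c009
opsidepot.ringcsoport.hu:7148e9893154c8b0d17fb5e3159eeae8
alma.ringcsoport.hu:f0215e18e8d51b4a794d422406e64bb0
"""

# Lower-case DNS labels joined by dots; rejects shell/path metacharacters
# before the ID is used as a lookup key.
HOSTID_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")


def parse_pckeys(text: str) -> Dict[str, str]:
    """Parse 'hostId:opsiHostKey' lines into a dict keyed by lower-cased host ID."""
    keys: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        host, key = line.split(":", 1)
        keys[host.strip().lower()] = key.strip()
    return keys


def compose_client_id_as_logged(service_client_id: str, local_hostname: str,
                                service_default_domain: str) -> str:
    """Precedence the posted logonlog shows (reconstructed, assumed):
    the ID returned by the service wins; if it is empty, the local host
    name gets the service's default domain appended."""
    if service_client_id:
        return service_client_id.lower()
    return f"{local_hostname}.{service_default_domain}".lower()


def compose_client_id_from_dns_suffix(local_hostname: str, connection_dns_suffix: str,
                                      fallback_domain: str) -> str:
    """Hypothetical alternative the poster expected: append the adapter's
    connection-specific DNS suffix, falling back to the service domain
    only when the adapter has none."""
    domain = connection_dns_suffix or fallback_domain
    return f"{local_hostname}.{domain}".lower()


def authorize(client_id: str, pckeys: Dict[str, str], presented_key: Optional[str]) -> str:
    """Mimic the check the opsiconfd log describes: the login fails with
    'Cannot find opsiHostKey' when the host ID is unknown; otherwise the
    presented key must match the stored one (constant-time compare)."""
    if not HOSTID_RE.match(client_id):
        return "rejected: malformed host id"
    expected = pckeys.get(client_id)
    if expected is None:
        return f"rejected: Cannot find opsiHostKey for host '{client_id}'"
    if presented_key is None or not hmac.compare_digest(presented_key, expected):
        return "rejected: opsiHostKey mismatch"
    return "granted"


def demo() -> Dict[str, str]:
    """Run both compositions with the values taken from the posted logonlog."""
    pckeys = parse_pckeys(PCKEYS_TEXT)
    service_client_id = ""          # json result "" -> "No client ID got from service"
    local_hostname = "alma"         # "ipName from system: alma"
    service_default_domain = "arwin.hu"   # "Default domain from service >arwin.hu<"
    dns_suffix = "ringcsoport.hu"   # "Connection-specific DNS Suffix" in ipconfig /all
    client_key = pckeys["alma.ringcsoport.hu"]  # what the client read from locked.cfg

    logged_id = compose_client_id_as_logged(service_client_id, local_hostname, service_default_domain)
    suffix_id = compose_client_id_from_dns_suffix(local_hostname, dns_suffix, service_default_domain)
    return {
        "logged_id": logged_id,
        "logged_auth": authorize(logged_id, pckeys, client_key),
        "suffix_id": suffix_id,
        "suffix_auth": authorize(suffix_id, pckeys, client_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it prints the logged composition ("alma.arwin.hu", rejected because no such host ID exists in pckeys) next to the suffix-based one ("alma.ringcsoport.hu", granted), which is exactly the 401 the logonlog shows and the outcome the poster expected.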
j.schneider
uib-Team
Posts: 1808
Registered: 29 May 2008, 15:14

Re: "working DNS"

Post by j.schneider »

The problem in this case is the different domains.
This issue could be fixed with the new preloginloader (opsiclientd) from the Vista/Win7 co-funding project.
If you are interested in trying the new preloginloader, please send an email to info@uib.de