packages security warnings

[wardenik]

hi,

some packages, like python or firefox, during wInst, popup a window
"openfile - security warning"
Name: Firefox setup .... exe
Run, Cancel...

Is it possible to get rid of this one to not popup anything as it should be in unattended mode?

[d.oertel]

Hi wardenik,

check your depotURL
If the depotURL contains a IP-Number or a full qualified DNS-Name
XP thinks about the share 'oh this may be the dangerous internet'.
To avoid these problems use the netbios name in the depoturl.
You can see and modify this at the configed via 'server configuration'
or under
/var/lib/opsi/config/depots/<depotname>/depot.ini

does this help ?

regards

detlef

[wardenik]

Hi,

I presume you meant remoteurl from the depotshare section of this file
Yeap, I have changed it and it works fine.
Should I change remoteurl in the repository section as well?

Some additional questions:
- is it possible to uninstall a package? I can see the uninstall section in the manual, but it says only about preparing packages for uninstallation. But I don't see the uninstall option in the configed itself...
- i'm going to prepare a bitdefender and MS Office 2003 package if you are interested


radek

[j.schneider]

Hi!

Should I change remoteurl in the repository section as well?

You can leave this setting as it is.

- is it possible to uninstall a package? I can see the uninstall section in the manual, but it says only about preparing packages for uninstallation. But I don't see the uninstall option in the configed itself...

Sure, but you have to provide an uninstall-script.
You may have a look at /var/lib/opsi/config/depots/*/products/localboot/* and the command opsi-newprod.

[cshields]

I am having this problem on a win2k3 box, and the depot url is set to the netbios name just fine. The problem is that when I go to install swaudit, the preloginloader goes to install python and swaudit and the computer ends up sitting at two security warning prompts stating that the publisher could not be verified. This blocks the automatic deployment of python and swaudit (not to mention blocks any RDP access in the process). To see the error view: http://www.grabup.com/uploads/d021eb671 ... 3ab056.png

I've set the group policy template settings to not check for code signatures and to allow execution of invalid signatures but that does not fix anything (maybe the template change is not retroactive to the pcpatch account???)

How do people setup windows 2003 to allow OPSI to deploy properly?? I've read that windows 2003 is supported but this seems to be a major issue. (this is win2k3 sp2, basic install)

Cheers!

[fabi]

In fact we're having the same issue with windows vista, we just purchased the license for using vista with opsi. Like cshields I tried everything with setting up group policys or HKLM registry-keys to add *.exe-files to LowRiskFileTypes, which would prevent this massage in every case, or to add the opsi-server to the local intranet zone. This settings work for all local users except for the opsiconfd-service thread which runs under the SYSTEM-user (?).

We worked out that this message only appears if you call the command by a "winbatch" sub. If you're trying "dosbatch" this warning will never appear. But to change all scripts like that seems to be more like a dirty work-around than a sensible solution for this problem.

So any help would be welcomed!

[d.oertel]

Hi fabi,

there are some differences between XP/2003 and Vista/2008.
At XP you get normally no warning if the depotur uses the netbiosname and
the nameresolution via netbios works.

At Vista the UAC has to configured and the share has to be declared as trused at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
Both is done at the preloginvista installation.
So if this don't work with vista you should post your preloginvista.log

regards
detlef oertel

[fabi]

Thanks for your fast reply!

I set up a fresh vista machine and now the preloginvista did the registry updates automatically.. no idea why it didn't at the first time.. But nevertheless the same message appears if I want to install additional programs, so I attached the preloginvista.log.

[d.oertel]

Hi fabi,

The log seems to be ok.

But nevertheless the same message appears if I want to install additional programs,

Do you mean:
If you try to install programs via opsi to this vista client, you get a security warning ?

This should not happen if the programs are called from the opsi-server share ( e.g. vis %SCRIPTPATH%), because this server is registred as trusted.
If you call programs from a other (not trusted) share, you have problem.

Does this help ?

regards
detlef oertel

[fabi]

Yes I mean installing programs via opsi to my vista client from the trusted share on the opsi server. That's the thing that I don't understand, if I try to start the setup program manually from the admin account no warning appears, the trusted-network-entry works in this case. But the account which starts the opsiconfd seems to simply ignore this configuration.By the way, it's Vista Business I'm working with.