Re: [wpkg-users] wpkgCreateReport Update
Grubi, there is a problem with the color of the HTML report (v1.8.1) the following line needs to be changed from: this.stateClasses = new Array(pkgStateOk, pkgStateInstall, pkgStateRemove, pkgStateUpgrade, pkgStateDowngrade); to: this.stateClasses = new Array(pkgStateOk, pkgStateInstall, pkgStateUpgrade, pkgStateDowngrade, pkgStateRemove); To match the pkgState definition at the start. I like the new version very much, it is the thing I needed to create a simple report as scheduled task. Thanks so much. --- Stefan - wpkg-users mailing list archives http://lists.wpkg.org/pipermail/wpkg-users/ ___ wpkg-users mailing list wpkg-users@lists.wpkg.org http://lists.wpkg.org/mailman/listinfo/wpkg-users
Re: [wpkg-users] wpkgCreateReport Update
Malte, Thanks for your thorough explanation. I'm running a samba (NT4-style) domain. You've given me some more thing to think about. Mark - wpkg-users mailing list archives http://lists.wpkg.org/pipermail/wpkg-users/ ___ wpkg-users mailing list wpkg-users@lists.wpkg.org http://lists.wpkg.org/mailman/listinfo/wpkg-users
Re: [wpkg-users] wpkgCreateReport Update
Hello Mark, Am Freitag, 21. August 2009 20:44:03 schrieb Mark Nienberg: grubi wrote: Download and user manual can be found at: http://www.gig-mbh.de/edv/software/wpkgtools/wpkg-create-report-english.h tm The user manual says: The prerequisite is that you have copied the wpkg.xml file of every client to a central directory, carrying the name of the computer it originates from. This can easily be achieved by appending something like the following command line at the end of the script file you are calling wpkg from. What is the best way to do this if you are using the wpkg-client service to call wpkg? I'm guessing that maybe it should be listed in the Advanced section under Execute After. In that case, does anyone know which user/passwd combination will be used to execute the command? I'd like to be sure that user actually has write privileges in the share that will hold the xml files. in the client, you can configure a command to execute after wpkg.js (Variable, actions - Execute after). There you can put sth. like cmd /c copy /y %SystemRoot%\system32\wpkg.xml \\host\share\%COMPUTERNAME%.xml Mybe you need the testing version of the client for that - see http://www1.wpkg.org/files/client/beta/test/2009-01-24/ Then you need to somehow setup the connection to the share, one IMHO very clean way to do this with the above testing version is to check Path, users _ Use computer account and password and grant the group Domain Computers read permission on the share(s) containing WPKG and SOFTWARE and write permissions on the share referenced in the above copy command. This way there is no need to save some user's password for WPKG to run. HTH, Malte - wpkg-users mailing list archives http://lists.wpkg.org/pipermail/wpkg-users/ ___ wpkg-users mailing list wpkg-users@lists.wpkg.org http://lists.wpkg.org/mailman/listinfo/wpkg-users
Re: [wpkg-users] wpkgCreateReport Update
Malte Starostik wrote: Am Freitag, 21. August 2009 20:44:03 schrieb Mark Nienberg: What is the best way to do this if you are using the wpkg-client service to call wpkg? I'm guessing that maybe it should be listed in the Advanced section under Execute After. In that case, does anyone know which user/passwd combination will be used to execute the command? I'd like to be sure that user actually has write privileges in the share that will hold the xml files. in the client, you can configure a command to execute after wpkg.js (Variable, actions - Execute after). There you can put sth. like cmd /c copy /y %SystemRoot%\system32\wpkg.xml \\host\share\%COMPUTERNAME%.xml Mybe you need the testing version of the client for that - see http://www1.wpkg.org/files/client/beta/test/2009-01-24/ Then you need to somehow setup the connection to the share, one IMHO very clean way to do this with the above testing version is to check Path, users _ Use computer account and password and grant the group Domain Computers read permission on the share(s) containing WPKG and SOFTWARE and write permissions on the share referenced in the above copy command. This way there is no need to save some user's password for WPKG to run. I tested with the Execute After command and could not get it to work correctly. In my case the share where I need to copy the file is a samba share and I don't really want to make it world writeable. It appeared from my testing that wpkg tried to connect using the SYSTEM account, which has no password and no account on the samba server. Eventually I decided to do the copy as a wpkg package with Execute Always, so the user/password specified in the client is used instead of SYSTEM. This has the disadvantage that it might be out of date by one reboot, unless someone can tell me how to make this package execute last. Another option might be to use a daily Windows Scheduled job, since you can specify user/password there. -- Mark Nienberg Sent from an invalid address. Please reply to the group. - wpkg-users mailing list archives http://lists.wpkg.org/pipermail/wpkg-users/ ___ wpkg-users mailing list wpkg-users@lists.wpkg.org http://lists.wpkg.org/mailman/listinfo/wpkg-users
Re: [wpkg-users] wpkgCreateReport Update
Hi Mark, Mark Nienberg wrote: I tested with the Execute After command and could not get it to work correctly. In my case the share where I need to copy the file is a samba share and I don't really want to make it world writeable. It appeared from my testing that wpkg tried to connect using the SYSTEM account, which has no password and no account on the samba server. You could specify a cmd script in the Execute After setting which maps the share using a specified user/password. It's not really secure unless you protect the script not to be readable by local users. Eventually I decided to do the copy as a wpkg package with Execute Always, so the user/password specified in the client is used instead of SYSTEM. This has the disadvantage that it might be out of date by one reboot, unless someone can tell me how to make this package execute last. You might use the latest 1.1.2-RC* release. It includes a change which writes changes to the local settings (wpkg.xml) right after the modification instead of just when wpkg.js exits. As a result if you put an execute=always package at the end of each run it will copy an updated wpkg.xml. In order to run it at the end you must specify the lowest priority value for this package. My package simply looks like this: package id='WPKG-XML' name='WPKG XML backup' revision='1' priority='10' reboot='false' execute='always' !-- Backup copy of WPKG XML files -- install cmd='%SOFTWARE%\path\to\wpkg-xml\copy-xml.cmd' / upgrade cmd='%SOFTWARE%\path\to\wpkg-xml\copy-xml.cmd' / /package Where the script is as simple as follows: @echo off copy %SYSTEMROOT%\system32\wpkg.xml \\host\share\wpkg-xml\%COMPUTERNAME%.xml /y exit 0 Well, you might add explicit credentials to access the server. br, Rainer - wpkg-users mailing list archives http://lists.wpkg.org/pipermail/wpkg-users/ ___ wpkg-users mailing list wpkg-users@lists.wpkg.org http://lists.wpkg.org/mailman/listinfo/wpkg-users
Re: [wpkg-users] wpkgCreateReport Update
Malte Starostik wrote: Hello Mark, Am Freitag, 21. August 2009 20:44:03 schrieb Mark Nienberg: grubi wrote: Download and user manual can be found at: http://www.gig-mbh.de/edv/software/wpkgtools/wpkg-create-report-english.h tm The user manual says: The prerequisite is that you have copied the wpkg.xml file of every client to a central directory, carrying the name of the computer it originates from. This can easily be achieved by appending something like the following command line at the end of the script file you are calling wpkg from. What is the best way to do this if you are using the wpkg-client service to call wpkg? I'm guessing that maybe it should be listed in the Advanced section under Execute After. In that case, does anyone know which user/passwd combination will be used to execute the command? I'd like to be sure that user actually has write privileges in the share that will hold the xml files. in the client, you can configure a command to execute after wpkg.js (Variable, actions - Execute after). There you can put sth. like cmd /c copy /y %SystemRoot%\system32\wpkg.xml \\host\share\%COMPUTERNAME%.xml Mybe you need the testing version of the client for that - see http://www1.wpkg.org/files/client/beta/test/2009-01-24/ Then you need to somehow setup the connection to the share, one IMHO very clean way to do this with the above testing version is to check Path, users _ Use computer account and password and grant the group Domain Computers read permission on the share(s) containing WPKG and SOFTWARE and write permissions on the share referenced in the above copy command. This way there is no need to save some user's password for WPKG to run. Malte, Did you managed, or heard anyone being successful in getting computer authentication working on samba 3.0.X with ldap backend? Thx Luk - wpkg-users mailing list archives http://lists.wpkg.org/pipermail/wpkg-users/ ___ wpkg-users mailing list wpkg-users@lists.wpkg.org http://lists.wpkg.org/mailman/listinfo/wpkg-users
Re: [wpkg-users] wpkgCreateReport Update
Am Sonntag, 23. August 2009 00:56:29 schrieb Lukasz Zalewski: Malte Starostik wrote: in the client, you can configure a command to execute after wpkg.js (Variable, actions - Execute after). There you can put sth. like cmd /c copy /y %SystemRoot%\system32\wpkg.xml \\host\share\%COMPUTERNAME%.xml Mybe you need the testing version of the client for that - see http://www1.wpkg.org/files/client/beta/test/2009-01-24/ Then you need to somehow setup the connection to the share, one IMHO very clean way to do this with the above testing version is to check Path, users _ Use computer account and password and grant the group Domain Computers read permission on the share(s) containing WPKG and SOFTWARE and write permissions on the share referenced in the above copy command. This way there is no need to save some user's password for WPKG to run. Malte, Did you managed, or heard anyone being successful in getting computer authentication working on samba 3.0.X with ldap backend? Hi Lukasz, this is not going to work. The SYSTEM account authenticates to servers using the machine account, but only if both the client and the server are members of an Active Directory domain. I'm running the shares with computer authentication on a samba 3.0.33 server with ACLs like these on the shares' root directories: This is where WPKG resides on, user apache has full access for management purposes: # file: wpkg/ # owner: root # group: domain\040admins user::rwx user:apache:rwx group::rwx group:domain\040computers:r-x mask::rwx other::--- default:user::rwx default:user:apache:rwx default:group::rwx default:group:domain\040computers:r-x default:mask::rwx default:other::--- SOFTWARE share: the computer accounts can install from here, the admins have full acces, but normal users can't take the setup files to where they don't belong: # file: software/ # owner: root # group: domain\040admins user::rwx group::rwx group:domain\040computers:r-x mask::rwx other::--- default:user::rwx default:group::rwx default:group:domain\040computers:r-x default:mask::rwx default:other::--- This is where the clients write their logfiles to: # file: logs # owner: root # group: domain\040admins user::rwx user:apache:rwx group::rwx group:domain\040computers:rwx mask::rwx other::--- default:user::rwx default:user:apache:rwx default:group::rwx default:group:domain\040computers:rwx default:mask::rwx default:other::--- Then there's a status share with the same permissions like logs where the wpkg.xml files are copied to. The whole thing could just as well reside in subdirectoruies of just a single share of course. The logs and status shares could be somewhat more secured with the sticky bit so a client can never mess with the other clients' log files even if someone managed to hook into the WPKG client's execution, I just haven't verified that one yet. The samba server is a member of our AD domain and thus running with security = ads. User mapping is done with winbind. Unfortunately there seems to be no way to apply this scheme to a samba (read: NT) domain as the clients will refuse to authenticate there :-( So, if you want to go for a samba-only setup with no Windows ADC, you'll have to either store credentials on the clients or grant anonymous access to the shares, none of which seems optimal. I haven't had the time to explore samba4 yet, but that should finally close this gap :-) Cheers, Malte - wpkg-users mailing list archives http://lists.wpkg.org/pipermail/wpkg-users/ ___ wpkg-users mailing list wpkg-users@lists.wpkg.org http://lists.wpkg.org/mailman/listinfo/wpkg-users
Re: [wpkg-users] wpkgCreateReport Update
Hi Mark, Am Samstag, 22. August 2009 20:28:00 schrieb Mark Nienberg: I tested with the Execute After command and could not get it to work correctly. In my case the share where I need to copy the file is a samba share and I don't really want to make it world writeable. It appeared from my testing that wpkg tried to connect using the SYSTEM account, which has no password and no account on the samba server. The SYSTEM account will use the client's machine account (which does have a password, just one you don't personally know) iff you're using AD. Please refer to my reply to Lukasz' mail. Without an AD, you will have to use some regular user account to access the share and configure the clients to use it. The password storage is pretty much as secured as the machine password is with one major drawback: unless you're going to add a separate user account for each client, a compromised machine will force you to change the single password and propagate the change to the remaining clients. With machine authentication, all you need to do is deactivate or delete the machine account and it will no longer be able to access your server(s). Eventually I decided to do the copy as a wpkg package with Execute Always, so the user/password specified in the client is used instead of SYSTEM. This has the disadvantage that it might be out of date by one reboot, unless someone can tell me how to make this package execute last. Another option might be to use a daily Windows Scheduled job, since you can specify user/password there. The task scheduler is one option, some others come to mind (not intended to be an exhaustive list): * The connection to the distribution share the WPKG client set up is still connected when the Execute After script is run. You could then have just one subdir writable to the respective user and deposit the XMLs there. This is quite viable and rather secure, only with the bad taste of a storing the password for a most probably shared account. * You could point Execute After to a batch file that sets up its own connection via net use - but this is a lot worse than the above as you'd need to include the password in plain text in the batch file while the WPKG client stores it in the LSA database instead. * You could sandbox the clients' access by creating a subdirectory for each client machine and setting up a share for use with one of the above means or even anonymous, including the machine name in the path via samba's variable expansion, so the share is called e.g. \\setup\reports on every client but in fact points to a dedicated directory like /srv/reports/host1 on the server. This option's security level is basically determined by what variable you use for the path name and what it takes for a rogue client to forge its value. * Instead of a simple copy, you could somehow upload the file to a web server that authenticates the client by other fancy means. Regards, Malte - wpkg-users mailing list archives http://lists.wpkg.org/pipermail/wpkg-users/ ___ wpkg-users mailing list wpkg-users@lists.wpkg.org http://lists.wpkg.org/mailman/listinfo/wpkg-users
[wpkg-users] wpkgCreateReport Update
Hi. I have released a new version of wpkgCreateReport. What's new: Now creation of Excel and HTML reports. Filtering of report rows depending on package state. Customization via settings file or command line. User Manual. Download and user manual can be found at: http://www.gig-mbh.de/edv/software/wpkgtools/wpkg-create-report-english.htm Regards, grubi - wpkg-users mailing list archives http://lists.wpkg.org/pipermail/wpkg-users/ ___ wpkg-users mailing list wpkg-users@lists.wpkg.org http://lists.wpkg.org/mailman/listinfo/wpkg-users
Re: [wpkg-users] wpkgCreateReport Update
grubi wrote: Download and user manual can be found at: http://www.gig-mbh.de/edv/software/wpkgtools/wpkg-create-report-english.htm The user manual says: The prerequisite is that you have copied the wpkg.xml file of every client to a central directory, carrying the name of the computer it originates from. This can easily be achieved by appending something like the following command line at the end of the script file you are calling wpkg from. What is the best way to do this if you are using the wpkg-client service to call wpkg? I'm guessing that maybe it should be listed in the Advanced section under Execute After. In that case, does anyone know which user/passwd combination will be used to execute the command? I'd like to be sure that user actually has write privileges in the share that will hold the xml files. Thanks, -- Mark Nienberg Sent from an invalid address. Please reply to the group. - wpkg-users mailing list archives http://lists.wpkg.org/pipermail/wpkg-users/ ___ wpkg-users mailing list wpkg-users@lists.wpkg.org http://lists.wpkg.org/mailman/listinfo/wpkg-users