Config Server with Local Depot

[d.oertel]

Hi,

try to use increase the loglevel by using the additional option '-l 7'
and then please post the output.

regards

d.oertel

[mansukhpatel]

Hi Patel,

Sorry for the late reply from my side.
With regards to the previous post, I have to take back my suggestion. The backend conf file is indeed changed to JSONRPC and that's how it should work.

No idea why it didn't with me the first time I tried. I checked now, and the backed conf file is using JSONRPC and all is working well.
Also, register-depot no longer hangs the server when setting rights.

In the mean time, both depot & config servers are using more recent OPSI packages, maybe this was a bug that's fixed in the mean time?

Sorry if I confused you, I was just trying to help, even though an OPSI beginner myself.

Krgds
Koen

Hi Koen,

How is your opsi servers setup?

My configurations is as follows:

I am hoping to setup the opsi for our multidomain network? Not sure if this would work. Would i need to make sure that the opsi depot and config server are on the same domain

After installing ubuntu and installing OPSI, I ran the register command on the config server, during which it hangs. But as per the manual, when I run the register command from the local depot server, the registration completes without any errors.

By following this method, I am able to deploy the agent but unable to execute any task as I receive this error "Failed to connect to config server 'https://172.16.100.5:4447/rpc': Opsi authentication error: Forbidden: Backend authentication error: Host 'opsi-client1.opsi.local' not found in backend <OPSI.Backend.BackendManager.BackendManager instance at 0x855eacc> (error on server) (OpsiService.pyo|97)"

I am not sure if this is a different issue or its to do with me registering the depot on the wrong server.

[mansukhpatel]

Hi,

try to use increase the loglevel by using the additional option '-l 7'
and then please post the output.

regards

d.oertel

Hi,

While carrying out various test, I ran the register depot from the depot server rather than config server. (As per your manual) This part works fine and I am able to deploy the agent but then I am unable to carry out any other task such as hardware/software audit. The error I receive is shown below:

"Failed to connect to config server 'https://172.16.100.5:4447/rpc': Opsi authentication error: Forbidden: Backend authentication error: Host 'opsi-client1.opsi.local' not found in backend <OPSI.Backend.BackendManager.BackendManager instance at 0x855eacc> (error on server) (OpsiService.pyo|97)"

[d.oertel]

Hi,

I ran the register depot from the depot server rather than config server. (As per your manual)

I thought the manual is clear at this point. But we will add: 'You have to run this script at the new depot'.

Is 172.16.100.5 the depot or the config server ?

regards

d.oertel

[mansukhpatel]

Hi,

I ran the register depot from the depot server rather than config server. (As per your manual)

I thought the manual is clear at this point. But we will add: 'You have to run this script at the new depot'.

Is 172.16.100.5 the depot or the config server ?

regards

d.oertel

Hi,

172.16.100.5 is the config server. I wasnt sure if it there was an issue communicating over the IPSec VPN as I previously mentioned. The config server is sitting in the cloud and the depot server configured at the local office which is on a different IP subnet to the config server. Also at a number of our office the servers are on a different domain, would this cause an issue?

[mansukhpatel]

Hi,

I ran the register depot from the depot server rather than config server. (As per your manual)

I thought the manual is clear at this point. But we will add: 'You have to run this script at the new depot'.

Is 172.16.100.5 the depot or the config server ?

regards

d.oertel

Hi,

172.16.100.5 is the config server. I wasnt sure if it there was an issue communicating over the IPSec VPN as I previously mentioned. The config server is sitting in the cloud and the depot server configured at the local office which is on a different IP subnet to the config server. Also at a number of our office the servers are on a different domain, would this cause an issue?

To add to the above, I have recreated the config and the depot server and got them communicating over WAN. On the config server I downloaded the latest packages and deploy to the depot server. This uploaded without any errors.

I then prepared a client machine and deployed the opsi agent. It installed fine and I am able to send command to it to reboot etc, but when it comes to running an audit it fails with an error "Failed to connect to config server 'https://84.45.94.40:4447/rpc': Opsi authentication error: Forbidden: Backend authentication error: Host 'opsi-client1.opsi.local' not found in backend <OPSI.Backend.BackendManager.BackendManager instance at 0x91f0b2c> (error on server) (OpsiService.pyo|97)" Going back to what i mentioned previously, its an authentication issues as when I had a single depot/config server part of our domain it worked fine. But after setting up a config server with a local depot server which is not part of the same windows domain, I am getting various issues. Again the reason for setting it up like this was because we have several Windows Domains ("abc.local", "xyz.local") and I have given opsi servers its own domain "opsi.local"

So from the above, would opsi work for a multidomain/multi tenant environment?

Finally, you have asked me to increase the log level with this option '-l 7' this is all new to me. Where do I add this?

[d.oertel]

Hi,

at first:
opsi isn't not really interested in Windows Domains.
More exactly:
opsi need no Windows Domain.
opsi is not part of a Windows Domain.
opsi authentication is not controlled by any Domain Accounts.
and
Please don't mixup 'Windows Domains' and 'DNS Domains'.
So:

So from the above, would opsi work for a multidomain/multi tenant environment?

yes

second:
The client should connect to the config server and this is 172.16.100.5 in your case , is that right ?
The Client connects to 84.45.94.40 (thats wrong). 84.45.94.40 is the depot, is that right ?

Things like that may happen, if you install the opsi-client-agent opsi-product at the depot-server before it is a depot.
This leads to the problem that the wrong IP-Number is registered as config-server.
The simplest way to get out of this problem is:

Just remove opsi-client-agent from the depot:

Code: Alles auswählen

opsi-package-manager -r opsi-client-agent -d <mydepot.mydomain.mytopdomain>

And than just install it again and than install it on the client again.

third:
"communicating over the IPSec VPN "
"multidomain/multi tenant environment"

Sounds like a commercial installation. Just think about of commercial support:
http://uib.de/en/opsi%20support/index.html

finally: '-l 7'
You may increase the log-level of the opsi-setup command at the commandline

Code: Alles auswählen

opsi-setup -l 7 --register-depot

regards
d.oertel

[mansukhpatel]

Hi,

at first:
opsi isn't not really interested in Windows Domains.
More exactly:
opsi need no Windows Domain.
opsi is not part of a Windows Domain.
opsi authentication is not controlled by any Domain Accounts.
and
Please don't mixup 'Windows Domains' and 'DNS Domains'.
So:

So from the above, would opsi work for a multidomain/multi tenant environment?

yes

second:
The client should connect to the config server and this is 172.16.100.5 in your case , is that right ?
The Client connects to 84.45.94.40 (thats wrong). 84.45.94.40 is the depot, is that right ?

Things like that may happen, if you install the opsi-client-agent opsi-product at the depot-server before it is a depot.
This leads to the problem that the wrong IP-Number is registered as config-server.
The simplest way to get out of this problem is:

Just remove opsi-client-agent from the depot:

Code: Alles auswählen

opsi-package-manager -r opsi-client-agent -d <mydepot.mydomain.mytopdomain>

And than just install it again and than install it on the client again.

third:
"communicating over the IPSec VPN "
"multidomain/multi tenant environment"

Sounds like a commercial installation. Just think about of commercial support:
http://uib.de/en/opsi%20support/index.html

finally: '-l 7'
You may increase the log-level of the opsi-setup command at the commandline

Code: Alles auswählen

opsi-setup -l 7 --register-depot

regards
d.oertel

Hi

Thanks for your reponse

Initially I had configured the config/depot server to communicate over the private address but later reconfigured to communicate over the public address

Depot server had registered correctly and I had deployed the client agent after uploading the packages from the config server. The address below "84.45.94.40" is for the new config server

The error i am 'https://84.45.94.40:4447/rpc': Opsi authentication error: Forbidden: Backend authentication error: Host 'opsi-client1.opsi.local' not found in backend <OPSI.Backend.BackendManager.BackendManager instance at 0x91f0b2c> (error on server) (OpsiService.pyo|97)"

Could it be that it is looking for the fully qualified domain name "opsimaster.opsi.local" instead of the IP address 84.45.94.40

[d.oertel]

Hi,

have a look at:
on the depotserver file:
/opt/pcbin/install/opsi-client-agent/files/opsi/cfg/config.ini

Code: Alles auswählen

[opsiclientd]
config_service.url = https://172.16.166.1:4447

The config_service.url should point to your config-server

on the client, file
c:\program files\opsi.org\opsi-client-agent\opsicliend\opsiclientd.conf

Code: Alles auswählen

[config_service]
url=https://172.16.166.1:4447/rpc 

The url should point to your config-server

regards

d.oertel