
Unable to set the Active Directory Name when creating the linux package

Even though it is documented here

https://www.sophos.com/en-us/support/knowledgebase/122249.aspx

As of version 9.8.5 of the Linux client you are unable to pass the AD (Active Directory) domain. The command comes back with an incorrect usage message.

E.g.

# /opt/sophos-av/update/mkinstpkg  -o /root/savinstpkg-test.x86_64.rpm  --host --rpm --rpm-version="9.8.5" --rpm-release="8"  --domainname=DOMAIN

mkinstpkg: Make installation package
Usage: ./mkinstpkg.sh [OPTION]
OPTION:
  -h, --help                               Display this help information
  -o OUTPUT-FILE, --output=OUTPUT-FILE     Path to installation package file
  -a, --all                                Generate a package for all supported distributions
  --host                                   Generate a package for this distribution only
  --update-proxy-address=URL               Address for HTTP proxy
  -r, --rpm                                Create RPM package
  --rpm-version=VERSION                    Version number for RPM package. Eg: --rpm-version=9.0.0
  --rpm-release=RELEASE                    Release number for RPM package. Eg: --rpm-release=1
Package creation aborted
# /opt/sophos-av/update/mkinstpkg  -o /root/savinstpkg-test.x86_64.rpm  --host --rpm --rpm-version="9.8.5" --rpm-release="8"  



Sophos Anti-Virus
=================
Copyright (c) 1989-2015 Sophos Limited. All rights reserved.

Welcome to the Sophos Anti-Virus installer. Sophos Anti-Virus contains an on-access scanner, an on-demand
command-line scanner, the Sophos Anti-Virus daemon, and the Sophos Anti-Virus GUI.

On-access scanner         Scans files as they are accessed, and grants access
                          to only those that are threat-free.
On-demand scanner         Scans the computer, or parts of the computer,
                          immediately.
Sophos Anti-Virus daemon  Background process that provides control, logging,
                          and email alerting for Sophos Anti-Virus.
Sophos Anti-Virus GUI     User interface accessed through a web browser.


Press <return> to display Licence. Then press <spc> to scroll forward

<snip>



  • FYI excerpt from the URL mentioned
    "For a new install, you can specify the installer options to override the computer name and SEC group (as well as description and domain name):

    --hostname=<GROUP>

    --sec-group <GROUP>

    --description=<DESCRIPTION>

    --domainname=<DOMAINNAME>"
  • At least install.sh accepts all of them. When the --sec-group option is correctly used the endpoint does indeed appear in the specified SEC group. The article doesn't mention the correct format though (like the ones for Windows and Mac do): \SecServerName\TopLevelGroup\Group with group names being case-sensitive, no trailing backslash (and of course the string or backslashes have to be escaped in the shell). The other three put the mentioned files in /opt/sophos-av/etc but this apparently has no effect.


    Christian
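
The format and shell-quoting rules from the post above, as an added example that is not part of the original thread or of Sophos's own tooling. The function names and the sample path are constructed; requiring at least a server plus one group and rejecting doubled backslashes are assumptions of this example.

```shell
#!/bin/sh
# Added example: names and values below are constructed placeholders.

# valid_sec_group VALUE
# Returns 0 if VALUE has the form \Server\Group[\Group...] as described in
# the post above: one leading backslash, no trailing backslash.
# Assumption of this example: at least a server and one group are required,
# and empty path components (doubled backslashes) are rejected.
valid_sec_group() {
    case "$1" in
        '\'*) ;;                  # must start with a backslash
        *) return 1 ;;            # e.g. unquoted value: the shell ate the backslashes
    esac
    case "$1" in
        *'\') return 1 ;;         # trailing backslash
        *'\\'*) return 1 ;;       # empty component
    esac
    case "${1#?}" in              # drop the leading backslash
        *'\'*) return 0 ;;        # server + at least one group
        *) return 1 ;;
    esac
}

# sec_group_arg VALUE
# Prints the installer argument for a valid VALUE, otherwise fails.
sec_group_arg() {
    if valid_sec_group "$1"; then
        printf '%s\n' "--sec-group=$1"
    else
        printf 'invalid SEC group path: %s\n' "$1" >&2
        return 1
    fi
}

# Quoting forms that reach the program as \secserver\AD\Linux:
#   '\secserver\AD\Linux'        single quotes, nothing is interpreted
#   "\\secserver\\AD\\Linux"     double quotes, each \\ becomes one \
#   \\secserver\\AD\\Linux       unquoted, each \\ becomes one \
# Form that does not: unquoted \secserver\AD\Linux arrives as secserverADLinux.
# Usage (install.sh is the installer from the thread):
#   ./install.sh "$(sec_group_arg '\secserver\AD\Linux')"
```

Group names are case-sensitive according to the post, which a syntactic check like this cannot verify; the value still has to match the group as it is spelled in SEC.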

  • Thanks Christian. I can confirm that the --sec-group option works both in the install.sh and mkinstpkg, and you can use it to populate a sync'd AD group. My concern though, and the reason for the question, is that the Domain is not able to be provided when using mkinstpkg. install.sh does accept it, but doesn't actually do anything with it.
  • Hello GrantS,

    intended to reply on the other thread but I can do it here as well.

    Indeed this is murky. AD sync correctly obtains the computer object (for now I'm assuming the OS attribute is either blank or Linux) from AD, setting the correct domain. The computer appears as unmanaged. When Sophos is installed on the endpoint (running Linux) the machine is matched to the computer in the sync'ed group. If you watch the entry closely the Domain/workgroup value switches from the domain to blank and back. The former happens whenever the endpoint sends a status message, the latter when a sync is performed.
    If you then reinstall Sophos on the endpoint it will connect to SEC with a new (hidden) RMS identity but - unfortunately - also with a blank domain. As both identity and domain do not match SEC assumes this is a new computer and puts it in the Unassigned group (or whichever group you specify - except a sync'ed one, as two computers with the same name are not permitted).

    Unless the setting of domain works you'll have troubles (one can make it work without editing the AD or fiddling with the SEC database but only with a very careful timing of actions).

    Christian

  • The other thread goes into what happens when you reinstall Sophos so I'll discuss that there.

    I am using something like the following (actual details changed)
    ./install.sh --sec-group="\secserver\AD\Linux" --domainname="FOO"

    With or without the domain name option the following happens in SEC
    1. Node appears disconnected with unknown OS for about 10 secs or so. It is put into the group defined by --sec-group
    2. Node changes to connected WITHOUT the domain defined
    3. After an AD sync the domain is defined as FOO

    It also means that you can't use this for RPM-based packages.

    As previously mentioned, either I'm doing something wrong, the KB article is wrong or there is a bug.
  • Hello GrantS,

    you're not doing something wrong (though arguably the specification of --sec-group in conjunction with AD sync is redundant). Fact is that the agent (RMS) doesn't work as described in 122249 and mkinstpkg only accepts --sec-group but not --domainname (the other two would be counterproductive anyway). As the CID's install.sh accepts and processes these options I'd call it a bug.


    Christian