Agent deployment error NT_STATUS_ACCESS_DENIED

  • 7017630
  • 23-May-2016
  • 07-Jun-2016

Environment

NetIQ Change Guardian 4.2

Situation

Change Guardian Agent Manager fails after applying SUSE Linux Enterprise Service Pack 4.
Agent deployment to a Windows machine using the Agent Manager fails with NetIQBootstrapService error.
Samba connection fails with error NT_STATUS_ACCESS_DENIED while attempting to create service NetIQBootstrapService on the remote machine.

Resolution

There are two available solutions to this issue. Review both and use the one that best fits your environment.

SOLUTION 1:

The easiest solution is to set client SMB packet signing on the Change Guardian server to "auto." With this setting, whether SMB packet signing is used on a connection is determined by the settings on the Windows Agent machine.

Add the configuration option client ipc signing = auto to the [global] section of the Samba configuration file /etc/samba/smb.conf.
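The smb.conf change from Solution 1, written as an added shell helper that is not part of this article or the Change Guardian product: it sets the key in the [global] section idempotently, so a repeated run replaces the existing value instead of appending a duplicate line. The file path is passed as an argument so the helper can be tried on a copy first; the sample contents used below are constructed.

```sh
#!/bin/sh
# Idempotently set a key in the [global] section of an smb.conf-style file.
set -u

# set_global_option FILE KEY VALUE
# Replaces KEY if it is already present in [global], otherwise appends it at
# the end of that section; creates [global] if the file has none.
set_global_option() {
    tmp=$(mktemp) || return 1
    awk -v key="$2" -v value="$3" '
        function flush_blanks() { while (blanks > 0) { print ""; blanks-- } }
        function emit_if_missing() {
            if (in_global && !done) { print "\t" key " = " value; done = 1 }
        }
        /^[ \t]*\[/ {                               # any section header
            emit_if_missing(); flush_blanks()
            in_global = ($0 ~ /^[ \t]*\[global\][ \t]*$/)
            if (in_global) seen_global = 1
            print; next
        }
        in_global && /^[ \t]*$/ { blanks++; next }   # hold trailing blank lines
        in_global {
            flush_blanks()
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { emit_if_missing(); next } # replace existing line
        }
        { print }
        END {
            if (!seen_global) { print "[global]"; in_global = 1 }
            emit_if_missing(); flush_blanks()
        }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return $rc
}

# get_global_option FILE KEY -> prints the value set in [global], if any
get_global_option() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_global = ($0 ~ /^[ \t]*\[global\][ \t]*$/); next }
        in_global && /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v; exit }
        }' "$1"
}

# Solution 1 from the article (run as root on the Change Guardian server):
# set_global_option /etc/samba/smb.conf "client ipc signing" auto
```

Run testparm afterwards to confirm Samba still parses the file.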

SOLUTION 2:

The more secure solution is to tighten the security settings on all of the Windows Agent machines. In an Active Directory environment this can be done using group policy. In this scenario, you can leave the client SMB signing setting on the Change Guardian server at "mandatory," which is now the default value when the setting is not present in the configuration file. SMB packet signing will then be required for all Windows Agent connections.

Note: This approach is more secure but may degrade performance up to 15 percent on file service transactions.

Server SMB signing can be configured for Windows machines in an AD environment using group policy by enabling either of the following security options under Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options:

Microsoft network server:  Digitally sign communications (always)

Microsoft network server:  Digitally sign communications (if client agrees)

For Windows machines not in an AD environment, the same security options can be configured locally on the machine using the Local Security Policy snap-in found under Administrative Tools.

Cause

The samba-client package has been updated in SUSE Linux Enterprise Server SP4 to address the Badlock vulnerability, which is associated with multiple CVEs and could lead to a man-in-the-middle or denial-of-service attack. See http://badlock.org/ for more details. The samba-client update changes the default client SMB signing setting on the Change Guardian host from "auto" to "mandatory." Except on domain controllers, the Windows OS default settings do not require SMB packet signing, so Samba communication between non-domain-controller Windows machines and the Change Guardian server fails. Change Guardian (Windows) Agent Management depends on Samba communication and therefore does not work.

Additional Information

This issue only applies to standard installations (non-appliance installations) of the Change Guardian server. The Change Guardian appliance has client SMB packet signing (client ipc signing) set to "auto" by default.