Script Execution Fails

Hi,

I’m trying to get BigFix to execute a simple script, but it isn’t working. The task fails. Here’s the action script.

delete __createfile
delete KerbAuthConfig.bat
createfile until __EOF
start /wait ksetup /addkdc DOMAIN.COM kerberos1.domain.com
start /wait ksetup /addkdc DOMAIN.COM kerberos2.domain.com
start /wait ksetup /addkdc DOMAIN.COM kerberos3.domain.com
__EOF
copy __createfile KerbAuthConfig.bat
waithidden cmd /c KerbAuthConfig.bat
dos echo Kerberos authentication configured! %date% %time%>C:\KerbAuthConfig.txt

This works if I run the commands interactively, but as usual, BigFix won’t do it. I copied this fixlet from another example that does work. What am I doing wrong?

Thanks

Sounds like it could be the issue of user context vs SYSTEM context. You could verify that by either manually running the batch file in SYSTEM context (e.g. via psexec) or setting the action to run in the user context using either runascurrentuser.exe or the override action commands.

Regs
Rob

OK. thanks. I’ll give that a try.

Might also be a problem with the 32-bit environment used by the BES client. You can put

action uses wow64 redirection false

anywhere in the script before the waithidden command to ensure you use the native version of cmd.exe and ksetup.exe.

If using the native environment doesn’t work, I sometimes test running commands as the SYSTEM account using psexec to open a command shell in SYSTEM context -

psexec.exe -s cmd.exe

PsExec is part of Microsoft’s Sysinternals suite - https://technet.microsoft.com/en-us/sysinternals/default.aspx


If you look at the client log on an endpoint you ran this on, does the BAT file line return an error code?

There won’t be an error code in the console because the last error code would be from the dos echo command, which should always succeed.

I normally don’t recommend doing things in BAT files in most cases.

I would do it something like this:

waithidden ksetup /addkdc DOMAIN.COM kerberos1.domain.com
waithidden ksetup /addkdc DOMAIN.COM kerberos2.domain.com
waithidden ksetup /addkdc DOMAIN.COM kerberos3.domain.com

or maybe this:

waithidden cmd /c ksetup /addkdc DOMAIN.COM kerberos1.domain.com
waithidden cmd /c ksetup /addkdc DOMAIN.COM kerberos2.domain.com
waithidden cmd /c ksetup /addkdc DOMAIN.COM kerberos3.domain.com

The reason is that this will give you error codes for every one of those separately in the client log.

If you instead use a BAT file, then you only get a single error code, which wouldn’t be a major issue in this case since all lines of the BAT file are doing something similar, but in other cases you would only get the error code for the last item in the BAT file to execute rather than an error code for everything.
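
An added example, not part of any post above and not BigFix-supplied content: the suggestions in this thread combined into one action script, with native (non-WOW64) execution, one `waithidden` per KDC, and a `continue if` check so the action fails at the first command that returns an error. It assumes `ksetup` returns a non-zero exit code on failure; the realm and KDC host names are the placeholders from the question.

```bigfix
// Added example, not from the thread. DOMAIN.COM and the kerberosN host
// names are the placeholders used in the original question.

// Run the native 64-bit ksetup.exe rather than letting the 32-bit
// BES client be redirected to the WOW64 system directory.
action uses wow64 redirection false

// One waithidden per KDC: the client log records a separate exit code
// for each command instead of a single code for a whole BAT file.
waithidden ksetup /addkdc DOMAIN.COM kerberos1.domain.com
// Assumption: ksetup exits non-zero on failure. If it does, the relevance
// below is false and the action fails on this line.
continue if {exit code of action = 0}

waithidden ksetup /addkdc DOMAIN.COM kerberos2.domain.com
continue if {exit code of action = 0}

waithidden ksetup /addkdc DOMAIN.COM kerberos3.domain.com
continue if {exit code of action = 0}
```

Because the action stops at the failing line, the console shows which KDC entry could not be added, and no trailing `dos echo` masks the result.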