Ghost Solution Suite

  • 1.  Applications that negatively impact GSS 2.0 - Courion & Safeboot Encryption

    Posted Mar 27, 2007 12:11 PM
    Folks,
     
    I've been using GSS for a month now, trying to get this working with our many different builds including WIN2K and WINXP.  It works great except for the following MAJOR problems:
     
    1 - Courion Identity Management Suite(IMS) - Password Self Service application allows users to change their passwords.  The problem is that IMS inserts its own gina which conflicts with the gina that GSS inserts.  The only solution I've found is to remove IMS, which fixes the issue.  Is there an alternative?
     
    2 - Laptop Encryption - We use Safeboot and I've found that this one is a show stopper.  When GSS tries to create the Virtual Partition, it fails with the message "Error Loading Operating System".  Is there any way around this?
     
    Thanks for any help that can be given.
     
    Bill Leahy


  • 2.  RE: Applications that negatively impact GSS 2.0 - Courion & Safeboot Encryption

    Posted Mar 28, 2007 06:15 AM
    Thanks for the heads-up on these compatibility issues!


    Password Self Service application allows users to change their passwords. The problem is that IMS inserts its own gina which conflicts with the gina that GSS inserts. The only solution I've found is to remove IMS, which fixes the issue.


    Exactly what form do the conflicts take? The GINA DLL that we use to prevent user logins when running AutoInstall-based operations isn't really an essential part of GSS; in Vista we use a GPO extension instead of a GINA for this purpose since it's much more robust.

    Although the design of the GINA extension system doesn't permit more than one to be installed, if Ghost's GINA is installed when an existing one is present, it records the existing one and will chain along to it. Ghost's one does kinda want to be first in the chain since it exists merely to delay any other ones from running, but since that's its only purpose in life the best option in the short term may be for us to provide you a way to disable ours.

    Anyway, I've taken a look at the Courion site and I can't see an easy way to get in touch with any of their devs (or, for that matter, get hold of the software so we can look at reproducing your problem in an environment where we can diagnose the interaction), but I can try dropping an e-mail to their support line and see how far that gets me.


    We use Safeboot and I've found that this one is a show stopper. When GSS tries to create the Virtual Partition, it fails with the message "Error Loading Operating System". Is there any way around this?

    If you are using SafeBoot on the boot volume, probably not easily while using the Virtual Partition, unless SafeBoot has an API we can use to bypass the encryption on the file we create that contains the Virtual Partition.

    However, the older Ghost Boot Partition system creates a separate, normally hidden partition to hold the console's client. Unlike the virtual partition it's not created automatically on demand; you need to construct the GBP using the Ghost Boot Wizard and deploy it to the system, then lay down the system you need. Because this keeps the DOS-level Ghost pieces separate from Safeboot, you should be able to get further.

    Because of the way most such full-disk encryption products work, many of the regular Ghost and console features could be unavailable when working against encrypted filesystems, but depending on your needs this may at least help.


  • 3.  RE: Applications that negatively impact GSS 2.0 - Courion & Safeboot Encryption

    Posted Mar 28, 2007 07:05 AM
    Nigel,
     
    Thanks for the reply....
     
    The problem/conflict with Courion manifests itself by Windows failing to log in and a DLL error being displayed.  To get around it, I logged in to Safe Mode and then removed the Courion product.  Please note that we've had this issue with Novell and the only solution was to install Courion last.
     
    With regard to Safeboot, is there any way to create the virtual partition on a network drive?  What about a floppy or CD?
     
    Bill
     
     


  • 4.  RE: Applications that negatively impact GSS 2.0 - Courion & Safeboot Encryption

    Posted Mar 28, 2007 09:42 AM

    The problem/conflict with Courion manifests itself by Windows failing to log in and a DLL error being displayed.

    Ah, interesting. If possible, could you send me a screenshot of the error (to nigel dot bree at gmail dot com)? It's likely that we'll need to figure out a way that I can inspect a memory dump of the winlogon.exe process at the point where it has this error displayed (such as by using a tool like the User Mode Process Dumper), so I could inspect the situation in a debugger.


    With regard to Safeboot, is there any way to create the virtual partition on a network drive? What about a floppy or CD?

    Actually, we do support something like that, although we don't provide simple tools for it. The original style of Ghost Boot Partition that you can build using the Ghost Boot Wizard can be turned into either a bootable CD or into a PXE network boot package, and it is possible (albeit tricky) to even create a boot floppy that loads the console client from a network drive.

    I believe the Ghost Boot Wizard can directly make a PXE boot package for the console, but I'm not the real expert on using PXE boot packages. Adina posted on the process in this thread and that may give you a few ideas.

    If you want to try making a CD instead, the Ghost Boot Partition that the Boot Wizard manufactures is just a plain old FAT16 filesystem wrapped in a .GHO file; it's really much the same as any other boot diskette or CD that the Ghost Boot Wizard makes, except that:
    a) it's wrapped in a .GHO instead of a .ISO (for a CD boot) or on a floppy,
    b) it contains two extra files, the console client NGCTDOS.EXE plus a PUBKEY.CRT file that identifies the console machine that manages the machine,
    c) the autoexec.bat runs the NGCTDOS.EXE application instead of GHOST.EXE, and
    d) the DOS client likes to be able to write files, so you might need to load up a RAMDISK and run the client from inside that.

    So, if you make a regular bootable (manual) Ghost CD, you may be able to use your CD-burning software or an ISO image editor to tweak the CD to boot into the console client instead. Krish or Adina probably know more about that than I do, though.


  • 5.  RE: Applications that negatively impact GSS 2.0 - Courion & Safeboot Encryption

    Posted Mar 28, 2007 10:50 AM
    Nigel,
     
    I will get you the screen capture  of the Courion error along with any information on the dump process. 
     
    We spoke with Safeboot and they indicated that it won't be compatible.  They said that anything that moves or changes the Master Boot Record will poison the SafeBoot installation.
     
    So......I will now pursue a different course.  I will look into some of the alternatives that you spoke about.  Question though, would it be helpful to call Technical Support?  Would they know about alternatives?
     
    Thanks,
     
    Bill
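
Added example, not part of the original thread and not Symantec or SafeBoot tooling: since the last post reports that anything that moves or changes the Master Boot Record breaks the SafeBoot installation, this sketch compares two saved copies of sector 0 and reports whether the boot code or the partition table differs. The function names and the two sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_END = 446   # bytes 0..445: bootstrap code (plus disk signature)
TABLE_END = 510       # bytes 446..509: four 16-byte partition entries

def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash and the used partition entries of an MBR."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        entry = sector[BOOT_CODE_END + 16 * i:BOOT_CODE_END + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype:  # type 0x00 marks an unused slot
            parts.append((i, status == 0x80, ptype, lba_start, count))
    return {"boot_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
            "partitions": parts}

def diff_mbr(before: bytes, after: bytes) -> list:
    """List which parts of the MBR differ between two snapshots."""
    a, b = parse_mbr(before), parse_mbr(after)
    changes = []
    if a["boot_sha256"] != b["boot_sha256"]:
        changes.append("boot code changed")
    if a["partitions"] != b["partitions"]:
        changes.append("partition table changed")
    return changes

def make_mbr(boot_fill: int, entries: list) -> bytes:
    """Build a constructed sample MBR (not captured from a real disk)."""
    sector = bytearray([boot_fill]) * BOOT_CODE_END
    for status, ptype, lba, count in entries:
        sector += struct.pack("<B3xB3xII", status, ptype, lba, count)
    sector += bytes(TABLE_END - len(sector))  # zero-fill unused slots
    return bytes(sector + b"\x55\xaa")

# Constructed snapshots: one active NTFS partition, then the same disk with
# different boot code and the active flag moved to an added FAT16 partition.
BASELINE = make_mbr(0xEB, [(0x80, 0x07, 63, 1000000)])
MODIFIED = make_mbr(0x90, [(0x00, 0x07, 63, 1000000),
                           (0x80, 0x06, 1000063, 32768)])

if __name__ == "__main__":
    print(diff_mbr(BASELINE, MODIFIED))
```
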