Export from command-line permission issues #100

jshirle2 opened this issue Jan 18, 2024 · 6 comments

jshirle2 commented Jan 18, 2024

I am receiving the following error message when trying to export raw XML from the command-line:

20240118_135546 ----------- Starting Export Only -----------
20240118_135546 [JamfPro.getToken] Skip getToken for dest: 
20240118_135546 [JamfPro.getToken] Token for source server is 0 minutes old.
20240118_135546 [JamfPro.getToken] Attempting to retrieve token from https://SERVERNAME/api/v1/auth/token
20240118_135546 [JamfPro.getToken] Failed to authenticate to https://SERVERNAME.jamfcloud.com.  Response error: 401.

I have been using an account with read-only access for migration and that has worked fine with this same account. Are there different permissions required for exporting rather than migrating? I assumed they were the same. The odd thing is I have the credentials stored in the keychain, and I can see those credentials (JPMA-SERVERNAME) but it seems to just not be using those credentials when exporting via CLI.

Thanks for the great app!

@BIG-RAT
Contributor

BIG-RAT commented Jan 22, 2024

What command line options are you using to launch the app? Using -sourceUseClientId and -sourceClientId? Note, API client info should be stored as jamf-migrator-apiClient-<server> in the keychain, at least with the latest version.
/Applications/jamf-migrator.app/Contents/MacOS/jamf-migrator -help to view all command line options.

@jshirle2
Author

We have not switched things over to use API Roles and Clients. The command I have been testing with is

/Applications/jamf-migrator.app/Contents/MacOS/jamf-migrator -source https://SERVER -export -objects building

I plan to export many more objects but wanted to get this error message sorted first.

I did notice something odd... We are running Jamf Migrator automatically, on a schedule, to clone our production instance to our test instance. This is done on our Mac Mini that we use for automation tasks. I left JAMF Migrator in Export mode after testing with it manually yesterday, and then the automated task to migrate failed this morning. Does the CLI not switch between modes properly? Just a thought.

@BIG-RAT
Contributor

BIG-RAT commented Jan 23, 2024

I must have API client stuck on the brain, sorry for the misdirect.
Try adding the following switch to help the keychain lookup: -sourceUser <someUser>
Of course replace <someUser> with the account that’s stored in the keychain entry.

@jshirle2
Author

I tried

/Applications/jamf-migrator.app/Contents/MacOS/jamf-migrator -source SERVER -export -objects buildings -sourceUser APIUSER

as well as

/Applications/jamf-migrator.app/Contents/MacOS/jamf-migrator -source SERVER -export -objects buildings -sourceUser KEYCHAINITEMNAME (EG JPMA-SERVER)

In both cases, I received the output

[Credentials.itemLookup] start search for: JPMA-SERVER
[JamfPro] source received a new token

Which, again, is odd because the Keychain Item is there; it just seemingly isn't finding it.

@BIG-RAT
Contributor

BIG-RAT commented Jan 24, 2024

v7.4.2 should have the issue resolved. Let me know how it goes as time permits.

@jshirle2
Author

Ok so finally got around to this again. So I can get this to run when the user is logged into our automation mini. When the user is not logged in though, it will just hang forever.

I noticed that the keychain for this is stored in Local Items. How would you feel about having an option to have it stored in the login keychain instead? The reason being that we can issue a command security unlock-keychain which should work for allowing access to the keychain even when no one is logged in, but I have not found a way to do that for the Local Items keychain.
