JamfMigrator icon indicating copy to clipboard operation
JamfMigrator copied to clipboard

Published 20 hours ago verified publisher icon jamf

Export from command-line permission issues

Open jshirle2 opened this issue 1 year ago • 5 comments

I am receiving the following error message when trying to export raw XML from the command-line:

20240118_135546 ----------- Starting Export Only -----------
20240118_135546 [JamfPro.getToken] Skip getToken for dest: 
20240118_135546 [JamfPro.getToken] Token for source server is 0 minutes old.
20240118_135546 [JamfPro.getToken] Attempting to retrieve token from https://SERVERNAME/api/v1/auth/token
20240118_135546 [JamfPro.getToken] Failed to authenticate to https://SERVERNAME.jamfcloud.com.  Response error: 401.

I have been using an account with read-only access for migration and that has worked fine with this same account. Are there different permissions required for exporting rather than migrating? I assumed they were the same. The odd thing is I have the credentials stored in the keychain, and I can see those credentials (JPMA-SERVERNAME) but it seems to just not be using those credentials when exporting via CLI.

Thanks for the great app!

jshirle2 avatar Jan 18 '24 22:01 jshirle2

What command line options are you using to launch the app? Using -sourceUseClientId and -sourceClientId? Note, API client info should be stored as jamf-migrator-apiClient-<server> in the keychain, at least with the latest version. /Applications/jamf-migrator.app/Contents/MacOS/jamf-migrator -help to view all command line options.

BIG-RAT avatar Jan 22 '24 19:01 BIG-RAT

We have not switched things over to use API Roles and Clients. The command I have been testing with is

/Applications/jamf-migrator.app/Contents/MacOS/jamf-migrator -source https://SERVER -export -objects building

I plan to export many more objects but wanted to get this error message sorted first.

I did notice something odd... We are running Jamf Migrator automatically, on a schedule, to clone our production instance to our test instance. This is done on our Mac Mini that we use for automation tasks. I left JAMF Migrator in Export mode after testing with it manually yesterday, and then the automated task to migrate failed this morning. Does the CLI not switch between modes properly? Just a thought.

jshirle2 avatar Jan 23 '24 00:01 jshirle2

I must have API client stuck on the brain, sorry for the misdirect. Try adding the following switch to help the keychain lookup: -sourceUser <someUser> Of course replace <someUser> with the account that’s stored in the keychain entry.

BIG-RAT avatar Jan 23 '24 02:01 BIG-RAT

I tried

/Applications/jamf-migrator.app/Contents/MacOS/jamf-migrator -source SERVER -export -objects buildings -sourceUser APIUSER

as well as

/Applications/jamf-migrator.app/Contents/MacOS/jamf-migrator -source SERVER -export -objects buildings -sourceUser KEYCHAINITEMNAME (EG JPMA-SERVER)

In both cases, I received the output

[Credentials.itemLookup] start search for: JPMA-SERVER
[JamfPro] source received a new token

Which again, is odd because the Keychain Item is there it just seemingly isn't finding it.

jshirle2 avatar Jan 24 '24 17:01 jshirle2

v7.4.2 should have the issue resolved. Let me know how it goes as time permits.

BIG-RAT avatar Jan 24 '24 21:01 BIG-RAT