Posted on 07-30-2019 10:52 AM
In Jamf 10.14 (on Ubuntu 18.04), tomcat has moved to systemd instead of the old init script. It seems that all of the handling of the AUTHBIND environment variable has been removed. Setting AUTHBIND=yes no longer works to allow binding to unprivileged ports.
As a workaround, you can make a change to the ExecStart line /etc/systemd/system/jamf.tomcat8.service as follows:
ExecStart=/usr/bin/authbind --deep /usr/local/jss/tomcat/bin/startup.sh
Posted on 08-02-2019 12:51 AM
Good save! This one definitely stumped me when I first realised /etc/init.d/jamf.tomcat8 was gone
Posted on 08-09-2019 04:33 AM
Thanks for that hint! works like a charm for me. I'd be curious if there's an "official" solution for this topic...
Posted on 08-09-2019 06:26 AM
We've circumvented this by running on the default port 8080 and doing our SSL termination at a load balancer instead. Better design than putting Jamf in a DMZ as it means external attackers hit the LB, and Tomcat isn't running as root or has the overhead of SSL decrypt.
Posted on 09-11-2019 12:50 PM
Thank you for posting this. You saved the day.
Posted on 08-19-2021 10:47 AM
A follow-up for anyone else using this authbind fix - it's possible to use a systemd "drop-in" config to make this fix persistent across jamf upgrades. All you need to do is create the file /etc/systemd/system/jamf.tomcat8.service.d/override.conf with the following contents:
[Service]
ExecStart=
ExecStart=/usr/bin/authbind --deep /usr/local/jss/tomcat/bin/startup.sh
This will persistently override the ExecStart command.
Posted on 09-07-2021 09:17 AM
In Ubuntu 20.04.2 LTS I had to edit the file located here:
/etc/systemd/system/jamf.tomcat8.service
Just open it up in your editor of choice and then find the "ExecStart=" line. Edit it to be:
ExecStart=/usr/bin/authbind --deep /usr/local/jss/tomcat/bin/startup.sh
and restart to see it go into effect.
Thanks for the tip @darrelle!