NetDocuments-Archive / rd-winrm-plugin

Allows rundeck to execute commands with powershell
Apache License 2.0

Kerberos Authentication | Unspecified GSS failure #35

Open lw-schick opened 7 years ago

lw-schick commented 7 years ago

What I did

I created a simple RunDeck Project with WinRM Executor running powershell with authentication method plaintext. I created a simple job that writes out the current user with:

[System.Security.Principal.WindowsIdentity]::GetCurrent() | ConvertTo-Json | Write-Host

That worked fine and showed me that I was using authentication method NTLM. Now I wanted to switch to Kerberos (because I have a special script that only works in Kerberos mode), so I switched the authentication method from plaintext to kerberos. I tried to start the job.

Result

The Job failed with

/var/lib/gems/2.3.0/gems/gssapi-1.2.0/lib/gssapi/simple.rb:95:in `init_context': gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information (GSSAPI::GssApiError)
No Kerberos credentials available
    from /var/lib/gems/2.3.0/gems/winrm-1.8.1/lib/winrm/http/transport.rb:334:in `init_krb'
    from /var/lib/gems/2.3.0/gems/winrm-1.8.1/lib/winrm/http/transport.rb:274:in `initialize'
    from /var/lib/gems/2.3.0/gems/winrm-1.8.1/lib/winrm/winrm_service.rb:65:in `new'
    from /var/lib/gems/2.3.0/gems/winrm-1.8.1/lib/winrm/winrm_service.rb:65:in `init_kerberos_transport'
    from /var/lib/gems/2.3.0/gems/winrm-1.8.1/lib/winrm/winrm_service.rb:51:in `initialize'
    from /var/lib/rundeck/libext/cache/rd-winrm-plugin-1.5.1/winrmcp.rb:50:in `new'
    from /var/lib/rundeck/libext/cache/rd-winrm-plugin-1.5.1/winrmcp.rb:50:in `<main>'
Failed dispatching to node myserver.mydomain.local: [WinRMcp]: external script failed with exit code: 1
Execution failed: 229389: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [myserver..local: NonZeroResultCode: [WinRMcp]: external script failed with exit code: 1]}, Node failures: {myserver.mydomain.local=[NonZeroResultCode: [WinRMcp]: external script failed with exit code: 1]}, status: failed]

absolutejam commented 7 years ago

Have you already gotten a valid kerberos ticket using kinit before running this?

mengine23 commented 7 years ago

Same problem here, but successful with kinit indeed.

absolutejam commented 7 years ago

What I have to do in my Ansible playbooks is a step that runs kinit on the local server before trying any remote commands. I'm sure you could do this with the key store and a local command? echo 'password' | kinit user@DOMAINNAME.COM

mengine23 commented 7 years ago

@absolutejam thanks for mentioning that. Will try these days if this is going to fix my issue and get back with the results in this thread.

mengine23 commented 7 years ago

@absolutejam This is working. Using kinit generates a valid kerberos object for 24h on the Linux machine. After this object is created everything is just fine. Keep in mind that the object is temporary, so go ahead and implement an automatic process to renew it (you can do it on rundeck too, yay!).

Example: su -s /bin/bash -c 'echo kerberos-password | kinit kerberos-username' local-rundeck-user
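The renewal process suggested above, written out as an added example that is not part of rd-winrm-plugin or the winrm gem: a small Ruby helper that checks the Rundeck user's credential cache and runs kinit only when the TGT is missing or about to expire, using a keytab instead of echoing a password on the command line. It assumes a keytab at /etc/rundeck/rundeck.keytab, the principal rundeck@EXAMPLE.COM, and MIT klist's default MM/DD/YYYY date format; the klist output embedded in it is constructed for illustration.

```ruby
#!/usr/bin/env ruby
# Hypothetical TGT renewal helper for the Rundeck service user (not plugin code).
# Run it periodically (cron or a scheduled Rundeck job) as the local rundeck user
# so the Kerberos WinRM transport never hits "No Kerberos credentials available".
require 'time'

KEYTAB        = ENV.fetch('RUNDECK_KEYTAB', '/etc/rundeck/rundeck.keytab') # assumed path
PRINCIPAL     = ENV.fetch('RUNDECK_PRINCIPAL', 'rundeck@EXAMPLE.COM')     # assumed principal
MIN_REMAINING = 2 * 60 * 60 # renew when less than two hours of validity remain

# Constructed sample of MIT `klist` output, used for offline checks.
SAMPLE_KLIST = <<~KLIST
  Ticket cache: FILE:/tmp/krb5cc_rundeck
  Default principal: rundeck@EXAMPLE.COM

  Valid starting       Expires              Service principal
  01/15/2018 08:00:00  01/15/2018 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
      renew until 01/22/2018 08:00:00
KLIST

# Expiry Time of the krbtgt entry in klist output, or nil when no TGT is listed
# (empty cache, missing cache file, or an error message instead of a table).
def tgt_expiry(klist_output)
  klist_output.each_line do |line|
    m = line.match(%r{\A\s*\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\s+(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+krbtgt/})
    return Time.strptime(m[1], '%m/%d/%Y %H:%M:%S') if m
  end
  nil
end

# True when kinit is needed: no TGT, or it expires within min_remaining seconds.
def needs_renewal?(klist_output, now = Time.now, min_remaining = MIN_REMAINING)
  expiry = tgt_expiry(klist_output)
  expiry.nil? || (expiry - now) < min_remaining
end

# Inspect the real cache and kinit from the keytab if required.
# Returns :ok (ticket still good), :renewed, or :failed (kinit error).
def ensure_tgt
  return :ok unless needs_renewal?(`klist 2>/dev/null`)
  system('kinit', '-kt', KEYTAB, PRINCIPAL) ? :renewed : :failed
end

# Only touches the real cache when invoked as `ruby tgt_renew.rb --run`.
if __FILE__ == $PROGRAM_NAME && ARGV.include?('--run')
  status = ensure_tgt
  puts "kerberos TGT: #{status}"
  exit(status == :failed ? 1 : 0)
end
```

The exit code makes a failed kinit visible to the scheduler that runs it, which is the signal to alert on before the WinRM jobs start failing.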

lw-schick commented 7 years ago

@mengine23 Thanks, that works. I will implement it as a workaround, but it doesn't sound like a nice solution.

Does someone else have a better one? ( @absolutejam ? )

absolutejam commented 7 years ago

The biggest issue seems to be how to integrate the Rundeck environment/user with AD, as opposed to 'asking for permission' from the outside. This isn't so much a rd-winrm-plugin, Rundeck or even Ruby issue, just a limitation of using a setup like this.

You could try binding the Rundeck server to AD and see if that helps, as I believe (I've only ever briefly tested it) this will cause auto creation of kerberos tickets. Best to research this before diving in head first, I could be very wrong!