Open lw-schick opened 7 years ago
Have you already gotten a valid Kerberos ticket using kinit before running this?
Same problem here, but successful with kinit indeed.
What I have to do in my Ansible playbooks is a step that runs kinit on the local server before trying any remote commands. I'm sure you could do this with the key store and a local command? echo 'password' | kinit user@DOMAINNAME.COM
@absolutejam thanks for mentioning that. I will try in the next few days to see if this fixes my issue and report the results back in this thread.
@absolutejam This is working. Using kinit generates a valid Kerberos object for 24h on the Linux machine. After this object is created everything is just fine. Keep in mind that the object is temporary, so go ahead and implement an automatic process to renew it (you can do it on Rundeck too, yay!).
Example: su -s /bin/bash -c 'echo kerberos-password | kinit kerberos-username' local-rundeck-user
@mengine23 Thanks, that works. I will implement it as a workaround, but it doesn't sound like a nice solution.
Does someone else have a better one? ( @absolutejam ? )
The biggest issue seems to be how to integrate the Rundeck environment/user with AD, as opposed to 'asking for permission' from the outside. This isn't so much an rd-winrm-plugin, Rundeck or even Ruby issue, just a limitation of using a setup like this.
You could try binding the Rundeck server to AD and see if that helps, as I believe (I've only ever briefly tested it) this will cause auto creation of Kerberos tickets. Best to research this before diving in head first, I could be very wrong!
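An added example, not part of the thread or of rd-winrm-plugin: one way to automate the ticket step discussed above without putting the password on a command line, by using a keytab instead. The keytab path and principal are assumptions, and it relies on MIT Kerberos `klist -s` / `kinit -k -t` and GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the thread): ensure the Rundeck service account has a
# valid Kerberos ticket before a WinRM job runs, using a keytab rather than
# piping a password into kinit.

# Assumed values; adjust to your environment.
KEYTAB="${KEYTAB:-/etc/rundeck/rundeck.keytab}"            # hypothetical path
PRINCIPAL="${PRINCIPAL:-kerberos-username@DOMAINNAME.COM}"  # placeholder principal

# A keytab is equivalent to the account password, so refuse to use one
# that is readable by anyone other than its owner.
keytab_is_private() {
    [ -f "$1" ] || return 1
    perms=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$perms" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Returns 0 when a valid ticket exists or was obtained,
# 2 when the keytab is missing or too permissive,
# otherwise the exit status of kinit.
ensure_ticket() {
    # klist -s prints nothing and exits 0 only if the credential cache
    # holds unexpired credentials.
    if klist -s; then
        return 0
    fi
    if ! keytab_is_private "$KEYTAB"; then
        echo "keytab missing or too permissive: $KEYTAB" >&2
        return 2
    fi
    # -k -t: authenticate with the key stored in the keytab, no password prompt.
    kinit -k -t "$KEYTAB" "$PRINCIPAL"
}

# Call ensure_ticket as the first step of a job, or from a scheduled job
# running as the local Rundeck user.
```

Run it as the same local user that executes the Rundeck jobs, since the credential cache is per user.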
What I did
I created a simple Rundeck project with WinRM Executor running PowerShell with authentication method plaintext. I created a simple job that writes out the current user with:
That worked fine and showed me that I was using authentication method NTLM. Now I wanted to switch to Kerberos (because I have a special script that only works in Kerberos mode) - so I switched the authentication method from plaintext to kerberos. I tried to start the job.
Result
The Job failed with