NetDocuments-Archive / rd-winrm-plugin

Allows rundeck to execute commands with powershell
Apache License 2.0

Issue using Kerberos auth #59

Open ndelo opened 6 years ago

ndelo commented 6 years ago

I have RD set up on a RedHat server and have Kerberos authentication configured on that server for our AD domain.

When I change the plugin auth to 'kerberos' instead of 'negotiate', I fail to connect with the following error:

```
/usr/local/share/gems/gems/winrm-2.2.3/lib/winrm/connection_opts.rb:72:in `validate_required_fields': user is a required option (RuntimeError)
16:23:59                from /usr/local/share/gems/gems/winrm-2.2.3/lib/winrm/connection_opts.rb:61:in `validate'
16:23:59                from /usr/local/share/gems/gems/winrm-2.2.3/lib/winrm/connection_opts.rb:33:in `create_with_defaults'
16:23:59                from /usr/local/share/gems/gems/winrm-2.2.3/lib/winrm/connection.rb:66:in `configure_connection_opts'
16:23:59                from /usr/local/share/gems/gems/winrm-2.2.3/lib/winrm/connection.rb:29:in `initialize'
16:23:59                from /var/lib/rundeck/libext/cache/rd-winrm-plugin-1.7.0/winrmexe.rb:135:in `new'
16:23:59                from /var/lib/rundeck/libext/cache/rd-winrm-plugin-1.7.0/winrmexe.rb:135:in `<main>'
```

Why does the error output specify I'm missing a 'user' option? I see a valid 'user' listed in the 'variables' output in my debug. I have tested that this user can log into my RD server locally using kerberos, and it passes my kinit tests.

Am I missing something here?

ndelo commented 6 years ago

I was able to rectify my problems. It seems I was running into 2 issues.

1) The winrm gem wants to validate the user/password options -- https://github.com/WinRb/WinRM/issues/270 -- which were missing from winrmexe.rb
2) The rundeck user cannot access krb tickets for my winrm user

I created a workaround for this by changing the 'auth' section of winrmexe.rb to the following:

```ruby
when 'kerberos'
  system "echo #{pass} | kinit #{user} > /dev/null"
  connections_opts[:user] = user
  connections_opts[:password] = 'not_needed_for_krb'
  connections_opts[:transport] = :kerberos
  connections_opts[:realm] = realm
```

This satisfies the reqs of the gem and caches a krb ticket for my winrm AD service account.

Not sure if this is the right or best way to do things, but it's working in my test environment.
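An added example, not part of the original thread or the plugin's code: the workaround's `system "echo #{pass} | kinit #{user}"` passes the password through a `/bin/sh -c` command string, where shell metacharacters are interpreted and the string is visible in the process list. The sketch below requests the ticket without a shell and writes the password to kinit's stdin; `kinit_argv`, `obtain_ticket`, `TicketResult`, `PRINCIPAL_RE` and the `kinit_cmd` parameter are hypothetical names introduced here.

```ruby
require 'open3'

# Conservative principal shape: name[/instance][@REALM]. Rejecting a leading
# '-' keeps the value from being parsed as a kinit option.
PRINCIPAL_RE = %r{\A[A-Za-z0-9_][A-Za-z0-9._\-]*(/[A-Za-z0-9._\-]+)?(@[A-Za-z0-9.\-]+)?\z}

TicketResult = Struct.new(:ok, :output)

# Build the argument vector for the ticket request. Each element is handed to
# the child process as-is; no shell parses it.
def kinit_argv(user, realm = nil, kinit_cmd: ['kinit'])
  principal = realm && !user.include?('@') ? "#{user}@#{realm}" : user
  raise ArgumentError, "unexpected principal: #{principal.inspect}" unless principal.match?(PRINCIPAL_RE)
  kinit_cmd + [principal]
end

# Request a ticket, writing the password to the child's stdin so it never
# appears in a command line or in a shell string.
# kinit_cmd is a hypothetical hook so the function can be exercised against a
# stand-in program; in the plugin it would stay ['kinit'].
def obtain_ticket(user, pass, realm = nil, kinit_cmd: ['kinit'])
  argv = kinit_argv(user, realm, kinit_cmd: kinit_cmd)
  output, status = Open3.capture2e(*argv, stdin_data: "#{pass}\n")
  TicketResult.new(status.success?, output)
rescue Errno::ENOENT => e
  TicketResult.new(false, "kinit not found: #{e.message}")
end
```

Unlike the `> /dev/null` form, the returned `ok` flag and `output` let the caller stop and report when no ticket was issued, before the WinRM connection is attempted.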