hashicorp / terraform-provider-ad

Active Directory provider for HashiCorp Terraform (experimental)
https://registry.terraform.io/providers/hashicorp/ad/latest
Mozilla Public License 2.0

Kerberos auth not working #62

Closed ryantho6 closed 2 years ago

ryantho6 commented 3 years ago

Terraform Version and Provider Version

Terraform v0.14.2 hashicorp/ad v0.4.0

Windows Version

Client: Windows 10 1909
Domain Controller: Windows 2016
Domain functional level: Windows2008R2Domain

Affected Resource(s)

Terraform Configuration Files

provider "ad" {
    winrm_hostname = "[domaincontroller].[redacted].com"
    winrm_username = "administrator@[redacted].com"
    winrm_password = "[redacted]"
    krb_realm = "[redacted].com"
}

data "ad_ou" "ou_servers" {
  dn = "ou=MemberServers,dc=[redacted],dc=com"
}

resource "ad_computer" "test" {
  name = "test"
  container = data.ad_ou.ou_servers.dn
}

Expected Behavior

Computer object created within assigned OU

Actual Behavior

2020-12-21T12:34:09.233-0800 [DEBUG] plugin.terraform-provider-ad_v0.4.0_x5.exe: 2020/12/21 12:34:09 [DEBUG] Running command Get-ADObject -Properties * -Identity "ou=MemberServers,dc=[redacted]=com" | convertto-json via powershell
2020-12-21T12:34:09.233-0800 [DEBUG] plugin.terraform-provider-ad_v0.4.0_x5.exe: 2020/12/21 12:34:09 [DEBUG] Encoded command: powershell.exe -EncodedCommand RwBlAHQALQBBAEQATwBiAGoAZQBjAHQAIAAtAFAAcgBvAHAAZQByAHQAaQBlAHMAIAAqACAALQBJAGQAZQBuAHQAaQB0AHkAIAAiAG8AdQA9AE0AZQBtAGIAZQByAFMAZQByAHYAZQByAHMALABkAGMAPQBjAG8AcgBwACwAZABjAD0AcwBhAGkAZgAsAGQAYwA9AGMAbwBtACIAIAB8ACAAYwBvAG4AdgBlAHIAdAB0AG8ALQBqAHMAbwBuAA==
2020-12-21T12:34:09.258-0800 [DEBUG] plugin.terraform-provider-ad_v0.4.0_x5.exe: 2020/12/21 12:34:09 [DEBUG] Powershell command exited with code 1
2020-12-21T12:34:09.258-0800 [DEBUG] plugin.terraform-provider-ad_v0.4.0_x5.exe: 2020/12/21 12:34:09 [DEBUG] Stdout: , Stderr:
2020-12-21T12:34:09.258-0800 [DEBUG] plugin.terraform-provider-ad_v0.4.0_x5.exe: 2020/12/21 12:34:09 [DEBUG] run error : could not acquire client credential: could not get valid TGT for client's realm: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (6) KDC_ERR_C_PRINCIPAL_UNKNOWN Client not found in Kerberos database

Steps to Reproduce

  1. terraform plan

Important Factoids

Community Note
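Each remote invocation in the debug log above is recorded as an -EncodedCommand value, which is base64 of the UTF-16LE command text (the "RwBlAHQA" prefix is just "Get"). The following is an added example, not the provider's code, that decodes those values from a constructed log sample so the AD queries Terraform actually ran can be audited; the query text, host names and timestamps in the sample are made up:

```python
import base64
import re

# Matches the provider's debug line '[DEBUG] Encoded command: powershell.exe -EncodedCommand <base64>'
ENCODED_RE = re.compile(r"-EncodedCommand\s+([A-Za-z0-9+/=]+)")

def encode_command(command):
    """Build an -EncodedCommand value the way PowerShell expects it: base64 of UTF-16LE text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

def decode_command(b64):
    """Reverse of encode_command; returns None if the value is not valid base64 / UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None

def commands_from_log(log_text):
    """Decode every -EncodedCommand found in a provider debug log, in order of appearance."""
    return [decode_command(m.group(1)) for m in ENCODED_RE.finditer(log_text)]

# Constructed sample log in the provider's line format; the AD query and timestamps are invented
SAMPLE_QUERY = 'Get-ADObject -Properties * -Identity "ou=Example,dc=example,dc=test" | convertto-json'
SAMPLE_LOG = (
    "2021-01-01T00:00:00.000+0000 [DEBUG] plugin.terraform-provider-ad.exe: "
    "2021/01/01 00:00:00 [DEBUG] Encoded command: powershell.exe -EncodedCommand "
    + encode_command(SAMPLE_QUERY) + "\n"
    "2021-01-01T00:00:00.000+0000 [DEBUG] plugin.terraform-provider-ad.exe: "
    "2021/01/01 00:00:00 [DEBUG] Powershell command exited with code 1\n"
)
```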

jpatigny commented 3 years ago

You need to:

I was able to make it work with those settings:

provider "ad" {
  winrm_hostname = "ad.jej.net"
  winrm_username = "jej"
  winrm_password = "password"
  krb_realm       = "JEJ.NET"
}

NB:

It's working when there is an existing kerberos ticket for the user used to authenticate via winrm (jej in my case because I'm logged on the server with this account). If I set another account, I end up with the same error as you have:

ad_use2020-12-24T11:55:29.483+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Running command Get-ADUser -identity "13fb9423-49bd-43c5-9cbe-d8987621ae53" -properties * | convertto-json via powershell
2020-12-24T11:55:29.483+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Encoded command: powershell.exe -EncodedCommand RwBlAHQALQBBAEQAVQBzAGUAcgAgAC0AaQBkAGUAbgB0AGkAdAB5ACAAIgAxADMAZgBiADkANAAyADMALQA0ADkAYgBkAC0ANAAzAGMANQAtADkAYwBiAGUALQBkADgAOQA4ADcANgAyADEAYQBlADUAMwAiACAALQBwAHIAbwBwAGUAcgB0AGkAZQBzACAAKgAgAHwAIABjAG8AbgB2AGUAcgB0AHQAbwAtAGoAcwBvAG4A
r.u: Refreshing state... [id=13fb9423-49bd-43c5-9cbe-d8987621ae53]
ad_user.u2: Refreshing state... [id=af66c22e-1107-42b7-a81f-697d8f0850a9]
2020-12-24T11:55:29.487+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 Reading ad_user resource for user with guid: "13fb9423-49bd-43c5-9cbe-d8987621ae53"
2020-12-24T11:55:29.487+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Running command Get-ADUser -identity "13fb9423-49bd-43c5-9cbe-d8987621ae53" -properties * | convertto-json via powershell
2020-12-24T11:55:29.487+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Encoded command: powershell.exe -EncodedCommand RwBlAHQALQBBAEQAVQBzAGUAcgAgAC0AaQBkAGUAbgB0AGkAdAB5ACAAIgAxADMAZgBiADkANAAyADMALQA0ADkAYgBkAC0ANAAzAGMANQAtADkAYwBiAGUALQBkADgAOQA4ADcANgAyADEAYQBlADUAMwAiACAALQBwAHIAbwBwAGUAcgB0AGkAZQBzACAAKgAgAHwAIABjAG8AbgB2AGUAcgB0AHQAbwAtAGoAcwBvAG4A
2020-12-24T11:55:29.487+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 Reading ad_user resource for user with guid: "af66c22e-1107-42b7-a81f-697d8f0850a9"
2020-12-24T11:55:29.487+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Running command Get-ADUser -identity "af66c22e-1107-42b7-a81f-697d8f0850a9" -properties * | convertto-json via powershell
2020-12-24T11:55:29.487+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Encoded command: powershell.exe -EncodedCommand RwBlAHQALQBBAEQAVQBzAGUAcgAgAC0AaQBkAGUAbgB0AGkAdAB5ACAAIgBhAGYANgA2AGMAMgAyAGUALQAxADEAMAA3AC0ANAAyAGIANwAtAGEAOAAxAGYALQA2ADkANwBkADgAZgAwADgANQAwAGEAOQAiACAALQBwAHIAbwBwAGUAcgB0AGkAZQBzACAAKgAgAHwAIABjAG8AbgB2AGUAcgB0AHQAbwAtAGoAcwBvAG4A
2020-12-24T11:55:29.562+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Powershell command exited with code 1
2020-12-24T11:55:29.562+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Stdout: , Stderr:
2020-12-24T11:55:29.562+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] run error : could not acquire client credential: could not get valid TGT for client's realm: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (24) KDC_ERR_PREAUTH_FAILED Pre-authentication information was invalid
2020/12/24 11:55:29 [TRACE] vertex "ad_user.u2": visit complete
2020/12/24 11:55:29 [TRACE] vertex "ad_user.u2": dynamic subgraph encountered errors
2020/12/24 11:55:29 [TRACE] vertex "ad_user.u2": visit complete
2020/12/24 11:55:29 [TRACE] vertex "ad_user.u2 (expand)": dynamic subgraph encountered errors
2020/12/24 11:55:29 [TRACE] vertex "ad_user.u2 (expand)": visit complete
2020-12-24T11:55:29.741+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Powershell command exited with code 1
2020-12-24T11:55:29.741+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Stdout: , Stderr:
2020-12-24T11:55:29.741+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] run error : could not acquire client credential: could not get valid TGT for client's realm: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (24) KDC_ERR_PREAUTH_FAILED Pre-authentication information was invalid
2020/12/24 11:55:29 [TRACE] vertex "data.ad_user.u": visit complete
2020/12/24 11:55:29 [TRACE] vertex "data.ad_user.u": dynamic subgraph encountered errors
2020/12/24 11:55:29 [TRACE] vertex "data.ad_user.u": visit complete
2020/12/24 11:55:29 [TRACE] vertex "data.ad_user.u (expand)": dynamic subgraph encountered errors
2020/12/24 11:55:29 [TRACE] vertex "data.ad_user.u (expand)": visit complete
2020/12/24 11:55:29 [TRACE] dag/walk: upstream of "output.trusted_for_delegation" errored, so skipping
2020/12/24 11:55:29 [TRACE] dag/walk: upstream of "output.country" errored, so skipping
2020/12/24 11:55:29 [TRACE] dag/walk: upstream of "output.username" errored, so skipping
2020/12/24 11:55:29 [TRACE] vertex "ad_user.u": visit complete
2020/12/24 11:55:29 [TRACE] vertex "ad_user.u": dynamic subgraph encountered errors
2020/12/24 11:55:29 [TRACE] vertex "ad_user.u": visit complete
2020/12/24 11:55:29 [TRACE] vertex "ad_user.u (expand)": dynamic subgraph encountered errors
2020/12/24 11:55:29 [TRACE] vertex "ad_user.u (expand)": visit complete
2020/12/24 11:55:29 [TRACE] dag/walk: upstream of "provider[\"myregistry/examplecorp/ad\"] (close)" errored, so skipping
2020/12/24 11:55:29 [TRACE] dag/walk: upstream of "meta.count-boundary (EachMode fixup)" errored, so skipping
2020/12/24 11:55:29 [TRACE] dag/walk: upstream of "root" errored, so skipping
2020/12/24 11:55:29 [INFO] backend/local: plan operation completed
2020/12/24 11:55:29 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
2020-12-24T11:55:29.932+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Powershell command exited with code 1
2020-12-24T11:55:29.932+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Stdout: , Stderr:
2020-12-24T11:55:29.932+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] run error : could not acquire client credential: could not get valid TGT for client's realm: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (24) KDC_ERR_PREAUTH_FAILED Pre-authentication information was invalid
2020/12/24 11:55:29 [TRACE] statemgr.Filesystem: unlocked by closing terraform.tfstate
2020-12-24T11:55:29.934+0100 [WARN]  plugin.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"

Error: powershell command failed with exit code 1
stdout:
stderr:
error: could not acquire client credential: could not get valid TGT for client's realm: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (24) KDC_ERR_PREAUTH_FAILED Pre-authentication information was invalid
2020-12-24T11:55:29.946+0100 [DEBUG] plugin: plugin process exited: path=.terraform/providers/myregistry/examplecorp/ad/0.4.1/windows_amd64/terraform-provider-ad.exe pid=5308
2020-12-24T11:55:29.946+0100 [DEBUG] plugin: plugin exited

Error: powershell command failed with exit code 1
stdout:
stderr:
error: could not acquire client credential: could not get valid TGT for client's realm: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (24) KDC_ERR_PREAUTH_FAILED Pre-authentication information was invalid

Error: powershell command failed with exit code 1
stdout:
stderr:
error: could not acquire client credential: could not get valid TGT for client's realm: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (24) KDC_ERR_PREAUTH_FAILED Pre-authentication information was invalid

So I guess we need to find a way to generate a kerberos ticket upfront. As there is no built-in "kinit" command (as far as I know), I need to dig into that. Any extra info about this is welcome.

jpatigny commented 3 years ago

For the management of the kerberos ticket you can use kinit by installing java on your server.

ryantho6 commented 3 years ago

For the management of the kerberos ticket you can use kinit by installing java on your server.

Any way to include that in the provider? Or better yet, without using Java?

awasilyev commented 3 years ago

Trying to get it working from a Mac:

$ kinit -f alexey.wasilyev
alexey.wasilyev@XXX.COM's password:
$ klist
Credentials cache: API:02FF1088-85DD-4C58-8476-489A776EE454
        Principal: alexey.wasilyev@XXX.COM

  Issued                Expires               Principal
Jan  7 16:25:37 2021  Jan  8 02:25:33 2021  krbtgt/XXX.COM@XXX.COM
$ cat provider.tf
provider "ad" {
  winrm_hostname = "localhost"
  krb_realm      = "XXX.COM"
  krb_conf       = "krb.conf"
  winrm_username = "alexey.wasilyev"
  winrm_password = "xx"
}
$ terraform apply
ad_ou.o: Refreshing state... [id=766eefd4-63f5-4231-8493-c377eff94f7a]
ad_gpo.g: Refreshing state... [id=1622b485-9bd1-4815-a39b-8268de150784]

Error: powershell command failed with exit code 1
stdout:
stderr:
error: could not acquire client credential: could not get valid TGT for client's realm: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (24) KDC_ERR_PREAUTH_FAILED Pre-authentication information was invalid

It does not try to use the ticket from the keytab; it uses winrm_password instead. I would prefer not to have my password defined in clear text in tf code or an env variable. How do I get it working with a keytab?

winrm_hostname = "localhost" is fine, I've forwarded ports 88/tcp and 5985/tcp to localhost from the Windows AD DC.

koikonom commented 3 years ago

Hi @ryantho6, thanks for reporting this issue.

I looked at your initial log and my first suggestion would be what @jpatigny said, set your username without the @<domain> bit and try again.

@jpatigny I looked at the additional work you put into this (thanks for that as well :) ) and I tried to reproduce the issue with no success. I created a new user on my test DC, configured my provider to use that user's credentials and ran some tests without any issues. I never logged on to my system as that user before running the test. If you were running terraform on a server different than the DC then make sure the clocks were in sync, since time drift was one of the reasons I got the same error message as you did during development.

@awasilyev the underlying kerberos library we're using supports keytab files, so this looks like a possibility. ~Would you mind opening a new issue so we can prioritise and track this separately ?~ I opened issue #79 to track this.

koikonom commented 3 years ago

Hello @ryantho6, is this still an issue?

ryantho6 commented 3 years ago

Hi @koikonom Yeah, came back to this and still having major issues. Below are my current files and debug log. I don't get how to set this up properly. Creating a Kerberos ticket ahead of time does not sound like a valid solution.

Now using Terraform v1.0.5 and provider v0.4.3

#main.tf
provider "ad" {
    winrm_hostname = "server.[redacted].com" //domain server used for running PowerShell (also tried using a DC here)
    winrm_username = "ryan" //my domain username with rights to WINRM and query/modify AD
    winrm_password = "[redacted]"
    krb_realm = "[REDACTED].[REDACTED].COM"
}
#ad.tf
data "ad_ou" "ou_servergroups" {
  ou_id = "OU=Servers,OU=System Administration,DC=REDACTED,DC=REDACTED,DC=com"
}

resource "ad_group" "testgroup" {
  name = "test"
  sam_account_name = "test"
  scope = "domainlocal"
  category = "security"
  container = data.ad_ou.ou_servergroups.ou_id
}
2021-09-02T14:43:36.019-0700 [INFO]  provider.terraform-provider-ad_v0.4.3_x5.exe: 2021/09/02 14:43:36 [DEBUG] Checking if connection should be local: timestamp=2021-09-02T14:43:36.011-0700
2021-09-02T14:43:36.020-0700 [INFO]  provider.terraform-provider-ad_v0.4.3_x5.exe: 2021/09/02 14:43:36 [DEBUG] Local connection ? false: timestamp=2021-09-02T14:43:36.011-0700
2021-09-02T14:43:36.022-0700 [INFO]  provider.terraform-provider-ad_v0.4.3_x5.exe: 2021/09/02 14:43:36 [DEBUG] Checking to see if credentials should be passed: timestamp=2021-09-02T14:43:36.011-0700
2021-09-02T14:43:36.023-0700 [INFO]  provider.terraform-provider-ad_v0.4.3_x5.exe: 2021/09/02 14:43:36 [DEBUG] Pass Credentials ? false: timestamp=2021-09-02T14:43:36.011-0700
2021-09-02T14:43:36.025-0700 [INFO]  provider.terraform-provider-ad_v0.4.3_x5.exe: 2021/09/02 14:43:36 [DEBUG] Constructing powerrshell command: Get-ADObject -Properties * -Identity "OU=Servers,OU=System Administration,DC=REDACTED,DC=REDACTED,DC=com" | ConvertTo-Json: timestamp=2021-09-02T14:43:36.011-0700
2021-09-02T14:43:36.026-0700 [INFO]  provider.terraform-provider-ad_v0.4.3_x5.exe: 2021/09/02 14:43:36 [DEBUG] Executing command on remote host: timestamp=2021-09-02T14:43:36.011-0700
2021-09-02T14:43:38.109-0700 [INFO]  provider.terraform-provider-ad_v0.4.3_x5.exe: 2021/09/02 14:43:38 [DEBUG] Powershell command exited with code 1: timestamp=2021-09-02T14:43:38.109-0700
2021-09-02T14:43:38.115-0700 [INFO]  backend/local: plan operation completed
2021-09-02T14:43:38.118-0700 [INFO]  provider.terraform-provider-ad_v0.4.3_x5.exe: 2021/09/02 14:43:38 [DEBUG] run error : could not acquire client credential: could not get valid TGT for client's realm: [Root cause: Networking_Error] Networking_Error: AS Exchange Error: failed sending AS_REQ to KDC: communication error with KDC via TCP: error in getting a TCP connection to any of the KDCs: timestamp=2021-09-02T14:43:38.109-0700
2021-09-02T14:43:38.160-0700 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2021-09-02T14:43:38.172-0700 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/ad/0.4.3/windows_amd64/terraform-provider-ad_v0.4.3_x5.exe pid=20316
2021-09-02T14:43:38.176-0700 [DEBUG] provider: plugin exited

ryantho6 commented 3 years ago

If I try the domain "Administrator" account and specify a DC as winrm_hostname, I get this error: error: could not acquire client credential: could not get valid TGT for client's realm: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (24) KDC_ERR_PREAUTH_FAILED Pre-authentication information was invalid

ryantho6 commented 2 years ago

So I think this is mostly due to not having proper documentation. I did a ton of digging on krb5 conf and trial-and-error. Finally got WinRM double hop to work:

main.tf:

provider "ad" {
    winrm_hostname = "SERVER.DOMAIN.COM" //FQDN of a server with AD module installed
    winrm_username = "USERNAME" //not UPN
    winrm_password = var.domain_pass
    krb_conf       = "krb5.conf"
    krb_realm = "DOMAIN.COM" //Domain name
    krb_spn = "Server" //Name of same server as winrm_hostname. Not FQDN.
    winrm_pass_credentials = true
    winrm_proto = "https"
    winrm_port = 5986
}

krb5.conf:

[libdefaults]
   default_realm = DOMAIN.COM
   dns_lookup_realm = false
   dns_lookup_kdc = false

[realms]
 # DOMAIN.COM is the domain name; kdc, admin_server and master_kdc point at a specific domain controller
 # (krb5.conf comments start with '#'; the original '//' annotations are not valid syntax)
 DOMAIN.COM = {
      kdc = DC01.DOMAIN.COM
      admin_server = DC01.DOMAIN.COM
      default_domain = DOMAIN.COM
      master_kdc = DC01.DOMAIN.COM
  }

[domain_realm]
  .kerberos.server = DOMAIN.COM
  # replace both parts of the next two lines
  .domain.com = DOMAIN.COM
  domain.com = DOMAIN.COM
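The working combination in the last comment (bare account name rather than UPN, upper-case realm, short-name krb_spn, an explicit kdc under [realms] and a [domain_realm] mapping) can be checked before running terraform. The following is an added example, not the provider's code, with a minimal krb5.conf parser and constructed samples that mirror the thread's final configuration; all host, realm and account names are placeholders:

```python
import re

# Constructed samples shaped like the thread's final working configuration (placeholder names)
PROVIDER_HCL = '''provider "ad" {
    winrm_hostname = "SERVER.DOMAIN.COM"
    winrm_username = "USERNAME"
    krb_realm      = "DOMAIN.COM"
    krb_spn        = "Server"
}'''
KRB5_CONF = '''[libdefaults]
   default_realm = DOMAIN.COM
[realms]
 DOMAIN.COM = {
      kdc = DC01.DOMAIN.COM
  }
[domain_realm]
  .domain.com = DOMAIN.COM
  domain.com = DOMAIN.COM'''

def parse_hcl_strings(text):  # flat key = "value" assignments of a provider block
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', text, re.M))

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: section -> key -> value, with one level of { } nesting."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment in krb5.conf
        if line.startswith("["):
            section, sub = line.strip("[]"), None
            conf[section] = {}
        elif line.endswith("{"):               # e.g. 'DOMAIN.COM = {'
            sub = line[:-1].split("=")[0].strip()
            conf[section][sub] = {}
        elif line == "}":
            sub = None
        elif "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            (conf[section][sub] if sub else conf[section])[key] = val
    return conf

def check(provider, krb5):  # findings for the pitfalls seen in this thread; [] means none found
    user, realm, spn = (provider.get(k, "") for k in ("winrm_username", "krb_realm", "krb_spn"))
    findings = []
    if "@" in user:
        findings.append("winrm_username is a UPN; use the bare account name")
    if realm != realm.upper():
        findings.append("krb_realm should be the upper-case Kerberos realm")
    if "." in spn:
        findings.append("krb_spn should be the host's short name, not an FQDN")
    if "kdc" not in krb5.get("realms", {}).get(realm, {}):
        findings.append(f"krb5.conf [realms] defines no kdc for {realm}")
    if realm not in krb5.get("domain_realm", {}).values():
        findings.append(f"krb5.conf [domain_realm] has no mapping to {realm}")
    return findings
```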