Closed. ryantho6 closed this issue 2 years ago.
You need to:
I was able to make it work with these settings:
provider "ad" {
  winrm_hostname = "ad.jej.net"
  winrm_username = "jej"
  winrm_password = "password"
  krb_realm      = "JEJ.NET"
}
NB:
It's working when there is an existing Kerberos ticket for the user used to authenticate via WinRM (jej in my case, because I'm logged on to the server with this account). If I set another account, I end up with the same error as you have:
ad_user.u: Refreshing state... [id=13fb9423-49bd-43c5-9cbe-d8987621ae53]
2020-12-24T11:55:29.483+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Running command Get-ADUser -identity "13fb9423-49bd-43c5-9cbe-d8987621ae53" -properties * | convertto-json via powershell
2020-12-24T11:55:29.483+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Encoded command: powershell.exe -EncodedCommand RwBlAHQALQBBAEQAVQBzAGUAcgAgAC0AaQBkAGUAbgB0AGkAdAB5ACAAIgAxADMAZgBiADkANAAyADMALQA0ADkAYgBkAC0ANAAzAGMANQAtADkAYwBiAGUALQBkADgAOQA4ADcANgAyADEAYQBlADUAMwAiACAALQBwAHIAbwBwAGUAcgB0AGkAZQBzACAAKgAgAHwAIABjAG8AbgB2AGUAcgB0AHQAbwAtAGoAcwBvAG4A
ad_user.u2: Refreshing state... [id=af66c22e-1107-42b7-a81f-697d8f0850a9]
2020-12-24T11:55:29.487+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 Reading ad_user resource for user with guid: "13fb9423-49bd-43c5-9cbe-d8987621ae53"
2020-12-24T11:55:29.487+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Running command Get-ADUser -identity "13fb9423-49bd-43c5-9cbe-d8987621ae53" -properties * | convertto-json via powershell
2020-12-24T11:55:29.487+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Encoded command: powershell.exe -EncodedCommand RwBlAHQALQBBAEQAVQBzAGUAcgAgAC0AaQBkAGUAbgB0AGkAdAB5ACAAIgAxADMAZgBiADkANAAyADMALQA0ADkAYgBkAC0ANAAzAGMANQAtADkAYwBiAGUALQBkADgAOQA4ADcANgAyADEAYQBlADUAMwAiACAALQBwAHIAbwBwAGUAcgB0AGkAZQBzACAAKgAgAHwAIABjAG8AbgB2AGUAcgB0AHQAbwAtAGoAcwBvAG4A
2020-12-24T11:55:29.487+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 Reading ad_user resource for user with guid: "af66c22e-1107-42b7-a81f-697d8f0850a9"
2020-12-24T11:55:29.487+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Running command Get-ADUser -identity "af66c22e-1107-42b7-a81f-697d8f0850a9" -properties * | convertto-json via powershell
2020-12-24T11:55:29.487+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Encoded command: powershell.exe -EncodedCommand RwBlAHQALQBBAEQAVQBzAGUAcgAgAC0AaQBkAGUAbgB0AGkAdAB5ACAAIgBhAGYANgA2AGMAMgAyAGUALQAxADEAMAA3AC0ANAAyAGIANwAtAGEAOAAxAGYALQA2ADkANwBkADgAZgAwADgANQAwAGEAOQAiACAALQBwAHIAbwBwAGUAcgB0AGkAZQBzACAAKgAgAHwAIABjAG8AbgB2AGUAcgB0AHQAbwAtAGoAcwBvAG4A
2020-12-24T11:55:29.562+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Powershell command exited with code 1
2020-12-24T11:55:29.562+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Stdout: , Stderr:
2020-12-24T11:55:29.562+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] run error : could not acquire client credential: could not get valid TGT for client's realm: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (24) KDC_ERR_PREAUTH_FAILED Pre-authentication information was invalid
2020/12/24 11:55:29 [TRACE] vertex "ad_user.u2": visit complete
2020/12/24 11:55:29 [TRACE] vertex "ad_user.u2": dynamic subgraph encountered errors
2020/12/24 11:55:29 [TRACE] vertex "ad_user.u2": visit complete
2020/12/24 11:55:29 [TRACE] vertex "ad_user.u2 (expand)": dynamic subgraph encountered errors
2020/12/24 11:55:29 [TRACE] vertex "ad_user.u2 (expand)": visit complete
2020-12-24T11:55:29.741+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Powershell command exited with code 1
2020-12-24T11:55:29.741+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Stdout: , Stderr:
2020-12-24T11:55:29.741+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] run error : could not acquire client credential: could not get valid TGT for client's realm: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (24) KDC_ERR_PREAUTH_FAILED Pre-authentication information was invalid
2020/12/24 11:55:29 [TRACE] vertex "data.ad_user.u": visit complete
2020/12/24 11:55:29 [TRACE] vertex "data.ad_user.u": dynamic subgraph encountered errors
2020/12/24 11:55:29 [TRACE] vertex "data.ad_user.u": visit complete
2020/12/24 11:55:29 [TRACE] vertex "data.ad_user.u (expand)": dynamic subgraph encountered errors
2020/12/24 11:55:29 [TRACE] vertex "data.ad_user.u (expand)": visit complete
2020/12/24 11:55:29 [TRACE] dag/walk: upstream of "output.trusted_for_delegation" errored, so skipping
2020/12/24 11:55:29 [TRACE] dag/walk: upstream of "output.country" errored, so skipping
2020/12/24 11:55:29 [TRACE] dag/walk: upstream of "output.username" errored, so skipping
2020/12/24 11:55:29 [TRACE] vertex "ad_user.u": visit complete
2020/12/24 11:55:29 [TRACE] vertex "ad_user.u": dynamic subgraph encountered errors
2020/12/24 11:55:29 [TRACE] vertex "ad_user.u": visit complete
2020/12/24 11:55:29 [TRACE] vertex "ad_user.u (expand)": dynamic subgraph encountered errors
2020/12/24 11:55:29 [TRACE] vertex "ad_user.u (expand)": visit complete
2020/12/24 11:55:29 [TRACE] dag/walk: upstream of "provider[\"myregistry/examplecorp/ad\"] (close)" errored, so skipping
2020/12/24 11:55:29 [TRACE] dag/walk: upstream of "meta.count-boundary (EachMode fixup)" errored, so skipping
2020/12/24 11:55:29 [TRACE] dag/walk: upstream of "root" errored, so skipping
2020/12/24 11:55:29 [INFO] backend/local: plan operation completed
2020/12/24 11:55:29 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
2020-12-24T11:55:29.932+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Powershell command exited with code 1
2020-12-24T11:55:29.932+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] Stdout: , Stderr:
2020-12-24T11:55:29.932+0100 [DEBUG] plugin.terraform-provider-ad.exe: 2020/12/24 11:55:29 [DEBUG] run error : could not acquire client credential: could not get valid TGT for client's realm: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (24) KDC_ERR_PREAUTH_FAILED Pre-authentication information was invalid
2020/12/24 11:55:29 [TRACE] statemgr.Filesystem: unlocked by closing terraform.tfstate
2020-12-24T11:55:29.934+0100 [WARN] plugin.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
Error: powershell command failed with exit code 1
stdout:
stderr:
error: could not acquire client credential: could not get valid TGT for client's realm: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (24) KDC_ERR_PREAUTH_FAILED Pre-authentication information was invalid
2020-12-24T11:55:29.946+0100 [DEBUG] plugin: plugin process exited: path=.terraform/providers/myregistry/examplecorp/ad/0.4.1/windows_amd64/terraform-provider-ad.exe pid=5308
2020-12-24T11:55:29.946+0100 [DEBUG] plugin: plugin exited
Error: powershell command failed with exit code 1
stdout:
stderr:
error: could not acquire client credential: could not get valid TGT for client's realm: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (24) KDC_ERR_PREAUTH_FAILED Pre-authentication information was invalid
Error: powershell command failed with exit code 1
stdout:
stderr:
error: could not acquire client credential: could not get valid TGT for client's realm: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (24) KDC_ERR_PREAUTH_FAILED Pre-authentication information was invalid
So I guess we need to find a way to generate a Kerberos ticket upfront. As there is no built-in "kinit" command (as far as I know), I need to dig into that. Any extra info about this is welcome.
For the management of the Kerberos ticket you can use kinit by installing Java on your server.
Any way to include that in the provider? Or better yet, without using Java?
Trying to get it working from a Mac:
$ kinit -f alexey.wasilyev
alexey.wasilyev@XXX.COM's password:
$ klist
Credentials cache: API:02FF1088-85DD-4C58-8476-489A776EE454
Principal: alexey.wasilyev@XXX.COM
Issued Expires Principal
Jan 7 16:25:37 2021 Jan 8 02:25:33 2021 krbtgt/XXX.COM@XXX.COM
$ cat provider.tf
provider "ad" {
  winrm_hostname = "localhost"
  krb_realm      = "XXX.COM"
  krb_conf       = "krb.conf"
  winrm_username = "alexey.wasilyev"
  winrm_password = "xx"
}
$ terraform apply
ad_ou.o: Refreshing state... [id=766eefd4-63f5-4231-8493-c377eff94f7a]
ad_gpo.g: Refreshing state... [id=1622b485-9bd1-4815-a39b-8268de150784]
Error: powershell command failed with exit code 1
stdout:
stderr:
error: could not acquire client credential: could not get valid TGT for client's realm: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (24) KDC_ERR_PREAUTH_FAILED Pre-authentication information was invalid
It does not try to use the ticket from the keytab; it uses winrm_password instead. I would like not to have my password defined in clear text in the tf code or in an environment variable. How do I get it working with a keytab?
winrm_hostname = "localhost" is fine; I've forwarded ports 88/tcp and 5985/tcp to localhost from the Windows AD DC.
Hi @ryantho6, thanks for reporting this issue.
I looked at your initial log and my first suggestion would be what @jpatigny said: set your username without the @<domain> bit and try again.
@jpatigny I looked at the additional work you put into this (thanks for that as well :) ) and I tried to reproduce the issue with no success. I created a new user on my test DC, configured my provider to use that user's credentials and ran some tests without any issues. I never logged on to my system as that user before running the test. If you were running Terraform on a server different from the DC, then make sure the clocks were in sync, since time drift was one of the reasons I got the same error message as you did during development.
@awasilyev the underlying kerberos library we're using supports keytab files, so this looks like a possibility. ~Would you mind opening a new issue so we can prioritise and track this separately ?~ I opened issue #79 to track this.
Hello @ryantho6, is this still an issue?
Hi @koikonom. Yeah, I came back to this and I'm still having major issues. Below are my current files and debug log. I don't get how to set this up properly. Creating a Kerberos ticket ahead of time does not sound like a valid solution.
Now using Terraform v1.0.5 and provider v0.4.3.
#main.tf
provider "ad" {
  winrm_hostname = "server.[redacted].com" //domain server used for running PowerShell (also tried using a DC here)
  winrm_username = "ryan" //my domain username with rights to WinRM and to query/modify AD
  winrm_password = "[redacted]"
  krb_realm      = "[REDACTED].[REDACTED].COM"
}
#ad.tf
data "ad_ou" "ou_servergroups" {
  ou_id = "OU=Servers,OU=System Administration,DC=REDACTED,DC=REDACTED,DC=com"
}
resource "ad_group" "testgroup" {
  name             = "test"
  sam_account_name = "test"
  scope            = "domainlocal"
  category         = "security"
  container        = data.ad_ou.ou_servergroups.ou_id
}
2021-09-02T14:43:36.019-0700 [INFO] provider.terraform-provider-ad_v0.4.3_x5.exe: 2021/09/02 14:43:36 [DEBUG] Checking if connection should be local: timestamp=2021-09-02T14:43:36.011-0700
2021-09-02T14:43:36.020-0700 [INFO] provider.terraform-provider-ad_v0.4.3_x5.exe: 2021/09/02 14:43:36 [DEBUG] Local connection ? false: timestamp=2021-09-02T14:43:36.011-0700
2021-09-02T14:43:36.022-0700 [INFO] provider.terraform-provider-ad_v0.4.3_x5.exe: 2021/09/02 14:43:36 [DEBUG] Checking to see if credentials should be passed: timestamp=2021-09-02T14:43:36.011-0700
2021-09-02T14:43:36.023-0700 [INFO] provider.terraform-provider-ad_v0.4.3_x5.exe: 2021/09/02 14:43:36 [DEBUG] Pass Credentials ? false: timestamp=2021-09-02T14:43:36.011-0700
2021-09-02T14:43:36.025-0700 [INFO] provider.terraform-provider-ad_v0.4.3_x5.exe: 2021/09/02 14:43:36 [DEBUG] Constructing powerrshell command: Get-ADObject -Properties * -Identity "OU=Servers,OU=System Administration,DC=REDACTED,DC=REDACTED,DC=com" | ConvertTo-Json: timestamp=2021-09-02T14:43:36.011-0700
2021-09-02T14:43:36.026-0700 [INFO] provider.terraform-provider-ad_v0.4.3_x5.exe: 2021/09/02 14:43:36 [DEBUG] Executing command on remote host: timestamp=2021-09-02T14:43:36.011-0700
2021-09-02T14:43:38.109-0700 [INFO] provider.terraform-provider-ad_v0.4.3_x5.exe: 2021/09/02 14:43:38 [DEBUG] Powershell command exited with code 1: timestamp=2021-09-02T14:43:38.109-0700
2021-09-02T14:43:38.115-0700 [INFO] backend/local: plan operation completed
2021-09-02T14:43:38.118-0700 [INFO] provider.terraform-provider-ad_v0.4.3_x5.exe: 2021/09/02 14:43:38 [DEBUG] run error : could not acquire client credential: could not get valid TGT for client's realm: [Root cause: Networking_Error] Networking_Error: AS Exchange Error: failed sending AS_REQ to KDC: communication error with KDC via TCP: error in getting a TCP connection to any of the KDCs: timestamp=2021-09-02T14:43:38.109-0700
2021-09-02T14:43:38.160-0700 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2021-09-02T14:43:38.172-0700 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/ad/0.4.3/windows_amd64/terraform-provider-ad_v0.4.3_x5.exe pid=20316
2021-09-02T14:43:38.176-0700 [DEBUG] provider: plugin exited
If I try the domain "Administrator" account and specify a DC as winrm_hostname, I get this error:
error: could not acquire client credential: could not get valid TGT for client's realm: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (24) KDC_ERR_PREAUTH_FAILED Pre-authentication information was invalid
So I think this is mostly due to not having proper documentation. I did a ton of digging on krb5.conf and trial-and-error. I finally got the WinRM double hop to work:
main.tf:
provider "ad" {
  winrm_hostname         = "SERVER.DOMAIN.COM" //FQDN of a server with the AD module installed
  winrm_username         = "USERNAME" //not UPN
  winrm_password         = var.domain_pass
  krb_conf               = "krb5.conf"
  krb_realm              = "DOMAIN.COM" //Domain name
  krb_spn                = "Server" //Name of the same server as winrm_hostname. Not FQDN.
  winrm_pass_credentials = true
  winrm_proto            = "https"
  winrm_port             = 5986
}
krb5.conf (comments in this file start with '#'; the '//' and '\\' markers are not comment syntax in krb5.conf and break parsing):
[libdefaults]
  default_realm = DOMAIN.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
[realms]
  # Domain name
  DOMAIN.COM = {
    kdc = DC01.DOMAIN.COM          # specific domain controller
    admin_server = DC01.DOMAIN.COM # specific domain controller
    default_domain = DOMAIN.COM
    master_kdc = DC01.DOMAIN.COM   # specific domain controller
  }
[domain_realm]
  .kerberos.server = DOMAIN.COM
  .domain.com = DOMAIN.COM # replace both parts
  domain.com = DOMAIN.COM  # replace both parts
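The errors in this thread come from three distinct stages of the provider's Kerberos client: failing to locate or reach a KDC (the Networking_Error), the KDC rejecting pre-authentication (KDC_ERR_PREAUTH_FAILED), and credential delegation for the double hop. A small preflight that runs before `terraform plan` can rule out the first group and the configuration mistakes discussed above. The following Go program is an added example, not code from the provider or from anyone in the thread: it parses a krb5.conf like the one above, reports `//` and `\\` markers (krb5.conf comments start with `#`), checks that `winrm_username` is not a UPN and that `krb_realm` matches `default_realm`, and tries a TCP connection to port 88 on every listed KDC. The `sampleConf` text, the `DC01.DOMAIN.COM` host and the `ParseKrb5Conf`/`Preflight` functions are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
	"time"
)

// Krb5Conf is the subset of krb5.conf that matters for locating a KDC: the
// default realm, whether DNS lookup of KDCs is enabled, and the kdc entries per realm.
type Krb5Conf struct {
	DefaultRealm string
	DNSLookupKDC bool
	KDCs         map[string][]string // realm -> kdc entries ("host" or "host:port")
}

// ParseKrb5Conf reads the INI-like krb5.conf format. Comment lines start with '#'
// or ';'. A trailing "//..." or "\\..." (as in the hand-written file in the thread)
// is not a comment in krb5.conf, so it is reported as a problem and then stripped
// so that parsing can continue and the rest of the file can still be checked.
func ParseKrb5Conf(text string) (*Krb5Conf, []string) {
	cfg := &Krb5Conf{KDCs: map[string][]string{}}
	var problems []string
	section, realm := "", ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		for _, bad := range []string{"//", `\\`} {
			if i := strings.Index(line, bad); i >= 0 {
				problems = append(problems, fmt.Sprintf("line %d: %q is not a krb5.conf comment marker, use '#'", n, bad))
				line = strings.TrimSpace(line[:i])
			}
		}
		switch {
		case line == "":
			continue
		case line[0] == '[' && strings.HasSuffix(line, "]"):
			section = strings.ToLower(strings.Trim(line, "[]"))
			realm = ""
		case line == "}":
			realm = ""
		default:
			key, val, ok := strings.Cut(line, "=")
			if !ok {
				problems = append(problems, fmt.Sprintf("line %d: expected key = value", n))
				continue
			}
			key, val = strings.TrimSpace(key), strings.TrimSpace(val)
			switch section {
			case "libdefaults":
				if key == "default_realm" {
					cfg.DefaultRealm = val
				} else if key == "dns_lookup_kdc" {
					cfg.DNSLookupKDC = strings.EqualFold(val, "true")
				}
			case "realms":
				if val == "{" { // "REALM = {" opens a realm block
					realm = key
				} else if realm != "" && key == "kdc" {
					cfg.KDCs[realm] = append(cfg.KDCs[realm], val)
				}
			}
		}
	}
	return cfg, problems
}

// Dialer is how Preflight reaches a KDC; pass TCPDial for real use, a fake in tests.
type Dialer func(addr string) error

// TCPDial opens and closes a TCP connection, the transport behind the thread's
// "error in getting a TCP connection to any of the KDCs".
func TCPDial(addr string) error {
	c, err := net.DialTimeout("tcp", addr, 3*time.Second)
	if err != nil {
		return err
	}
	return c.Close()
}

// Preflight returns one finding per misconfiguration discussed in the thread. An
// empty result only means the static checks passed: a wrong password or clock
// drift between client and DC still surfaces later as KDC_ERR_PREAUTH_FAILED.
func Preflight(cfg *Krb5Conf, krbRealm, winrmUser string, dial Dialer) []string {
	var findings []string
	if strings.Contains(winrmUser, "@") {
		findings = append(findings, "winrm_username looks like a UPN; use the bare account name without @domain")
	}
	if krbRealm != strings.ToUpper(krbRealm) {
		findings = append(findings, "krb_realm should be the upper-case AD realm name, e.g. DOMAIN.COM")
	}
	if cfg.DefaultRealm != "" && cfg.DefaultRealm != krbRealm {
		findings = append(findings, fmt.Sprintf("krb_realm %q does not match default_realm %q in krb5.conf", krbRealm, cfg.DefaultRealm))
	}
	kdcs := cfg.KDCs[krbRealm]
	if len(kdcs) == 0 && !cfg.DNSLookupKDC {
		findings = append(findings, fmt.Sprintf("no kdc entries for realm %q and dns_lookup_kdc is false: no KDC can be located", krbRealm))
	}
	reachable := 0
	for _, k := range kdcs {
		addr := k
		if _, _, err := net.SplitHostPort(k); err != nil {
			addr = net.JoinHostPort(k, "88") // Kerberos default port
		}
		if err := dial(addr); err != nil {
			findings = append(findings, fmt.Sprintf("KDC %s unreachable over TCP: %v", addr, err))
			continue
		}
		reachable++
	}
	if len(kdcs) > 0 && reachable == 0 {
		findings = append(findings, "no KDC reachable: expect a Networking_Error from the provider")
	}
	return findings
}

// sampleConf is a constructed krb5.conf carrying the same comment mistakes as the
// hand-written file in the thread; DC01.DOMAIN.COM is a placeholder host.
const sampleConf = `[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DOMAIN.COM = { //Domain name
kdc = DC01.DOMAIN.COM //specific domain controller
admin_server = DC01.DOMAIN.COM
}
[domain_realm]
.domain.com = DOMAIN.COM \\replace both parts
`

func main() {
	cfg, problems := ParseKrb5Conf(sampleConf)
	for _, p := range problems {
		fmt.Println("krb5.conf:", p)
	}
	// Offline the dial fails and is reported as a finding; that is the intended output.
	for _, f := range Preflight(cfg, "DOMAIN.COM", "ryan@domain.com", TCPDial) {
		fmt.Println("preflight:", f)
	}
}
```

A clean run (no findings) rules out the network and configuration causes above; if the provider then still reports KDC_ERR_PREAUTH_FAILED, what remains is the KDC rejecting the password for that principal or the clock skew koikonom mentioned, neither of which can be checked without talking to the DC.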
Terraform Version and Provider Version: Terraform v0.14.2, hashicorp/ad v0.4.0
Windows Version: Client: Windows 10 1909; Domain Controller: Windows 2016; Domain functional level: Windows2008R2Domain
Expected Behavior: Computer object created within the assigned OU
Steps to Reproduce: terraform plan