microsoft / omi

Open Management Infrastructure

missing /etc/opt/omi/creds/omi.keytab file after joined Linux box to domain #751

Closed anranwuyan closed 7 months ago

anranwuyan commented 8 months ago

Hi experts, I have joined my Red Hat 7.9 box to my Windows AD, and I am able to log in to the Linux box with my Windows domain account. I also have omi installed on this Linux box. When I try to connect to this Linux box with the 'winrm enumerate' command under Kerberos authentication, I hit the error below.

PS C:\temp> winrm enumerate http://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX_Agent?__cimnamespace=root/scx -auth:kerberos -remote:https://rhel-e73.domain.leo.com:1270 -username:omaa@domain.leo.com -skipCACheck -skipCNCheck -skiprevocationcheck -encoding:utf-8
Enter the password for 'omaa@domain.leo.com' to connect to 'https://rhel-e73.domain.leo.com:1270':
WSManFault
    Message = Access is denied.

Error number: -2147024891 0x80070005
Access is denied.

I noticed the error '2023/10/31 15:09:30 [80832,80832] ERROR: null(0): EventId=20146 Priority=ERROR HTTP: Client Authorization failed. gss:() mech:(Key table entry not found)' in the omiserver.log file when running the winrm command. Later I noticed that the file /etc/opt/omi/creds/omi.keytable does not exist on this Linux box. Can anyone guide me on how to get this file created automatically, please?

I got the omid installed, and then joined this Linux box to AD. I am not sure whether we have to join the Linux box to AD first and then install the OMID after that.

[root@rhel-e73 log]# cat /etc/*release
NAME="Red Hat Enterprise Linux Server"
VERSION="7.9 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.9"
PRETTY_NAME="Red Hat"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.9:GA:server"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.9
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.9"
Red Hat Enterprise Linux Server release 7.9 (Maipo)
Red Hat Enterprise Linux Server release 7.9 (Maipo)

[root@rhel-e73 log]# rpm -qa |grep -i sssd
sssd-1.16.5-10.el7_9.15.x86_64
python-sssdconfig-1.16.5-10.el7_9.15.noarch
sssd-krb5-common-1.16.5-10.el7_9.15.x86_64
sssd-ad-1.16.5-10.el7_9.15.x86_64
sssd-proxy-1.16.5-10.el7_9.15.x86_64
sssd-common-pac-1.16.5-10.el7_9.15.x86_64
sssd-client-1.16.5-10.el7_9.15.x86_64
sssd-ldap-1.16.5-10.el7_9.15.x86_64
sssd-common-1.16.5-10.el7_9.15.x86_64
sssd-ipa-1.16.5-10.el7_9.15.x86_64
sssd-krb5-1.16.5-10.el7_9.15.x86_64
[root@rhel-e73 log]#

Thanks!

JumpingYang001 commented 8 months ago

@LeoYuAtMicrosoft have you set up a Kerberos environment on your Linux box? Once you set up Kerberos, you will see /etc/krb5.keytab on your local box. https://github.com/microsoft/omi/blob/master/Unix/doc/setup-kerberos-omi.md

JumpingYang001 commented 7 months ago

by design.
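
The following is an added example, not part of the thread and not code from the OMI project: it parses omiserver.log lines in the layout quoted in the issue, groups "Client Authorization failed" events by their mech message, and lists which of the two keytab paths named in the thread are absent. Only the first sample line comes from the issue; the other lines, the function names and the assumption that other GSS errors are logged in the same layout are constructed for the example.

```python
import os
import re
from collections import Counter

# Layout of the omiserver.log line quoted in the issue:
#   date time [pid,tid] LEVEL: source: EventId=N Priority=P message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<pid>\d+),(?P<tid>\d+)\] "
    r"(?P<level>\w+): (?P<src>[^:]*): EventId=(?P<event_id>\d+) "
    r"Priority=(?P<priority>\w+) (?P<msg>.*)$"
)
AUTH_RE = re.compile(r"Client Authorization failed\. gss:\((?P<gss>.*?)\) mech:\((?P<mech>.*?)\)")

# Keytab paths named in the thread.
KEYTAB_PATHS = ("/etc/opt/omi/creds/omi.keytab", "/etc/krb5.keytab")

# First line is the one quoted in the issue; the rest are constructed for the example.
SAMPLE_LOG = """\
2023/10/31 15:09:30 [80832,80832] ERROR: null(0): EventId=20146 Priority=ERROR HTTP: Client Authorization failed. gss:() mech:(Key table entry not found)
2023/10/31 15:11:02 [80832,80832] ERROR: null(0): EventId=20146 Priority=ERROR HTTP: Client Authorization failed. gss:() mech:(Key table entry not found)
2023/10/31 15:12:47 [80832,80832] ERROR: null(0): EventId=20146 Priority=ERROR HTTP: Client Authorization failed. gss:() mech:(Clock skew too great)
not a log line
"""

def auth_failures(lines):
    """Return one dict per authorization-failure line; skip anything else."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        a = AUTH_RE.search(m.group("msg")) if m else None
        if a:
            out.append({"ts": m.group("ts"), "event_id": int(m.group("event_id")),
                        "gss": a.group("gss"), "mech": a.group("mech")})
    return out

def summarize(failures):
    """Count failures per GSS mechanism message."""
    return Counter(f["mech"] for f in failures)

def is_keytab_problem(mech):
    """True when the mech message points at a missing keytab or keytab entry."""
    return "key table" in mech.lower() or "keytab" in mech.lower()

def missing_keytabs(paths=KEYTAB_PATHS, exists=os.path.exists):
    """Keytab paths from the thread that are absent on this host."""
    return [p for p in paths if not exists(p)]

if __name__ == "__main__":
    for mech, n in summarize(auth_failures(SAMPLE_LOG.splitlines())).most_common():
        note = f" -> missing keytabs: {missing_keytabs()}" if is_keytab_problem(mech) else ""
        print(f"{n}x {mech}{note}")
```
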