rundeck-plugins / rundeck-winrm-plugin

Rundeck WinRM Node Executor plugin

Clarification on Overthere feature set supported by this plugin #37

Open fellenberger opened 8 years ago

fellenberger commented 8 years ago

I'm a fairly new user to Rundeck, and have this requirement to be able to transfer files to a W2K12 R2 server and execute remote commands and remote/inline scripts via rundeck jobs, utilizing non-Administrative Windows accounts. Enter the lovely world of winRM, or so I hoped.

I have been successful modeling the above using the rd-winrm-plugin (Ruby-based... https://github.com/NetDocuments/rd-winrm-plugin) linked on the rundeck.org site, with the one (huge) caveat that I was only able to find success when authenticating with a user that is present in the local Administrators group of the target W2K12 R2 server. Apparently a big no-no in corporate environments complete with Windows architecture watchdogs, and while I understand why, this gotcha has really stomped on my progress.

So I then located this Overthere-based winRM plugin, and have to admit that I've had absolutely no luck getting past Kerberos authentication (we must use a domain user), which basically means I have not been able to be wowed by the featureset of this plugin as of yet. I'm toiling with the super obscure "WinRmRuntimeIOException: Unexpected HTTP response (401)." error, and haven't climbed out of that hole yet.

The main questions I have before I give any more blood with this are:

Aside from the challenges of my general newbie status with advanced Windows Administration and Security concepts (I'm not a winRM or PowerShell guy in the least bit), I'm really not finding any reference implementations / community postings to try and help shed some light on the above effectively.

Would really appreciate some insight from someone that absolutely loves this plugin and can rant and rave about how awesome it is and how many features you have working.

Thanks in advance!

gschueler commented 8 years ago

Hi Fred, which version of the plugin are you using? I recently released 1.3.2 https://github.com/rundeck-plugins/rundeck-winrm-plugin/releases/tag/rundeck-winrm-plugin-1.3.2 which upgrades the Overthere library to a newer version. One issue in particular that was fixed was a 401 error when using Kerberos, so you might try that.

How much of the Overthere featureset is exposed through this rundeck plugin? For example, is it possible to connect and execute winRM calls to Windows 2012 R2 server using a non-Admin account to:

It uses Overthere "WINRM_INTERNAL" connection type, can use HTTPS, and Kerberos authentication. It requires the user to have local admin credentials on the target nodes. See "WinRM Commands fail with a 401 response code".

execute remote scripts? (I'm pretty clear that this supports execution of remote commands)

It defines a Rundeck Node Executor (runs commands), but it does not define a Rundeck File Copier, which is needed for full script execution support. To run a script you would need some other File Copier plugin to copy the script file. Possibly this could be created using Overthere and CIFS, but this plugin does not have an implementation of that.

transfer files to a remote W2K12 server and then execute these files? (CIFS?)

No

can the source system be RHEL7 or must it be a W2K box?

Host (rundeck server) can be anything which can run JVM.

Some other comments: