rundeck-plugins / rundeck-winrm-plugin

UNMAINTAINED - Rundeck WinRM Node Executor plugin

Kerberos authentication across AD sites #42

Open danielladd opened 8 years ago

danielladd commented 8 years ago

I have configured a Rundeck instance on an Ubuntu host on AWS with the overthere-winrm plugin in order to execute scripts against Windows hosts. The instance is configured to access these hosts as an Active Directory domain service account by retrieving a Kerberos ticket from a specified KDC. This configuration is working great locally where the machines Rundeck accesses are hosted on the same domain controller that the Kerberos ticket originates from.

When I attempt to have Rundeck connect to a domain host on RackSpace I receive a 401 authentication error.

When viewing the analytic event log for WinRM I only see that the service saw the request and returned a 401:

Sending HTTP 401 response to the client and disconnect the 
connection after sending the response

In the Rundeck log I get the following error:

WARN  HttpAuthenticator: KERBEROS authentication error: 
No valid credentials provided (Mechanism level: Server 
not found in Kerberos database (7))

I know that WinRM is set up correctly, as I am able to use the PowerShell Test-WSMan function from a Windows host on AWS to connect to the Rackspace machine. Also, if I point Rundeck at the Rackspace Domain Controller I can still access the AWS Windows servers, but not the Rackspace ones, which has me confused.

gschueler commented 8 years ago

Have you looked at the Overthere project? Some useful troubleshooting info, e.g. https://github.com/xebialabs/overthere#kerberos-authentication-fails-with-the-message-server-not-found-in-kerberos-database-7

danielladd commented 8 years ago

Yup, it looks like it might be a bug as I switched it for the rd-winrm-plugin and that works without issue. https://github.com/NetDocuments/rd-winrm-plugin