rundeck-plugins / rundeck-winrm-plugin

Rundeck WinRM Node Executor plugin

Login to Windows Server w/ Kerberos doesn't work #44

Open svenschumacher opened 8 years ago

svenschumacher commented 8 years ago

I've set up rundeck with winrm-plugin.

Settings for the project/etc/resources.xml:

<node name="hostname" connectionType="WINRM_NATIVE" node-executor="overthere-winrm" winrm-password-option="winrmPassword" winrm-protocol="http" winrm-auth-type="kerberos" username="username@DOMAIN.TLD" winrmPassword="password" description="Rundeck server node Windows" tags="" hostname="hostname:Port" osArch="x86_64" osFamily="windows" osName="Microsoft Windows Server 2008 R2 Standard" osVersion="Microsoft Windows Server 2008 R2 Standard" />

In /etc/rundeck/profile:

-Djava.security.krb5.realm=domain.tld -Djava.security.krb5.kdc=domaincontroller.domain.tld

Windows Server settings:

winrm/config/service
...
AllowUnencrypted = true
...
Auth
    Basic = true
    Kerberos = true
...
DefaultPorts:
    HTTP = 5985
    HTTPS = 5986
AllowRemoteAccess = true
...

If I try to run the job, the following error appears:

Execution failed: 72207: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [_domain_: ConfigurationFailure: Password was not set]}, Node failures: {_domain_=[ConfigurationFailure: Password was not set]}, flow control: Continue, status: failed]

gschueler commented 8 years ago

try changing winrm-password-option="winrmPassword" to winrm-password-option="option.winrmPassword"

svenschumacher commented 8 years ago

It didn't help.

07:26:02            [overthere-winrm:host] Password was not set
07:26:02            Failed: ConfigurationFailure: Password was not set

gschueler commented 8 years ago

what is your job definition?

svenschumacher commented 8 years ago

Exported as yaml:

- description: ''
  executionEnabled: true
  id: 5974465d-abbb-4501-bc42-cf555b7d8126
  loglevel: DEBUG
  name: Test
  nodefilters:
    dispatch:
      excludePrecedence: true
      keepgoing: false
      rankOrder: ascending
      threadcount: 1
    filter: HOST
  nodesSelectedByDefault: true
  options:
  - name: Password
    secure: true
    value: PASSWORD
  scheduleEnabled: true
  sequence:
    commands:
    - exec: write-host test
    keepgoing: false
    strategy: step-first
  uuid: 5974465d-abbb-4501-bc42-cf555b7d8126

gschueler commented 8 years ago

Make sure your password option matches the winrm-password-option name, e.g. winrmPassword not Password

svenschumacher commented 8 years ago

I think I've done what you meant. I'm not sure. Could you have another look at my project's resources.xml, please?

<node 
  name="Remote Host Name" 
  connectionType="WINRM_NATIVE" 
  node-executor="overthere-winrm" 
  winrm-password-option="option.winrmPassword" 
  winrm-protocol="http" 
  winrm-auth-type="kerberos"  
  username="Username@DOMAIN.COM" 
  winrmPassword="Top-Secret Password" 
  description="Rundeck server node Windows" 
  tags="" 
  hostname="remotehost:5985" 
  osArch="x86_64" 
  osFamily="windows" 
  osName="Microsoft Windows Server 2008 R2 Standard" 
  osVersion="Microsoft Windows Server 2008 R2 Standard" 
/>

gschueler commented 8 years ago

I mean change this:

 options:
  - name: Password
    secure: true
    value: PASSWORD

to this:

 options:
  - name: winrmPassword
    secure: true
    value: PASSWORD
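
The name match described in the reply above can be checked mechanically before a job is run. The following is an added example, not part of the thread or of the plugin's code; the node name `win01` and both sample documents are constructed, and treating `option.NAME` and `NAME` as the same option is an assumption taken from the two forms used in this thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the configuration posted in this thread.
RESOURCES_XML = """<project>
  <node name="win01" node-executor="overthere-winrm"
        winrm-password-option="option.winrmPassword"
        winrm-auth-type="kerberos" username="user@DOMAIN.TLD"
        hostname="win01:5985" osFamily="windows"/>
</project>"""

JOB_YAML = """- name: Test
  options:
  - name: Password
    secure: true
    value: PASSWORD
  scheduleEnabled: true
"""

def job_option_names(job_yaml):
    """Collect option names from the 'options:' list of an exported job."""
    names, indent = [], None
    for line in job_yaml.splitlines():
        depth = len(line) - len(line.lstrip())
        text = line.strip()
        if text == "options:":
            indent = depth
        elif indent is not None:
            m = re.match(r"-\s+name:\s*(\S+)", text)
            if m and depth >= indent:
                names.append(m.group(1))
            elif text and depth <= indent and not text.startswith("-"):
                indent = None  # left the options block
    return names

def check_password_options(resources_xml, job_yaml):
    """Return one finding per WinRM node whose password option the job lacks."""
    defined = set(job_option_names(job_yaml))
    findings = []
    for node in ET.fromstring(resources_xml).iter("node"):
        if node.get("node-executor") != "overthere-winrm":
            continue
        ref = node.get("winrm-password-option", "")
        # Assumption from the thread: "option.NAME" and "NAME" name the same option.
        wanted = ref[len("option."):] if ref.startswith("option.") else ref
        if wanted not in defined:
            findings.append((node.get("name"), wanted, sorted(defined)))
    return findings
```

Each finding is a tuple of node name, the option name the node expects, and the option names the job actually defines; an empty list means every WinRM node's password option is present in the job.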

svenschumacher commented 8 years ago

Sorry for the delay. I've changed the settings as mentioned. The new error is:

16:27:34            com.xebialabs.overthere.cifs.winrm.WinRmRuntimeIOException: Unexpected HTTP response on http://domain:5985/wsman:   (401)
16:27:34                at com.xebialabs.overthere.cifs.winrm.WinRmClient.doSendRequest(WinRmClient.java:419)
16:27:34                at com.xebialabs.overthere.cifs.winrm.WinRmClient.access$100(WinRmClient.java:92)
16:27:34                at com.xebialabs.overthere.cifs.winrm.WinRmClient$PrivilegedSendMessage.run(WinRmClient.java:384)
16:27:34                at com.xebialabs.overthere.cifs.winrm.WinRmClient$PrivilegedSendMessage.run(WinRmClient.java:373)
16:27:34                at java.security.AccessController.doPrivileged(Native Method)
16:27:34                at javax.security.auth.Subject.doAs(Subject.java:422)
16:27:34                at com.xebialabs.overthere.cifs.winrm.WinRmClient.runPrivileged(WinRmClient.java:359)
16:27:34                at com.xebialabs.overthere.cifs.winrm.WinRmClient.sendRequest(WinRmClient.java:343)
16:27:34                at com.xebialabs.overthere.cifs.winrm.WinRmClient.createShell(WinRmClient.java:149)
16:27:34                at com.xebialabs.overthere.cifs.winrm.CifsWinRmConnection.startProcess(CifsWinRmConnection.java:126)
16:27:34                at com.xebialabs.overthere.spi.BaseOverthereConnection.execute(BaseOverthereConnection.java:272)
16:27:34                at com.dtolabs.rundeck.plugin.overthere.OTWinRMNodeExecutor.executeCommand(OTWinRMNodeExecutor.java:240)
16:27:34                at com.dtolabs.rundeck.core.execution.ExecutionServiceImpl.executeCommand(ExecutionServiceImpl.java:333)
16:27:34                at com.dtolabs.rundeck.core.execution.ExecutionServiceImpl.executeCommand(ExecutionServiceImpl.java:307)
16:27:34                at com.dtolabs.rundeck.core.execution.workflow.steps.node.impl.ExecNodeStepExecutor.executeNodeStep(ExecNodeStepExecutor.java:53)
16:27:34                at com.dtolabs.rundeck.core.execution.ExecutionServiceImpl.executeNodeStep(ExecutionServiceImpl.java:149)
16:27:34                at com.dtolabs.rundeck.core.execution.dispatch.SequentialNodeDispatcher.dispatch(SequentialNodeDispatcher.java:116)
16:27:34                at com.dtolabs.rundeck.core.execution.dispatch.SequentialNodeDispatcher.dispatch(SequentialNodeDispatcher.java:58)
16:27:34                at com.dtolabs.rundeck.core.execution.ExecutionServiceImpl.dispatchToNodes(ExecutionServiceImpl.java:177)
16:27:34                at com.dtolabs.rundeck.core.execution.workflow.steps.NodeDispatchStepExecutor.executeWorkflowStep(NodeDispatchStepExecutor.java:66)
16:27:34                at com.dtolabs.rundeck.core.execution.ExecutionServiceImpl.executeStep(ExecutionServiceImpl.java:116)
16:27:34                at com.dtolabs.rundeck.core.execution.workflow.BaseWorkflowStrategy.executeWFItem(BaseWorkflowStrategy.java:225)
16:27:34                at com.dtolabs.rundeck.core.execution.workflow.BaseWorkflowStrategy.executeWorkflowItemsForNodeSet(BaseWorkflowStrategy.java:303)
16:27:34                at com.dtolabs.rundeck.core.execution.workflow.BaseWorkflowStrategy.executeWorkflowItemsForNodeSet(BaseWorkflowStrategy.java:258)
16:27:34                at com.dtolabs.rundeck.core.execution.workflow.StepFirstWorkflowStrategy.executeWorkflowImpl(StepFirstWorkflowStrategy.java:79)
16:27:34                at com.dtolabs.rundeck.core.execution.workflow.BaseWorkflowStrategy.executeWorkflow(BaseWorkflowStrategy.java:182)
16:27:34                at com.dtolabs.rundeck.core.execution.WorkflowExecutionServiceThread.run(WorkflowExecutionServiceThread.java:55)
16:27:34            [overthere-winrm:domain] failed: Unexpected HTTP response on http://domain:5985/wsman:   (401)
16:27:34            Failed: WinRMProtocolError: Unexpected HTTP response on http://domain:5985/wsman:   (401)

It is possible to execute remote scripts via remote PowerShell. Only Rundeck has this problem.

UnicodeTreason commented 7 years ago

Did you ever resolve this Unexpected HTTP Response issue? I am now having the same error on Basic Auth.

rootd00d commented 6 years ago

I am having the same experience here. It takes a long time (>1m) for CMD tasks to actually execute, and other times, I get the unexpected HTTP response error @svenschumacher mentioned.

thomsonac commented 6 years ago

We're having the exact same 401 error. Any movement on this?

havalo-lolawo commented 2 years ago

Also having the same issue, has anyone managed to find a solution without setting AllowUnencrypted = true?