[chef] Re: Re: Re: Server 2012/WinRM3 uses different security?


  • From: Adam Edwards < >
  • To: " " < >
  • Subject: [chef] Re: Re: Re: Server 2012/WinRM3 uses different security?
  • Date: Fri, 24 May 2013 15:50:51 +0000
  • Accept-language: en-US

Question: has anyone actually repro'd this outside of Win2k12?

One workaround is to use scheduled tasks, another is to use psexec — see http://tickets.opscode.com/browse/COOK-1172.

This sounds like the issue we hit when we fixed this bug, originally for Server 2012:

Bootstrap was failing on 2k12, and the cause was job objects in Windows (an NT kernel capability), which are used by winrm to enforce things like maxmemorypershellmb. The knife bug referenced earlier repros the problem without winrm, simply using a script that leverages job objects and works on Win2k3-Win2kR2, but not 2k12. In this case, WinRM was not the root cause; it was a bug in Win2k12.

I'll see if there is something that MSFT is using to publicly track the job object issue. If people are hitting this outside of the bootstrap case we worked around, this is obviously higher priority to fix.

--
Adam Edwards
Software Development Engineer, Opscode, Inc.



WinRM does impose limitations on what you can do over that interface. I fought with this for quite a bit a while back when trying to get nodes to automatically install windows updates.


On that page in the section "The following list contains interfaces and properties that are not available to remote users and applications" it lists a number of interfaces which are disallowed. I know in my case, with Windows updates I was restricted on "IUpdateSession::CreateUpdateDownloader". 

If I ran my windows update code over SSH (WinSSHD), it would work just fine, however when chef-client was invoked over WinRM, it would fail with "OLE error code:80070005"

Luckily for me we have WinSSHD across the board, so I was able to just punt and use SSH. 

Sorry that's not really a solution, but I did want to pass along the info I had learned (the hard way).


On Thu, May 23, 2013 at 4:10 PM, Peter Donald < > wrote:
Hi,

On Fri, May 24, 2013 at 4:39 AM, Nate Fox < > wrote:
> My question is this: is there a permissions issue of some kind when running
> chef through WinRM3 that doesn't allow programs to go out to the internet?

I was fighting with the exact same problem yesterday. Yet to find an
answer. It seems anything requiring network credentials is
disabled. We can't even access the local DFS. It has been suggested
that we need to set up Multi-hop support [1] for winrm, but I haven't
yet figured out how to do that via knife. All of the instructions
seem to be for when using windows as the client, where we run chef off
non-windows hosts.
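An added example (not from any of the posts above) for confirming the second-hop symptom Peter describes from inside a WinRM session, reading the WinRM auth settings and the per-shell quota Adam mentions, and enabling the server half of multi-hop support (CredSSP) on the node; `$TestShare` is a placeholder UNC path.

```powershell
# Added example, not from the thread. Run Test-SecondHop inside a WinRM
# session on the node (e.g. via knife winrm); run the other two functions
# on the node itself from an elevated PowerShell.

# Placeholder UNC path; replace with a DFS or file-server path you use.
$TestShare = '\\fileserver.example.com\dfs'

function Test-SecondHop {
    param([string]$Path = $TestShare)
    # A Negotiate/Kerberos WinRM logon leaves the session with a token that
    # cannot be re-used against a third host, so SMB/DFS access fails with
    # access denied even though the same user can reach the share locally.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $r = [ordered]@{ User = $id.Name; Impersonation = $id.ImpersonationLevel
                     ShareReachable = $false; Error = $null }
    try {
        $null = Get-ChildItem -LiteralPath $Path -ErrorAction Stop
        $r.ShareReachable = $true
    } catch {
        $r.Error = $_.Exception.Message
    }
    [pscustomobject]$r
}

function Get-WinRMSessionConfig {
    # Authentication methods the WinRM service accepts (CredSSP is false by
    # default) and the per-shell memory quota, which WinRM enforces through
    # a job object on the shell process.
    $auth  = Get-ChildItem WSMan:\localhost\Service\Auth | Select-Object Name, Value
    $quota = Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB
    [pscustomobject]@{ Auth = $auth; MaxMemoryPerShellMB = $quota.Value }
}

function Enable-ServerSideCredSSP {
    # Server half of multi-hop: lets this node accept delegated credentials.
    # The client must then authenticate with CredSSP, and the node receives
    # the caller's reusable credentials, so enable it only on nodes trusted
    # to hold them.
    Enable-WSManCredSSP -Role Server -Force
    Get-Item WSMan:\localhost\Service\Auth\CredSSP
}
```

With CredSSP off, Test-SecondHop reports ShareReachable false and an access-denied error for any share that requires authenticating to another host.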





