General discussion about Chef

[chef] RE: Re: RE: RE: Chef and Windows Active directory


Chronological Thread 
  • From: "Deprez, Tom" < >
  • To: " " < >
  • Subject: [chef] RE: Re: RE: RE: Chef and Windows Active directory
  • Date: Wed, 9 Apr 2014 16:37:51 +0000
  • Accept-language: en-GB, en-US

Hi,

 

Both AllowUnencrypted and basic_auth are set to true.

 

Winrm commands will work, it’s when using knife this seems to break. So I’m not really sure which of these we should be troubleshooting.

 

When using , it’s actually "> we use, so yeah, it’s fully qualified.

 

Thanks

Tom

 

Results below:

WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Service\Auth

 

Type Name SourceOfValue Value

---- ---- ------------- -----

System.String Basic true

System.String Kerberos true

System.String Negotiate true

System.String Certificate false

System.String CredSSP true

System.String CbtHardeningLevel Relaxed

 

 

winrm get winrm/config

Config

    MaxEnvelopeSizekb = 500

    MaxTimeoutms = 1800000

    MaxBatchItems = 32000

    MaxProviderRequests = 4294967295

    Client

        NetworkDelayms = 5000

        URLPrefix = wsman

        AllowUnencrypted = true

        Auth

            Basic = true

            Digest = true

            Kerberos = true

            Negotiate = true

            Certificate = false

            CredSSP = true

        DefaultPorts

            HTTP = 5985

            HTTPS = 5986

        TrustedHosts

    Service

        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)

        MaxConcurrentOperations = 4294967295

        MaxConcurrentOperationsPerUser = 1500

        EnumerationTimeoutms = 240000

        MaxConnections = 300

        MaxPacketRetrievalTimeSeconds = 120

        AllowUnencrypted = true

        Auth

            Basic = true

            Kerberos = true

            Negotiate = true

            Certificate = false

            CredSSP = true

            CbtHardeningLevel = Relaxed

        DefaultPorts

            HTTP = 5985

            HTTPS = 5986

        IPv4Filter = *

        IPv6Filter = *

        EnableCompatibilityHttpListener = false

        EnableCompatibilityHttpsListener = false

        CertificateThumbprint

        AllowRemoteAccess = true

    Winrs

        AllowRemoteShellAccess = true

        IdleTimeout = 7200000

        MaxConcurrentUsers = 10

        MaxShellRunTime = 2147483647

        MaxProcessesPerShell = 25

        MaxMemoryPerShellMB = 1024

        MaxShellsPerUser = 30

 

 

 

From: Tensibai [mailto:
Sent: 09 April 2014 17:26
To:
Subject: [chef] Re: RE: RE: Chef and Windows Active directory

 

Could you paste the result of winrm get winrm/config from the target server ?

I would suspect the allow unencrypted parameter as Adam says before.

 

Hope you'll find, debuging winrm is a high PITA, but its really nice once it works :p

P.S: Just to be sure, in the form , domain is the fully qualified domain name right ?

 

Le 2014-04-09 18:10, Deprez, Tom a écrit :

Hi Adam,

 

The auth logs are from the server we are trying to bootstrap. This server is already on the domain and we can log in to it using domain accounts. The chef user is a domain account which is a member of the local admin group on the server we’re bootstrapping.

 

We are able to run this from the admin server:

winrs -u:domain\build_chef -p:password -r:10.175.1.21  dir

but fails when running this:

knife winrm -m 10.175.1.21 -P 'password' -x domain\build_chef dir

 

CredSSP was disabled, but enabling it in powershell and winrm doesn’t appear to have done anything.

 

Tensibai – we’ve tried domain\user, domain\\user and (the latter doesn’t pass the domain through, the user appears as ). None of these have worked either.

 

Thanks

Tom

 

From: Adam Edwards [ ">mailto: ]
Sent: 09 April 2014 16:48
To: ">
Subject: [chef] RE: Chef and Windows Active directory

 

Tom, on which machine are you getting those auth logs? On the DC, or on the server you’re truing to join to the domain?

 

The first thing to check is if you can issue commands via knife winrm, so rather than a bootstrap, can you issue a simple command like “echo” on the system? If not, then you probably need to enable “allow unencrypted” on your winrm listener on the remote system. To confirm one thing though: is the machine already joined to the domain and that domain user a member of the local admins group?

 

If that is working, then it sounds like the credentials aren’t making it off the system when talking to the DC. In that case, enabling CredSSP is required, e.g. in powershell

 

ls WSMan:\localhost\Service\Auth\CredSSP

 

If that shows false, try using set-item to set it to true.

 

Thanks.

 

-Adam

 

 

From: Deprez, Tom [mailto: "> ]
Sent: Wednesday, April 9, 2014 8:10 AM
To: ">
Subject: [chef] Chef and Windows Active directory

 

Hi,

 

I’ve been bootstrapping Windows servers in a lab environment using local admin accounts and this has worked fine (bootstrap command is run from a Windows server). However, we’re now trying to integrate this into production and would like to use an AD account when bootstrapping the server. This is failing with the following error:

 

D:\chef-repo>knife bootstrap windows winrm 10.175.1.21 --winrm-user="domain\build_chef" --winrm-password="password"

Bootstrapping Chef on 10.175.1.21

ERROR: Failed to authenticate to ["10.175.1.21"] as domain\build_chef

Response: Bad HTTP response returned from server (401).

ERROR: Batch render command returned

 

On the server I am trying to bootstrap, I get this error in the security logs:

Account For Which Logon Failed:

                Security ID:                           NULL SID

                Account Name:                    Build_Chef

                Account Domain:                 BMGUK

 

Failure Information:

                Failure Reason:                    An Error occured during Logon.

                Status:                                    0xC000005E

                Sub Status:                            0x0

 

Detailed Authentication Information:

                Logon Process:                     NtLmSsp

                Authentication Package:    NTLM

                Transited Services:              -

                Package Name (NTLM only):              -

                Key Length:                           0

 

 

Any ideas on why this is failing? And why is it trying to use NTLM rather than Kerberos?

 

The user is in the local administrators group so has access to the server.

 

Thanks

Tom



HBVB trading as Bauer Corporate Services (BCS) is a division of the Bauer Media
Group the largest consumer publisher in the UK, and second largest commercial
radio broadcaster. BCS provides financial services and manages and develops IT
systems on which our UK publishing, broadcast, digital and partner businesses depend.

The information in this email is intended only for the addressee(s) named above.
Access to this email by anyone else is unauthorised. If you are not the intended
recipient of this message any disclosure, copying, distribution or any action
taken in reliance on it is prohibited and may be unlawful. HBVB do not warrant that
any attachments are free from viruses or other defects and accept no liability for
any losses resulting from infected email transmissions.

Please note that any views expressed in this email may be those of the originator
and do not necessarily reflect those of this organisation.

HBVB is registered in England; Registered address is
1 Lincoln Court, Lincoln Road, Peterborough, PE1 2RF.

Registration number 8453545

 

 


Archive powered by MHonArc 2.6.16.

§