chef - [chef] Re: Windows - access network shares via knife winrm

First login ?
Lost password ?

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] Re: Windows - access network shares via knife winrm

From: Steven Murawski < >
To: , Avargil, Raanan < >
Subject: [chef] Re: Windows - access network shares via knife winrm
Date: Thu, 4 Dec 2014 09:51:58 -0600

I don't believe the WinRM gem has support for CredSSP connections (which is what knife-windows uses).

If you are connecting from a Windows workstation and using knife-windows 0.8.2 (or newer) and you have Kerberos delegation enabled, that could get you around this problem as well.

Another solution would be to set chef-client up to run as a scheduled task and invoke that task from your knife winrm call. Then the task executes in the a fresh context and can delegate credentials.

Steve

Steven Murawski

Community Manager @ Chef

Microsoft MVP - PowerShell
http://stevenmurawski.com

On December 4, 2014 at 8:21:26 AM, Avargil, Raanan ( "> ) wrote:

Hi All,

I’m trying to run chef-client on many nodes from my chef workstation via knife winrm command.

One of my recipes, needs to access a shared network drive.

When I invoke chef-client manually within every node, there is no problem and the run ended successfully.

However, when I invoke chef-client on a node from my chef workstation via knife winrm command, I get “Access is denied” error message.

Narrowing the problem a little bit more I figured out that:

1)    knife winrm 143.185.0.1 -m -x 'user' -P 'password' 'dir c:\' – works.

2)    knife winrm 143.185.0.1 -m -x 'user' -P 'password' 'dir \\myserver\shares\' – doesn’t work.
143.185.0.1 Access is denied.

3)    winrs -r:143.185.0.1 -u:user -p:password dir \\ccdsrv01\shares - doesn’t work.

143.185.0.1 Access is denied.

4)    winrs -r:143.185.0.1 -allowDelegate -u:user -p:password dir \\ccdsrv01\shares - works!!!

The –allowDelegate flag allows winrm to delegate the credentials to multiple computers (multi hop).

(One also needs to enable CredSSP support)

Is there a way to tell knife winrm to delegate credentials over multi hops? After all, knife winrm encapsulates Microsoft winrm.

Is there another way to access network drive via knife winrm?

(I found an emails thread called “knife winrm browsing network shares” on chef mailing lists, but there was no solution there)

Thanks,

Raanan.

---------------------------------------------------------------------
Intel Israel (74) Limited

This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.

[chef] Windows - access network shares via knife winrm, Avargil, Raanan, 12/04/2014
- [chef] Re: Windows - access network shares via knife winrm, Steven Murawski, 12/04/2014
  - [chef] RE: Re: Windows - access network shares via knife winrm, Avargil, Raanan, 12/06/2014