[chef] Re: Getting "Access denied" when use mount in recipe and run chef-client remotely via winrm


  • From: "Steven Murawski"
  • To: (address removed in archive)
  • Cc: "o haya"
  • Subject: [chef] Re: Getting "Access denied" when use mount in recipe and run chef-client remotely via winrm
  • Date: Thu, 02 Jul 2015 14:02:44 -0500

You are hitting one of the core challenges in dealing with Windows remote management.  The Ruby WinRM gem, which we use for knife-windows, doesn't support CredSSP credential delegation (and there are security concerns with that anyway).  A better workaround would be to create a scheduled task that will run Chef Client and trigger that from WinRM (with schtasks /run).  This gets around the logon type and credential delegation issues that running in WinRM provides.

The cause of the issue is that when you land in a remote shell hosted inside WinRM (either WinRS or PowerShell Remoting), you're connecting to a service, and that service does not have the right to pass on your credentials to other services/computers.  So when you try to mount the outside resource, it attempts to connect as the computer's Network Service account.  The path around this is either Kerberos delegation (which has requirements on the client side and in Active Directory) or CredSSP, which the WinRM gem doesn't handle.  Task Scheduler suffers no such problems (and is a better way to run Chef Client - and closer to how it should run in a production context).

Steve

Steven Murawski
Community Software Development Engineer @ Chef
Microsoft MVP - PowerShell
http://stevenmurawski.com

On 7/1/2015 9:54:21 PM, o haya wrote:

Hi,

I have been implementing some recipes/cookbooks for deploying and configuring SharePoint and Exchange onto our Windows servers. These servers would be domain members.

I was originally testing by logging into one of the Windows servers and then running "chef-client -o myCookbook", and was finally able to get them working this past week.

Both sets of recipes expect the respective installation files to be shared out from the domain controller and the recipes do a "mount" to "Z:" drive, and then the recipes do "cd z:\" and then execute the appropriate .exe inside a powershell_script resource.

As I said, I got these recipes working this week, but in the real world we would want to trigger the cookbook/recipe execution remotely using something like "knife winrm", so I started testing the recipes using "knife winrm" this weekend, and in both cases I ran into similar problems with both sets of recipes.

The first problem was that the "mount" would fail with "access denied", so I've since tried (a) pre-creating the mapped drive outside of Chef and also (b) physically copying the entire directories of installation software to the local C: drive and running the installations off of the local files.

Unfortunately, neither approach (a) nor (b) worked either. These failures occur at different points of the installation, but my impression is that all the failures come down to some kind of access denied or violation.

So, I've spent most of this weekend testing and researching, which led me to find some older threads and information on things like CredSSP and the "2-hop" problem that seem to indicate that these problems have been around for a while, so I was wondering if there's some mechanism or configuration that should fix the problem nowadays?

Also, I should mention that I've tried setting the WinRM CredSSP to "true" on both the server side and on my client (Chef workstation) side, but that hasn't made any difference.

Can anyone here tell me how I can get these cookbooks/recipes to work using "knife winrm"?

Thanks,
Jim



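The scheduled-task workaround Steve describes, written out as an added example (this is not code from the thread, from knife-windows or from Chef). It registers a task on the node over plain PowerShell Remoting, triggers it with schtasks /run, waits for it to finish and reads back the chef-client exit code. Task Scheduler performs its own batch logon with the stored account credential, so the chef run has that account's network credentials and can reach the install share without CredSSP or Kerberos delegation. Node name sp01, the domain account CORP\chefsvc, the run list myCookbook and the chef-client.bat path are assumptions for illustration.

```powershell
# Added example: run chef-client under a scheduled task created and
# triggered over WinRM, avoiding the second-hop credential problem.
# Assumed (hypothetical) names: node sp01, service account CORP\chefsvc
# with read access to the install share, Chef installed in C:\opscode.
param(
    [string]$ComputerName = 'sp01',
    [string]$RunAs        = 'CORP\chefsvc',
    [string]$RunList      = 'myCookbook',
    [string]$TaskName     = 'ChefClientRun'
)

# Prompt for the task account's password so it never sits in the script.
# It travels to the node as a scriptblock argument inside the WinRM session
# (encrypted with Kerberos/Negotiate, or over HTTPS if the listener uses it).
$cred = Get-Credential -UserName $RunAs -Message "Password for $RunAs"

$remote = {
    param($TaskName, $RunAs, $Password, $RunList)

    $chef = 'C:\opscode\chef\bin\chef-client.bat'   # assumed install path
    $log  = 'C:\chef\chef-client-task.log'          # C:\chef exists on a registered node

    # /ru + /rp registers the task to run "whether the user is logged on or
    # not": Task Scheduler does a batch logon with the stored credential, so
    # the process holds the account's own network credentials (unlike the
    # WinRM-hosted shell, which cannot delegate the caller's credentials).
    # /rl highest gives chef-client an elevated token for installs.
    $cmd = "`"$chef`" -o $RunList -L `"$log`""
    & schtasks.exe /create /f /tn $TaskName /tr $cmd /sc once /st 00:00 `
        /ru $RunAs /rp $Password /rl highest | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "schtasks /create failed ($LASTEXITCODE)" }

    & schtasks.exe /run /tn $TaskName | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "schtasks /run failed ($LASTEXITCODE)" }

    # Poll the verbose list output until the task leaves the Running state.
    # (Field labels are the English-locale ones printed by schtasks.)
    do {
        Start-Sleep -Seconds 5
        $info   = & schtasks.exe /query /tn $TaskName /fo list /v
        $status = ($info | Select-String '^Status:\s+(.*)$').Matches[0].Groups[1].Value.Trim()
    } while ($status -eq 'Running')

    # Last Result is the exit code of the command the task ran (chef-client).
    $result = ($info | Select-String '^Last Result:\s+(.*)$').Matches[0].Groups[1].Value.Trim()

    # Delete the task so the stored credential does not outlive the run.
    & schtasks.exe /delete /f /tn $TaskName | Out-Null

    [pscustomobject]@{
        Node       = $env:COMPUTERNAME
        Status     = $status
        LastResult = [int]$result
        Log        = $log
    }
}

$out = Invoke-Command -ComputerName $ComputerName -ScriptBlock $remote `
    -ArgumentList $TaskName, $RunAs, $cred.GetNetworkCredential().Password, $RunList
$out | Format-Table -AutoSize
if ($out.LastResult -ne 0) {
    Write-Error "chef-client exited with $($out.LastResult) on $($out.Node); see $($out.Log) on the node"
}
```

The trade-off versus CredSSP is that /rp writes the password into Task Scheduler's credential store on the node, where a local administrator can recover it, so use a dedicated account with only the rights the run needs (read on the install share, local admin on the node) rather than a domain admin, and delete the task afterwards as the script does. On Windows Server 2012 or later a group managed service account removes the stored password entirely: register the task with Register-ScheduledTask and a principal from New-ScheduledTaskPrincipal -UserId 'CORP\chefsvc$' -LogonType Password, and the node fetches the gMSA password from Active Directory itself.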