- From: o haya <
>
- To:
- Cc:
- Subject: [chef] Re: Re: Getting "Access denied" when use mount in recipe and run chef-client remotely via winrm
- Date: Thu, 2 Jul 2015 12:24:13 -0700
Hi,
Thanks for the info. I was just about to post that I've had some success
today, but doing something different... leveraging the Chef Windows service.
What I did was set the user's credentials in place of whatever was in that
service (in my case the Windows domain Administrator) and then let the
service fire off my recipe/cookbook. I have to so some tweaking of the
design of my recipes to prevent them from re-running more than once, but I
was surprised that it works after that.
I had seen mention of using task scheduler/schtasks before, and I would've
tried that for this situation, but when I was looking into how to do
processing across reboots, but even though I was able to get the task
scheduling part done, the recipes appeared to run into the same type of
access denied problems. I fought with that for a couple of days, and finally
gave up on it.
In particular, I was doing a recipe for deploying Exchange, and it required
installing some prerequisites and then a reboot and then the actual
installation. So back then, I would have the first part of the recipe create
a scheduled task via schtasks, for the 2nd part, but when the 2nd part, which
was what actually ran the setup.exe and psconfig.exe, ran, it kept throwing
errors indicating that something wasn't accessible.
So, at this point, the service approach is the only approach that works for
me.
Thanks again,
Jim
P.S. I kind of guessed that there wasn't something, but I posted because the
threads, etc I found on the credssp and chef were a couple of years old, and
was hoping that there'd be something better by now :(...
--------------------------------------------
On Thu, 7/2/15, Steven Murawski
<
>
wrote:
Subject: [chef] Re: Getting "Access denied" when use mount in recipe and run
chef-client remotely via winrm
To:
Cc: "o haya"
<
>
Date: Thursday, July 2, 2015, 3:02 PM
You are hitting one of the
core challenges in dealing with Windows remote management.
The ruby WinRM gem, which we use for knife-windows,
doesn't support CredSSP credential delegation (and there
are security concerns with that anyway). A better
workaround would be to create a scheduled task that will run
Chef Client and trigger that from winrm (with schtasks
/run). This gets around the logon type and credential
delegation issues running in WinRM provide.
The cause of the issue is that when you
land in a remote shell hosted inside WinRM (either WinRS or
PowerShell Remoting), you're connecting to a service and
that service does not have the right to pass on your
credentials to other services/computers. So when you try
to mount the outside resource, it attempts to connect as the
computer's Network Service account. The path around
this is either Kerberos delegation (which has requirements
on the client side and in Active Directory) or CredSSP,
which the WinRM gem doesn't handle. Task scheduler
suffers no such problems (and is a better way to run Chef
Client - and closer to how it should run in a production
context.
Steve
Steven MurawskiCommunity Software Development Engineer @
ChefMicrosoft MVP - PowerShell
http://stevenmurawski.com
On 7/1/2015 9:54:21
PM, o haya
<
>
wrote:Hi,
I have been implementing some
recipes/cookbooks for deploying and configuring Sharepoint
and Exchange onto our Windows servers. These servers would
be domain mmembers.
I was originally testing by logging into
one of the Windows server and then running "chef-client
-o myCookbook" and was finally able to get them working
this past week.
Both sets of recipes expect the respective
installation files to be shared out from the domain
controller and the recipes do a "mount" to
"Z:" drive, and then the recipes do "cd
z:\" and then execute the appropriate .exe inside a
powershell_script resource.
As I said, I got these recipes working this
week, but in the real world, we would want to trigger the
cookbook/recipe execution remotely using like "knife
winrm", so I started testing the recipes using
"knife winrm" this weekend, and, in both cases, I
ran into similar problems with both sets of recipes.
The first problem was that the
"mount" would fail with "access denied",
so I've since tried (a) pre-creating the mapped drive
outside of Chef and also (b) physically copying the entire
directories of installation software to the local C: drive
and running the installations off of the local files.
Unfortunately, neither (a) nor (b) approach
worked either. These failures occur at different points of
the installation, but my impression is that all the failures
are coming down to some kind of access denied or violation.
So, I've spent most of this weekend
testing and researching, which lead me to find some older
threads and information on things like credssp an
"2-hop" that seem to indicate that these problems
have been around for awhile, so I was wondering if
there's some mechanism or configuration that should fix
he problem nowadays?
Also, I should mention that I'm tried
setting the WinRM CredSSP to "true" on both the
server side and on my client (Chef workstation) side, but
that hasn't made any difference.
Can anyone here tell me how I can get these
cookbooks/recipes to work using "knife winrm"?
Thanks,
Jim
- [chef] Getting "Access denied" when use mount in recipe and run chef-client remotely via winrm, o haya, 07/01/2015
- [chef] Re: Getting "Access denied" when use mount in recipe and run chef-client remotely via winrm, Steven Murawski, 07/02/2015
- [chef] Re: Re: Getting "Access denied" when use mount in recipe and run chef-client remotely via winrm, o haya, 07/02/2015
- [chef] Re: Re: Getting "Access denied" when use mount in recipe and run chef-client remotely via winrm, o haya, 07/02/2015
- [chef] Re: Re: Re: Getting "Access denied" when use mount in recipe and run chef-client remotely via winrm, Tensibai Zhaoying, 07/02/2015
- [chef] Re: Re: Re: Re: Getting "Access denied" when use mount in recipe and run chef-client remotely via winrm, Steven Murawski, 07/02/2015
- [chef] Re: Re: Re: Re: Re: Getting "Access denied" when use mount in recipe and run chef-client remotely via winrm, o haya, 07/02/2015
- [chef] Re: Re: Re: Re: Re: Re: Getting "Access denied" when use mount in recipe and run chef-client remotely via winrm, Tensibai Zhaoying, 07/02/2015
- [chef] Re: Re: Re: Re: Re: Re: Re: Getting "Access denied" when use mount in recipe and run chef-client remotely via winrm, o haya, 07/02/2015
- [chef] Re: Re: Re: Re: Re: Re: Re: Getting "Access denied" when use mount in recipe and run chef-client remotely via winrm, o haya, 07/02/2015
- [chef] Re: Re: Re: Re: Re: Re: Re: Getting "Access denied" when use mount in recipe and run chef-client remotely via winrm, o haya, 07/02/2015
- [chef] Re: Re: Re: Re: Re: Re: Re: Re: Getting "Access denied" when use mount in recipe and run chef-client remotely via winrm, Tensibai Zhaoying, 07/02/2015
- [chef] Re: Re: Re: Re: Re: Re: Re: Re: Re: Getting "Access denied" when use mount in recipe and run chef-client remotely via winrm, o haya, 07/02/2015
Archive powered by MHonArc 2.6.16.