Problem to use wsman cli "gss" option w/o password?


ywang529
Trying to make Kerberos work with SSO: I was able to SSO to a Linux/Ubuntu box using a Windows AD user, and was able to do "kinit/klist" to issue/list a Kerberos ticket without problems, and the winrm setting on the Windows side seems okay too. But I am having a problem issuing a WMI request from Linux using the wsman CLI command with the gss option (see below).

I wonder if this has been asked before? Other than "-d 6", are there any other logs or debug options? Thanks.

The command is working if password is supplied:
$ wsman -h hostname -u administrator@SAMPLE.COM --auth=gss enumerate http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_Service -d 6

The command is NOT working if password is not supplied:
$ wsman -h hostname -u administrator@SAMPLE.COM --auth=gss enumerate http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_Service -d 6
Jul 21 15:25:50  cl->authentication.verify_peer: 1
Jul 21 15:25:50  *****set post buf len = 895******
* Hostname was NOT found in DNS cache
*   Trying 10.x.x.x...
* Connected to hostname (10.x.x.x) port 5985 (#0)
> POST /wsman HTTP/1.1
Host: hostname:5985
Accept: */*
Content-Type: application/soap+xml;charset=UTF-8
User-Agent: WS-Management for all
Content-Length: 895

* upload completely sent off: 895 out of 895 bytes
< HTTP/1.1 401
* Server Microsoft-HTTPAPI/2.0 is not blacklisted
< Server: Microsoft-HTTPAPI/2.0
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Kerberos
< WWW-Authenticate: Basic realm="WSMAN"
< WWW-Authenticate: CredSSP
< Date: Thu, 21 Jul 2016 15:25:41 GMT
< Connection: close
< Content-Length: 0
<
* Closing connection 0
Jul 21 15:25:50  GSS-Negotiate authentication is used
Jul 21 15:25:50  Invoking Auth request callback
Authentication failed, please retry
User name:
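
Added example (not part of the original post, and not openwsman code): a small Python triage helper for a "-d 6" trace like the one above. It lists the auth schemes the server offered and the schemes the client actually sent, and flags a trace in which Negotiate was offered but never sent before the credential callback fired. The function names and the abridged sample trace are constructed for illustration.

```python
import re

# Constructed sample: abridged from the "-d 6" trace quoted in the first post.
SAMPLE_TRACE = """\
> POST /wsman HTTP/1.1
Host: hostname:5985
Content-Type: application/soap+xml;charset=UTF-8

< HTTP/1.1 401
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Kerberos
< WWW-Authenticate: Basic realm="WSMAN"
< WWW-Authenticate: CredSSP
< Connection: close
* Closing connection 0
Jul 21 15:25:50  GSS-Negotiate authentication is used
Jul 21 15:25:50  Invoking Auth request callback
Authentication failed, please retry
"""

def summarize_trace(trace):
    """Collect HTTP statuses, offered and sent auth schemes from a verbose trace."""
    out = {"statuses": [], "offered": [], "sent": [], "callback": False}
    in_request = False
    for raw in trace.splitlines():
        if raw.startswith(">"):            # request line (or "> "-prefixed header)
            in_request, body = True, raw[1:].strip()
        elif raw.startswith(("<", "*")) or not raw.strip():
            in_request, body = False, raw.lstrip("<").strip()
        else:
            body = raw.strip()             # unprefixed request header or log line
        if in_request:
            m = re.match(r"Authorization:\s*(\S+)", body, re.I)
            if m:
                out["sent"].append(m.group(1))   # scheme only, never the token
        elif raw.startswith("<"):
            m = re.match(r"HTTP/\S+\s+(\d{3})", body)
            if m:
                out["statuses"].append(int(m.group(1)))
            m = re.match(r"WWW-Authenticate:\s*(\S+)", body, re.I)
            if m:
                out["offered"].append(m.group(1))
        if "Invoking Auth request callback" in raw:
            out["callback"] = True
    return out

def negotiate_never_attempted(summary):
    """True when the server offered Negotiate but no request carried it."""
    return ("Negotiate" in summary["offered"]
            and "Negotiate" not in summary["sent"]
            and summary["callback"])
```

Only the scheme name is recorded from an Authorization header, so the summary can be pasted into a ticket or mailing-list post without exposing a token or Basic credentials.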

Re: Problem to use wsman cli "gss" option w/o password?

veewus
I think the only way to communicate with WinRM is through 'Basic' authorization *and* 'Unencrypted' messages. The problem here is that openwsman utilizes curl to perform the actual requests, and it just supports the standard ways to use HTTP. When using non-Basic auth in WinRM, it always requires the messages to be encrypted, in the ms way which curl cannot parse.
This is why the wiki tells to configure WinRM like this in the first place.
I believe openwsman is not designed to be compatible with WinRM from the ground up.

However, if you really need this feature and have plenty of time planned for it, you could implement a proxy under curl or even get rid of curl entirely to do the communication part yourself. I know people who have done this sort of thing successfully to make openwsman work with WinRM through Negotiate.
You may need to work through the Windows protocols yourself: https://msdn.microsoft.com/en-us/library/cc216517.aspx

Re: Problem to use wsman cli "gss" option w/o password?

ywang529
Thanks for your response. We are thinking about developing our own communication to integrate with openwsman; just wanted to confirm before starting to do that.