Problem to use wsman cli "gss" option w/o password?
Trying to make Kerberos work with SSO: was able to SSO to a Linux/Ubuntu box using a Windows AD user, and was able to do "kinit/klist" to issue/list a Kerberos ticket without problem, and the winrm setting on the Windows side seems okay too. But having a problem issuing a WMI request from Linux using the wsman cli command with the gss option (see below).
Wonder if this has been asked before? Other than "-d 6", are there any other logs or debug options? Thanks.
The command is NOT working if a password is not supplied:
$ wsman -h hostname -u administrator@SAMPLE.COM --auth=gss enumerate http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_Service -d 6
Jul 21 15:25:50 cl->authentication.verify_peer: 1
Jul 21 15:25:50 *****set post buf len = 895******
* Hostname was NOT found in DNS cache
* Trying 10.x.x.x...
* Connected to hostname (10.x.x.x) port 5985 (#0)
> POST /wsman HTTP/1.1
User-Agent: WS-Management for all
* upload completely sent off: 895 out of 895 bytes
< HTTP/1.1 401
* Server Microsoft-HTTPAPI/2.0 is not blacklisted
< Server: Microsoft-HTTPAPI/2.0
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Kerberos
< WWW-Authenticate: Basic realm="WSMAN"
< WWW-Authenticate: CredSSP
< Date: Thu, 21 Jul 2016 15:25:41 GMT
< Connection: close
< Content-Length: 0
* Closing connection 0
Jul 21 15:25:50 GSS-Negotiate authentication is used
Jul 21 15:25:50 Invoking Auth request callback
Authentication failed, please retry
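An added example, not part of the original post or of openwsman: a small parser for a curl-style verbose trace like the one above. It reports which schemes the server offered on the 401 and whether the request carried an Authorization header at all, which separates a bare challenge from a rejected credential. The sample trace is constructed from the shape of the output above, and the function names are hypothetical.

```python
import re
# Constructed sample, abridged from the shape of the "-d 6" trace in the post.
SAMPLE_TRACE = """\
> POST /wsman HTTP/1.1
User-Agent: WS-Management for all
* upload completely sent off: 895 out of 895 bytes
< HTTP/1.1 401
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Kerberos
< WWW-Authenticate: Basic realm="WSMAN"
< WWW-Authenticate: CredSSP
"""
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d")
STATUS_LINE = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})")

def first_token(header_line):  # scheme named in "Header: Scheme ...", or None
    parts = header_line.split(":", 1)[1].split()
    return parts[0] if parts else None

def summarize_trace(text):
    """Group a curl-style verbose trace into HTTP exchanges with their auth state."""
    exchanges, cur, in_request = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        body = line[2:] if line[:2] in ("> ", "< ") else line
        if line.startswith("> ") and REQUEST_LINE.match(body):
            cur = {"request": body, "sent": None, "status": None, "offered": []}
            exchanges.append(cur)
            in_request = True
        elif cur is None:
            continue  # nothing to attach to before the first request line
        elif line.startswith("< "):
            in_request = False
            status = STATUS_LINE.match(body)
            if status:
                cur["status"] = int(status.group(1))
            elif body.lower().startswith("www-authenticate:"):
                cur["offered"].append(first_token(body))
        elif line.startswith("* ") or not line:
            in_request = False  # info line or blank line ends the header block
        elif in_request and body.lower().startswith("authorization:"):
            cur["sent"] = first_token(body)  # header may lack the "> " prefix
    return exchanges

def diagnose(ex):
    """Tell a bare challenge apart from a rejected credential."""
    if ex["status"] != 401:
        return "not an auth failure"
    return "rejected " + ex["sent"] if ex["sent"] else "challenge only, no credentials sent"
```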
Re: Problem to use wsman cli "gss" option w/o password?
I think the only way to communicate with WinRM is through 'Basic' authorization *and* 'Unencrypted' messages. The problem here is that openwsman utilizes curl to perform the actual requests, and it just supports the standard ways to use HTTP. When using non-Basic auth in WinRM, it always requires the messages to be encrypted, in the MS way which curl cannot parse.
This is why the wiki says to configure WinRM like this in the first place.
I believe openwsman is not designed to be compatible with WinRM from the ground up.
However, if you really need this feature and have plenty of time planned for it, you could implement a proxy under curl or even get rid of curl entirely to do the communication part yourself. I know people who have done this sort of thing successfully to make openwsman work with WinRM through Negotiate.
You may need to work through Windows protocols yourself: https://msdn.microsoft.com/en-us/library/cc216517.aspx