I have a Jenkins machine running builds, but I would like to run scripts as alternative users across operating systems on my Jenkins slaves. I can do this on my GNU/Linux boxes using symmetrical keys and authorized_keys in ssh, but I am having quite a lot of trouble doing the same on some Windows machines. I would like to use Powershell to run the commands I am interested in.
I am getting Access Denied errors as the user I would like to have run a specific command. I can run Invoke-Command with Get-Credential with an AD administrative account, and it works correctly but not as other AD users, so I know winrm is running as it should.
How do I add a specific AD user to run Invoke-Command or Enter-PSSession on a specific host?
And related to that question, how does the AD Admin have access to any machine running winrm? Can I emulate that in some way locally for one user on a targeted machine?
If you're authenticating like this then you'll need to export a new file for each authenticating user, and after password changes:
read-host -assecurestring | convertfrom-securestring | out-file UserOneSecureString.txt
I'll beg off the more general parts of your question with docs for about_remote and about_remote_troubleshooting, which you may have seen.
After a bit of reading, this question can be reduced to Impersonating a domain user on a host in Powershell non-interactively.
To impersonate a user in powershell non-interactively you must do the following:
The host we will use needs to have Windows Remote Management enabled, there is a powershell command to do all the work for you.
Enable-PSRemoting -Force
If the user is not an administrator on the host, you must add it to the Powershell Session Configuration. You can then control what kind of access you would like to give to the user on that host.
Set-PSSessionConfiguration Microsoft.PowerShell -ShowSecurityDescriptorUI
Credssp deals with the double-hop or second-hop issue on Microsoft products. This allows credential forwarding to occur for users to access services that may not be on the local host, such as network shares. In many cases, this is an issue when logging into machine B from machine A and needing a resource on machine C.
In this case, machine A and B are the same host, so we enable Credssp on the host as both the Client and Server roles.
Enable-WSManCredSSP -Role Client -Delegate $env:COMPUTERNAME
Enable-WSManCredSSP -Role Server
This is mentioned in one of the answers by 'noam'.
An asymmetrical key can be used by exporting the domain user's password to a file.
Then, the file can be read and a new powershell session can be started on the host.
Read-Host -AsSecureString "Write the password: " | ConvertFrom-SecureString | Out-File C:\somelocation\users-pass-key-file.txt
Now you can initiate a non-interactive login session in Powershell by reading the file with the key, and logging into the host.
$user = "DOMAIN\username"
$passkey = Get-Content C:\somelocation\users-pass-key-file.txt | ConvertTo-SecureString
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user,$passkey
Invoke-Command -ComputerName $env:COMPUTERNAME -ScriptBlock { Write-Output $env:USERNAME } -Credential $credential -Authentication Credssp
After doing the previous steps you can use your Jenkins slaves or master to execute Powershell commands on behalf of another user. This will have to be done by running Invoke-Command with the appropriate preface using the credentials stored on the host in question.
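The steps above collected into one script that a Jenkins job can run unattended, as an added example that is not part of the answer. The account DOMAIN\builduser, the file C:\jenkins\builduser.cred and the share \\fileserver\builds are placeholders. It replaces the -ShowSecurityDescriptorUI dialog with membership in the built-in Remote Management Users group, which the default Microsoft.PowerShell endpoint already allows on Windows 8 / Server 2012 and later, and verifies the endpoint permission and CredSSP state before it trusts the credential.

```powershell
# Added example, not the answer's own code. Run on the Jenkins slave itself.
$ErrorActionPreference = 'Stop'
$TargetUser = 'DOMAIN\builduser'            # assumption: account the build should run as
$CredFile   = 'C:\jenkins\builduser.cred'   # assumption: DPAPI-protected password file
$Target     = $env:COMPUTERNAME             # client and server are the same host here

# ---- one-time setup, run elevated ------------------------------------------
Enable-PSRemoting -Force

# Both roles on one box. Delegate only to this host, never to '*': CredSSP hands
# the target a reusable copy of the password, so the delegation list is the
# blast radius if that target is compromised.
Enable-WSManCredSSP -Role Client -DelegateComputer $Target -Force
Enable-WSManCredSSP -Role Server -Force

# Non-interactive equivalent of the -ShowSecurityDescriptorUI step: the default
# endpoint SDDL already grants BUILTIN\Remote Management Users, so group
# membership is enough and leaves the endpoint ACL untouched.
if (-not (Get-LocalGroupMember -Group 'Remote Management Users' -ErrorAction SilentlyContinue |
          Where-Object Name -eq $TargetUser)) {
    Add-LocalGroupMember -Group 'Remote Management Users' -Member $TargetUser
}

# ---- store the password once, as the SAME Windows account Jenkins runs as ---
# ConvertFrom-SecureString without -Key uses DPAPI: only this user on this
# machine can read the file back, so a copied file is useless elsewhere, but the
# file must be regenerated per slave and after every password change.
if (-not (Test-Path $CredFile)) {
    Read-Host -AsSecureString "Password for $TargetUser" |
        ConvertFrom-SecureString | Out-File $CredFile
}

# ---- checks worth running before every build -------------------------------
$perm = (Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
if ($perm -notmatch 'Remote Management Users' -and
    $perm -notmatch [regex]::Escape($TargetUser)) {
    throw "$TargetUser has no access to the Microsoft.PowerShell endpoint: $perm"
}
$sspState = Get-WSManCredSSP     # two lines: client delegation list and server state
if (-not ($sspState -join "`n" -match 'is enabled')) {
    throw "CredSSP is not enabled on $Target"
}

# ---- per build: rebuild the credential and run as the target user ----------
$secure = Get-Content $CredFile | ConvertTo-SecureString
$cred   = New-Object System.Management.Automation.PSCredential ($TargetUser, $secure)

$result = Invoke-Command -ComputerName $Target -Credential $cred -Authentication Credssp -ScriptBlock {
    # USERNAME proves whose token the script block got; the share test proves the
    # second hop worked, which plain Kerberos/NTLM remoting would fail.
    [pscustomobject]@{
        RunningAs     = "$env:USERDOMAIN\$env:USERNAME"
        CanReachShare = Test-Path '\\fileserver\builds'   # assumption: placeholder UNC path
    }
}
$result
```

If the job runs as a service account, the Read-Host step has to be executed once interactively under that same account (for example with runas), because DPAPI keys the file to the account that wrote it, not to the file system path.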