
Rundeck Node Authentication with domain account

I have installed Rundeck 4.8.0 on Redhat 9. I have a Windows 2022 Server node. I have a local account on the node called rundeck, which is in the Administrators group. In Rundeck key storage I made a password key with the password of the local rundeck account. In my project I have a yaml file pointing to the node with the rundeck username. This works, and I can run jobs on the node that call powershell scripts.

But now I want to use a domain account, rundeck@MANAGEMENT.CORP

I have installed the necessary applications: yum install gcc python-devel krb5-devel krb5-workstation python-devel python3-devel

In my project configuration, under the default node executor, I first tried the built-in "WinRM Node Executor Python"

Interpreter - Python3
Authentication - Kerberos
username - rundeck@MANAGEMENT.CORP
Password - path to key store
Protocol - http
shell - powershell
krb5C Config file - /etc/krb5.conf

My /etc/krb5.conf

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    dns_canonicalize_hostname = fallback
    qualify_shortname = ""
    default_ccache_name = KEYRING:persistent:%{uid}
    udp_preference_limit = 0
    default_realm = MANAGEMENT.CORP

[realms]
  MANAGEMENT.CORP = {
     kdc = NYMGMTDC01.management.corp
     admin_server = NYMGMTDC01.management.corp
     default_domain = MANAGEMENT.CORP
}

[domain_realm]
  .management.corp = MANAGEMWNT.CORP
  management.corp = MANAGEMWNT.CORP

On the Windows node, the winrm config looks like this

winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = true
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 1024
        MaxShellsPerUser = 2147483647

When I test the node, I get this error:

[ERROR  ]  generate_request_header(): authGSSClientStep() failed: (kerberos_.py:257)[winrm.vendor.requests_kerberos.kerberos_]
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/winrm/vendor/requests_kerberos/kerberos_.py", line 245, in generate_request_header
    result = kerberos.authGSSClientStep(self.context[host],
kerberos.GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))
[ERROR  ]  (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377)) (kerberos_.py:259)[winrm.vendor.requests_kerberos.kerberos_]

From my googling, this indicates a missing SPN, but the node's SPNs look fine.

setspn -L NYMGMTRDNODE01
Registered ServicePrincipalNames for CN=NYMGMTRDNODE01,OU=Servers1,OU=Servers,OU=Management,DC=management,DC=corp:
        WSMAN/NYMGMTRDNODE01.management.corp:5985
        TERMSRV/NYMGMTRDNODE01.management.corp
        WSMAN/NYMGMTRDNODE01.management.corp
        RestrictedKrbHost/NYMGMTRDNODE01.management.corp
        HOST/NYMGMTRDNODE01.management.corp
        TERMSRV/NYMGMTRDNODE01
        WSMAN/NYMGMTRDNODE01
        RestrictedKrbHost/NYMGMTRDNODE01
        HOST/NYMGMTRDNODE01

I even had our admin add "WSMAN/NYMGMTRDNODE01.management.corp:5985" in case the port was not being specified. Also, on the node itself, I tested the winrm connection.

winrm identify -r:http://NYMGMTRDNODE01.management.corp:5985 -auth:kerberos -u:rundeck@MANAGEMENT.CORP -p:PASSWORD -encoding:utf-8

IdentifyResponse
    ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor = Microsoft Corporation
    ProductVersion = OS: 10.0.20348 SP: 0.0 Stack: 3.0
    SecurityProfiles
        SecurityProfileName = http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/basic, http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/spnego-kerberos

So next I tried the Overthere WinRM plugin rundeck-winrm-plugin-1.3.8.jar. I created a resources.xml file:

<node name="NYMGMTRDNODE01"
description="Windows node"
tags="Windows"
hostname="NYMGMTRDNODE01.MANAGEMENT.CORP"
username="rundeck"
osFamily="Windows"
osName="Microsoft Windows Server 2022Standard"
osArch="amd64"
node-executor="overthere-winrm"
winrm-auth-type="kerberos"
winrm-protocol="http"
winrm-cmd="Powershell"
winrm-kerberos-debug="true"
winrm-domain="MANAGEMENT.CORP"
winrm-port="5985"
winrm-timeout="PT28800.000S"
winrm-connection-timeout="28800000"
connectionType="WINRM_NATIVE"
winrm-password-storage-path="keys/NYMGMTRDNODE01.password"/>

When I test this node, the debug shows:

Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
        [Krb5LoginModule] user entered username: srv-rundeck@MANAGEMENT.CORP
principal is srv-rundeck@MANAGEMENT.CORP
Commit Succeeded

and then the error:

[overthere-winrm:NYMGMTRDNODE01.MANAGEMENT.CORP] failed: WinRM Error: Unexpected HTTP response on http://NYMGMTRDNODE01.MANAGEMENT.CORP:5985/wsman:   (401)
Failed: WinRMProtocolError: WinRM Error: Unexpected HTTP response on http://NYMGMTRDNODE01.MANAGEMENT.CORP:5985/wsman:   (401)
Execution failed: 106 in project Staging-Windows: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [NYMGMTRDNODE01: WinRMProtocolError: WinRM Error: Unexpected HTTP response on http://NYMGMTRDNODE01.MANAGEMENT.CORP:5985/wsman:   (401) + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, Node failures: {NYMGMTRDNODE01=[WinRMProtocolError: WinRM Error: Unexpected HTTP response on http://NYMGMTRDNODE01.MANAGEMENT.CORP:5985/wsman:   (401) + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, status: failed]

I have found a lot of posts with the "Unexpected HTTP response (401)" problem. I have tried following all the fixes; some seem to have no solution and some do.

I have been at this for 48 hours straight. So any ideas, any help would be greatly appreciated.

Thank you.
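The "Server not found in Kerberos database" error comes back from the KDC when the client asks for a service principal the KDC cannot resolve, and the first thing that determines which principal the client asks for is the [domain_realm] section of krb5.conf. The following is an added example, not code from the question, from Rundeck or from pywinrm: a small krb5.conf parser that checks that every realm named in [domain_realm] is actually defined in [realms], derives the realm a hostname maps to (an approximation of libkrb5's lookup with dns_lookup_realm = false), and prints the HTTP/host@REALM principal a WinRM client would request. The sample config is constructed from the one quoted above, including its MANAGEMWNT.CORP spelling in [domain_realm], so the check has something to report.

```python
"""Sanity-check a krb5.conf before debugging a GSS/WinRM failure.
Added example; not part of the original post or of Rundeck/pywinrm."""
import re

# Constructed sample modelled on the krb5.conf quoted in the question.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = false
    rdns = false
    default_realm = MANAGEMENT.CORP

[realms]
  MANAGEMENT.CORP = {
     kdc = NYMGMTDC01.management.corp
     admin_server = NYMGMTDC01.management.corp
  }

[domain_realm]
  .management.corp = MANAGEMWNT.CORP
  management.corp = MANAGEMWNT.CORP
"""


def parse_krb5_conf(text):
    """Minimal parser for the krb5.conf profile format.
    Returns {section: {key: value}}; a 'key = { ... }' block becomes a nested dict."""
    sections = {}
    stack = []  # innermost dict last; empty until the first [section] header
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            continue  # key/value before any section header: ignore
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        kv = re.match(r"^([^=]+?)\s*=\s*(.*)$", line)
        if not kv:
            continue
        key, value = kv.group(1), kv.group(2).strip()
        if value == "{":
            sub = {}
            stack[-1][key] = sub
            stack.append(sub)
        else:
            stack[-1][key] = value
    return sections


def check_domain_realm(conf):
    """Realms that [domain_realm] maps to but [realms] never defines.
    A client hitting such a mapping asks its own KDC for a cross-realm ticket
    to a realm nobody knows, and the KDC answers with a 'not found' error."""
    defined = set(conf.get("realms", {}))
    targets = set(conf.get("domain_realm", {}).values())
    return sorted(targets - defined)


def realm_for_host(conf, hostname):
    """Approximates libkrb5's [domain_realm] lookup with dns_lookup_realm off:
    exact hostname first, then each parent domain with a leading dot
    (.management.corp, .corp), finally default_realm."""
    host = hostname.lower()
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf.get("libdefaults", {}).get("default_realm")


def winrm_target_principal(conf, hostname, service_class="HTTP"):
    """The service principal a GSSAPI client requests for 'HTTP@hostname';
    the hostname is lower-cased the way krb5_sname_to_principal does."""
    return f"{service_class}/{hostname.lower()}@{realm_for_host(conf, hostname)}"


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    node = "NYMGMTRDNODE01.management.corp"
    print("undefined realms referenced by [domain_realm]:", check_domain_realm(conf))
    print("principal the WinRM client will request:", winrm_target_principal(conf, node))
```

Run it against the real /etc/krb5.conf by reading the file into parse_krb5_conf instead of the constructed sample; a non-empty result from check_domain_realm means the client is requesting tickets in a realm the KDC has never heard of, which is worth ruling out before touching SPNs.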

Have your admin run this, then try again:

setspn -S HTTP/NYMGMTRDNODE01.MANAGEMENT.CORP:5985 rundeck
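Whether an SPN registration like the one above is needed depends on which principal the client asks for and which registered SPN the KDC can satisfy it with: Kerberos matches the whole SPN string, so HTTP/host and HTTP/host:5985 are different principals, and a Windows KDC will fall back to the HOST/ SPN only for the service classes listed in the forest's sPNMappings attribute. The following is an added example, not code from the answer or from Rundeck: it parses setspn -L output (a constructed sample modelled on the one in the question) and reports which registered SPN, if any, would satisfy a request. It assumes that http is in the default sPNMappings list and wsman is not, and that pywinrm's requests_kerberos layer requests the port-less HTTP/<hostname> principal regardless of the port in the WinRM URL.

```python
"""Which registered SPN satisfies a Kerberos service-ticket request?
Added example; not from the original answer or from Rundeck/pywinrm."""

# ASSUMPTION: partial list of service classes a Windows KDC maps to HOST/
# via the forest's default sPNMappings attribute. 'http' is assumed to be
# in that list and 'wsman' not; confirm against your own forest.
HOST_MAPPED_CLASSES = {"http", "www", "cifs", "rpc", "dns", "time"}

# Constructed sample modelled on the 'setspn -L NYMGMTRDNODE01' output in the question.
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=NYMGMTRDNODE01,OU=Servers,DC=management,DC=corp:
        WSMAN/NYMGMTRDNODE01.management.corp:5985
        TERMSRV/NYMGMTRDNODE01.management.corp
        WSMAN/NYMGMTRDNODE01.management.corp
        RestrictedKrbHost/NYMGMTRDNODE01.management.corp
        HOST/NYMGMTRDNODE01.management.corp
        TERMSRV/NYMGMTRDNODE01
        WSMAN/NYMGMTRDNODE01
        RestrictedKrbHost/NYMGMTRDNODE01
        HOST/NYMGMTRDNODE01
"""


def parse_setspn(text):
    """Registered SPNs as a set of (service_class, host, port_or_None), lower-cased."""
    spns = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Registered") or "/" not in line:
            continue
        service_class, rest = line.split("/", 1)
        host, _, port = rest.partition(":")
        spns.add((service_class.lower(), host.lower(), port or None))
    return spns


def requested_spn(service_class, hostname, port=None):
    """Normalise a request to the same tuple shape as parse_setspn()."""
    return (service_class.lower(), hostname.lower(), port)


def winrm_client_request(hostname):
    """requests_kerberos builds the GSS name 'HTTP@<hostname>', i.e. it asks for
    the port-less HTTP/<hostname> SPN even though WinRM listens on 5985."""
    return requested_spn("HTTP", hostname)


def fmt(spn):
    service_class, host, port = spn
    return f"{service_class.upper()}/{host}" + (f":{port}" if port else "")


def find_match(requested, registered):
    """Return the registered SPN string that satisfies the request, or None.
    Exact match first; otherwise the KDC retries with the class replaced by
    HOST (same host and port) for the mapped service classes only."""
    service_class, host, port = requested
    if requested in registered:
        return fmt(requested)
    fallback = ("host", host, port)
    if service_class in HOST_MAPPED_CLASSES and fallback in registered:
        return fmt(fallback) + " (via sPNMappings)"
    return None


if __name__ == "__main__":
    registered = parse_setspn(SAMPLE_SETSPN_OUTPUT)
    node = "NYMGMTRDNODE01.management.corp"
    for request in (winrm_client_request(node),
                    requested_spn("HTTP", node, "5985"),
                    requested_spn("WSMAN", node, "5985")):
        print(fmt(request), "->", find_match(request, registered))
```

With the sample registrations, the port-less HTTP/host request that pywinrm makes is already satisfied through HOST/host, while HTTP/host:5985 matches nothing until an SPN of exactly that form is registered; comparing the two lines of output against the principal your client actually requests tells you whether an extra setspn is addressing the real gap.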

Actually John, I misunderstood your answer. What I did was:

setspn -A WSMAN/NYMGMTRDNODE01:5985 MANAGEMENT\srv-rundeck

Thanks
