Rundeck Node Authentication with domain account
I installed Rundeck 4.8.0 on Red Hat 9. I have a Windows Server 2022 node. On the node I have a local account named rundeck, which is in the Administrators group. In Rundeck key storage I created a password key holding the local rundeck account's password. In my project I have a YAML file pointing at the node with the rundeck username. This works, and I can run jobs on the node that call PowerShell scripts.
But now I want to use a domain account, rundeck@MANAGEMENT.CORP.
I have installed the necessary packages: yum install gcc python-devel krb5-devel krb5-workstation python-devel python3-devel
In my project configuration, under Default Node Executor, I first tried the built-in "WinRM Node Executor Python":
Interpreter - Python3
Authentication - Kerberos
username - rundeck@MANAGEMENT.CORP
Password - path to key store
Protocol - http
shell - powershell
krb5C Config file - /etc/krb5.conf
My /etc/krb5.conf:
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    dns_canonicalize_hostname = fallback
    qualify_shortname = ""
    default_ccache_name = KEYRING:persistent:%{uid}
    udp_preference_limit = 0
    default_realm = MANAGEMENT.CORP
[realms]
    MANAGEMENT.CORP = {
        kdc = NYMGMTDC01.management.corp
        admin_server = NYMGMTDC01.management.corp
        default_domain = MANAGEMENT.CORP
    }
[domain_realm]
    # realm names here must match the [realms] entry exactly, case included
    .management.corp = MANAGEMENT.CORP
    management.corp = MANAGEMENT.CORP
On the Windows node, the WinRM configuration looks like this:
winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = true
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 1024
        MaxShellsPerUser = 2147483647
When I test the node, I get this error:
[ERROR ] generate_request_header(): authGSSClientStep() failed: (kerberos_.py:257)[winrm.vendor.requests_kerberos.kerberos_]
Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/winrm/vendor/requests_kerberos/kerberos_.py", line 245, in generate_request_header
result = kerberos.authGSSClientStep(self.context[host],
kerberos.GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))
[ERROR ] (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377)) (kerberos_.py:259)[winrm.vendor.requests_kerberos.kerberos_]
According to my Google searches this indicates a missing SPN, but the node's SPNs look fine:
setspn -L NYMGMTRDNODE01
Registered ServicePrincipalNames for CN=NYMGMTRDNODE01,OU=Servers1,OU=Servers,OU=Management,DC=management,DC=corp:
WSMAN/NYMGMTRDNODE01.management.corp:5985
TERMSRV/NYMGMTRDNODE01.management.corp
WSMAN/NYMGMTRDNODE01.management.corp
RestrictedKrbHost/NYMGMTRDNODE01.management.corp
HOST/NYMGMTRDNODE01.management.corp
TERMSRV/NYMGMTRDNODE01
WSMAN/NYMGMTRDNODE01
RestrictedKrbHost/NYMGMTRDNODE01
HOST/NYMGMTRDNODE01
I even had our admin add "WSMAN/NYMGMTRDNODE01.management.corp:5985" in case the port was not being specified. Also, on the node itself, I tested the winrm connection:
winrm identify -r:http://NYMGMTRDNODE01.management.corp:5985 -auth:kerberos -u:rundeck@MANAGEMENT.CORP -p:PASSWORD -encoding:utf-8
IdentifyResponse
ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor = Microsoft Corporation
ProductVersion = OS: 10.0.20348 SP: 0.0 Stack: 3.0
SecurityProfiles
SecurityProfileName = http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/basic, http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/spnego-kerberos
So next I tried the Overthere WinRM plugin rundeck-winrm-plugin-1.3.8.jar. I created a resources.xml file:
<node name="NYMGMTRDNODE01"
      description="Windows node"
      tags="Windows"
      hostname="NYMGMTRDNODE01.MANAGEMENT.CORP"
      username="rundeck"
      osFamily="Windows"
      osName="Microsoft Windows Server 2022Standard"
      osArch="amd64"
      node-executor="overthere-winrm"
      winrm-auth-type="kerberos"
      winrm-protocol="http"
      winrm-cmd="Powershell"
      winrm-kerberos-debug="true"
      winrm-domain="MANAGEMENT.CORP"
      winrm-port="5985"
      winrm-timeout="PT28800.000S"
      winrm-connection-timeout="28800000"
      connectionType="WINRM_NATIVE"
      winrm-password-storage-path="keys/NYMGMTRDNODE01.password"/>
When I test this node, the debug output shows:
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
[Krb5LoginModule] user entered username: srv-rundeck@MANAGEMENT.CORP
principal is srv-rundeck@MANAGEMENT.CORP
Commit Succeeded
and then the error:
[overthere-winrm:NYMGMTRDNODE01.MANAGEMENT.CORP] failed: WinRM Error: Unexpected HTTP response on http://NYMGMTRDNODE01.MANAGEMENT.CORP:5985/wsman: (401)
Failed: WinRMProtocolError: WinRM Error: Unexpected HTTP response on http://NYMGMTRDNODE01.MANAGEMENT.CORP:5985/wsman: (401)
Execution failed: 106 in project Staging-Windows: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [NYMGMTRDNODE01: WinRMProtocolError: WinRM Error: Unexpected HTTP response on http://NYMGMTRDNODE01.MANAGEMENT.CORP:5985/wsman: (401) + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, Node failures: {NYMGMTRDNODE01=[WinRMProtocolError: WinRM Error: Unexpected HTTP response on http://NYMGMTRDNODE01.MANAGEMENT.CORP:5985/wsman: (401) + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, status: failed]
I found many posts with the "Unexpected HTTP response (401)" problem. I have tried to follow all the fixes; some people seem to have no solution, some do.
I have been at this for 48 hours straight. So any ideas, any help would be greatly appreciated.
Thank you.
Have your admin run this, then try again:
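An added check that is not part of the original question: "Server not found in Kerberos database" is what the KDC returns when a client asks it for a principal it does not hold, and a common way to end up there is a realm name in [domain_realm] that does not match the realm defined in [realms], which makes the client request a cross-realm ticket for a realm nobody serves. The Python script below (my own example, not Rundeck's or pywinrm's code) parses a krb5.conf-shaped file and reports such inconsistencies; the sample file is constructed and deliberately misspells the realm so the check fires.

```python
"""Added example: sanity-check a krb5.conf for realm-name consistency
before handing it to a Kerberos-authenticating WinRM client."""
import re

# Constructed sample modelled on the shape of the file in the question; the
# [domain_realm] mapping deliberately misspells the realm so the check fires.
SAMPLE_KRB5_CONF = """
[libdefaults]
    dns_lookup_kdc = false
    default_realm = MANAGEMENT.CORP

[realms]
    MANAGEMENT.CORP = {
        kdc = NYMGMTDC01.management.corp
        admin_server = NYMGMTDC01.management.corp
    }

[domain_realm]
    .management.corp = MANAGEMWNT.CORP
    management.corp = MANAGEMWNT.CORP
"""


def parse_krb5_conf(text):
    """Minimal parser: returns {section: {key: value}}; a 'key = { ... }' block
    becomes a nested dict under its key. Enough for libdefaults, realms and
    domain_realm; it is not a full krb5.conf grammar."""
    sections = {}
    current = None
    stack = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            current = sections.setdefault(m.group(1), {})
            stack = [current]
            continue
        if current is None:
            continue
        if line == '}':
            stack.pop()
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if value == '{':
            block = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1][key] = value
    return sections


def check_realms(conf):
    """Return a list of problems: realms referenced by default_realm or by
    [domain_realm] that have no [realms] definition (compared exactly, because
    realm names are case-sensitive), and a realm with no kdc while DNS KDC
    lookup is disabled."""
    problems = []
    realms = conf.get('realms', {})
    defaults = conf.get('libdefaults', {})
    default_realm = defaults.get('default_realm')
    if default_realm and default_realm not in realms:
        problems.append(f"default_realm {default_realm} has no [realms] entry")
    for domain, realm in conf.get('domain_realm', {}).items():
        if realm not in realms:
            problems.append(
                f"[domain_realm] {domain} -> {realm}: realm is not defined in [realms]")
    if defaults.get('dns_lookup_kdc', 'true').lower() == 'false':
        for realm, body in realms.items():
            if not isinstance(body, dict) or 'kdc' not in body:
                problems.append(f"[realms] {realm}: no kdc and dns_lookup_kdc is false")
    return problems


if __name__ == '__main__':
    for problem in check_realms(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print(problem)
```

Point it at the real file with `check_realms(parse_krb5_conf(open('/etc/krb5.conf').read()))`; an empty list means the realm wiring is at least self-consistent, which is worth knowing before blaming SPNs.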
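Separately from the authentication failure, the winrm/config dump in the question is worth reading with a defender's eye: Service/AllowUnencrypted = true together with Service/Auth/Basic = true means a client that chooses Basic over the HTTP listener sends the password in cleartext, and CbtHardeningLevel = Relaxed does not enforce channel binding on the HTTPS listener. The following added example (mine, not part of the post or of any Microsoft tooling) parses the indentation-based output of winrm get winrm/config into a tree and reports those settings; the config excerpt is constructed from the values shown above, and the review rules are this example's own.

```python
"""Added example: parse `winrm get winrm/config` output into a tree and
flag listener settings a defender would want to review."""

# Constructed excerpt in the indentation winrm prints; the values mirror the
# service-side settings shown in the question.
WINRM_CONFIG = """\
Config
    MaxEnvelopeSizekb = 500
    Client
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
    Service
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        CertificateThumbprint
"""


def parse_winrm_config(text):
    """Indentation-based tree: a line without '=' opens a subtree, 'k = v' is a
    leaf, and a bare name with no children (CertificateThumbprint) ends up as
    an empty subtree."""
    root = {}
    stack = [(-1, root)]  # (indent, node)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if '=' in raw:
            key, _, value = raw.strip().partition('=')
            parent[key.strip()] = value.strip()
        else:
            child = {}
            parent[raw.strip()] = child
            stack.append((indent, child))
    return root


def review_service(config):
    """Return (setting, value, why) findings for the Service side. The rules
    are this example's own: they encode what the posted config exposes."""
    svc = config['Config']['Service']
    auth = svc.get('Auth', {})
    findings = []
    if svc.get('AllowUnencrypted', 'false').lower() == 'true':
        findings.append(('Service/AllowUnencrypted', 'true',
                         'SOAP payloads over HTTP are accepted without message-level encryption; '
                         'only Kerberos/NTLM clients that wrap their messages stay protected'))
    if auth.get('Basic', 'false').lower() == 'true':
        findings.append(('Service/Auth/Basic', 'true',
                         'Basic sends the password itself; over the HTTP listener it is cleartext'))
    if auth.get('CredSSP', 'false').lower() == 'true':
        findings.append(('Service/Auth/CredSSP', 'true',
                         'CredSSP delegates the full credential to the node'))
    cbt = auth.get('CbtHardeningLevel', 'Relaxed')
    if cbt != 'Strict':
        findings.append(('Service/Auth/CbtHardeningLevel', cbt,
                         'channel binding is not enforced on the HTTPS listener'))
    if svc.get('IPv4Filter') == '*':
        findings.append(('Service/IPv4Filter', '*', 'listener bound on every IPv4 address'))
    return findings


if __name__ == '__main__':
    for setting, value, why in review_service(parse_winrm_config(WINRM_CONFIG)):
        print(f'{setting} = {value}: {why}')
```

On a real node, feed it the captured output of `winrm get winrm/config` and treat each finding as a question to answer (is the HTTP listener needed at all once Kerberos works, does anything still require Basic), not as an automatic change.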
setspn -S HTTP/NYMGMTRDNODE01.MANAGEMENT.CORP:5985 rundeck
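To check whether a registered SPN actually covers what the client requests, it helps to compare the principal the client builds with what setspn -L lists. pywinrm (the library behind the WinRM Node Executor Python) builds the service principal as HTTP/<host from the URL> by default, without the port, and in a default Active Directory the http service class is mapped onto HOST/ via sPNMappings, so HOST/<fqdn> usually satisfies that request. The added Python example below is not from the thread, and both pywinrm's default service name and the HOST alias behaviour are stated from my own understanding rather than from the page; it parses constructed setspn output matching the question's list and reports exact versus alias coverage, including the port distinction the question raises.

```python
"""Added example: compare the service principal a WinRM client asks for
with the SPNs registered on the target computer object (setspn -L)."""
from urllib.parse import urlsplit

# Constructed copy of the setspn -L output shape from the question.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=NYMGMTRDNODE01,OU=Servers1,OU=Servers,OU=Management,DC=management,DC=corp:
        WSMAN/NYMGMTRDNODE01.management.corp:5985
        TERMSRV/NYMGMTRDNODE01.management.corp
        WSMAN/NYMGMTRDNODE01.management.corp
        RestrictedKrbHost/NYMGMTRDNODE01.management.corp
        HOST/NYMGMTRDNODE01.management.corp
        TERMSRV/NYMGMTRDNODE01
        WSMAN/NYMGMTRDNODE01
        RestrictedKrbHost/NYMGMTRDNODE01
        HOST/NYMGMTRDNODE01
"""


def parse_setspn(text):
    """Return a set of (service_class, host, port-or-None). Class and host are
    lowercased because AD matches SPNs case-insensitively; the port is kept
    because HTTP/host and HTTP/host:5985 are different principals."""
    spns = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('Registered') or '/' not in line:
            continue
        svc, _, rest = line.partition('/')
        host, _, port = rest.partition(':')
        spns.add((svc.lower(), host.lower(), port or None))
    return spns


def requested_spn(url, service='HTTP'):
    """The principal a GSSAPI client derives from a WinRM URL: the service
    name (assumed HTTP, pywinrm's default) plus the URL host, with no port
    unless the client is explicitly told to include one."""
    host = urlsplit(url).hostname
    return (service.lower(), host.lower(), None)


def spn_coverage(url, registered, service='HTTP'):
    """Report whether the requested SPN is registered outright, covered only
    through the HOST/ alias (assumed default AD sPNMappings for http), or
    missing entirely."""
    svc, host, _ = requested_spn(url, service)
    exact = (svc, host, None) in registered
    via_host = svc == 'http' and ('host', host, None) in registered
    return {
        'requested': f'{service}/{host}',
        'exact': exact,
        'via_host_alias': via_host,
        'covered': exact or via_host,
    }


if __name__ == '__main__':
    registered = parse_setspn(SETSPN_OUTPUT)
    print(spn_coverage('http://NYMGMTRDNODE01.management.corp:5985/wsman', registered))
```

If `covered` is False for the URL Rundeck uses, the fix belongs on the computer object that runs the listener; if it is already True, the KDC side is not where the failure is and the realm mapping or the credential itself deserves the next look.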
Actually John, I misunderstood your answer. What I did was:
setspn -A WSMAN/NYMGMTRDNODE01:5985 MANAGEMENT\srv-rundeck
Thanks