Kerberos Authentification | Unspecified GSS failure #35

Open
lw-schick opened this issue Nov 18, 2016 · 7 comments

Comments

@lw-schick

lw-schick commented Nov 18, 2016

What I did

I created a simple RunDeck Project with WinRM Executor running powershell with authentication method plaintext.
I created a simple job that writes out the current user with:

[System.Security.Principal.WindowsIdentity]::GetCurrent() | ConvertTo-Json | Write-Host

That worked fine and showed me that I was using authentication method NTLM.
Now I wanted to switch to Kerberos (because I have a special script that only works in Kerberos mode) - so I switched the authentication method from plaintext to kerberos.
I tried to start the job.

Result

The Job failed with

/var/lib/gems/2.3.0/gems/gssapi-1.2.0/lib/gssapi/simple.rb:95:in `init_context': gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information (GSSAPI::GssApiError)
No Kerberos credentials available
	from /var/lib/gems/2.3.0/gems/winrm-1.8.1/lib/winrm/http/transport.rb:334:in `init_krb'
	from /var/lib/gems/2.3.0/gems/winrm-1.8.1/lib/winrm/http/transport.rb:274:in `initialize'
	from /var/lib/gems/2.3.0/gems/winrm-1.8.1/lib/winrm/winrm_service.rb:65:in `new'
	from /var/lib/gems/2.3.0/gems/winrm-1.8.1/lib/winrm/winrm_service.rb:65:in `init_kerberos_transport'
	from /var/lib/gems/2.3.0/gems/winrm-1.8.1/lib/winrm/winrm_service.rb:51:in `initialize'
	from /var/lib/rundeck/libext/cache/rd-winrm-plugin-1.5.1/winrmcp.rb:50:in `new'
	from /var/lib/rundeck/libext/cache/rd-winrm-plugin-1.5.1/winrmcp.rb:50:in `<main>'
Failed dispatching to node myserver.mydomain.local: [WinRMcp]: external script failed with exit code: 1
Execution failed: 229389: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [myserver..local: NonZeroResultCode: [WinRMcp]: external script failed with exit code: 1]}, Node failures: {myserver.mydomain.local=[NonZeroResultCode: [WinRMcp]: external script failed with exit code: 1]}, status: failed]
@absolutejam

Have you already gotten a valid kerberos ticket using kinit before running this?

@mengine23

Same problem here, but successful with kinit indeed.

@absolutejam

What I have to do in my Ansible playbooks is a step that runs kinit on the local server before trying any remote commands. I'm sure you could do this with the key store and a local command? echo 'password' | kinit [email protected]

@mengine23

@absolutejam thanks for mentioning that. Will try these days if this is going to fix my issue and get back with the results in this thread.

@mengine23

mengine23 commented Jan 13, 2017

@absolutejam This is working. Using kinit generates a valid kerberos object for 24h on the linux machine. After this object is created everything is just fine. Keep in mind that the object is temporary, so go ahead and implement an automatic process to renew it (you can do it on rundeck too, yay!).

Example: su -s /bin/bash -c 'echo kerberos-password | kinit kerberos-username' local-rundeck-user
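A pre-flight step for the Rundeck host that makes the renewal above automatic and avoids putting the password on the command line. This is an added example, not code from rd-winrm-plugin or from anyone in this thread; it assumes MIT Kerberos tools (klist, kinit), a keytab provisioned for the Rundeck service account, and placeholder values for the principal, keytab path and credential cache.

```sh
#!/bin/sh
# Kerberos pre-flight for the Rundeck user (added example, not part of rd-winrm-plugin).
# Run it as the local rundeck user before any job step that uses the WinRM kerberos transport,
# so the gssapi gem finds a ticket instead of failing with "No Kerberos credentials available".
: "${KRB_PRINCIPAL:=rundeck-svc@EXAMPLE.LOCAL}"        # placeholder service principal
: "${KRB_KEYTAB:=/etc/rundeck/rundeck-svc.keytab}"      # placeholder keytab path (mode 0600, owned by rundeck)
: "${KRB5CCNAME:=FILE:/var/lib/rundeck/krb5cc_rundeck}" # assumed cache location shared with the plugin process
export KRB5CCNAME

have_valid_tgt() {
  # MIT 'klist -s' prints nothing and exits non-zero when the cache is missing or its TGT has expired
  klist -s 2>/dev/null
}

ensure_tgt() {
  if have_valid_tgt; then
    echo "kerberos: valid ticket present in $KRB5CCNAME"
    return 0
  fi
  # Renew from the keytab: the key never appears in the process list or in Rundeck job logs,
  # unlike 'echo password | kinit'
  if kinit -kt "$KRB_KEYTAB" "$KRB_PRINCIPAL" 2>&1; then
    echo "kerberos: obtained new ticket for $KRB_PRINCIPAL"
    return 0
  fi
  echo "kerberos: kinit failed for $KRB_PRINCIPAL using $KRB_KEYTAB" >&2
  return 1
}

# Invoke with --check from a Rundeck job step (or cron) to refresh the ticket ahead of the WinRM call
if [ "${1:-}" = "--check" ]; then
  ensure_tgt
fi
```

Scheduling it more often than the ticket lifetime (every few hours is enough for the 24h default mentioned above) keeps the cache warm between Rundeck runs.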

@lw-schick

lw-schick commented Jan 19, 2017

@mengine23 Thanks, that works. I will implement it as a workaround, but it doesn't sound like a nice solution.

Does someone else have a better one? ( @absolutejam ? )

@absolutejam

The biggest issue seems to be integrating the Rundeck environment/user with AD, as opposed to 'asking for permission' from the outside. This isn't so much an rd-winrm-plugin, Rundeck or even Ruby issue, just a limitation of using a setup like this.

You could try binding the Rundeck server to AD and see if that helps, as I believe (I've only ever briefly tested it) this will cause auto creation of kerberos tickets. Best to research this before diving in head first, I could be very wrong!
