Jira (BOLT-126) Support WinRM with Kerberos (from Linux node)


Ethan Brown (JIRA)

May 20, 2019, 12:39:04 PM5/20/19
to puppe...@googlegroups.com
Ethan Brown updated an issue
 
Puppet Task Runner / New Feature BOLT-126
Support WinRM with Kerberos (from Linux node)
Change By: Ethan Brown
Summary: Support WinRM with Kerberos (from Linux node)
 
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

Ethan Brown (JIRA)

May 20, 2019, 1:17:04 PM5/20/19
to puppe...@googlegroups.com
Ethan Brown commented on New Feature BOLT-126
 
Re: Support WinRM with Kerberos (from Linux node)

The WinRM gem has been updated. However, it was determined that this only supports the needs of non-Windows clients -> Windows using Kerberos. Windows client-side support is a separate task and I've filed BOLT-1323 for that.

Currently working on getting testing up for this PR by bringing up a few additional nodes in our docker compose tests:

  • A KDC based on Alpine Linux to authenticate against
  • The Microsoft OMI server, with PowerShell and the PSRP plugin installed to allow for running Powershell remotely over WinRM (or SSH)

There are still two wildcards in the mix here:

  • The instructions on OMI server only specify how to authenticate against an Active Directory Domain Controller, not a KDC server (https://github.com/Microsoft/omi/blob/master/Unix/doc/setup-kerberos-omi.md)
  • We know there are still some incompatibilities running PowerShell commands over WinRM to a Linux host (based on the webinar I did demonstrating this behavior). Being able to run Write-Host hi should be sufficient to test the Kerberos auth however.
  • We don't yet support PowerShell over SSH transport, but this testing setup will make it easier to add support for that later

Ethan Brown (JIRA)

Jul 15, 2019, 12:43:04 PM7/15/19
to puppe...@googlegroups.com
Ethan Brown commented on New Feature BOLT-126

BOLT-1472 has been created to cover the testing aspect of this ticket, so that we can move forward on merging the basics of this work with manual testing only.


As mentioned in https://github.com/puppetlabs/bolt/pull/1087 the caveats are:

  • Works only with MIT Kerberos from a Linux node
  • Does not work with Heimdal on OSX
        - gssapi gem support for Heimdal is not well vetted
        - OSX doesn't export Kerberos IOV functions needed for MS DCE RPC
  • Does not work from a Windows node as winrm / gssapi gems only support MIT Kerberos, and Windows has its own APIs
  • Has been manually tested in a simple AD environment that has a CentOS host domain joined to Windows Active Directory
  • Provides initial support for the --realm command line switch, which can be used instead of --username / --password.

Note that Kerberos is an authentication method, not a transport, so can be used with or without SSL just like other authentication.

Lucy Wyman (JIRA)

Jul 19, 2019, 6:06:03 PM7/19/19
to puppe...@googlegroups.com
Lucy Wyman assigned an issue to Lucy Wyman
 
Change By: Lucy Wyman
Assignee: Ethan Brown -> Lucy Wyman

Lucy Wyman (JIRA)

Jul 22, 2019, 6:15:04 PM7/22/19
to puppe...@googlegroups.com
Lucy Wyman updated an issue
Change By: Lucy Wyman
Fix Version/s: BOLT Next

Lucy Wyman (JIRA)

Jul 22, 2019, 6:15:05 PM7/22/19
to puppe...@googlegroups.com
Lucy Wyman updated an issue
Change By: Lucy Wyman
Labels: DOCS docs windows

Chris Cowell (JIRA)

Jul 25, 2019, 5:41:04 PM7/25/19
to puppe...@googlegroups.com
Chris Cowell updated an issue
Change By: Chris Cowell
Labels: DOCS docs docs_reviewed windows

Ethan Brown (JIRA)

Jul 25, 2019, 6:49:04 PM7/25/19
to puppe...@googlegroups.com
Ethan Brown commented on New Feature BOLT-126
 
Re: Support WinRM with Kerberos (from Linux node)

We removed the --realm switch in the PR in favor of using realm in the winrm definition.


It's possible that we'll make it so that --user us...@domain.com will imply use of Kerberos. Windows should probably implicitly use the Kerberos ticket affiliated with the current logged on domain user ... making specification of realm unnecessary on Windows.


It's also possible that realm will be changed to domain - that's still an open discussion.
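As an added illustration (not from the ticket or from the Bolt project's own docs), a Bolt inventory of the kind the comments above describe: the Kerberos realm sits in the winrm definition rather than on a command-line switch, and the same authentication is used once over plain HTTP and once over HTTPS, since Kerberos is authentication rather than transport. The inventory layout, key names, hostnames and realm are assumptions.

```yaml
# Added example (not from the ticket or the Bolt project). Inventory layout and
# key names are assumed; hostnames and realm are placeholders.
# The Linux node running Bolt needs a valid MIT Kerberos ticket beforehand
# (obtained with kinit); no user/password appears in the inventory.
groups:
  - name: windows-kerberos-http
    nodes:
      - win01.example.com
    config:
      transport: winrm
      winrm:
        realm: EXAMPLE.COM   # realm in the winrm definition, not a --realm switch
        ssl: false           # Kerberos auth over plain HTTP WinRM (port 5985)
  - name: windows-kerberos-https
    nodes:
      - win02.example.com
    config:
      transport: winrm
      winrm:
        realm: EXAMPLE.COM
        ssl: true            # the same Kerberos auth over HTTPS WinRM (port 5986)
        ssl-verify: true     # keep certificate verification on for the TLS layer
```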
