Jira (BOLT-126) Support WinRM with Kerberos (from Linux node)
Ethan Brown commented on BOLT-126
Re: Support WinRM with Kerberos (from Linux node)

We removed the --realm switch in the PR in favor of using realm in the winrm definition. It's possible that we'll make it so that --user u...@domain.com will imply use of Kerberos. Windows should probably implicitly use the Kerberos ticket affiliated with the current logged on domain user ... making specification of realm unnecessary on Windows. It's also possible that realm will be changed to domain - that's still an open discussion.

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.214093.150696560.31947.1564094940237%40Atlassian.JIRA.
Jira (BOLT-126) Support WinRM with Kerberos (from Linux node)
Chris Cowell updated an issue Puppet Task Runner / BOLT-126 Support WinRM with Kerberos (from Linux node) Change By: Chris Cowell Labels: DOCS docs docs_reviewed windows
Jira (BOLT-126) Support WinRM with Kerberos (from Linux node)
Lucy Wyman updated an issue Puppet Task Runner / BOLT-126 Support WinRM with Kerberos (from Linux node) Change By: Lucy Wyman Fix Version/s: BOLT Next
Jira (BOLT-126) Support WinRM with Kerberos (from Linux node)
Lucy Wyman updated an issue Puppet Task Runner / BOLT-126 Support WinRM with Kerberos (from Linux node) Change By: Lucy Wyman Labels: docs windows
Jira (BOLT-126) Support WinRM with Kerberos (from Linux node)
Lucy Wyman updated an issue Puppet Task Runner / BOLT-126 Support WinRM with Kerberos (from Linux node) Change By: Lucy Wyman Labels: DOCS docs windows
Jira (BOLT-126) Support WinRM with Kerberos (from Linux node)
Lucy Wyman assigned an issue to Lucy Wyman Puppet Task Runner / BOLT-126 Support WinRM with Kerberos (from Linux node) Change By: Lucy Wyman Assignee: Ethan Brown Lucy Wyman
Jira (BOLT-126) Support WinRM with Kerberos (from Linux node)
Ethan Brown commented on BOLT-126
Re: Support WinRM with Kerberos (from Linux node)

BOLT-1472 has been created to cover the testing aspect of this ticket, so that we can move forward on merging the basics of this work with manual testing only.

As mentioned in https://github.com/puppetlabs/bolt/pull/1087 the caveats are:

- Works only with MIT Kerberos from a Linux node
- Does not work with Heimdal on OSX
  - gssapi gem support for Heimdal is not well vetted
  - OSX doesn't export Kerberos IOV functions needed for MS DCE RPC
- Does not work from a Windows node as winrm / gssapi gems only support MIT Kerberos, and Windows has its own APIs
- Has been manually tested in a simple AD environment that has a CentOS host domain joined to Windows Active Directory
- Provides initial support for the --realm command line switch, which can be used instead of --username / --password.

Note that Kerberos is an authentication method, not a transport, so can be used with or without SSL just like other authentication.
Jira (BOLT-126) Support WinRM with Kerberos (from Linux node)
Ethan Brown commented on BOLT-126
Re: Support WinRM with Kerberos (from Linux node)

The WinRM gem has been updated. However, it was determined that this only supports the needs of non-Windows clients -> Windows using Kerberos. Windows client-side support is a separate task and I've filed BOLT-1323 for that.

Currently working on getting testing up for this PR by bringing up a few additional nodes in our docker compose tests:

- A KDC based on Alpine Linux to authenticate against
- The Microsoft OMI server, with PowerShell and the PSRP plugin installed to allow for running PowerShell remotely over WinRM (or SSH)

There are still two wildcards in the mix here:

- The instructions on OMI server only specify how to authenticate against an Active Directory Domain Controller, not a KDC server (https://github.com/Microsoft/omi/blob/master/Unix/doc/setup-kerberos-omi.md)
- We know there are still some incompatibilities running PowerShell commands over WinRM to a Linux host (based on the webinar I did demonstrating this behavior). Being able to run Write-Host hi should be sufficient to test the Kerberos auth however.

We don't yet support PowerShell over SSH transport, but this testing setup will make it easier to add support for that later
Jira (BOLT-126) Support WinRM with Kerberos (from Linux node)
Ethan Brown updated an issue Puppet Task Runner / BOLT-126 Support WinRM with Kerberos (from Linux node) Change By: Ethan Brown Summary: Support WinRM with Kerberos (from Linux node)