I have installed Rundeck 4.8.0 on Red Hat 9. I have a Windows Server 2022 node. On the node I have a local account named rundeck, which is in the Administrators group. In the Rundeck key storage I created a password key holding the local rundeck account's password. In my project I have a yaml file that points at the node with the rundeck username. That works: I can run jobs on the node that call PowerShell scripts.
But now I want to use the domain account rundeck@MANAGEMENT.CORP.
I have installed the necessary packages: yum install gcc python-devel krb5-devel krb5-workstation python-devel python3-devel
In my project configuration, under Default Node Executor, I first tried the built-in "WinRM Node Executor Python":
Interpreter - Python3
Authentication - Kerberos
username - rundeck@MANAGEMENT.CORP
Password - path to key store
Protocol - http
shell - powershell
Krb5 Config file - /etc/krb5.conf
My krb5 config file under /etc/:
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    dns_canonicalize_hostname = fallback
    qualify_shortname = ""
    default_ccache_name = KEYRING:persistent:%{uid}
    udp_preference_limit = 0
    default_realm = MANAGEMENT.CORP

[realms]
    MANAGEMENT.CORP = {
        kdc = NYMGMTDC01.management.corp
        admin_server = NYMGMTDC01.management.corp
        default_domain = MANAGEMENT.CORP
    }

[domain_realm]
    .management.corp = MANAGEMWNT.CORP
    management.corp = MANAGEMWNT.CORP
On the Windows node, the winrm configuration looks like this:
winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = true
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 1024
        MaxShellsPerUser = 2147483647
When I test the node, I get this error:
[ERROR ] generate_request_header(): authGSSClientStep() failed: (kerberos_.py:257)[winrm.vendor.requests_kerberos.kerberos_]
Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/winrm/vendor/requests_kerberos/kerberos_.py", line 245, in generate_request_header
result = kerberos.authGSSClientStep(self.context[host],
kerberos.GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))
[ERROR ] (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377)) (kerberos_.py:259)[winrm.vendor.requests_kerberos.kerberos_]
From my Googling, this points to a missing SPN, but the node's SPNs look fine.
setspn -L NYMGMTRDNODE01
Registered ServicePrincipalNames for CN=NYMGMTRDNODE01,OU=Servers1,OU=Servers,OU=Management,DC=management,DC=corp:
WSMAN/NYMGMTRDNODE01.management.corp:5985
TERMSRV/NYMGMTRDNODE01.management.corp
WSMAN/NYMGMTRDNODE01.management.corp
RestrictedKrbHost/NYMGMTRDNODE01.management.corp
HOST/NYMGMTRDNODE01.management.corp
TERMSRV/NYMGMTRDNODE01
WSMAN/NYMGMTRDNODE01
RestrictedKrbHost/NYMGMTRDNODE01
HOST/NYMGMTRDNODE01
I even had our admin add "WSMAN/NYMGMTRDNODE01.management.corp:5985" in case the port not being specified was the problem. I also tested the winrm connection on the node itself.
winrm identify -r:http://NYMGMTRDNODE01.management.corp:5985 -auth:kerberos -u:rundeck@MANAGEMENT.CORP -p:PASSWORD -encoding:utf-8
IdentifyResponse
ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor = Microsoft Corporation
ProductVersion = OS: 10.0.20348 SP: 0.0 Stack: 3.0
SecurityProfiles
SecurityProfileName = http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/basic, http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/spnego-kerberos
So next I tried the Overthere WinRM plugin, rundeck-winrm-plugin-1.3.8.jar. I created a resources.xml file:
<node name="NYMGMTRDNODE01"
      description="Windows node"
      tags="Windows"
      hostname="NYMGMTRDNODE01.MANAGEMENT.CORP"
      username="rundeck"
      osFamily="Windows"
      osName="Microsoft Windows Server 2022Standard"
      osArch="amd64"
      node-executor="overthere-winrm"
      winrm-auth-type="kerberos"
      winrm-protocol="http"
      winrm-cmd="Powershell"
      winrm-kerberos-debug="true"
      winrm-domain="MANAGEMENT.CORP"
      winrm-port="5985"
      winrm-timeout="PT28800.000S"
      winrm-connection-timeout="28800000"
      connectionType="WINRM_NATIVE"
      winrm-password-storage-path="keys/NYMGMTRDNODE01.password"/>
When I test this node, the debug output shows the following:
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
[Krb5LoginModule] user entered username: srv-rundeck@MANAGEMENT.CORP
principal is srv-rundeck@MANAGEMENT.CORP
Commit Succeeded
Then the error:
[overthere-winrm:NYMGMTRDNODE01.MANAGEMENT.CORP] failed: WinRM Error: Unexpected HTTP response on http://NYMGMTRDNODE01.MANAGEMENT.CORP:5985/wsman: (401)
Failed: WinRMProtocolError: WinRM Error: Unexpected HTTP response on http://NYMGMTRDNODE01.MANAGEMENT.CORP:5985/wsman: (401)
Execution failed: 106 in project Staging-Windows: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [NYMGMTRDNODE01: WinRMProtocolError: WinRM Error: Unexpected HTTP response on http://NYMGMTRDNODE01.MANAGEMENT.CORP:5985/wsman: (401) + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, Node failures: {NYMGMTRDNODE01=[WinRMProtocolError: WinRM Error: Unexpected HTTP response on http://NYMGMTRDNODE01.MANAGEMENT.CORP:5985/wsman: (401) + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, status: failed]
I have found many posts about the "Unexpected HTTP response (401)" problem. I tried following all the fixes; some of them seem to have no solution and some do.
I have been at this for 48 hours straight. So any ideas, any help would be greatly appreciated.
Thank you.
1 Answer
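One thing worth checking in a krb5.conf like the one above is whether every [domain_realm] target actually has a [realms] stanza, and which realm the client will therefore use when it builds the WSMAN service principal for the node. The script below is an added example (not part of the question, of Rundeck, or of the pywinrm/Overthere plugins): it parses a constructed copy of the posted krb5.conf with the realm spellings kept exactly as posted, resolves a node name to its realm the way libkrb5 applies [domain_realm], and reports mappings whose realm has no [realms] stanza. Run over this sample, it reports both management.corp entries pointing at MANAGEMWNT.CORP, for which no KDC is defined.

```python
# Constructed copy of the relevant parts of the krb5.conf in the question,
# realm names spelled exactly as they appear there.
SAMPLE_KRB5_CONF = """[libdefaults]
 default_realm = MANAGEMENT.CORP
[realms]
 MANAGEMENT.CORP = {
  kdc = NYMGMTDC01.management.corp
 }
[domain_realm]
 .management.corp = MANAGEMWNT.CORP
 management.corp = MANAGEMWNT.CORP
"""

def parse_krb5_conf(text):
    """Minimal parser: [section] headers, key = value lines, one level of { } blocks."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            section, block = sections.setdefault(line[1:-1], {}), None
        elif not line or section is None:
            continue
        elif line == "}":
            block = None                              # close a realm block
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block, section[key] = key, {}         # open a realm block
            elif block is not None:
                section[block][key] = value
            else:
                section[key] = value
    return sections

def realm_for_host(conf, hostname):
    """Apply [domain_realm] like libkrb5: exact host, then most specific parent domain, else default_realm."""
    host = hostname.lower()
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    labels = host.split(".")
    candidates = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for c in candidates:
        if c in mapping:
            return mapping[c]
    return conf.get("libdefaults", {}).get("default_realm", "")

def undefined_realm_mappings(conf):
    """[domain_realm] targets with no [realms] stanza: no KDC is known for SPNs in that realm."""
    defined = set(conf.get("realms", {}))
    return [(d, r) for d, r in conf.get("domain_realm", {}).items() if r not in defined]
```

Point parse_krb5_conf at the real file contents to check the live configuration; with dns_lookup_kdc = false, only realms listed under [realms] have a reachable KDC.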
Have the admin run this, then try again: