我在Redhat 9上安装了Rundeck 4.8.0。我有一个Windows 2022服务器节点。我在节点上有一个名为rundeck的本地帐户,它位于Administrators组中。在运行甲板密钥存储中,我制作了一个密码密钥,其中包含本地运行甲板帐户的密码。在我的项目中,我有一个指向运行甲板用户名节点的yaml文件。这样,我就可以在节点上运行调用powershell脚本的作业了。
但是,现在我想使用一个域帐户,rundeck@MANAGEMENT.CORP
我安装了必要的应用程序:Yum install GCC python-devel krb5- krb5-workstation python-devel python3-devel
在我的项目配置中,在默认节点执行器下,我首先尝试使用内置的"WinRM节点执行器Python">
Interpreter - Python3
Authentication - Kerberos
username - rundeck@MANAGEMENT.CORP
Password - path to key store
Protocol - http
shell - powershell
krb5C Config file - /etc/krb5.conf
我/etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
dns_canonicalize_hostname = fallback
qualify_shortname = ""
default_ccache_name = KEYRING:persistent:%{uid}
udp_preference_limit = 0
default_realm = MANAGEMENT.CORP
[realms]
MANAGEMENT.CORP = {
kdc = NYMGMTDC01.management.corp
admin_server = NYMGMTDC01.management.corp
default_domain = MANAGEMENT.CORP
}
[domain_realm]
.management.corp = MANAGEMWNT.CORP
management.corp = MANAGEMWNT.CORP
在windows节点上,winrm配置如下所示
winrm get winrm/config
Config
MaxEnvelopeSizekb = 500
MaxTimeoutms = 60000
MaxBatchItems = 32000
MaxProviderRequests = 4294967295
Client
NetworkDelayms = 5000
URLPrefix = wsman
AllowUnencrypted = true
Auth
Basic = true
Digest = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
DefaultPorts
HTTP = 5985
HTTPS = 5986
TrustedHosts
Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = true
Auth
Basic = true
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = false
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true
Winrs
AllowRemoteShellAccess = true
IdleTimeout = 7200000
MaxConcurrentUsers = 2147483647
MaxShellRunTime = 2147483647
MaxProcessesPerShell = 2147483647
MaxMemoryPerShellMB = 1024
MaxShellsPerUser = 2147483647
当我测试I节点时,我得到这个错误:
[ERROR ] generate_request_header(): authGSSClientStep() failed: (kerberos_.py:257)[winrm.vendor.requests_kerberos.kerberos_]
Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/winrm/vendor/requests_kerberos/kerberos_.py", line 245, in generate_request_header
result = kerberos.authGSSClientStep(self.context[host],
kerberos.GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))
[ERROR ] (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377)) (kerberos_.py:259)[winrm.vendor.requests_kerberos.kerberos_]
通过我的谷歌搜索,这表明缺乏SPN,但节点的SPN看起来很好。
setspn -L NYMGMTRDNODE01
Registered ServicePrincipalNames for CN=NYMGMTRDNODE01,OU=Servers1,OU=Servers,OU=Management,DC=management,DC=corp:
WSMAN/NYMGMTRDNODE01.management.corp:5985
TERMSRV/NYMGMTRDNODE01.management.corp
WSMAN/NYMGMTRDNODE01.management.corp
RestrictedKrbHost/NYMGMTRDNODE01.management.corp
HOST/NYMGMTRDNODE01.management.corp
TERMSRV/NYMGMTRDNODE01
WSMAN/NYMGMTRDNODE01
RestrictedKrbHost/NYMGMTRDNODE01
HOST/NYMGMTRDNODE01
我甚至让我们的管理员添加了"WSMAN/NYMGMTRDNODE01.management.corp:5985"如果没有指定端口。我还在节点上测试了winrm连接。
winrm identify -r:http://NYMGMTRDNODE01.management.corp:5985 -auth:kerberos -u:rundeck@MANAGEMENT.CORP -p:PASSWORD -encoding:utf-8
IdentifyResponse
ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor = Microsoft Corporation
ProductVersion = OS: 10.0.20348 SP: 0.0 Stack: 3.0
SecurityProfiles
SecurityProfileName = http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/basic, http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/spnego-kerberos
所以接下来我尝试了Overthere WinRm插件,rundeck-winrm-plugin-1.3.8.jar我创建了一个resources.xml文件:
<node name="NYMGMTRDNODE01"
description="Windows node"
tags="Windows"
hostname="NYMGMTRDNODE01.MANAGEMENT.CORP"
username="rundeck"
osFamily="Windows"
osName="Microsoft Windows Server 2022Standard"
osArch="amd64"
node-executor="overthere-winrm"
winrm-auth-type="kerberos"
winrm-protocol="http"
winrm-cmd="Powershell"
winrm-kerberos-debug="true"
winrm-domain="MANAGEMENT.CORP"
winrm-port="5985"
winrm-timeout="PT28800.000S"
winrm-connection-timeout="28800000"
connectionType="WINRM_NATIVE"
winrm-password-storage-path="keys/NYMGMTRDNODE01.password"/>
当我测试这个节点时,调试显示如下:
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
[Krb5LoginModule] user entered username: srv-rundeck@MANAGEMENT.CORP
principal is srv-rundeck@MANAGEMENT.CORP
Commit Succeeded
,然后是错误:
[overthere-winrm:NYMGMTRDNODE01.MANAGEMENT.CORP] failed: WinRM Error: Unexpected HTTP response on http://NYMGMTRDNODE01.MANAGEMENT.CORP:5985/wsman: (401)
Failed: WinRMProtocolError: WinRM Error: Unexpected HTTP response on http://NYMGMTRDNODE01.MANAGEMENT.CORP:5985/wsman: (401)
Execution failed: 106 in project Staging-Windows: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [NYMGMTRDNODE01: WinRMProtocolError: WinRM Error: Unexpected HTTP response on http://NYMGMTRDNODE01.MANAGEMENT.CORP:5985/wsman: (401) + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, Node failures: {NYMGMTRDNODE01=[WinRMProtocolError: WinRM Error: Unexpected HTTP response on http://NYMGMTRDNODE01.MANAGEMENT.CORP:5985/wsman: (401) + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, status: failed]
我发现很多帖子都带有"意外的HTTP响应(401)"&;问题。我试着遵循所有的修复,有些人似乎没有解决方案,有些人有。
我已经连续48小时这样了。因此,任何想法,任何帮助都将非常感谢。
谢谢你。
让您的管理员运行此命令,然后再试一次:
setspn -S HTTP/NYMGMTRDNODE01.MANAGEMENT.CORP:5985 rundeck
实际上John我误解了你的答案。我所做的是:
setspn -A WSMAN/NYMGMTRDNODE01:5985 MANAGEMENTsrv-rundeck