Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
tutorial:adm:configuration_-_winrm [2019/10/08 13:22]
fiserp 		tutorial:adm:configuration_-_winrm [2021/05/24 08:14]
kucerar fixed format
Line 57: Line 57:
  
 ===== Permission configuration ===== ===== Permission configuration =====
-If you want to use user which is not admin then we need a more configuration. If you want to use admin user you should ready to go even without it.+If you want to use user which is not admin then we need to do a more configuration. If you want to use admin user you should be ready to go even without it.
  
 Now we need to set the right permissions. It's tested against NTLM, Kerberos and CredSSP auth Now we need to set the right permissions. It's tested against NTLM, Kerberos and CredSSP auth
Line 68: Line 68:
   * Computer Management -> Services and Application -> right click WMI Control -> Properties   * Computer Management -> Services and Application -> right click WMI Control -> Properties
   * In new dialog window -> tab Security -> Root -> CIMV2 and click button Security   * In new dialog window -> tab Security -> Root -> CIMV2 and click button Security
-  * Next dialog window will appear - you need to add group here+  * Next dialog window will appear - you need to add group (WinRMRemoteWMIUsers\_\_ or Remote Management Users) here
   * You need to select these options in the checkboxes - Execute Methods, Enable Account and Remote Enable   * You need to select these options in the checkboxes - Execute Methods, Enable Account and Remote Enable
   * Click on Advanced - select and edit group -> Set "Applies to" This namespace and subnamespaces   * Click on Advanced - select and edit group -> Set "Applies to" This namespace and subnamespaces
Line 78: Line 78:
   * <code>winrm configSDDL default</code>   * <code>winrm configSDDL default</code>
 {{:tutorial:adm:winrm_sddl.png?nolink&400|}} {{:tutorial:adm:winrm_sddl.png?nolink&400|}}
-  * Add group and give it Full Control+  * Add group (WinRMRemoteWMIUsers\_\_ or Remote Management Users) and give it Full Control
   * Confirm changes   * Confirm changes
  
Line 119: Line 119:
  
  
-==== Commons issues ====+==== Common issues ====
 === Specified credentials were rejected by the server === === Specified credentials were rejected by the server ===
 Can be caused by: Can be caused by:
Line 140: Line 140:
 The configuration of certificate thumbprint in the Listener should remain there. The configuration of certificate thumbprint in the Listener should remain there.
  
 +=== x509 attribute parsing error ===
 +When calling WinRM over HTTPS, you can encounter following error:
 +<code python>
 +Traceback (most recent call last):
 +  File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 309, in wrapper
 +    _lib.X509_up_ref(x509)
 +AttributeError: 'module' object has no attribute 'X509_up_ref'
 +</code>
 +This seems to be caused by older versions of the ''cryptography'' python library. Upgrading the library should solve the problem. Since this library is also used by some OS components, we recommend to upgrade it locally only for the user who runs python winrm scripts.
 +
 +=== Requests using non-urllib3 backend ===
 +<note important>Please note this is **not** a fix to your situation. For more info, look at [[https://github.com/requests/requests-kerberos/issues/128|this Github issue]].</note>
 +This affects only ''requests-ntlm'' library and therefore only NTLM authentication. It does not seem to affect the overall function but the warning is at least an annoyance. When you see the warning:
 +<code>
 +/usr/lib/python2.7/site-packages/requests_ntlm/requests_ntlm.py:200: NoCertificateRetrievedWarning: Requests is running with a non urllib3 backend, cannot retrieve server certificate for CBT
 +  NoCertificateRetrievedWarning)
 +</code>
 +You can confirm the behavior by:
 +  - Installing ''requests-ntlm'' locally for the user.
 +  - Editing ''~/.local/lib/python2.7/site-packages/requests\_ntlm/requests\_ntlm.py'' and changing the import ''from requests.packages.urllib3.response import HTTPResponse'' to ''from requests.packages.urllib3 import HTTPResponse''.
 +  - When running winrm script with NTLM, the warning should no longer pop up.
 +
 +=== HTTPS certificate not trusted ===
 +Python, by default, uses its own certificate truststore located somewhere under ''/usr/lib/python2.7/...''. If it cannot find it, it uses system-wide truststore provided by ''ca-certificates''. However, you usually do not want to trust so many authorities. Also, your server usually have your certificates and that means you have to add your CA to the truststore. For debugging this (and WinRM at all) you can also use following script:
 +<code python>
 +import os
 +# there, you can explicitly set path to your CA chain
 +# DO NOT put there server's certificate itself
 +os.environ["REQUESTS_CA_BUNDLE"] = "/path/to/crt/chain.pem"
 +
 +from winrm.protocol import Protocol
 +
 +p = Protocol(
 +    endpoint='https://SERVER YOU WANT TO CONNECT TO:5986/wsman',
 +    transport='CHOOSE AUTHENTICATION METHOD: basic,credssp,ntlm,kerberos',
 +    username='USERNAME OR USERNAME@DOMAIN',
 +    password='USER PASSWORD')
 +#server_cert_validation='ignore'           # put this into the Protocol object constructor to disable certificate validation
 +shell_id = p.open_shell()
 +command_id = p.run_command(shell_id, 'ping', ['1.1.1.1'])
 +std_out, std_err, status_code = p.get_command_output(shell_id, command_id)
 +p.cleanup_command(shell_id, command_id)
 +p.close_shell(shell_id)
 +
 +# this will output all that returned from the WinRM call
 +print "stdout",std_out
 +print "stderr",std_err
 +print "retcode",status_code
 +</code>
 ===== HTTPS support ===== ===== HTTPS support =====
 The best case is to use HTTPS connection to connect to WinRM. To achieve this we need to do some more configuration on the server and on the client. The best case is to use HTTPS connection to connect to WinRM. To achieve this we need to do some more configuration on the server and on the client.
  • by erbenr