Windows - access network shares via knife winrm


#1

Hi All,

I’m trying to run chef-client on many nodes from my chef workstation via the knife winrm command.
One of my recipes needs to access a shared network drive.

When I invoke chef-client manually within every node, there is no problem and the run ends successfully.
However, when I invoke chef-client on a node from my chef workstation via the knife winrm command, I get an “Access is denied” error message.

Narrowing the problem a little bit more I figured out that:

  1. knife winrm 143.185.0.1 -m -x 'user' -P 'password' 'dir c:' - works.

  2. knife winrm 143.185.0.1 -m -x 'user' -P 'password' 'dir \\myserver\shares' - doesn’t work.
     143.185.0.1 Access is denied.

  3. winrs -r:143.185.0.1 -u:user -p:password dir \\ccdsrv01\shares - doesn’t work.
     143.185.0.1 Access is denied.

  4. winrs -r:143.185.0.1 -allowDelegate -u:user -p:password dir \\ccdsrv01\shares - works!!!

The -allowDelegate flag allows winrm to delegate the credentials to multiple computers (multi hop).
(One also needs to enable CredSSP support)

Is there a way to tell knife winrm to delegate credentials over multiple hops? After all, knife winrm encapsulates Microsoft winrm.
Is there another way to access a network drive via knife winrm?

(I found an email thread called “knife winrm browsing network shares” on the chef mailing lists, but there was no solution there)

Thanks,
Raanan.


Intel Israel (74) Limited

This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.


#2

I don’t believe the WinRM gem has support for CredSSP connections (which is what knife-windows uses).

If you are connecting from a Windows workstation and using knife-windows 0.8.2 (or newer) and you have Kerberos delegation enabled, that could get you around this problem as well.

Another solution would be to set chef-client up to run as a scheduled task and invoke that task from your knife winrm call. Then the task executes in a fresh context and can delegate credentials.

Steve

Steven Murawski
Community Manager @ Chef
Microsoft MVP - PowerShell
http://stevenmurawski.com

On December 4, 2014 at 8:21:26 AM, Avargil, Raanan (raanan.avargil@intel.com) wrote:

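The scheduled-task approach from the reply above, as an added example that is not code from the thread, from Chef, or from knife-windows. The task logs on as its own account on the node, so the chef-client process gets a locally created logon token and a recipe that reads \\myserver\shares no longer depends on the WinRM caller's credentials being delegated; nothing in it needs CredSSP. The task name chef-client-run, the account CORP\svc-chef, the chef-client path and the log file path are assumptions for illustration. It uses the ScheduledTasks module (Windows Server 2012 / Windows 8 or newer) and is meant to be run once per node in an elevated PowerShell:

```powershell
# Added example (not from the thread): register chef-client as an on-demand scheduled task
# that runs under its own service account instead of the WinRM caller's delegated token.
# Assumed/hypothetical values: task name, account, chef-client path, log path.
$TaskName   = 'chef-client-run'
$RunAsUser  = 'CORP\svc-chef'                          # dedicated account, read access to the share only
$ChefClient = 'C:\opscode\chef\bin\chef-client.bat'    # assumed install path
$LogFile    = 'C:\chef\log\task-run.log'

# Ask for the service account password interactively rather than embedding it in the script.
# Task Scheduler stores it on the node, so the logon happens there, not across the WinRM hop.
$cred  = Get-Credential -UserName $RunAsUser -Message "Password for $RunAsUser"
$plain = $cred.GetNetworkCredential().Password

New-Item -ItemType Directory -Force -Path (Split-Path $LogFile) | Out-Null

# No trigger is registered: the task never fires on its own and is only started on demand.
$action = New-ScheduledTaskAction -Execute 'cmd.exe' `
    -Argument "/c `"$ChefClient`" -L `"$LogFile`""

Register-ScheduledTask -TaskName $TaskName -Action $action `
    -User $RunAsUser -Password $plain -RunLevel Highest -Force | Out-Null
Remove-Variable plain   # drop the clear-text copy once the task holds it

# Start the task and wait for it to finish, then report chef-client's exit code.
# 'schtasks /run' (what the knife winrm call would send) returns immediately, so the
# state has to be polled and the log read afterwards; this function does both.
function Invoke-ChefTask {
    param([string]$Name = $TaskName, [int]$TimeoutSeconds = 1800)
    Start-ScheduledTask -TaskName $Name
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $state = (Get-ScheduledTask -TaskName $Name).State
    } while ($state -eq 'Running' -and (Get-Date) -lt $deadline)
    $info = Get-ScheduledTaskInfo -TaskName $Name
    # LastTaskResult is chef-client's exit code: 0 means the run converged, non-zero means it failed
    [pscustomobject]@{
        Task     = $Name
        State    = $state
        ExitCode = $info.LastTaskResult
        LastRun  = $info.LastRunTime
        Log      = $LogFile
    }
}

Invoke-ChefTask
```

Once the task exists, the workstation-side call is a plain `knife winrm 143.185.0.1 'schtasks /run /tn chef-client-run' -m -x 'user' -P 'password'`; because the task runs in the background, knife's own output will not carry the chef-client log, which is why the run writes to a log file and the exit code is read back from the task. The trade-off against -allowDelegate/CredSSP is where the secret lives: CredSSP forwards the caller's reusable credentials to every node at run time, while the task keeps one stored password per node, so the account should be dedicated to this job and hold nothing beyond read access to the share and whatever chef-client itself needs.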

#3

Thank you Steve!
I’ll try the solutions you suggested.

Raanan

From: Steven Murawski [mailto:steven.murawski@gmail.com]
Sent: Thursday, December 04, 2014 17:52
To: chef@lists.opscode.com; Avargil, Raanan
Subject: [chef] Re: Windows - access network shares via knife winrm