Winrm issues in chef-recipe


#1

Hi,

I need to run chef-client on a Windows machine from another Windows machine using
winrm/winrs. I have a Chef cookbook like this:

windows_batch "backup" do
  cwd node['winrm_path']
  code <<-EOH
  winrs -r:ip_address chef-client
  EOH
end

The above code (cookbook) executes on one Windows machine, and from there it runs
chef-client on another Windows machine using winrs, but errors occurred. I
enabled WinRM on both Windows machines.

Errors like:

STDERR: Winrs error:The WinRM client cannot process the request. If the
authentication scheme is different from Kerberos, or if the client computer is
not joined to a domain, then HTTPS transport must be used or the destination
machine must be added to the TrustedHosts configuration setting. Use winrm.cmd
to configure TrustedHosts. Note that computers in the TrustedHosts list might
not be authenticated. You can get more information about that by running the
following command: winrm help config.

or else

Connecting to remote server failed with the following error message : WinRM
cannot process the request. The following error occured while using
Kerberos authentication: The network path was not found.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are
specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does
not exist.
-The client and remote computers are in different domains and there is no
trust between the two domains.

Can anyone help me resolve this?

Thanks,
Ganesan.A


#2

You probably hit the reverse DNS error.

Windows WinRM ensures it is called properly by checking the DNS entries
and the host in the request header.

Check that your DNS entries (host and PTR) are correct; the PTR record must
point to the machine name, not to an alias.

You should also call the distant host by its name and not by IP address.

Hope this helps.

On 2014-05-21 11:01, ganesan15785@gmail.com wrote:



#3

Hi Ganesan
I’ve been using knife WinRM to bootstrap Windows servers and I have found that Directory auth would not work with it.
My Chef server is not a member of the Windows AD domain and I have no AD auth provisioned to use with it, which will be why it was not working.
I found there were several steps/settings that needed to be taken before WinRM would respond to using a basic local admin account on each of the servers (Microsoft have some good notes about how to configure WinRM, which was what I used).
The steps I have had to use on our test machines were:

winrm quickconfig (this will enable WinRM to be contacted via http/https; it is not enabled by default)
Set-ExecutionPolicy RemoteSigned (allows scripts to be run on each Windows server remotely via PowerShell)

(These settings cover the config of WinRM. The massive timeout is due to items that we are running which can take a lot of time to complete; we were seeing timeouts during chef-client runs which were down to this timeout setting.)
winrm set winrm/config '@{MaxTimeoutms="2700000"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="3096"}' (upped to 3GB)
(The last three items refer to how much resource WinRM is having to use and authentication methods. I had to allow unencrypted auth, basic local account access for our Chef server so the bootstrapping would run. I suspect that with the Chef Server tied into AD and these auth settings tweaked then AD auth should be usable, but it is not something that I have looked at yet.)

No doubt someone with more experience can clear up these auth settings if we wish to use AD accounts.

Thanks
Chris
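
With `AllowUnencrypted` and `Basic` both enabled on the service, the local admin password crosses the network over plain HTTP. The PowerShell below is an added example, not part of the original thread or of Chef: it reports the settings discussed above and shows one way to keep Basic auth for a local account while requiring HTTPS. The function names are hypothetical, and it assumes Windows Server 2012 or later and that a self-signed certificate is acceptable on test machines.

```powershell
# Added example. Run in an elevated PowerShell session on the server being bootstrapped.
# Assumes Windows Server 2012 or later; both function names are hypothetical.

function Get-WinRMWeakSetting {
    # Emits one object per setting that exposes credentials or skips server authentication.
    $checks = @(
        @{ Path = 'WSMan:\localhost\Service\AllowUnencrypted'; Bad = 'true'
           Risk = 'service accepts unencrypted HTTP traffic' },
        @{ Path = 'WSMan:\localhost\Client\AllowUnencrypted'; Bad = 'true'
           Risk = 'client will send unencrypted HTTP traffic' },
        @{ Path = 'WSMan:\localhost\Client\TrustedHosts'; Bad = '*'
           Risk = 'client skips server authentication for every host' }
    )
    foreach ($c in $checks) {
        $value = (Get-Item -Path $c.Path).Value
        if ($value -eq $c.Bad) {
            [pscustomobject]@{ Setting = $c.Path; Value = $value; Risk = $c.Risk }
        }
    }
    # Basic auth is only reported when it can also travel over plain HTTP.
    $basic = (Get-Item -Path 'WSMan:\localhost\Service\Auth\Basic').Value
    $clear = (Get-Item -Path 'WSMan:\localhost\Service\AllowUnencrypted').Value
    if ($basic -eq 'true' -and $clear -eq 'true') {
        [pscustomobject]@{ Setting = 'WSMan:\localhost\Service\Auth\Basic'; Value = $basic
                           Risk = 'Basic credentials are only base64-encoded on the wire' }
    }
}

function Enable-WinRMHttpsBasic {
    # Keeps Basic auth for the local admin account but requires TLS for it.
    # Assumption: a self-signed certificate is acceptable in a test lab.
    $cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME `
                                      -CertStoreLocation 'Cert:\LocalMachine\My'
    New-Item -Path 'WSMan:\localhost\Listener' -Transport HTTPS -Address * `
             -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null
    Set-Item -Path 'WSMan:\localhost\Service\Auth\Basic' -Value $true
    Set-Item -Path 'WSMan:\localhost\Service\AllowUnencrypted' -Value $false
    New-NetFirewallRule -DisplayName 'WinRM over HTTPS' -Direction Inbound `
                        -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null
}

# Report only; call Enable-WinRMHttpsBasic explicitly to change the configuration.
Get-WinRMWeakSetting | Format-Table -AutoSize
```

After the switch, clients have to connect to port 5986 and trust the server certificate.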

-----Original Message-----
From: ganesan15785@gmail.com [mailto:ganesan15785@gmail.com]
Sent: 22 May 2014 07:52
To: chef@lists.opscode.com
Subject: [chef] Winrm issues in chef-recipe
