
Get-ADUser error when winrm_password have special character $ #197

Open
kikitux opened this issue Jul 25, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@kikitux

kikitux commented Jul 25, 2024

Terraform Version and Provider Version

Terraform 1.8.4
Terraform-Ad 0.5.0

Windows Version

Windows 2022

Affected Resource(s)

  • Provider configuration

Terraform Configuration Files

provider "ad" {
 domain_controller = var.domain_controller

 krb_conf  = var.krb_conf
 krb_realm = var.krb_realm
 krb_spn   = var.krb_spn

 winrm_hostname = var.winrm_hostname
 winrm_username = data.vault_ldap_static_credentials.ad_id.username
 winrm_password = data.vault_ldap_static_credentials.ad_id.password

 winrm_pass_credentials = var.winrm_pass_credentials
 winrm_port             = var.winrm_port
 winrm_proto            = var.winrm_proto
}

Debug Output

Error: command Get-ADUser exited with a non-zero exit code 1, stderr: Get-ADUser :
The server has rejected the client credentials.
At line:4 char:2
Get-ADUser -identity "<user>" -properties * -Credential $Credential - ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : SecurityError: (<user>:ADUser) [Get-ADUser], AuthenticationException
FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.Security.Authentication.AuthenticationException,Microsoft.ActiveDirectory.Management.Commands.GetADUser

Panic Output

NA

Expected Behavior

Terraform continues to work with new user/password

Actual Behavior

Terraform fails to run commands using PowerShell, and the account becomes locked

Steps to Reproduce

  1. Set the winrm password to a value containing $
  2. terraform apply
  3. Check the status of the user; it should be locked

Important Factoids

The new password contains $ due to company policies

References

N/A

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

When the winrm password contains the special character dollar ($), the Get-ADUser command fails and the account becomes locked.

error:

Refer to the attached screenshot of the user being locked out during terraform plan execution.

func GetUserFromHost(conf *config.ProviderConf, guid string, customAttributes []string) (*User, error) {
	// Only the identity is interpolated into the cmdlet text; the WinRM
	// credentials are handed to the PowerShell wrapper through psOpts.
	cmd := fmt.Sprintf("Get-ADUser -identity %q -properties *", guid)
	psOpts := CreatePSCommandOpts{
		JSONOutput:      true,
		ForceArray:      false,
		ExecLocally:     conf.IsConnectionTypeLocal(),
		PassCredentials: conf.IsPassCredentialsEnabled(),
		Username:        conf.Settings.WinRMUsername,
		Password:        conf.Settings.WinRMPassword,
		Server:          conf.IdentifyDomainController(),
	}
	psCmd := NewPSCommand([]string{cmd}, psOpts)
	result, err := psCmd.Run(conf)
	if err != nil {
		return nil, err
	}
	if result.ExitCode != 0 {
		// Non-zero exit: stderr carries the "server has rejected the client
		// credentials" message shown in the debug output above.
		log.Printf("[DEBUG] stderr: %s\nstdout: %s", result.StdErr, result.Stdout)
		return nil, fmt.Errorf("command Get-ADUser exited with a non-zero exit code %d, stderr: %s", result.ExitCode, result.StdErr)
	}
	u, err := unmarshallUser([]byte(result.Stdout), customAttributes)
	if err != nil {
		return nil, fmt.Errorf("error while unmarshalling user json document: %s", err)
	}
	return u, nil
}

The password is being set by a Vault static role. Users confirmed they can log in to Windows using the user/pass combination when $ is present; it is just terraform ad that fails.


Customer Pain Context

The customer is not able to use the $ character in the password, and this can cause issues if the dynamically generated password contains $. Hence, putting a pain score of 9.

To Reproduce

  • Connect in a double-hop environment with a $ in the password:

@kikitux kikitux added the bug Something isn't working label Jul 25, 2024
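The symptom in this report (a valid password that authenticates everywhere except through the provider, and a lockout from the repeated failed attempts) is what you get when a secret is spliced into a double-quoted PowerShell string, where `$` starts variable and subexpression expansion; the issue does not show that code path, so treating it as the cause is an assumption. The following Go helper is an added example, not provider code: it renders the password as a single-quoted PowerShell literal, the one form PowerShell never expands, doubling any embedded single quote, and contrasts it with the fragile double-quoted form. Function names and the sample credential are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// psSingleQuote renders s as a PowerShell single-quoted string literal.
// Inside '...' PowerShell performs no variable or subexpression expansion,
// so $, ` and " are all literal; the only character that needs escaping is
// the single quote itself, which PowerShell expects doubled ('').
func psSingleQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// psDoubleQuote is the fragile form: inside "..." PowerShell expands $name
// and $(...), so a password such as pa$$w0rd is altered before it reaches
// the cmdlet, the logon fails, and each retry counts toward the lockout
// threshold.
func psDoubleQuote(s string) string {
	return `"` + s + `"`
}

// hasExpansionRisk reports whether a value placed in a double-quoted literal
// would be subject to expansion ($, `) or could terminate the string (").
func hasExpansionRisk(s string) bool {
	return strings.ContainsAny(s, "$`\"")
}

// credentialScript builds the preamble that defines the $Credential used by
// the Get-ADUser call quoted in the issue, with both fields safely quoted.
// Variable names mirror the error output; the function itself is illustrative.
func credentialScript(username, password string) string {
	return fmt.Sprintf(
		"$SecurePassword = ConvertTo-SecureString %s -AsPlainText -Force\n"+
			"$Credential = New-Object System.Management.Automation.PSCredential(%s, $SecurePassword)",
		psSingleQuote(password), psSingleQuote(username))
}

func main() {
	pw := "pa$$w0rd" // constructed sample, not a real credential
	fmt.Println("fragile:", psDoubleQuote(pw), "expansion risk:", hasExpansionRisk(pw))
	fmt.Println(credentialScript("svc-terraform", pw))
}
```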