Allow Rundeck to perform Double Hop to connect to a remote SQL Server #33

Open
fgutierrezz opened this issue Aug 20, 2019 · 1 comment

fgutierrezz commented Aug 20, 2019

Describe the bug
Actually, it is not possible to perform a double hop from the Rundeck server to Server C. Server B is unable to pass credentials to Server C.

Rundeck Server > Server B > Server C.
linux > windows > windows

My Rundeck detail

  • Rundeck version: 3.1
  • install type: Launcher
  • OS Name/version: [ubuntu 16.04]

To Reproduce
Steps to reproduce the behavior:
Create a job, use pywinrm + Kerberos authentication and execute the command on Server B

Example:

"query_execution.sql"
use rundeckdb;
select * from execution;

"Job"
sqlcmd -S ServerC -i C:\sql\query_execution.sql

The following error appears when a command is executed on Server B and it tries to pass credentials to Server C using the sqlcmd command.

Command [ERROR ] Execution finished with the following error (winrm-exec.py:267)[root]
18:40:34 [ERROR ] Sqlcmd: Error: Microsoft ODBC Driver 13 for SQL Server : Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'..
18:40:34 (winrm-exec.py:268)[root]

Expected behavior
It's expected the Double Hop to work.

Screenshots

[Screenshot: error]

Desktop (please complete the following information):

  • OS: Ubuntu 18.04
  • Browser Chrome
  • Version 76.0.3809.100

Additional context
A workaround (not working when connecting to the database, but working when using, for example, "net view"): https://blogs.technet.microsoft.com/ashleymcglone/2016/08/30/powershell-remoting-kerberos-double-hop-solved-securely/

$ServerB = Get-ADComputer -Identity ServerB
$ServerC = Get-ADComputer -Identity ServerC
Set-ADComputer -Identity $ServerC -PrincipalsAllowedToDelegateToAccount $ServerB

Then on ServerB: KLIST PURGE -LI 0x3e7

Job is included

- defaultTab: nodes
  description: ''
  executionEnabled: true
  group: Kerberos
  id: dfc18c53-4e98-4583-a94c-6deef31badd0
  loglevel: INFO
  name: testing
  nodeFilterEditable: false
  nodefilters:
    dispatch:
      excludePrecedence: true
      keepgoing: false
      rankOrder: ascending
      successOnEmptyNodeFilter: false
      threadcount: '1'
    filter: 'name: serverB'
  nodesSelectedByDefault: true
  scheduleEnabled: true
  sequence:
    commands:
    - exec: sqlcmd -S ServerC -i C:\query_execution.sql
    keepgoing: false
    strategy: node-first
  uuid: dfc18c53-4e98-4583-a94c-6deef31badd0

@Proxicon

Hi, Linux -> Windows -> Windows is not a Linux or Rundeck blocker but instead a Microsoft credential delegation feature.

You can enable credential delegation between computers by setting that in the WinRM endpoint or using PowerShell cmdlets.
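
An added check, not part of the thread and not Rundeck plugin code: resource-based constrained delegation is evaluated on the account that owns the target service's SPN, so this lists which account owns the MSSQLSvc SPN for ServerC and whether ServerB is allowed to delegate to it. The function name, its parameters and the SPN pattern are assumptions made for this example; it needs the ActiveDirectory module.

```powershell
# Added example (not from the issue thread). Requires the ActiveDirectory module (RSAT).
# ServerB/ServerC are the issue's host names; the function name and the
# MSSQLSvc/<host>* SPN pattern are assumptions made for this example.
Import-Module ActiveDirectory

function Test-SqlDoubleHopDelegation {
    param(
        [string]$FrontEnd = 'ServerB',  # host the WinRM job runs on
        [string]$SqlHost  = 'ServerC',  # host passed to sqlcmd -S
        [string]$JobUser                # optional: account the job authenticates as
    )
    $front = Get-ADComputer -Identity $FrontEnd

    # Accounts that own an MSSQLSvc SPN for the SQL host. This is the computer
    # object only when SQL Server runs under a built-in machine identity.
    $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=MSSQLSvc/$SqlHost*)" `
        -Properties servicePrincipalName
    if (-not $owners) { Write-Warning "No MSSQLSvc SPN found for $SqlHost" }

    foreach ($o in $owners) {
        # Re-read the owner with its typed cmdlet to get the RBCD property.
        $p = 'PrincipalsAllowedToDelegateToAccount'
        $acct = switch ($o.ObjectClass) {
            'computer' { Get-ADComputer -Identity $o.DistinguishedName -Properties $p }
            'user'     { Get-ADUser -Identity $o.DistinguishedName -Properties $p }
            default    { Get-ADServiceAccount -Identity $o.DistinguishedName -Properties $p }
        }
        [pscustomobject]@{
            SpnOwner        = $acct.SamAccountName
            ObjectClass     = $o.ObjectClass
            Spns            = @($o.servicePrincipalName) -like 'MSSQLSvc/*'
            AllowedFrom     = @($acct.$p)   # distinguished names of permitted front ends
            FrontEndAllowed = @($acct.$p) -contains $front.DistinguishedName
        }
    }

    if ($JobUser) {
        # "Account is sensitive and cannot be delegated" blocks any delegation.
        Get-ADUser -Identity $JobUser -Properties AccountNotDelegated |
            Select-Object SamAccountName, AccountNotDelegated
    }
}

Test-SqlDoubleHopDelegation | Format-List
```

If `SpnOwner` is not the ServerC computer object, the `Set-ADComputer` call in the workaround configured a different account from the one SQL Server runs as.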
