PowerShell / PowerShell Public
Cannot enter/create PSSession from linux to windows machine #6647
Comments
@KaloferovLab remoting over WSMan is supported, but much more limited than what you get with Windows and WinRM. From Linux, you should use |
I have tried many times establishing a new session from linux RHEL7 to windows server 2016. Enter-PSSession : MI_RESULT_ACCESS_DENIED
|
Did anyone manage to establish the connection? |
New-PSSession -ComputerName remotehost -Credential $credential -Authentication Negotiate
Use Negotiate for authentication. I don't recommend using Basic, as that would send your password in plain text over the network, and you would also need to manually allow the remote host to accept Basic authentication, as it is not allowed by default. Specifying Negotiate results in using NTLM authentication, which can be verified by checking $PSSenderInfo.UserInfo.Identity.AuthenticationType |
If you are seeing this error on Debian or Ubuntu, see #7342 (comment). |
I am also facing the same problem when accessing from Ubuntu 16.04. PowerShell version and details are included:
Name Value
PSVersion 6.2.1
My error output:
enter-pssession : MI_RESULT_ACCESS_DENIED
|
I also face this issue on CentOS 7 and Server 2012r2 / 2016 |
Same issue on CentOS 7 and WinServer 2019
|
So it appears this issue has been open for a while. I recently ran into this issue via #10764. Any plans to get this resolved in future releases? This is holding up some progress to port some Windows automation over to a Linux-based environment. |
When remoting from Linux, you will likely need to explicitly use Basic auth. Negotiate requires additional libraries and configuration. |
Are the extra libraries required on the Windows or Linux side? Or both? |
Windows already has the necessary libs built into the OS. Here's an example where the docker image was updated with a lib to support NTLM on Linux: PowerShell/PowerShell-Docker#124. This issue seems to indicate Kerberos can work on Linux. |
Hmm. Checked to verify that the package is installed in the Docker image and still get the same issue as above.
|
Hey @arnydo, |
I am using the latest Docker image for Powershell with no luck. |
@arnydo Did you check whether |
Hey, what does /etc/services have to do with this particular issue? That isn't sarcastic... |
haha, yes, that's a fair question! There is an issue with the native OMI library PowerShell uses on Linux that only crops up with NTLM authentication when |
@danports I built a new image based on the latest Ubuntu 18.04 Powershell Dockerfile but with the addition of the Same result... |
Hmm, perhaps you're experiencing a different problem then. You might want to try enabling OMI logging inside the container - reviewing the OMI logs is what eventually helped me to diagnose my issue. |
Doesn't look like omi is present at all in the Powershell images...is that even used in this case? |
What do you mean by not present? You'll probably need to create the OMI log and configuration directories to enable logging - I don't think they are there by default. |
@SteveL-MSFT, This is all well and good:
Except, it's not supported:
You'd think that such a useful feature, with multiple bug reports, would have been implemented and/or documented properly a year and a half later after the issue was first reported... |
Which version of the Power shell |
Just bumped against this too, using a rhel7.7 azure devops agent that needs to remote into a windows 2016 vm |
@SteveL-MSFT Please look at the previous comment. I believe we can close the issue and fix it in #11374 |
It's solution..... |
I still have this issue, on Ubuntu 20.04
The error message is:
|
Same here. Ubuntu 20.04, PowerShell 7.0.1 from Store. I guess the Snap package should be changed to add
|
I am also facing the same issue with the latest version of PowerShell (7.0.1). Trying to connect to Windows 2012 from CentOS Linux 7. |
As suggested by @BitDesert above, it works for me after installing gss-ntlmssp and with -Authentication Negotiate. But there is a huge latency. Authentication itself takes around 20 seconds. Both the Linux and Windows machines are in the same subnet. Any suggestion on how to reduce the latency? |
Having the same issue here on Arch Linux with Powershell Core 7.0.0. Installing the gss-ntlmssp AUR package and using
|
Hey guys, op of PowerShell/PowerShell-Docker#124 here. You can literally just use the docker://mcr.microsoft.com/powershell:centos-7 container w/ podman/docker/rkt/whatev to get it to work. Just run the container w/ interactivity and a tty and it kicks you into
This is literally what containers are for, so you don't have to fight with crazy deps to get a simple task handled. If you're trying to get kerberos to work with it (instead of ntlm), I don't think the containers will work (despite gssapi supporting it) because you'll need to get your tgt with |
I'd like to add that Linux Mint 20 has the same issue as Ubuntu 20.04. I installed the package with snap and manually installed
|
I found the problem. Just install apt-get install inetutils-ping |
On ubuntu I have |
I get the same error on Ubuntu 20.04 (running in WSL2), even though inetutils-ping and gss-ntlmssp are installed.
|
Unfortunately it seems these kinds of situations are terribly poorly documented by Microsoft.
A few other notes :
Finally, the output on CentOS 7 to connect looks like :
All this was put together by pulling information from all over the net. There are tickets for that that have been open for months, I haven't checked those for a while, but feel free to try and get those done. Nobody wants to need a Windows server to manage other Windows servers ( or manage any windows server at all for that matter, but that's beyond the scope of the answer ;) ). |
You are not posting your whole command line. Make sure to use the hostname and not the IP, and set up credentials as shown in my post above. It seems you only supply a user. Just google that error and look at examples otherwise. Make sure to post full info if you have the same issue, thanks |
yum install gssntlmssp
... PS > $sesopt = New-PSSessionOption -SkipCACheck -SkipCNCheck
PS > Enter-PSSession -ComputerName 192.168.10.85 -Credential $cred -Authentication Negotiate -UseSSL -SessionOption $sesopt
Enter-PSSession: Connecting to remote server 192.168.10.85 failed with the following error message : Authorization failed For more information, see the about_Remote_Troubleshooting Help topic.
The Windows eventlog shows Error code 0xC000035B. That might be a version problem. PowerShell on Linux seems to use NTLMv1. Windows Server needs a newer version.
Client: CentOS 7, PowerShell 7.1.3 |
In order to get remoting to work, I have installed the following dependencies on Ubuntu 20.4 (without Kerberos). While trying to set it up on RHEL with Kerberos, I got the error "acquiring creds with username only failed Unspecified GSS failure. Minor code may provide more information SPNEGO cannot find mechanisms to negotiate" from Invoke-Command, and "Authorization failed Unspecified GSS failure. Minor code may provide more information Server not found in Kerberos database For more information" from the New-PSSession and Enter-PSSession commands. This might be a Kerberos configuration issue, or some other dependencies required on RHEL are still missing. |
you need to have your Linux machine authenticate with Kerberos first. Depending if you use AD or Linux, you need to make sure that it works. As I wrote, it works with both the Windows and Linux host using a Linux Kerberos server. |
@VGerris Thank you for your comment. I am able to create/enter a PSSession from Linux to Windows Server after turning off FIPS on Linux. I traced it down to an md5 hash error and found that gss-ntlmssp is not compatible with FIPS. |
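A preflight for the two Linux-side conditions reported in this thread (gss-ntlmssp registered as a GSSAPI mechanism, and FIPS mode off), as an added example that is not from any commenter or from the PowerShell project. It assumes MIT krb5's default mechanism config paths (/etc/gss/mech.d and /etc/gss/mech); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are parameters so each check can
# also be pointed at a constructed directory tree instead of the live host.

NTLMSSP_OID='1.3.6.1.4.1.311.2.2.10'   # OID of the NTLMSSP GSSAPI mechanism

# fips_state [FILE]: prints on, off or unknown (kernel FIPS flag).
fips_state() {
    fs_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$fs_file" ] || { echo unknown; return 0; }
    if [ "$(tr -d '[:space:]' < "$fs_file")" = "1" ]; then echo on; else echo off; fi
}

# ntlm_mech_registered [DIR] [FILE]: succeeds when an uncommented line in the
# GSSAPI mechanism config names the NTLMSSP OID (assumed MIT krb5 default paths).
ntlm_mech_registered() {
    nm_dir="${1:-/etc/gss/mech.d}"
    nm_legacy="${2:-/etc/gss/mech}"
    for nm_file in "$nm_dir"/*.conf "$nm_legacy"; do
        [ -r "$nm_file" ] || continue
        if grep -v '^[[:space:]]*#' "$nm_file" | grep -Fq "$NTLMSSP_OID"; then
            return 0
        fi
    done
    return 1
}

# preflight [FIPS_FILE] [MECH_DIR] [MECH_FILE]: prints one verdict.
# Returns 0 = NTLM can be attempted, 1 = mechanism missing, 2 = FIPS mode on.
preflight() {
    if ! ntlm_mech_registered "${2:-}" "${3:-}"; then
        echo "FAIL: NTLMSSP mechanism not registered (install gss-ntlmssp or gssntlmssp)"
        return 1
    fi
    pf_fips="$(fips_state "${1:-}")"
    if [ "$pf_fips" = "on" ]; then
        echo "FAIL: FIPS mode on; a commenter here found gss-ntlmssp incompatible with it"
        return 2
    fi
    echo "OK: NTLMSSP registered, FIPS $pf_fips"
}

# Usage on a live host: preflight   (no arguments selects the default paths)
```

A passing preflight only rules out these two client-side causes; the server-side errors quoted elsewhere in the thread still need the Windows event log.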
I am experiencing similar issues with my setup - I simply cannot make Ubuntu 18.04 or 20.04 connect to Windows Server 2019 using NTLM. Does anyone have any suggestions? Looks like Ubuntu and Windows Server 2019 cannot negotiate the correct NTLM. Setup:
Commands executed on Ubuntu server:
$PSSessionParameters = @{
    Authentication = 'Negotiate'
    Credential = [pscredential]::new('user@domaintest.onmicrosoft.com', ('Obfuscated' | ConvertTo-SecureString -AsPlainText))
    UseSSL = $true
    Port = 5986
    ConfigurationName = 'PowerShell.7'
    SessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
}
New-PSSession -ComputerName '10.0.104.201' @PSSessionParameters
Error received on Ubuntu:
Error in Windows Server Security log:
NTLM audit log on Windows Server:
|
Please take a look at this thread - jborean93/omi#29 |
if you using yum install gssntlmssp if using sudo apt install gss-ntlmssp |
Thanks! |
Obviously something is wrong with PowerShell for Linux. For my Ubuntu 18.04 connecting to Win10 Pro over WinRM (HTTP port, not joined to AD), the following worked:
Validation:
File copy :
|
The below steps worked for me on CentOS 7:
Install PowerShell for Linux
Register the Microsoft RedHat repository
Install PowerShell
Confirm epel-release is installed
Update all packages
Install the below packages
Note: If gssntlmssp fails with the error Public key for gssntlmssp-0.7.0-1.el7.x86_64.rpm is not installed use the below command
Install the PSWSMan on powershell
|
For the record, the blog is definitely titled as being related to Linux..but if you look at the PRs microsoft/omi#669, microsoft/omi#670, and the blog, those are all related to building the library on MacOS (which is unsupported). The troubleshooting of GSSAPI and everything else from the blog is definitely on-topic, though, and is probably useful for people who need help troubleshooting more details of how pwsh on linux interacts with GSSAPI. Still, though, it's super cool that the author is actively maintaining OMI for all of the platforms (including MacOS)...because honestly, it needs it. |
Thanks! |
@hunter86bg not to police this thread, but that might be off-topic since we're in an issue tracker for keeping track of bugs and the thread could get closed or locked if it wanders too far from the original issue. this specific issue is with regards to entering/creating a PSsession and not necessarily performance issues encountered therein. please create another issue describing your problem so that maybe the devers could look into it. |
Steps to reproduce
From Linux to Win:
Expected behavior
Enter the PSSession on the Windows box. Same error when I try to create a new PSSession on the Windows box.
Actual behavior
Error
Environment data
Windows server:
Linux server:
The alpha version of the plugin didn't support PSCredential Object and WinRM. Does it support them now?
Found this from last year.
#5742
Does cross platform remoting work now in 6.1.0?