Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enter-PSSession fails from Docker image #7342

Open
Stlouistechy opened this issue Jul 23, 2018 · 15 comments
Open

Enter-PSSession fails from Docker image #7342

Stlouistechy opened this issue Jul 23, 2018 · 15 comments
Labels
Issue-Discussion the issue may not have a clear classification yet. The issue may generate an RFC or may be reclassif WG-Remoting PSRP issues with any transport layer

Comments

@Stlouistechy
Copy link

Stlouistechy commented Jul 23, 2018

Steps to reproduce

From a RHEL server running docker, pull down latest release by running:
docker run -it microsoft/powershell
From PS command prompt, connect to a Windows 2012 R2 server by running:
PS /> $creds = Get-Credential
PS /> Enter-PSSession -ComputerName {Win2012-R2 Hostname} -Authentication Basic -Credential $creds

Expected behavior

PS connects to server

Actual behavior

Enter-PSSession : Connecting to remote server {Win2012-R2 Hostname} failed with the following error message : MI_RESULT_ACCESS_DENIED For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1

  • Enter-PSSession -ComputerName {Win2012-R2 Hostname} -Authentica ...
  • CategoryInfo : InvalidArgument: ({Win2012-R2 Hostname}:String) [Enter-PSSession], PSRemotingTransportException
  • FullyQualifiedErrorId : CreateRemoteRunspaceFailed

Environment data

PS /> $psversiontable

Name Value


PSVersion 6.0.3
PSEdition Core
GitCommitId v6.0.3
OS Linux 3.10.0-693.21.1.el7.x86_64 #1 SMP Fri Feb 23 18:54:16 UTC 2018
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0

@MaximoTrinidad
Copy link

MaximoTrinidad commented Jul 23, 2018

@Stlouistechy

Question: Did you setup Winrm linux on RHEL Docker?

I know it's kind-of hard to setup but it's possible. The best and fast route it to setup ssh on the Windows Server. Docker IT/PowerShell image will not have the Winrm configured.

:)

@Stlouistechy
Copy link
Author

Stlouistechy commented Jul 23, 2018

@MaximoTrinidad

Thanks Maximo. I just tested this on my Container by installing pywinrm (pip install pywinrm) and running the steps again. Unfortunately no luck, I receive the same error.

@MaximoTrinidad
Copy link

MaximoTrinidad commented Jul 24, 2018

@Stlouistechy

Just keep in mind... installing pywinrm is a python module and won't work with PowerShell.
There are more steps to follow in order to enable WinRm in Linux.

This why is quicker, and even efficient, to use OpenSSL and use port 21 for ssh connectivity.

:)

@iSazonov iSazonov added Issue-Discussion the issue may not have a clear classification yet. The issue may generate an RFC or may be reclassif WG-Remoting PSRP issues with any transport layer labels Jul 24, 2018
@Stlouistechy
Copy link
Author

Stlouistechy commented Jul 24, 2018

So is there a way for PSCore to support PSSessions from Linux to Windows currently? Given the fact that we can not run most windows native modules from PSCore on Linux, remoting is our only method to execute windows based modules. Without remoting, or support for Windows modules such as Active Directory, we are unable to use much of anything on PSCore Linux.

@MaximoTrinidad
Copy link

MaximoTrinidad commented Jul 24, 2018

@Stlouistechy

OpenSSH can be install in Windows so you can use SSH protocol for remoting.

By the way, the AD Module will be available (if is not already) for PSCore. Then again, all components to support AD Authentication need to be in place on the Linux system. I know the way to install these components does varies on different Linux distributions.

:)

@Stlouistechy
Copy link
Author

Stlouistechy commented Jul 26, 2018

@chuanjiao10 Thanks. Is there a timeline when PSSession and ActiveDirectory modules may be available to PSCore on Linux?

@danports
Copy link

danports commented Mar 28, 2019

@Stlouistechy The microsoft/powershell image is based on Ubuntu, which does not bundle /etc/services, so you are likely being bit by this issue: microsoft/omi#623. The workaround for now is to build your own Docker image based on the PowerShell image that includes a command like:
RUN echo 'http 80/tcp www www-http' > /etc/services

@jimdigriz
Copy link

jimdigriz commented Feb 13, 2020

@Stlouistechy The microsoft/powershell image is based on Ubuntu, which does not bundle /etc/services, so you are likely being bit by this issue: microsoft/omi#623. The workaround for now is to build your own Docker image based on the PowerShell image that includes a command like:
RUN echo 'http 80/tcp www www-http' > /etc/services

...or apt-get install netbase

I just lost two hours of my life because of this.

@apiening
Copy link

apiening commented Jun 12, 2020

Thanks @jimdigriz an apt update && apt install netbase did the trick for me as well.

However I can't get around saying how poor this looks to me that Microsoft is unable / unwilling to fix errors like this in their official images that are around for two years.
I only stumbled upon this issue because it seems not to be possible to do PowerShell remoting from Mac OS X (even though it is an officially supported platform) due to an incorrect hard linked dependency to an outdated OpenSSL library.
Searching the web tells that even after 3 years still a lot of users (like me) are wasting their time with no workaround or even a solution provided by Microsoft.

So I thought with their docker image at least it should work right out of the box. Double fail! What a shame!
Sorry but I'm just frustrated after wasting nearly three hours.

@danports
Copy link

danports commented Jun 13, 2020

@apiening Agreed. I think it took me 1-2 days of work last year digging into the OMI library internals to identify the issue - and then when I did, the fix I proposed was promptly rejected. 🤷‍♂️ 😖

@Veverke
Copy link

Veverke commented Mar 9, 2021

@apiening I was hesitating to express such a thought... thinking it is too naive to think Microsoft would ignore errors (in plural form) in official docker images.
Well seems this is reality. 🕵️‍♀️

@VGerris
Copy link

VGerris commented Apr 16, 2021

It also fails for a non-docker image for me with netbase installed on Ubuntu 20.04. Don't kid yourself, the total lack of support of Microsoft for this and similar issues just shows clearly how committed they are to providing true cross platform solutions.
Kerberos support should work out of the box, it's trivial to make that work if it works on Windows. I would expect more from a so called commitment to open source and other platforms.

@VenkataNaveen-Zoetis
Copy link

VenkataNaveen-Zoetis commented Apr 28, 2021

apt-get install netbase

Life savior!!

@VOVELEE
Copy link

VOVELEE commented Jun 9, 2021

Please take a look into this threat - jborean93/omi#29
Looks like the limitation comes from the libraries which ship with different version of Windows. The workaround is to set the CbtHardeningLevel to None so Windows doesn't try to validate the value at all.

@Veverke
Copy link

Veverke commented Jun 29, 2021

apt-get install netbase

Life savior!!

I had a working image in .net core 3.1 where I could establish remote connections via powershell from linux containers to windows machines, but the same code did not succeed when upgrading to .net 5.
Simply adding netbase package installation to my container dockerfile did the job, I am able to connect from linux containers to windows machines via powershell in .net 5 using sdk 5.0 docker hub image.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Issue-Discussion the issue may not have a clear classification yet. The issue may generate an RFC or may be reclassif WG-Remoting PSRP issues with any transport layer
Projects
None yet
Development

No branches or pull requests

11 participants