Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Any plans to make the gem work on OS X ? #16

Closed
enrico opened this issue Sep 7, 2011 · 15 comments
Closed

Any plans to make the gem work on OS X ? #16

enrico opened this issue Sep 7, 2011 · 15 comments
Labels
question

Comments

@enrico
Copy link

enrico commented Sep 7, 2011

I'm using winrm-1.0.3 . The gem installs fine on OS X, but this is what I get when I try to use it:

ruby-1.9.2-p290 :001 > require 'winrm'
WARNING: Could not load IOV methods. Check your GSSAPI C library for an update
WARNING: Could not load AEAD methods. Check your GSSAPI C library for an update
 => [] 
ruby-1.9.2-p290 :002 > endpoint = 'http://mustard:5985/wsman'
 => "http://mustard:5985/wsman" 
ruby-1.9.2-p290 :003 > krb5_realm='foo.com'
 => "foo.com" 
ruby-1.9.2-p290 :004 > winrm = WinRM::WinRMWebService.new(endpoint, :kerberos, :realm => krb5_realm)
GSSAPI::GssApiError: gss_init_sec_context did not return GSS_S_COMPLETE.  Error code: maj: 851968, min: -1765328189
        from /usr/local/rvm/gems/ruby-1.9.2-p290@desktop/gems/gssapi-1.0.1/lib/gssapi/simple.rb:86:in `init_context'
        from /usr/local/rvm/gems/ruby-1.9.2-p290@desktop/gems/winrm-1.0.3/lib/winrm/http/transport.rb:106:in `init_krb'
        from /usr/local/rvm/gems/ruby-1.9.2-p290@desktop/gems/winrm-1.0.3/lib/winrm/http/transport.rb:71:in `initialize'
        from /usr/local/rvm/gems/ruby-1.9.2-p290@desktop/gems/winrm-1.0.3/lib/winrm/winrm_service.rb:27:in `new'
        from /usr/local/rvm/gems/ruby-1.9.2-p290@desktop/gems/winrm-1.0.3/lib/winrm/winrm_service.rb:27:in `initialize'
        from (irb):4:in `new'
@zenchild
Copy link
Member

zenchild commented Sep 7, 2011

The WinRM protocol uses Kerberos session encryption via the GSSAPI library by default. This encryption type is dependent on certain functionality in the native GSSAPI C library. OS X (not sure about Lion) ships with an older version of the GSSAPI library that does not contain the needed methods but it can be updated to a newer version via MacPorts or I believe the Heimdal library has the appropriate functionality and can be retrieved from here => http://www.h5l.org/binaries.html. You can also configure WinRM to use SSL encryption which should work, but you'll need to configure the certificate on the client. Lastly, there is plaintext, but I would not recommend this approach unless the traffic on your network is secure.

Cheers,

Dan

@zenchild zenchild closed this as completed Sep 7, 2011
@thbar
Copy link

thbar commented Feb 2, 2012

Follow-up in case that's useful for someone else: I tried to install the Heimdal package (using the provided DMG archive) on Lion but so far I still get the two warnings and the same error as @enrico.

I'm investigating more, maybe there is some dynamic load path to be set before requiring 'winrm'. I'll report back - if anyone find out how to make the gem work on OS X, leave a comment!

@zenchild
Copy link
Member

zenchild commented Feb 2, 2012

Have you tried: require gssapi/heimdal before loading the winrm gem?

@thbar
Copy link

thbar commented Feb 2, 2012

I tried to add the require in the em-winrm gem before it loads the winrm gem, but it still failed.

Not sure if maybe some dynamic path must be set (things like in http://blog.leshill.org/blog/2010/04/24/dynamic-load-paths-in-osx.html)?

I'm going to try to do a direct call now myself in irb.

@thbar
Copy link

thbar commented Feb 2, 2012

Simple question: if I get the warnings on missing IOV/AEAD methods, am I right to believe the default winrm connection should not work?

@zenchild
Copy link
Member

zenchild commented Feb 2, 2012

You are correct. It needs the IOV methods in order to do the encryption. You can still use plaintext or SSL, but it's not nearly as clean. Unfortunately I do not have a Mac to test on or I could be a little more help.

It most likely is a dynloader issue and you can muck with that in 'lib/gssapi/lib_gssapi_loader.rb' in the gssapi gem. It's not an elegant solution but until Mac ships with a more recent version of Kerberos/GSSAPI I'm afraid it's the best I can do.

@thbar
Copy link

thbar commented Feb 2, 2012

Thanks for the hint and for your suggestion, it's helpful! I'll try to have a closer look at the dynloader issue and will use plaintext or ssl in the meantime (plaintext worked already for sure!).

If I manage to understand what's happening, I'll comment here.

Here is the exact error I had, for the record:

WARNING: Could not load OID conversion methods. Check your GSSAPI C library for an update
WARNING: Could not load AEAD methods. Check your GSSAPI C library for an update
FFI::NotFoundError: Function 'GSS_C_NT_HOSTBASED_SERVICE' not found in [#<FFI::DynamicLibrary:0x007fc1c9bd5000>, #<FFI::DynamicLibrary:0x007fc1c9bd4a88>]
  from /Users/thbar/.rvm/gems/ruby-1.9.3-p0@project/gems/ffi-1.0.11/lib/ffi/library.rb:316:in `attach_variable'
  from /Users/thbar/.rvm/gems/ruby-1.9.3-p0@project/gems/gssapi-1.0.3/lib/gssapi/lib_gssapi.rb:338:in `<module:LibGSSAPI>'
  from /Users/thbar/.rvm/gems/ruby-1.9.3-p0@project/gems/gssapi-1.0.3/lib/gssapi/lib_gssapi.rb:8:in `<module:GSSAPI>'
  from /Users/thbar/.rvm/gems/ruby-1.9.3-p0@project/gems/gssapi-1.0.3/lib/gssapi/lib_gssapi.rb:7:in `<top (required)>'
  from /Users/thbar/.rvm/rubies/ruby-1.9.3-p0/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require'
  from /Users/thbar/.rvm/rubies/ruby-1.9.3-p0/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require'
  from /Users/thbar/.rvm/gems/ruby-1.9.3-p0@project/gems/gssapi-1.0.3/lib/gssapi.rb:17:in `<top (required)>'
  from /Users/thbar/.rvm/rubies/ruby-1.9.3-p0/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require'
  from /Users/thbar/.rvm/rubies/ruby-1.9.3-p0/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require'
  from /Users/thbar/.rvm/gems/ruby-1.9.3-p0@project/gems/winrm-1.0.4/lib/winrm/winrm_service.rb:25:in `initialize'

@thbar
Copy link

thbar commented Feb 2, 2012

Interesting stuff - using a bit of tweaking I forced heimdal in lib_gss_api_loader.rb and I think heimdal might have issues of its own (not sure completely yet).

Before:

USING mit /usr/lib/libgssapi_krb5.dylib
WARNING: Could not load IOV methods. Check your GSSAPI C library for an update
WARNING: Could not load AEAD methods. Check your GSSAPI C library for an update

After (with hardcoded tweak to force heimdal):

USING heimdal /usr/heimdal/lib/libgssapi.dylib libc.dylib
WARNING: Could not load OID conversion methods. Check your GSSAPI C library for an update
WARNING: Could not load AEAD methods. Check your GSSAPI C library for an update

The warning went from IOV to OID.

I'm using http://www.h5l.org/dist/src/heimdal-1.5.2.dmg on Lion.

Does that mean maybe Heimdal is not good for the job here?

@zenchild
Copy link
Member

zenchild commented Feb 2, 2012

You won't need the OID or AEAD methods for encryption to work. You should be good to go if the IOV methods are loading.

@thbar
Copy link

thbar commented Feb 2, 2012

Excellent, thanks!

@ramarnat
Copy link

I am sort of stuck at the same place. I have installed http://www.h5l.org/dist/src/heimdal-1.5.2.dmg and am testing with the following. Looks like the attach_variable isn't working for GSS_C_NT_HOSTBASED_SERVICE?

Any thoughts on how I could troubleshoot this?

1.9.2-p290 :002 > require "gssapi/heimdal"
=> true 
1.9.2-p290 :003 > require 'winrm'
WARNING: Could not load OID conversion methods. Check your GSSAPI C library for an update
WARNING: Could not load AEAD methods. Check your GSSAPI C library for an update
=> true 
1.9.2-p290 :004 > endpoint = 'http://172.19.2.47:5985/wsman'
=> "http://172.19.2.47:5985/wsman" 
1.9.2-p290 :005 > winrm = WinRM::WinRMWebService.new(endpoint)
WARNING: Could not load OID conversion methods. Check your GSSAPI C library for an update
WARNING: Could not load AEAD methods. Check your GSSAPI C library for an update
FFI::NotFoundError: Function 'GSS_C_NT_HOSTBASED_SERVICE' not found in [#<FFI::DynamicLibrary:0x007fc78b912170>, #<FFI::DynamicLibrary:0x007fc78b90af38>]
    from /usr/local/rvm/gems/ruby-1.9.2-p290@full360-elasticpm/gems/ffi-1.0.11/lib/ffi/library.rb:316:in `attach_variable'
    from /usr/local/rvm/gems/ruby-1.9.2-p290@full360-elasticpm/gems/gssapi-1.0.3/lib/gssapi/lib_gssapi.rb:338:in `<module:LibGSSAPI>'
    from /usr/local/rvm/gems/ruby-1.9.2-p290@full360-elasticpm/gems/gssapi-1.0.3/lib/gssapi/lib_gssapi.rb:8:in `<module:GSSAPI>'
    from /usr/local/rvm/gems/ruby-1.9.2-p290@full360-elasticpm/gems/gssapi-1.0.3/lib/gssapi/lib_gssapi.rb:7:in `<top (required)>'
    from /usr/local/rvm/gems/ruby-1.9.2-p290@full360-elasticpm/gems/gssapi-1.0.3/lib/gssapi.rb:17:in `require'
    from /usr/local/rvm/gems/ruby-1.9.2-p290@full360-elasticpm/gems/gssapi-1.0.3/lib/gssapi.rb:17:in `<top (required)>'
    from /usr/local/rvm/gems/ruby-1.9.2-p290@full360-elasticpm/bundler/gems/WinRM-593aced2ea5f/lib/winrm/winrm_service.rb:43:in `require'
    from /usr/local/rvm/gems/ruby-1.9.2-p290@full360-elasticpm/bundler/gems/WinRM-593aced2ea5f/lib/winrm/winrm_service.rb:43:in `initialize'
    from (irb):5:in `new'
    from (irb):5
    from /usr/local/rvm/rubies/ruby-1.9.2-p290/bin/irb:16:in `<main>'

@zenchild
Copy link
Member

@ramarnat I think you might be seeing this issue because you're not passing a realm. Try this:

winrm = WinRM::WinRMWebService.new(endpoint, :kerbers, :realm => your_krb_realm )

@ramarnat
Copy link

I am using this with ec2 instances, havent used realms before. Maybe a better question is how can I just use the encryption with the hostname based connection rather than kerberos and realms?

@zenchild
Copy link
Member

See issue #23

@jaylevitt jaylevitt mentioned this issue Sep 25, 2012
Merged
@justinclayton
Copy link

I am also getting the Function 'GSS_C_NT_HOSTBASED_SERVICE' not found error. @ramarnat @thbar Did either of you get this working? I am on Mac OS X 10.8.4 with Heimdal 1.5.3 installed from the .dmg. I am also doing a require 'gssapi/heimdal' before require 'winrm'.

EDIT: upon further investigation, I believe this may actually be an issue with the gssapi gem:

1.9.3p429 :001 > require 'gssapi/heimdal'
 => true
1.9.3p429 :002 > require 'gssapi'
WARNING: Could not load OID conversion methods. Check your GSSAPI C library for an update
WARNING: Could not load AEAD methods. Check your GSSAPI C library for an update
FFI::NotFoundError: Function 'GSS_C_NT_HOSTBASED_SERVICE' not found in [#<FFI::DynamicLibrary:0x007ff382a05690>, #<FFI::DynamicLibrary:0x007ff382a05000>]
    from /Users/justin/.rvm/gems/ruby-1.9.3-p429@winrm/gems/ffi-1.9.0/lib/ffi/library.rb:318:in `attach_variable'
    from /Users/justin/.rvm/gems/ruby-1.9.3-p429@winrm/gems/gssapi-1.0.3/lib/gssapi/lib_gssapi.rb:338:in `<module:LibGSSAPI>'
    from /Users/justin/.rvm/gems/ruby-1.9.3-p429@winrm/gems/gssapi-1.0.3/lib/gssapi/lib_gssapi.rb:8:in `<module:GSSAPI>'
    from /Users/justin/.rvm/gems/ruby-1.9.3-p429@winrm/gems/gssapi-1.0.3/lib/gssapi/lib_gssapi.rb:7:in `<top (required)>'
    from /Users/justin/.rvm/gems/ruby-1.9.3-p429@winrm/gems/gssapi-1.0.3/lib/gssapi.rb:17:in `require'
    from /Users/justin/.rvm/gems/ruby-1.9.3-p429@winrm/gems/gssapi-1.0.3/lib/gssapi.rb:17:in `<top (required)>'
    from (irb):2:in `require'
    from (irb):2
    from /Users/justin/.rvm/rubies/ruby-1.9.3-p429/bin/irb:16:in `<main>'

Since it appears that this project may be moving away from Kerberos in favor of NTLM, perhaps this issue should move to zenchild/gssapi.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@enrico @thbar @ramarnat @zenchild @justinclayton