New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Any plans to make the gem work on OS X ? #16
Comments
The WinRM protocol uses Kerberos session encryption via the GSSAPI library by default. This encryption type is dependent on certain functionality in the native GSSAPI C library. OS X (not sure about Lion) ships with an older version of the GSSAPI library that does not contain the needed methods but it can be updated to a newer version via MacPorts or I believe the Heimdal library has the appropriate functionality and can be retrieved from here => http://www.h5l.org/binaries.html. You can also configure WinRM to use SSL encryption which should work, but you'll need to configure the certificate on the client. Lastly, there is plaintext, but I would not recommend this approach unless the traffic on your network is secure. Cheers, Dan |
Follow-up in case that's useful for someone else: I tried to install the Heimdal package (using the provided DMG archive) on Lion but so far I still get the two warnings and the same error as @enrico. I'm investigating more, maybe there is some dynamic load path to be set before requiring 'winrm'. I'll report back - if anyone find out how to make the gem work on OS X, leave a comment! |
Have you tried: |
I tried to add the require in the Not sure if maybe some dynamic path must be set (things like in http://blog.leshill.org/blog/2010/04/24/dynamic-load-paths-in-osx.html)? I'm going to try to do a direct call now myself in irb. |
Simple question: if I get the warnings on missing IOV/AEAD methods, am I right to believe the default winrm connection should not work? |
You are correct. It needs the IOV methods in order to do the encryption. You can still use plaintext or SSL, but it's not nearly as clean. Unfortunately I do not have a Mac to test on or I could be a little more help. It most likely is a dynloader issue and you can muck with that in 'lib/gssapi/lib_gssapi_loader.rb' in the gssapi gem. It's not an elegant solution but until Mac ships with a more recent version of Kerberos/GSSAPI I'm afraid it's the best I can do. |
Thanks for the hint and for your suggestion, it's helpful! I'll try to have a closer look at the dynloader issue and will use plaintext or ssl in the meantime (plaintext worked already for sure!). If I manage to understand what's happening, I'll comment here. Here is the exact error I had, for the record:
|
Interesting stuff - using a bit of tweaking I forced heimdal in lib_gss_api_loader.rb and I think heimdal might have issues of its own (not sure completely yet). Before:
After (with hardcoded tweak to force heimdal):
The warning went from IOV to OID. I'm using http://www.h5l.org/dist/src/heimdal-1.5.2.dmg on Lion. Does that mean maybe Heimdal is not good for the job here? |
You won't need the OID or AEAD methods for encryption to work. You should be good to go if the IOV methods are loading. |
Excellent, thanks! |
I am sort of stuck at the same place. I have installed http://www.h5l.org/dist/src/heimdal-1.5.2.dmg and am testing with the following. Looks like the attach_variable isn't working for GSS_C_NT_HOSTBASED_SERVICE? Any thoughts on how I could troubleshoot this?
|
@ramarnat I think you might be seeing this issue because you're not passing a realm. Try this: winrm = WinRM::WinRMWebService.new(endpoint, :kerbers, :realm => your_krb_realm ) |
I am using this with ec2 instances, havent used realms before. Maybe a better question is how can I just use the encryption with the hostname based connection rather than kerberos and realms? |
See issue #23 |
I am also getting the EDIT: upon further investigation, I believe this may actually be an issue with the gssapi gem:
Since it appears that this project may be moving away from Kerberos in favor of NTLM, perhaps this issue should move to zenchild/gssapi. |
I'm using winrm-1.0.3 . The gem installs fine on OS X, but this is what I get when I try to use it:
The text was updated successfully, but these errors were encountered: