- HIRO Engine Node <-> HIRO Repository (for ActionHandler Components)
- HIRO Engine Node <-> CentOS/RHEL Repository (for Kerberos Workstation Components)
- HIRO Engine Node <-> Windows Targets on ports 5985 (HTTP) and/or 5986 (HTTPS)
- HIRO Engine Node <-> Windows Domain Controller on Kerberos Ports

- On RHEL, execute

  ```sh
  subscription-manager repos --enable rhel-6-server-optional-rpms
  subscription-manager repos --enable rhel-server-rhscl-6-rpms
  ```

- On CentOS, execute

  ```sh
  yum -y install centos-release-scl-rh
  ```

Add the following to your /etc/yum.repos.d/hiro.repo file:

```ini
[hiro-contrib]
name=arago HIRO contributions
baseurl=https://USERNAME:PASSWORD@repository.arago.de/hiro-contrib/centos/6/
gpgcheck=0
enabled=1
```

Replace USERNAME and PASSWORD with your repository credentials.
> 💡 To use the online RPM repository the target servers need to be able to connect to tcp/443 on "repository.arago.de".

> ❗ If your username/password contains special characters you must replace them with the proper URL-encoded characters.
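The percent-encoding the note above asks for is easy to get wrong by hand, and the resulting file holds a password. The following POSIX sh script is an added example, not part of the HIRO documentation or arago's tooling: `urlencode` encodes every byte that is not an RFC 3986 unreserved character (ASCII credentials assumed), and `write_hiro_repo` writes the repo file from this page with the encoded credentials and owner-only permissions. The destination path is a parameter so the function can be tried on a scratch file; on a real HIRO Engine Node it is /etc/yum.repos.d/hiro.repo.

```sh
#!/bin/sh
# Added example: build /etc/yum.repos.d/hiro.repo with URL-encoded credentials.

urlencode() {
  # Percent-encode every character that is not RFC 3986 "unreserved"
  # (letters, digits, '-', '.', '_', '~'), one character at a time.
  # Assumes ASCII credentials; multibyte characters are not handled.
  s=$1
  out=""
  while [ -n "$s" ]; do
    rest=${s#?}            # everything after the first character
    c=${s%"$rest"}         # the first character itself
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;   # "'X" gives X's numeric value
    esac
    s=$rest
  done
  printf '%s' "$out"
}

write_hiro_repo() {
  # $1 = username, $2 = password, $3 = destination file
  # (/etc/yum.repos.d/hiro.repo on a real node; any scratch path for testing).
  user=$(urlencode "$1")
  pass=$(urlencode "$2")
  cat > "$3" <<EOF
[hiro-contrib]
name=arago HIRO contributions
baseurl=https://$user:$pass@repository.arago.de/hiro-contrib/centos/6/
gpgcheck=0
enabled=1
EOF
  # The file carries the repository password: keep it readable by the owner only
  # (yum runs as root, so root-only access is sufficient).
  chmod 600 "$3"
}

# Usage on a real node (credentials are constructed placeholders):
#   write_hiro_repo 'USERNAME' 'p@ss:w/rd#1' /etc/yum.repos.d/hiro.repo
# which yields baseurl=https://USERNAME:p%40ss%3Aw%2Frd%231@repository.arago.de/...
```

Note that `gpgcheck=0` is copied from the page's own snippet; the script changes nothing about what is installed, only how the credentials are written.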
On the HIRO Engine Node install the Kerberos workstation components:

```sh
yum install krb5-libs krb5-workstation
```

Modify the Kerberos config /etc/krb5.conf to include the domain information. krb5.conf sample:

```ini
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = WINLAB.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 WINLAB.LOCAL = {
  kdc = dc1.winlab.local
  admin_server = dc1.winlab.local
 }

[domain_realm]
 .winlab.local = WINLAB.LOCAL
 winlab.local = WINLAB.LOCAL
```

Use kinit to manually test Kerberos authentication:

```sh
kinit user@WINLAB.LOCAL
```

The command klist should now show a valid Kerberos TGT. Run the command kdestroy to remove the above ticket, as it was only for testing.
On the HIRO Engine Node, use the following series of commands to create the keytab file:

```
ktutil
addent -password -p username@MYDOMAIN.COM -k 1 -e RC4-HMAC
- enter password for username -
wkt username.keytab
```

The default location for keytabs is /opt/autopilot/conf/external_actionhandlers/keytabs/.

Test the keytab file:

```sh
kinit -k -t /path/to/Keytab user@DOMAIN
```

klist should now show a valid Kerberos TGT; kdestroy will remove the ticket.

> ❗ HIRO will need permissions to access the keytab file to be able to utilize it.
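The keytab steps above are interactive, and the permission warning is easy to get wrong in either direction (unreadable for HIRO, or readable by everyone). The script below is an added example, not part of the HIRO documentation: `make_keytab` drives ktutil from a here-document with the same `addent`/`wkt` commands as the page, `keytab_perms_ok` checks owner and mode, and `verify_keytab` repeats the page's kinit/klist/kdestroy test non-interactively in a private credential cache. The service account name `autopilot` is an assumption (use the user hiro-winrm-actionhandler actually runs as); the enctype defaults to the page's RC4-HMAC, and can be set to aes256-cts-hmac-sha1-96 where the domain account supports it.

```sh
#!/bin/sh
# Added example: create, protect and verify the WinRM ActionHandler keytab.

KEYTAB_DIR=/opt/autopilot/conf/external_actionhandlers/keytabs   # default location from the page
HIRO_USER=autopilot   # ASSUMPTION: account the ActionHandler runs as; adjust to your installation

make_keytab() {
  # $1 = principal (user@REALM), $2 = output file,
  # $3 = enctype (default RC4-HMAC as on the page), $4 = kvno (default 1 as on the page).
  principal=$1 out=$2 enctype=${3:-RC4-HMAC} kvno=${4:-1}
  printf 'Password for %s: ' "$principal"
  stty -echo 2>/dev/null || true
  read -r password
  stty echo 2>/dev/null || true
  echo
  # umask 077 in a subshell: the new keytab is created owner-readable only.
  ( umask 077
    ktutil <<EOF
addent -password -p $principal -k $kvno -e $enctype
$password
wkt $out
EOF
  )
  unset password
  chown "$HIRO_USER" "$out"   # the service account, not root, must be able to read it
}

keytab_perms_ok() {
  # $1 = keytab path, $2 = user that must be able to read it.
  # Returns 0 when the file exists, is owned by that user and is not readable by group/others.
  [ -f "$1" ] || { echo "missing: $1"; return 1; }
  owner=$(stat -c %U "$1")
  mode=$(stat -c %a "$1")
  if [ "$owner" != "$2" ]; then echo "owner is $owner, expected $2"; return 1; fi
  case $mode in
    [0-7]00) return 0 ;;   # 600 or 400: only the owner can read the keytab
    *) echo "mode $mode is too permissive (want 600)"; return 1 ;;
  esac
}

verify_keytab() {
  # $1 = keytab path, $2 = principal. Same test as the page (kinit -k -t, klist,
  # kdestroy) but against a throw-away credential cache, so nothing of a real
  # session is touched. Returns 0 only if permissions and authentication are fine.
  keytab=$1 principal=$2
  keytab_perms_ok "$keytab" "$HIRO_USER" || return 1
  KRB5CCNAME=$(mktemp) || return 1
  export KRB5CCNAME
  if kinit -k -t "$keytab" "$principal" && klist -s; then
    echo "keytab OK for $principal"; rc=0
  else
    echo "kinit with $keytab failed for $principal"; rc=1
  fi
  kdestroy 2>/dev/null
  rm -f "$KRB5CCNAME"
  return $rc
}

# Usage (run as root on the HIRO Engine Node; principal is a placeholder):
#   make_keytab username@MYDOMAIN.COM "$KEYTAB_DIR/username.keytab"
#   verify_keytab "$KEYTAB_DIR/username.keytab" username@MYDOMAIN.COM
```

`klist -s` exits non-zero when the cache holds no valid ticket, which makes the check usable from a provisioning script without parsing output.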
Windows has a command for WinRM "Quick Configuration":

```powershell
Set-WSManQuickConfig
```

Check if the WinRM service is already running:

```powershell
Get-Service WinRM
```

Check the WinRM service configuration:

```
winrm g winrm/config/Service
```

Sample output:

```
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = true
    Auth
        Basic = false
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true
```

> ❗
>
> ```
> winrm s winrm/config/Service '@{AllowUnencrypted="True"}'
> winrm s winrm/config/Service/Auth '@{Kerberos="True"}'
> ```

Check for running listeners:

```
winrm e winrm/config/listener
```

Sample output:

```
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 192.168.105.240, ::1, fe80::5efe:192.168.105.240%15, fe80::ffff:ffff:fffe%14
```
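The service configuration above is worth reviewing on every target before the ActionHandler is pointed at it, and the output format is regular enough to check mechanically. The POSIX sh script below is an added example, not part of the HIRO documentation: `winrm_setting` extracts one value from captured `winrm g winrm/config/Service` output, and `audit_winrm_service` reports settings that weaken the transport or do not fit the Kerberos setup on this page. The embedded sample is the page's own output, reproduced as a constructed string; on a real target, run the command there and pipe the saved output in. One caveat on the page's `AllowUnencrypted="True"`: with Kerberos or Negotiate authentication WinRM still encrypts the SOAP payload at message level, so this setting matters mainly when Basic authentication is enabled or a client deliberately sends cleartext; the audit therefore reports it as something to review rather than a blocker.

```sh
#!/bin/sh
# Added example: audit captured `winrm g winrm/config/Service` output.

# Constructed sample: the output quoted on this page, indented as winrm prints it.
WINRM_SERVICE_SAMPLE='Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = true
    Auth
        Basic = false
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true'

winrm_setting() {
  # $1 = setting name; reads winrm output on stdin and prints the first matching
  # "name = value" (indentation and a trailing CR from Windows output are ignored).
  awk -v key="$1" -F' = ' '$1 ~ ("^[ \t]*" key "$") { sub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

audit_winrm_service() {
  # Reads winrm output on stdin, prints one FINDING line per questionable setting
  # and returns 1 if there was any, 0 if the service configuration looks acceptable.
  cfg=$(cat)
  findings=0
  get() { printf '%s\n' "$cfg" | winrm_setting "$1"; }

  if [ "$(get AllowUnencrypted)" = "true" ]; then
    echo "FINDING: AllowUnencrypted=true - clients may send cleartext SOAP on HTTP/5985; acceptable only with Kerberos/Negotiate (message-level encryption) and Basic=false, otherwise use HTTPS/5986"
    findings=$((findings + 1))
  fi
  if [ "$(get Basic)" = "true" ]; then
    echo "FINDING: Basic=true - password authentication, not needed for the keytab-based ActionHandler"
    findings=$((findings + 1))
  fi
  if [ "$(get Kerberos)" != "true" ]; then
    echo "FINDING: Kerberos is not enabled - the keytab-based ActionHandler cannot authenticate"
    findings=$((findings + 1))
  fi
  if [ "$(get CredSSP)" = "true" ]; then
    echo "FINDING: CredSSP=true - full credentials are delegated to the target"
    findings=$((findings + 1))
  fi
  if [ "$(get CbtHardeningLevel)" != "Strict" ]; then
    echo "FINDING: CbtHardeningLevel=$(get CbtHardeningLevel) - channel binding is not enforced on HTTPS"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Usage on the captured sample; on a real target pipe in the saved command output.
# For the page's sample this reports AllowUnencrypted=true and CbtHardeningLevel=Relaxed.
printf '%s\n' "$WINRM_SERVICE_SAMPLE" | audit_winrm_service || echo "review the findings above"
```

The same `winrm_setting` helper works on the listener output (`winrm e winrm/config/listener`), for example to confirm `Transport` and `Port` before opening the firewall from the HIRO Engine Node.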
Add the following section to your /opt/autopilot/conf/aae.yaml and restart the engine.

```yaml
ActionHandlers:
  ActionHandler:
    - URL: tcp://127.0.0.1:7289
      SubscribeURL: ''
      CapabilityYAML: /opt/autopilot/conf/external_actionhandlers/capabilities/winrm-actionhandler.yaml
      RequestTimeout: 60
```

> ❗ If you’re still using HIRO 5.3.x, replace

To adjust the number of actions that can be executed concurrently (both in total and per MARSNode), edit /opt/autopilot/conf/external_actionhandlers/winrm-actionhandler.conf:

```ini
[ActionHandler]
ZMQ_URL: tcp://*:7289
ParallelTasks: 10
ParallelTasksPerWorker: 5
WorkerMaxIdle: 300
```

| Option | Default | Meaning |
|---|---|---|
| ParallelTasks | 10 | Number of overall commands the ActionHandler will execute in parallel. Additional commands will be enqueued. |
| ParallelTasksPerWorker | 5 | Number of commands the ActionHandler will execute in parallel on the same target machine. |

To apply the changes, restart the ActionHandler:

```sh
service hiro-winrm-actionhandler restart
```
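The engine entry in aae.yaml and the handler's ZMQ_URL have to agree on the port, and the two parallelism limits only make sense when the per-target limit does not exceed the total. The POSIX sh script below is an added example, not part of the HIRO documentation: it reads both files, compares the ports and limits, and prints what it finds before you restart anything. `write_page_samples` writes copies of the two fragments from this page into a scratch directory as constructed test input; the real paths are /opt/autopilot/conf/aae.yaml and /opt/autopilot/conf/external_actionhandlers/winrm-actionhandler.conf. The remark about the wildcard bind is the example's own observation, under the assumption that the handler runs on the engine node.

```sh
#!/bin/sh
# Added example: consistency check of aae.yaml against winrm-actionhandler.conf.

write_page_samples() {
  # $1 = directory; writes the two config fragments shown on this page
  # (constructed test input, so the check can run without a HIRO installation).
  cat > "$1/aae.yaml" <<'EOF'
ActionHandlers:
  ActionHandler:
    - URL: tcp://127.0.0.1:7289
      SubscribeURL: ''
      CapabilityYAML: /opt/autopilot/conf/external_actionhandlers/capabilities/winrm-actionhandler.yaml
      RequestTimeout: 60
EOF
  cat > "$1/winrm-actionhandler.conf" <<'EOF'
[ActionHandler]
ZMQ_URL: tcp://*:7289
ParallelTasks: 10
ParallelTasksPerWorker: 5
WorkerMaxIdle: 300
EOF
}

conf_value() {
  # $1 = file, $2 = key; prints the value of the first "key: value" line.
  # Works for both files: YAML list dashes and indentation are skipped.
  awk -v key="$2" '{ for (i = 1; i <= NF; i++) if ($i == key ":") { print $(i + 1); exit } }' "$1"
}

url_port() {
  # tcp://127.0.0.1:7289 or tcp://*:7289 -> 7289 (text after the last colon)
  printf '%s' "$1" | sed 's/.*://'
}

check_actionhandler_config() {
  # $1 = aae.yaml, $2 = winrm-actionhandler.conf; prints problems, returns 1 on any.
  aae=$1 conf=$2 problems=0
  engine_port=$(url_port "$(conf_value "$aae" URL)")
  handler_port=$(url_port "$(conf_value "$conf" ZMQ_URL)")
  if [ -z "$engine_port" ] || [ "$engine_port" != "$handler_port" ]; then
    echo "port mismatch: aae.yaml URL port '$engine_port' vs ZMQ_URL port '$handler_port'"
    problems=$((problems + 1))
  fi
  total=$(conf_value "$conf" ParallelTasks)
  per_worker=$(conf_value "$conf" ParallelTasksPerWorker)
  if [ "${per_worker:-0}" -gt "${total:-0}" ]; then
    echo "ParallelTasksPerWorker ($per_worker) exceeds ParallelTasks ($total): the per-target limit can never be reached"
    problems=$((problems + 1))
  fi
  case $(conf_value "$conf" ZMQ_URL) in
    'tcp://*:'*)
      # Informational only: the page's value binds every interface while the engine
      # connects to 127.0.0.1 (assumption: handler and engine share the node).
      echo "note: ZMQ_URL binds all interfaces; a loopback bind would expose the handler socket to fewer hosts" ;;
  esac
  [ "$problems" -eq 0 ]
}

# Usage against the page's fragments (scratch copies):
#   d=$(mktemp -d); write_page_samples "$d"
#   check_actionhandler_config "$d/aae.yaml" "$d/winrm-actionhandler.conf"
# Against the live files:
#   check_actionhandler_config /opt/autopilot/conf/aae.yaml \
#     /opt/autopilot/conf/external_actionhandlers/winrm-actionhandler.conf
```

Run it after editing and before `service hiro-winrm-actionhandler restart`; a port mismatch otherwise only shows up as the engine failing to reach the handler.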
The WinRM ActionHandler provides two 'Capabilities':

- ExecuteCommand: Execute standard DOS commands
- ExecutePowershell: Execute PowerShell commands

Both capabilities support the execution of small scripts in their respective language (DOS batch or PowerShell).

> ❗ The length of the whole script including all whitespace and line breaks must not exceed 5500 characters.

ExecuteCommand is named exactly like in the Unix ActionHandler for a reason: it does the same thing, executing a command. Both ActionHandlers are limited by their Applicability. The Unix ActionHandler will only work with Unix machines, the WinRM handler only with Windows machines. Which one is used for execution depends on the MachineClass of the MARSNode the AutomationIssue resides on when the ActionHandler is called.

To learn more about Capabilities and Applicabilities, please refer to the documentation of the Generic ActionHandler.