-
HIRO Engine Node <-> HIRO Repository (for ActionHandler Components)
-
HIRO Engine Node <-> CentOS/RHEL Repository (for Kerberos Workstation Components)
-
HIRO Engine Node <-> Windows Targets on ports 5985 (HTTP) and/or 5986 (HTTPS)
-
HIRO Engine Node <-> Windows Domain Controller on Kerberos Ports
-
On RHEL, execute
subscription-manager repos --enable rhel-6-server-optional-rpms
subscription-manager repos --enable rhel-server-rhscl-6-rpms-
On CentOS, execute
yum -y install centos-release-scl-rhAdd the following to your /etc/yum.repos.d/hiro.repo file:
[hiro-contrib]
name=arago HIRO contributions
baseurl=https://USERNAME:PASSWORD@repository.arago.de/hiro-contrib/centos/6/
gpgcheck=0
enabled=1Replace USERNAME and PASSWORD with your repository credentials.
|
💡
|
|
|
💡
|
To use the online RPM repository the target servers need to be able to connect to tcp/443 on "repository.arago.de". |
|
❗
|
If your username/password contains special characters you must replace them with the proper URL encode character. |
On the HIRO Engine Node install the Kerberos workstation components:
yum install krb5-libs krb5-workstationModify the Kerberos config /etc/krb5.conf to include the domain information.
krb5.conf sample:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = WINLAB.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
WINLAB.LOCAL = {
kdc = dc1.winlab.local
admin_server = dc1.winlab.local
}
[domain_realm]
.winlab.local = WINLAB.LOCAL
winlab.local = WINLAB.LOCALUse kinit to manually test Kerberos authentication:
kinit user@WINLAB.LOCALThe command klist should now show a valid Kerberos TGT.
Run the command kdestroy to remove the above ticket, as it was only for testing.
On the HIRO Engine Node, use the following series of commands to create our Keytab file:
ktutil
addent -password -p username@MYDOMAIN.COM -k 1 -e RC4-HMAC
- enter password for username -
wkt username.keytabThe default location for keytabs is /opt/autopilot/conf/external_actionhandlers/keytabs/.
Test Keytab file:
kinit -k -t /path/to/Keytab user@DOMAINklist should now show a valid Kerberos TGT. kdestroy will remove the ticket.
|
❗
|
HIRO will need permissions to access the keytab file to be able to utilize it |
Windows has a command for WinRM "Quick Configuration":
Set-wsmanquickconfigCheck if WinRM service is already running:
Get-Service WinRMCheck the WinRM service configuration:
winrm g winrm/config/ServiceSample output:
Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = true
Auth
Basic = false
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = false
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true|
❗
|
winrm s winrm/config/Service '@{AllowUnencrypted="True"}'
winrm s winrm/config/Service/Auth '@{Kerberos="True"}'
|
Check for running Listeners:
winrm e winrm/config/listenerSample output:
Listener
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 127.0.0.1, 192.168.105.240, ::1, fe80::5efe:192.168.105.240%15, fe80::ffff:ffff:fffe%14Add the following section to your /opt/autopilot/conf/aae.yaml and restart the engine.
ActionHandlers:
ActionHandler:
- URL: tcp://127.0.0.1:7289
SubscribeURL: ''
CapabilityYAML: /opt/autopilot/conf/external_actionhandlers/capabilities/winrm-actionhandler.yaml
RequestTimeout: 60|
❗
|
If you’re still using HIRO 5.3.x, replace |
To adjust the number of actions that can be executed concurrently
(both in total and per MARSNode), edit
/opt/autopilot/conf/external_actionhandlers/winrm-actionhandler.conf
[ActionHandler]
ZMQ_URL: tcp://*:7289
ParallelTasks: 10
ParallelTasksPerWorker: 5
WorkerMaxIdle: 300| Option | Default | Meaning |
|---|---|---|
ParallelTasks |
10 |
Number of overall commands the ActionHandler will execute in parallel. Additional commands will be enqueued. |
ParallelTasksPerWorker |
5 |
Number of commands the ActionHandler will execute in parallel on the same target machine. |
To apply the changes, restart the ActionHandler
service hiro-winrm-actionhandler restartThe WinRM ActionHandler provides two 'Capabilities':
-
ExecuteCommand: Execute standard DOS commands -
ExecutePowershell: Execute Powershell commands
Both capabilities support the execution of small scripts in their respective language (DOS batch or Powershell).
|
❗
|
The length of the whole script including all whitespace and line breaks must not exceed 5500 characters. |
ExecuteCommand is named exactly like in the Unix ActionHandler for
a reason: It does the same thing, executing a command.
Both ActionHandlers are limited by their Applicability. The Unix
ActionHandler will only work with Unix machines, the WinRM handler
only with Windows machines. Which one is used for execution depends
on the MachineClass of the MARSNode the AutomationIssue
resides on when the ActionHandler is called.
To learn more about Capabilities and Applicabilities, please
refer to the documentation of the Generic ActionHandler.
