TECHZEN Zenoss User Community ARCHIVE  
FORUMS / ZenPacks, JSON API, and Integrations / DISCUSSION

WinRM on fresh Zenoss Core 4.2.5 installation

Subject: WinRM on fresh Zenoss Core 4.2.5 installation
Author: [Not Specified]
Posted: 2014-08-26 07:31

Hi!
I'm stuck at getting any data through WinRM on a fresh Zenoss Core 4.2.5 installation. When I try to connect with a domain admin account (username@domain.local) I get this while doing a model device:

2014-08-26 14:23:51,086 INFO zen.ZenModeler: Connecting to localhost:8789
2014-08-26 14:23:51,095 INFO zen.ZenModeler: Connected to ZenHub
2014-08-26 14:23:51,125 INFO zen.ZenModeler: Collecting for device BIT.McAfee
2014-08-26 14:23:51,158 INFO zen.ZenModeler: skipping WMI-based collection, PySamba zenpack not installed
2014-08-26 14:23:51,163 INFO zen.ZenModeler: Python collection device BIT.McAfee
2014-08-26 14:23:51,163 INFO zen.ZenModeler: plugins: zenoss.winrm.OperatingSystem, zenoss.winrm.CPUs, zenoss.winrm.FileSystems, zenoss.winrm.Interfaces, zenoss.winrm.Services, zenoss.winrm.Processes, zenoss.winrm.Software, zenoss.winrm.IIS
2014-08-26 14:23:51,168 ERROR zen.PythonClient: Error on BIT.McAfee: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Cannot determine realm for numeric host address', -1765328141))
2014-08-26 14:23:51,171 ERROR zen.PythonClient: Error on BIT.McAfee: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Cannot determine realm for numeric host address', -1765328141))
2014-08-26 14:23:51,175 ERROR zen.PythonClient: Error on BIT.McAfee: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Cannot determine realm for numeric host address', -1765328141))
2014-08-26 14:23:51,179 ERROR zen.PythonClient: Error on BIT.McAfee: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Cannot determine realm for numeric host address', -1765328141))
2014-08-26 14:23:51,183 ERROR zen.PythonClient: Error on BIT.McAfee: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Cannot determine realm for numeric host address', -1765328141))
2014-08-26 14:23:51,187 ERROR zen.PythonClient: Error on BIT.McAfee: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Cannot determine realm for numeric host address', -1765328141))
2014-08-26 14:23:51,191 ERROR zen.PythonClient: Error on BIT.McAfee: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Cannot determine realm for numeric host address', -1765328141))
2014-08-26 14:23:51,194 ERROR zen.PythonClient: Error on BIT.McAfee: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Cannot determine realm for numeric host address', -1765328141))
2014-08-26 14:23:51,198 ERROR zen.PythonClient: Error on BIT.McAfee: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Cannot determine realm for numeric host address', -1765328141))
2014-08-26 14:23:51,201 ERROR zen.PythonClient: Error on BIT.McAfee: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Cannot determine realm for numeric host address', -1765328141))
2014-08-26 14:23:51,202 INFO zen.PythonClient: Python client finished collection for BIT.McAfee
2014-08-26 14:23:51,202 WARNING zen.ZenModeler: The plugin zenoss.winrm.OperatingSystem returned no results.
2014-08-26 14:23:51,202 WARNING zen.ZenModeler: The plugin zenoss.winrm.CPUs returned no results.
2014-08-26 14:23:51,202 WARNING zen.ZenModeler: The plugin zenoss.winrm.FileSystems returned no results.
2014-08-26 14:23:51,202 WARNING zen.ZenModeler: The plugin zenoss.winrm.Interfaces returned no results.
2014-08-26 14:23:51,202 WARNING zen.ZenModeler: The plugin zenoss.winrm.Services returned no results.
2014-08-26 14:23:51,202 WARNING zen.ZenModeler: The plugin zenoss.winrm.Processes returned no results.
2014-08-26 14:23:51,202 WARNING zen.ZenModeler: The plugin zenoss.winrm.Software returned no results.
2014-08-26 14:23:51,202 WARNING zen.ZenModeler: The plugin zenoss.winrm.IIS returned no results.
2014-08-26 14:23:51,202 INFO zen.ZenModeler: No change in configuration detected
2014-08-26 14:23:51,203 INFO zen.ZenModeler: No command plugins found for BIT.McAfee
2014-08-26 14:23:51,203 INFO zen.ZenModeler: SNMP monitoring off for BIT.McAfee
2014-08-26 14:23:51,203 INFO zen.ZenModeler: No portscan plugins found for BIT.McAfee
2014-08-26 14:23:51,204 INFO zen.ZenModeler: Scan time: 0.08 seconds
2014-08-26 14:23:51,205 INFO zen.ZenModeler: Daemon ZenModeler shutting down

When doing the same for a local account (plain username) I get this message:

2014-08-26 14:26:43,876 INFO zen.ZenModeler: Connecting to localhost:8789
2014-08-26 14:26:43,884 INFO zen.ZenModeler: Connected to ZenHub
2014-08-26 14:26:43,952 INFO zen.ZenModeler: Collecting for device BIT.McAfee
2014-08-26 14:26:43,984 INFO zen.ZenModeler: skipping WMI-based collection, PySamba zenpack not installed
2014-08-26 14:26:43,990 INFO zen.ZenModeler: Python collection device BIT.McAfee
2014-08-26 14:26:43,991 INFO zen.ZenModeler: plugins: zenoss.winrm.OperatingSystem, zenoss.winrm.CPUs, zenoss.winrm.FileSystems, zenoss.winrm.Interfaces, zenoss.winrm.Services, zenoss.winrm.Processes, zenoss.winrm.Software, zenoss.winrm.IIS
2014-08-26 14:26:43,994 INFO zen.ZenModeler: No command plugins found for BIT.McAfee
2014-08-26 14:26:43,994 INFO zen.ZenModeler: SNMP monitoring off for BIT.McAfee
2014-08-26 14:26:43,995 INFO zen.ZenModeler: No portscan plugins found for BIT.McAfee
2014-08-26 14:26:44,002 ERROR zen.PythonClient: Query error on BIT.McAfee: Unauthorized: Check username and password
2014-08-26 14:26:44,004 ERROR zen.PythonClient: Query error on BIT.McAfee: Unauthorized: Check username and password
2014-08-26 14:26:44,005 ERROR zen.PythonClient: Query error on BIT.McAfee: Unauthorized: Check username and password
2014-08-26 14:26:44,007 ERROR zen.PythonClient: Query error on BIT.McAfee: Unauthorized: Check username and password
2014-08-26 14:26:44,009 ERROR zen.PythonClient: Query error on BIT.McAfee: Unauthorized: Check username and password
2014-08-26 14:26:44,010 ERROR zen.PythonClient: Query error on BIT.McAfee: Unauthorized: Check username and password
2014-08-26 14:26:44,012 ERROR zen.PythonClient: Query error on BIT.McAfee: Unauthorized: Check username and password
2014-08-26 14:26:44,013 ERROR zen.PythonClient: Query error on BIT.McAfee: Unauthorized: Check username and password
2014-08-26 14:26:44,017 ERROR zen.PythonClient: Query error on BIT.McAfee: Unauthorized: Check username and password
2014-08-26 14:26:44,020 ERROR zen.PythonClient: Query error on BIT.McAfee: Unauthorized: Check username and password
2014-08-26 14:26:44,020 INFO zen.PythonClient: Python client finished collection for BIT.McAfee
2014-08-26 14:26:44,020 WARNING zen.ZenModeler: The plugin zenoss.winrm.CPUs returned no results.
2014-08-26 14:26:44,020 WARNING zen.ZenModeler: The plugin zenoss.winrm.FileSystems returned no results.
2014-08-26 14:26:44,021 WARNING zen.ZenModeler: The plugin zenoss.winrm.OperatingSystem returned no results.
2014-08-26 14:26:44,021 WARNING zen.ZenModeler: The plugin zenoss.winrm.Services returned no results.
2014-08-26 14:26:44,021 WARNING zen.ZenModeler: The plugin zenoss.winrm.Processes returned no results.
2014-08-26 14:26:44,022 WARNING zen.ZenModeler: The plugin zenoss.winrm.IIS returned no results.
2014-08-26 14:26:44,022 WARNING zen.ZenModeler: The plugin zenoss.winrm.Software returned no results.
2014-08-26 14:26:44,022 WARNING zen.ZenModeler: The plugin zenoss.winrm.Interfaces returned no results.
2014-08-26 14:26:44,022 INFO zen.ZenModeler: No change in configuration detected
2014-08-26 14:26:44,023 INFO zen.ZenModeler: Scan time: 0.07 seconds
2014-08-26 14:26:44,026 INFO zen.ZenModeler: Daemon ZenModeler shutting down

This is what I've done so far:
- I have done a firewall opening on the server to accept all incoming traffic from the Zenoss Server (not sure this is needed)
- I've enabled WinRM service in the firewall on the server and done the recommended WinRM settings (+ kerberos) as described in the Microsoft_Windows Zenpack (http://wiki.zenoss.org/ZenPack:Microsoft_Windows).
- Also double checked I got correct values for WinRm as described here (http://www.zenoss.org/forum/1646)
- I have setup zWinRMUser/Password/KDC, scheme is http and port 5985.

What did I miss

Regards,
Cambora


Subject: Do anyone have any input? I'm
Author: [Not Specified]
Posted: 2014-08-28 09:04

Do anyone have any input I'm stuck as it is now, any help will be highly appreciated!

EDIT:
I have found one oddity when comparing my settings to http://www.zenoss.org/forum/1646, if i check winrm setup with command "winrm g winrm/config/service" under Auth it shows "Basic=false". I assume this is why local account doesn't work I've looked around but can't find any way to set it to true (winrm g winrm/config/client is correct). I set the service vaule with the command "winrm s winrm/config/service @{AllowUnencrypted="true"}".

Thanks in advance!


Subject: Same issue fixed by allowing Basic authentication
Author: [Not Specified]
Posted: 2014-10-09 16:09

Hello Cambra,

I was seeing the exact results you were and discovered that WinRM by default uses kerberos authentication. For some reason, Zenoss was not using Kerberos authentication to connect with the WinRM server.

I changed the policy on the Windows Server to allow 'Basic Authentication' and now the modeling of that server completes.

I used the following link as a guide to allow Basic Authentication on the Windows Server.
http://www.verboon.info/2011/11/enable-windows-remote-management-through...

More troubleshooting tips I used were found at:
http://wiki.zenoss.org/ZenPack:Microsoft_Windows

In the troubleshooting section. I dove into the pcap of the tcpdump from my zenoss server to the windows server and I found that the windows server was only accepting Kerberos authentication.

I hope this helps.


Subject: Is there a way to make this
Author: [Not Specified]
Posted: 2014-10-13 15:01

Is there a way to make this work without basic authentication Allowing basic auth is a bad idea, I cant imagine zenoss would have to function this way.

thanks,

Dan


Subject: I agree SF Dan
Author: [Not Specified]
Posted: 2014-10-17 16:08

In the group policy, there is a section to only listen on port 5985 for specified IPs. However, communication is still unencrypted plain text compared to the token based encrypted Kerberos method. This is good for testing, but obviously not a permanent solution.

As for fixing the Kerberos issue, I have a feeling it's a domain issue as our zenoss server has not joined our domain or the Kerberos package is not configured correctly.



< Previous
Zenoss crashing 		  Next
Zenoss is not showing server memory graph suddenly 		>