Harness uses the pywinrm library for WinRM connections over Kerberos, so running any command through WinRM/Kerberos involves two parts:
- TGT generation using kinit
- Command execution
How a delegate is selected:
Each delegate attempts to create a TGT with the kinit command, and every delegate that succeeds in creating the TGT becomes eligible for selection to execute the command.
One of the eligible delegates is then selected to run the actual command.
In some special cases we have seen a delegate that could create the TGT successfully but did not have permission to run the command. In that scenario TGT generation succeeds but the command itself fails, with an error such as "Failed to establish a new connection" or "Can't find client principal user@domain in cache collection".
Below is a sample script you can run on the delegate to test and verify that it has both permissions (TGT creation and command execution):
from winrm.protocol import Protocol
import sys

def run_command(endpoint, username, server_cert_validation, command, environment, working_dir, timeout):
    # Open a Kerberos-authenticated WinRM session. The TGT must already be in the
    # credential cache (created with kinit) before this is called.
    p = Protocol(
        endpoint=endpoint,
        transport='kerberos',
        username=username,
        server_cert_validation=server_cert_validation,
        operation_timeout_sec=timeout,
        read_timeout_sec=timeout + 10)
    shell_id = p.open_shell(env_vars=environment, working_directory=working_dir)
    command_id = p.run_command(shell_id, command)
    std_out, std_err, status_code = p.get_command_output(shell_id, command_id)
    # Release the remote command and shell regardless of the exit status.
    p.cleanup_command(shell_id, command_id)
    p.close_shell(shell_id)
    if status_code == 0:
        sys.stdout.buffer.write(std_out)
    else:
        sys.stdout.buffer.write(std_err)
        sys.exit(1)

run_command('https://windowshost.com:5986/wsman', 'username@domain', 'ignore', 'dir', {}, '%TEMP%', 10000)
Output for successful execution:
Volume in drive C has no label.
Volume Serial Number is xxxxx
Directory of C:\Users\username\AppData\Local\Temp
04/27/2021 01:07 PM <DIR> .
04/27/2021 01:07 PM <DIR> ..
04/27/2021 01:08 PM <DIR> 2
0 File(s) 0 bytes
3 Dir(s) 190,836,162,560 bytes free
And below is the output for one of the failures:
kerberos.GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ("Can't find client principal user@domain in cache collection", -1765328243))
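The two-stage check described above (kinit for the TGT, then a WinRM command over Kerberos), written as an added example rather than Harness's own script. It separates the two stages so that the special case from this page, a delegate that can obtain a TGT but cannot run the command, is reported as such; the principal, keytab path and endpoint are assumptions you supply for your environment.

```python
import subprocess

# Error fragments seen on the command stage after a successful kinit (from the
# messages quoted on this page).
COMMAND_STAGE_ERRORS = (
    "Failed to establish a new connection",
    "Can't find client principal",
)

def acquire_tgt(principal, keytab=None):
    """Stage 1: obtain a TGT with kinit, as the delegate does (keytab is an
    assumed non-interactive setup). Returns (ok, kinit stderr)."""
    cmd = ["kinit"] + (["-k", "-t", keytab] if keytab else []) + [principal]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode == 0, proc.stderr.strip()

def run_winrm_command(endpoint, username, command, timeout=60):
    """Stage 2: run one command over WinRM/Kerberos with pywinrm.
    Returns (status_code, stdout, stderr); transport/GSS errors propagate."""
    from winrm.protocol import Protocol  # lazy import: stage 1 and diagnose() need no pywinrm
    p = Protocol(endpoint=endpoint, transport="kerberos", username=username,
                 server_cert_validation="ignore",
                 operation_timeout_sec=timeout, read_timeout_sec=timeout + 10)
    shell_id = p.open_shell()
    try:
        command_id = p.run_command(shell_id, command)
        std_out, std_err, status = p.get_command_output(shell_id, command_id)
        p.cleanup_command(shell_id, command_id)
    finally:
        p.close_shell(shell_id)
    return status, std_out.decode(errors="replace"), std_err.decode(errors="replace")

def diagnose(tgt_ok, command_error):
    """Map the two stage results to a verdict: 'no-tgt' (kinit failed),
    'tgt-only' (kinit ok, command stage failed as described on this page),
    'command-error' (some other failure) or 'ok' (both permissions present)."""
    if not tgt_ok:
        return "no-tgt"
    if command_error is None:
        return "ok"
    if any(frag in command_error for frag in COMMAND_STAGE_ERRORS):
        return "tgt-only"
    return "command-error"

def check_delegate(principal, endpoint, username, command="dir", keytab=None):
    """Run both stages from the delegate host and return (verdict, detail)."""
    tgt_ok, kinit_err = acquire_tgt(principal, keytab)
    if not tgt_ok:
        return diagnose(False, None), kinit_err
    try:
        status, out, err = run_winrm_command(endpoint, username, command)
    except Exception as exc:  # GSSError / connection errors raised by pywinrm
        return diagnose(True, str(exc)), str(exc)
    return (diagnose(True, None) if status == 0 else diagnose(True, err)), out or err
```

A verdict of "tgt-only" means the delegate would pass selection yet fail the actual command, which is exactly the case to look for when the error above appears after a successful TGT generation.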