docker ubuntu aarch64 "acquiring creds with username only failed An invalid name was supplied SPNEGO cannot find mechanisms to negotiate" #71
Comments
Did you enable gss-ntlmssp in mechs config file, I believe Debian based distros place it under |
@jborean93 yes, I am seeing
The windows host is not on a domain, so I've tried the |
Unfortunately I'm not sure what the problem here is without stepping through the code. You could enable debug logging under https://github.com/jborean93/omi?tab=readme-ov-file#troubleshooting but I don't think this shows authentication details. For whatever reason the call to

```bash
# podman run --rm -it ubuntu:22.04
apt-get update
apt-get install -y gcc python3 python3-dev python3-pip libkrb5-dev gss-ntlmssp
python3 -m pip install gssapi
python3 <<EOF
import gssapi

username = 'username'
password = b'password'
target = 'target-service'

# Mechanisms to request a credential for
mechs = [
    gssapi.OID.from_int_seq('1.3.6.1.5.5.2'),  # Spnego
    gssapi.OID.from_int_seq('1.2.840.113554.1.2.2'),  # Kerberos
    gssapi.OID.from_int_seq('1.3.6.1.4.1.311.2.2.10'),  # NTLM
]

# Acquire an initiator credential from the username and password
cred = gssapi.raw.acquire_cred_with_password(
    gssapi.Name(username, name_type=gssapi.NameType.user),
    password,
    usage='initiate',
    mechs=mechs).creds

# Start a SPNEGO context against the target and print the first token
ctx = gssapi.SecurityContext(
    name=gssapi.Name(f'http@{target}', name_type=gssapi.NameType.hostbased_service),
    creds=cred,
    mech=mechs[0],
    usage='initiate')
print(ctx.step())
EOF
```

You should see roughly in the middle a value When running the above in an Ubuntu 22.04 container I get
This would indicate the crypto policy is disabling algorithms required by NTLM (like md4, rc4, etc). You can re-enable them by allowing the legacy providers in OpenSSL either in the global file or through a custom config. For example with the above and a custom policy file I get
|
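Added example, not part of the thread or of the project's code: a Python check of the two preconditions the comments above point at, that the NTLM mechanism is registered in the GSSAPI mech config and that an OpenSSL config really activates the legacy provider NTLM depends on. The function names are this example's own, and the sample mech line with its placeholder library path is constructed.

```python
import hashlib
NTLM_OID = "1.3.6.1.4.1.311.2.2.10"  # NTLM OID from the thread's gssapi snippet

def parse_openssl_cnf(text):
    """Parse OpenSSL config text into {section: {key: value}}; "" holds top-level keys."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def legacy_provider_enabled(text):
    """Follow openssl_conf -> providers -> legacy -> activate, the chain the thread's file sets up."""
    cfg, section = parse_openssl_cnf(text), ""
    for key in ("openssl_conf", "providers", "legacy"):
        section = cfg.get(section, {}).get(key)
        if not section or section not in cfg:
            return False  # chain is broken: the legacy provider is never loaded
    return cfg[section].get("activate", "").lower() in ("1", "yes", "true", "on")

def ntlm_mech_registered(mech_text):
    """True if a GSS mech config line (name, OID, library path) registers the NTLM OID."""
    rows = (raw.split("#", 1)[0].split() for raw in mech_text.splitlines())
    return any(len(f) >= 3 and f[1] == NTLM_OID for f in rows)

def md4_usable():
    """True if the OpenSSL behind this Python can compute MD4, which NTLM needs."""
    try:
        hashlib.new("md4", b"")
        return True
    except ValueError:
        return False

# THREAD_CNF is the file from the thread; the other two values are constructed samples.
THREAD_CNF = (
    "openssl_conf = openssl_init\n[openssl_init]\nproviders = provider_sect\n"
    "[provider_sect]\ndefault = default_sect\nlegacy = legacy_sect\n"
    "[default_sect]\nactivate = 1\n[legacy_sect]\nactivate = 1\n"
)
DEFAULT_ONLY_CNF = THREAD_CNF.replace("legacy = legacy_sect\n", "")
SAMPLE_MECH = "gssntlmssp_v1 1.3.6.1.4.1.311.2.2.10 /path/to/gssntlmssp.so\n"

if __name__ == "__main__":
    print(legacy_provider_enabled(THREAD_CNF), ntlm_mech_registered(SAMPLE_MECH), md4_usable())
```

`md4_usable()` reflects the OpenSSL configuration of the process it runs in, so run it with the same `OPENSSL_CONF` value as the failing client.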
@jborean93 thank you for your help. So after updating
Now when I try
And we're onto I added the logging conf for omi (DEBUG) and got this:
From what I can see, the function Maybe I did something wrong when building the libraries? In case it's helpful, here are the decoded auth tokens:
second
|
Is this still on the macOS or Ubuntu side? I can't say I'm aware of any encryption problems with anything outside of macOS but the code is quite messy so I can't guarantee there aren't any problems. Just as an FYI I tried out the docker example I shared above but with PSWSMan and it works.

```bash
# podman run --rm -it ubuntu:22.04
apt-get update
apt-get install -y apt-transport-https software-properties-common libkrb5-dev gss-ntlmssp wget
source /etc/os-release
wget -q https://packages.microsoft.com/config/ubuntu/$VERSION_ID/packages-microsoft-prod.deb
dpkg -i packages-microsoft-prod.deb
rm packages-microsoft-prod.deb
apt-get update
apt-get install -y powershell
pwsh -Command 'Install-Module -Name PSWSMan -Scope AllUsers -Force; Install-WSMan -Verbose'

# Custom OpenSSL config that activates the legacy provider alongside the default one
cat > /tmp/openssl-legacy.cnf <<EOF
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
EOF

OPENSSL_CONF=/tmp/openssl-legacy.cnf pwsh

# Inside the pwsh session:
$cred = Get-Credential HOSTNAME\user
Invoke-Command -ComputerName hostname { whoami } -Credential $cred
```

|
@jborean93 this is within an ubuntu 22.04 (aarch64) docker container that's running on a Mac OS m2 system. I'll try what you have above, but I don't think PSWSMan worked in the docker container last time I tried it. EDIT: so since the container is run atop of the m2, I can't use the
EDIT 2: so I just learned you can run x86 containers on the ARM M2 platform. While shifting changes the original request, it should be sufficient for what I'm trying to do. output:
Dockerfile:
this is then built with:
|
SUMMARY
When trying to Enter a PSSession, it fails
As this seems like an NTLM issue, I've made sure I installed the gss-ntlmssp package, but it makes no difference. Hoping someone can point me in the right direction.
MODULE VERSION
OS / ENVIRONMENT
Ubuntu 22.04 docker container on Mac M2 (ARM)
Powershell Version
Libraries
STEPS TO REPRODUCE
Here is the very rough dockerfile I'm using to create the image