Kerberos connections immediately terminate when connecting to OMI server, despite OMI authorizing the given Kerberos ticket, returning a 200 OK and an encrypted body.
Upon decryption, the message is corrupted on the client side... which would seemingly indicate a problem like:
- A difference in expectations around payload structure
- Incorrect key negotiation?
The OMI server Kerberos configuration appears to be configured correctly as two other clients can use Kerberos to talk to the server:
- omicli included with OMI itself
- pwsh (6.2.1)
I have a full reproduction environment that's containerized at puppetlabs/bolt#1101
Follow the description in the PR and you'll end up with 3 containers:
- Samba serving as Active Directory
- OMI Server listening for winrm connections (domain joined)
- An Ubuntu dev environment that has Bolt / winrm gem (domain joined)
I've spent a little bit of time looking at the messages, poking around in pry and augmenting the omi source in an effort to hone in on where the negotiation problem is, but haven't had the a-ha moment just yet. Before I get too far into the weeds, figured I'd post this issue to see if there are any known issues around the Kerberos handling.
Thanks!