Remote PowerShell from Fedora to Windows
-
Tested on Fedora 31 with PowerShell Version: 6.2.3 and Windows 10 1909 and Windows Server 2012 R2
Normally you would type the following in Windows and you all good.
Enter-PSSession -ComputerName dns-or-ip -Credential username
But that doesn't work with Fedora. You'll end up getting a
MI_RESULT_ACCESS_DENIED
error message.Enter-PSSession : MI_RESULT_ACCESS_DENIED
The solution is to use
-Authentication Negotiate
Enter-PSSession -ComputerName dns-or-ip -Authentication Negotiate -Credential username
But wait, you thought that was it, now you'll see a
Unspecified GSS failure
error message.Enter-PSSession: Connecting to remote server <dns-or-ip> failed with the following error message : acquiring creds with username only failed Unspecified GSS failure. Minor code may provide more information SPNEGO cannot find mechanisms to negotiate For more information, see the about_Remote_Troubleshooting Help topic.
The solution is to install
gssntlmssp
package.
sudo dnf install gssntlmssp
After all of that, now can remote powershell into your Windows hosts.
Enter-PSSession -ComputerName dns-or-ip -Authentication Negotiate -Credential username
References:
https://thomask.sdf.org/blog/2019/12/15/linux-windows-powershell-remoting-troubleshooting.html -
So your saying MS can't even get this right ?
-
On Ubuntu 19.10, after installing
powershell
orpowershell-preview
via snap, you still have to installedgss-ntlmssp
too. -
@DustinB3403 said in Remote PowerShell from Fedora to Windows:
So your saying MS can't even get this right ?
Using
-Authentication Negotiate
specifically, requires NTLM libraries that aren't in Linux by default.MS doesn't recommend using NTLM. You should be using SSH with Enter-PSSession. Ideally key based.
MS is doing it right in this case. The wrong doesn't appear to be on their end ^_^
-
Is this on a domain joined box? Can you just use Kerberos for your authentication?
-
@stacksofplates said in Remote PowerShell from Fedora to Windows:
Is this on a domain joined box?
Fedora is not joined but the Windows computer is joined to a domain.
-
@stacksofplates said in Remote PowerShell from Fedora to Windows:
Can you just use Kerberos for your authentication?
This didn't work for
Enter-PSSession -ComputerName hostname -Authentication Kerberos -Credential 'username'
Enter-PSSession : Connecting to remote server hostname failed with the following error message : Kerberos verify cred with password failed No credentials were supplied, or the credentials were unavailable or inaccessible For more information, see the about_Remote_Troubleshooting Help topic. At line:1 char:1 + Enter-PSSession -ComputerName hostname -Authentication Kerberos -Cr ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidArgument: (hostname:String) [Enter-PSSession], PSRemotingTransportException + FullyQualifiedErrorId : CreateRemoteRunspaceFailed
-
@black3dynamite said in Remote PowerShell from Fedora to Windows:
@stacksofplates said in Remote PowerShell from Fedora to Windows:
Can you just use Kerberos for your authentication?
This didn't work for
Enter-PSSession -ComputerName hostname -Authentication Kerberos -Credential 'username'
Enter-PSSession : Connecting to remote server hostname failed with the following error message : Kerberos verify cred with password failed No credentials were supplied, or the credentials were unavailable or inaccessible For more information, see the about_Remote_Troubleshooting Help topic. At line:1 char:1 + Enter-PSSession -ComputerName hostname -Authentication Kerberos -Cr ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidArgument: (hostname:String) [Enter-PSSession], PSRemotingTransportException + FullyQualifiedErrorId : CreateRemoteRunspaceFailed
You'd have to join the Fedora system to the domain. Luckily it's really easy with sssd and realmd.
Then you can use Kerberos for both SSH and hopefully this connection as well.
-
@stacksofplates said in Remote PowerShell from Fedora to Windows:
You'd have to join the Fedora system to the domain. Luckily it's really easy with sssd and realmd.
That's annoying when you manage lots of different domains.
-
@scottalanmiller said in Remote PowerShell from Fedora to Windows:
@stacksofplates said in Remote PowerShell from Fedora to Windows:
You'd have to join the Fedora system to the domain. Luckily it's really easy with sssd and realmd.
That's annoying when you manage lots of different domains.
Sssd works with multiple domains. But that wasn't mentioned here.
Kerberos is more secure than strictly key based authentication, and easier from the user perspective anyway.
-
@stacksofplates said in Remote PowerShell from Fedora to Windows:
Sssd works with multiple domains.
If sssd is installed will I be able to use
-Authentication Kerberos
without needing to join to a domain or when accessing Windows machines that isn’t joined to a domain? -
@black3dynamite said in Remote PowerShell from Fedora to Windows:
@stacksofplates said in Remote PowerShell from Fedora to Windows:
Sssd works with multiple domains.
If sssd is installed will I be able to use
-Authentication Kerberos
without needing to join to a domain or when accessing Windows machines that isn’t joined to a domain?No it only works for domains.