Description
Describe the bug
The connector is not working with an unprivileged user and produces the error winrm.exceptions.WinRMError: Access is denied.
When the user is in the Domain Admins group, it works.
To Reproduce
Steps to reproduce the behavior:
- Prepare unprivileged user
- Configure CZERTAINLY to use connector with this user.
- See the error
Expected behavior
We need a working solution even for non-privileged users.
Additional context
Our testing user:
I tried to implement a minimalist client using winrm (winrm-test.py.gz); it fails at the moment of calling p.open_shell() - it fails before sending any command to the server. The complete error message looks like this:
Traceback (most recent call last):
  File "/home/semik/.venv/lib/python3.11/site-packages/winrm/transport.py", line 328, in _send_message_request
    response.raise_for_status()
  File "/home/semik/.venv/lib/python3.11/site-packages/requests/models.py", line 1024, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 500 Server Error: for url: http://winlab01.3key.company:5985/wsman

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/semik/.venv/lib/python3.11/site-packages/winrm/protocol.py", line 243, in send_message
    resp = self.transport.send_message(message)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/semik/.venv/lib/python3.11/site-packages/winrm/transport.py", line 322, in send_message
    response = self._send_message_request(prepared_request, message)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/semik/.venv/lib/python3.11/site-packages/winrm/transport.py", line 338, in _send_message_request
    raise WinRMTransportError('http', ex.response.status_code, response_text)
winrm.exceptions.WinRMTransportError: Bad HTTP response returned from server. Code 500

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/semik/winrm-test/winrm-test.py", line 51, in <module>
    shell_id = p.open_shell()
               ^^^^^^^^^^^^^^
  File "/home/semik/.venv/lib/python3.11/site-packages/winrm/protocol.py", line 166, in open_shell
    res = self.send_message(xmltodict.unparse(req))
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/semik/.venv/lib/python3.11/site-packages/winrm/protocol.py", line 281, in send_message
    raise WinRMError('{0} (extended fault data: {1})'.format(error_message, fault_data))
winrm.exceptions.WinRMError: Access is denied. (extended fault data: {'transport_message': 'Bad HTTP response returned from server. Code 500', 'http_status_code': 500, 'wsmanfault_code': '5', 'fault_code': 's:Sender', 'fault_subcode': 'w:AccessDenied'})
When we use a user who is a member of the Domain Admins group, it works.
I found at least two issues, diyan/pywinrm#336 and diyan/pywinrm#275, filed on pywinrm where it is stated that PSSession is something different from the thing pywinrm is using. At this moment we are testing the unprivileged user with:
$sessOptions = New-PSSessionOption -SkipCACheck -SkipRevocationCheck
Enter-PSSession -ComputerName "winlab01.3key.company" -Credential "WINLAB\czertainly-unprivileged" -Authentication CredSSP -Port 5986 -UseSSL -SessionOption $sessOptions
And it works. But if those issues are right, we should test with the mentioned winrs:
PS C:\Users\jan> winrs -r:http://winlab01.3key.company:5985/wsman -unencrypted -u:WINLAB\czertainly-unpriv -p:3KeyPKI2000 ipconfig
Winrs error:Access is denied.
PS C:\Users\jan> winrs -r:http://winlab01.3key.company:5985/wsman -unencrypted -u:WINLAB\czertainly -p:3KeyPKI2000 ipconfig
Winrs error:Access is denied.
However, it fails for both the privileged and the unprivileged user. 🤯 So maybe this is a blind track, I'm not sure.
There is also a different implementation of the PowerShell Remoting Protocol, https://github.com/jborean93/pypsrp, which was mentioned in those issues. I didn't test it.
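A triage helper for the error above, added here as an example (it is not part of the original report, the connector, or pywinrm). It parses the extended fault data that pywinrm appends to the WinRMError text, in the format visible in the traceback, and separates a WS-Man AccessDenied fault from other failures. The function names and category labels are assumptions made for this example.

```python
import ast
import re

# Error text copied from the traceback in this report.
SAMPLE = ("Access is denied. (extended fault data: {'transport_message': "
          "'Bad HTTP response returned from server. Code 500', "
          "'http_status_code': 500, 'wsmanfault_code': '5', "
          "'fault_code': 's:Sender', 'fault_subcode': 'w:AccessDenied'})")

# pywinrm formats the message as '{0} (extended fault data: {1})'.
_FAULT_RE = re.compile(
    r"^(?P<msg>.*?) \(extended fault data: (?P<data>\{.*\})\)$", re.S)


def parse_winrm_error(text):
    """Split a WinRMError string into (message, fault_dict)."""
    text = text.strip()
    m = _FAULT_RE.match(text)
    if not m:
        return text, {}
    try:
        # literal_eval only accepts Python literals, so a hostile or
        # malformed server message cannot execute code here.
        data = ast.literal_eval(m.group("data"))
    except (ValueError, SyntaxError):
        return text, {}
    return m.group("msg"), data if isinstance(data, dict) else {}


def classify(text):
    """Return 'authorization', 'other' or 'unparsed' (labels are assumptions)."""
    _, fault = parse_winrm_error(text)
    if not fault:
        return "unparsed"
    subcode = fault.get("fault_subcode") or ""
    # A parsed SOAP fault means the WS-Man service answered the request;
    # w:AccessDenied / code 5 (Win32 ERROR_ACCESS_DENIED) is its refusal of
    # the operation for this account, not a transport-level failure.
    if subcode.endswith(":AccessDenied") or fault.get("wsmanfault_code") == "5":
        return "authorization"
    return "other"


if __name__ == "__main__":
    message, fault = parse_winrm_error(SAMPLE)
    print(classify(SAMPLE), message, fault.get("fault_subcode"))
```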