Remote wsus querying with ansible : 401 unauthorized with valid accounts - windows

I was writting my first powershell script to get statistics about around 300 servers dispatched on 3 WSUS servers. There's an upstream and two downstream servers (one autonomous and one replica).
The powershell script is sent to the upstream server before execution with the help of an ansible playbook (using winrm connection).
The script simply parses two configured hosts (the upstream and the autonomous downstream) then calls the Get-WsusServer and subsequent routines to get the data i need.
When the powershell script is ran directly on the upstream host, all is fine, and the Get-WsusServer with the autonomous server works.
When the powershell script is ran by the ansible playbook, it fails with the following error when the Get-WsusServer routine calls the autnonomous downstream server :
"stderr_lines": [
"Get-WsusServer : The request failed with HTTP status 401: Unauthorized.",
"At D:\\Reports\\wsusreport.ps1:74 char:11",
"+ $wsus = Get-WsusServer -Name $wsusserver -PortNumber 8530",
"+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~",
" + CategoryInfo : InvalidData: (Microsoft.Updat...usServerCommand:GetWsusServerCommand) [Get-WsusServer], ",
" WebException",
" + FullyQualifiedErrorId : ServerIsInvalid,Microsoft.UpdateServices.Commands.GetWsusServerCommand",
" ",
"You cannot call a method on a null-valued expression.",
"At D:\\Reports\\wsusreport.ps1:80 char:3",
"+ $classifications=$wsus.GetUpdateClassifications() |",
"+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~",
" + CategoryInfo : InvalidOperation: (:) [], RuntimeException",
" + FullyQualifiedErrorId : InvokeMethodOnNull",
" ",
"Exception calling \"AddRange\" with \"1\" argument(s): \"Value cannot be null.",
"Parameter name: value\"",
I tried using a domain account, with local admin privileges, and also with local admin accounts. But i cant put the finger on what the problem really is.
And i cant manage to explain the behavior difference between the local execution which is successful, and the execution with the playbook which fails when calling Get-WsusServer against the autonomous downstream server.
Additional information :
The powershell script loop looks like :
$Target_WSUS_Server_host = "upstream", "downstream"
foreach ($domain in $Target_WSUS_Server_Host) {
Write-Host "Working on : $domain"
[void][reflection.assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = Get-WsusServer -Name $domain -PortNumber 8530
# Scope initialization
$computerscope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
$computerscope.IncludeDownstreamComputerTargets = 'true'
etc....
The ansible piece of playbook is quite basic and just plays the win_shell module after the script is copied. If i only query the upstream, the ansible play is 100% OK.
---
- name: wsus report generation
hosts: upstream
vars:
local_dir: "./data/"
local_script: "wsusreport.ps1"
remote_script_log: "wsusreport.log"
remote_dir: 'D:\Reports\'
script_log: "wsusreport.log"
yearmonth: "{{ lookup('pipe', 'date +%Y-%m') }}"
tasks:
- name: copy ps1 script to wsus server
tags:
- sendscript
win_copy:
src: "{{ local_dir }}/{{ local_script }}"
dest: "{{ remote_dir }}"
- name: execute script
tags:
- exescript
win_shell: "{{ remote_dir }}\\{{ local_script }} downstream {{ yearmonth }} > {{ remote_dir }}\\{{ remote_script_log }}"
The powershell script takes two parameters,
first one is a switch to determine if i want just the upstream data, the downstream data or both.
the second one is the time range i wanna retrieve, which defaults to current patch tuesday campaign.
Additionnal information
On the security event log, what happens when the script is dropped and called by ansible :
- There's a logon/logout events with those details :
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4624</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2020-01-03T15:44:11.016233500Z" />
<EventRecordID>3662170</EventRecordID>
<Correlation ActivityID="{1715CB99-B4FA-0001-A1CB-1517FAB4D501}" />
<Execution ProcessID="792" ThreadID="4316" />
<Channel>Security</Channel>
<Computer>*FQDN of the downstream server*</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-5-7</Data>
<Data Name="TargetUserName">ANONYMOUS LOGON</Data> <===== /!\
<Data Name="TargetDomainName">NT AUTHORITY</Data>
<Data Name="TargetLogonId">0x13316e110</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp</Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">*Hostname of the upstream server*</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">NTLM V1</Data>
<Data Name="KeyLength">128</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">*IP Adress of the upstream server*</Data>
<Data Name="IpPort">55186</Data>
<Data Name="ImpersonationLevel">%%1833</Data>
<Data Name="RestrictedAdminMode">-</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x0</Data>
<Data Name="ElevatedToken">%%1843</Data>
</EventData>
</Event>
When the script is called directly on the upstream server, the logon process is far more verbose, and uses the local account which is the same between the two servers.
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4624</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2020-01-03T15:44:46.197671000Z" />
<EventRecordID>3662174</EventRecordID>
<Correlation ActivityID="{1715CB99-B4FA-0001-A1CB-1517FAB4D501}" />
<Execution ProcessID="792" ThreadID="5672" />
<Channel>Security</Channel>
<Computer>DOWNSTREAM_SERVER_FQDN</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-5-21-910770422-2570656215-934337312-1006</Data>
<Data Name="TargetUserName">ACCOUNT_USED_ON_BOTH_SERVERS</Data> <====== OK !
<Data Name="TargetDomainName">DOWNSTREAM_SERVER_HOSTNAME</Data>
<Data Name="TargetLogonId">0x13319dcbb</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp</Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">UPSTREAM_SERVER_HOSTNAME</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">NTLM V2</Data>
<Data Name="KeyLength">128</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">UPSTREAM_SERVER_IP_ADDRESS</Data>
<Data Name="IpPort">55198</Data>
<Data Name="ImpersonationLevel">%%1833</Data>
<Data Name="RestrictedAdminMode">-</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x0</Data>
<Data Name="ElevatedToken">%%1842</Data>
</EventData>
</Event>

Ok,
https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#authentication-options
https://docs.ansible.com/ansible/2.5/user_guide/become.html#become-and-windows
The ntlm method doesnt let you assume the correct grants of the account you are using to run a win_shell command or instruction.
I had to swap ntlm for kerberos and use become feature with runas method, and specify the exact same account i'm using for the winrm connection.
It is working.

Related

How to solve NO_ROUTE_DESTINATION when connecting from two FreeSWITCH

I am new to FreeSWITCH and I am trying to bridge a call from two different FreeSWITCH (SwitchA -> SwitchB ).
But when I am trying to make a call, It says NO_ROUTE_DESTINATION .
Here is my current configuration for FreeSWITCH-A (the call originates)
My sip_profile/external
<include>
<gateway name="fs-test2">
<param name="proxy" value="ipOfSwitch-B:5080"/>
<param name="register" value="false"/>
<param name="called-id-in-from" value="true"/>
<variables>
<variable name="verbose_sdb" value="true"/>
<variable name="absolute_codec_string" value="PCMU, PCMA" direction="oubound"/>
</variables>
</gateway>
</include>
My DialPlan
dialplan/default
<include>
<extension name="outbound_call">
<condition field="destination_number" expression="^(18881)$">
<action application="bridge" data="sofia/gateway/fs-test2/$1"/>
</condition>
</extension>
</include>
dialplan/public
<include>
<extension name="public-did">
<condition field="destination_number" expression="^(19991)$">
<action application="set" data="domain_name=$${domain}"/>
<action application="transfer" data="1000 XML default"/>
<action application="answer"/>
<action application="sleep" data="1000"/>
</condition>
</extension>
</include>
And here is my current configuration for FreeSWITCH-B
My sip_profile/external
<include>
<gateway name="fs-test1">
<param name="proxy" value="ipOfSwitch-A:5080"/>
<param name="register" value="false"/>
<param name="caller-id-in-from" value="true"/>
</gateway>
</include>
My dialplan
dialplan/default
<include>
<extension name="outbound_call">
<condition field="destination_number" expression="^(18881)$">
<action application="bridge" data="sofia/gateway/fs-test1/$1"/>
</condition>
</extension>
</include>
dialplan/public
<include>
<extension name="public-did">
<condition field="destination_number" expression="^(18881)$">
<action application="set" data="domain_name=$${domain}"/>
<action application="transfer" data="1000 XML default"/>
</condition>
</extension>
</include>
This is my sofia status profile looks like in SWITCH A-
-----------------------------------------------------------------
Profile::Gateway-Name| Data | Status |
-----------------------------------------------------------------
external::fs-test2 | sip:FreeSWITCH#ipOfSwitchB:5080 | NOREG |
-----------------------------------------------------------------
This is my sofia status profile looks like in SWITCH B-
-----------------------------------------------------------------
Profile::Gateway-Name| Data | Status |
-----------------------------------------------------------------
external::fs-test1 | sip:FreeSWITCH#ipOfSwitchA:5080 | NOREG |
-----------------------------------------------------------------
and when I type the command for sofia status gateway fs-test2 in SWITCH A , the result looks like this:
Name | fs-test2
Profile | external
Scheme | Digest
Realm | ipOfSwitchB:5080
username | FreeSWITCH
Password | no
From | <sip:FreeSWITCH#ipOfSwitchB:5080>
Contact | <sip:gw+fs-test2#103.62.152.227:5080;transport=udp;gw=fs-test2>
Exten | FreeSWITCH
To | sip:FreeSWITCH#ipOfSwitchB:5080
Proxy | sip:FreeSWITCH#ipOfSwitchB:5080
Status | UP
State | NOREG
After I've done all the changes , I run "reloadxml", "reload mod_sofia"
When I trigger a call(18881) from SWITCH A, there is a logs showing on SWITCH B, and it says :
sofia.c:10362 sofia/external/FreeSWITCH#ipOfSWITCHB:5080 receiving invite from ipOfSWITCHB:5080 version: 1.10.6 -release-18-1ff9d0a60e 64bit call-id: fd37ba89-54d1-123a-db86-080027337ad5,
and the moment the call ended from SWITCHA, the logs shows on SWITCHA as:
switch_core_state_machine.c:276 Dialplan [default] not found, skipping
switch_core_state_machine.c:312 No Route, Aborting
switch_core_state_machine.c:313 Hangup sofia/external/1000#ipOfSWITCHA [CS_ROUTING] [NO_ROUTE_DESTINATION]
there is also a log showing on SwitchB:
sofia.c:8641 Hangup sofia/external/18881 [CS_CONSUME_MEDIA] [NO_ROUTE_DESTINATION]
mod_dptools.c:3643 Originate Failed. Cause: NO_ROUTE_DESTINATION
switch_channel.c:4942 Hangup sofia/external/FreeSWITCH#ipOfSwitchB:5080 [CS_EXECUTE] [NO_ROUTE_DESTINATION]
Am I missing something?
Thanks in advance.
I think this is what happened when SIP INVITE send into your Switch-B:
reach extension "public-did", and transfer to extension "1000" of default context.
since you don't have extension "1000" in default context, so you got error "No Route"

How to redirect long string with single/double quotes var in Rundeck?

thank you for taking time reading this question.
I've a Rundeck job with multiple steps. Basically, step 1 and 2 is fetching a long string which is under ' '. Example:
'This is a long string.. and is also under "double quotes" '. -> This variable is stored as the following form: #option.mylongstring#
Third step of my Rundeck job is failing because I'm having issues with single and multiple quotes in my string. I want to extract specific values from that long string
My solution was to send the content of #option.mylongstring# in a temp file and apply sed to convert single quotes into double quotes (sed "s/'/\"/g") and from there, extract the information that I need.
Anyway, seems that the redirection is not happening in Rundeck: echo #option.mylongstring# &> $TEMPFILE is doing nothing, generating an empty file.
Anyone faced the same issue?
Using inline-script works without problems, let me share the job definition example:
<joblist>
<job>
<defaultTab>nodes</defaultTab>
<description></description>
<executionEnabled>true</executionEnabled>
<id>5e7123ce-c9b7-4bfa-a0e8-6484a9bd7c4f</id>
<loglevel>INFO</loglevel>
<name>LongStringExample</name>
<nodeFilterEditable>false</nodeFilterEditable>
<plugins />
<scheduleEnabled>true</scheduleEnabled>
<sequence keepgoing='false' strategy='node-first'>
<command>
<fileExtension>.sh</fileExtension>
<script><![CDATA[echo 'hello "world"' > myfile.txt]]></script>
<scriptargs />
<scriptinterpreter>/bin/bash</scriptinterpreter>
</command>
</sequence>
<uuid>5e7123ce-c9b7-4bfa-a0e8-6484a9bd7c4f</uuid>
</job>
</joblist>
Using an option:
<joblist>
<job>
<context>
<options preserveOrder='true'>
<option name='opt1' />
</options>
</context>
<defaultTab>nodes</defaultTab>
<description></description>
<executionEnabled>true</executionEnabled>
<id>22d7286f-7be9-4aaf-92ae-8e5bf5277d67</id>
<loglevel>INFO</loglevel>
<name>AnotherLongStringExample</name>
<nodeFilterEditable>false</nodeFilterEditable>
<plugins />
<scheduleEnabled>true</scheduleEnabled>
<sequence keepgoing='false' strategy='node-first'>
<command>
<fileExtension>.sh</fileExtension>
<script><![CDATA[echo 'this is another "#option.opt1#"' > another_file.txt]]></script>
<scriptargs />
<scriptinterpreter>/bin/bash</scriptinterpreter>
</command>
</sequence>
<uuid>22d7286f-7be9-4aaf-92ae-8e5bf5277d67</uuid>
</job>
</joblist>

Call variable in CURL Command

I am trying to define a variable for a curl command.
curl --location -k --request GET 'https://myprojt.test9.abc.com/api/part/config=8594&select=parts,Action,refernceNumber&SalesID=333&partNumber=789-635'
I want to call a variable for &partNumber=789-635
Tried defining $part='#option.partnumber#', this is the input parameter which takes a value.
curl --location -k --request GET 'https://myprojt.test9.abc.com/api/part/config=8594&select=parts,Action,refernceNumber&SalesID=333&partNumber=$part'
I even tried replacing single quotes (') by double (") but not working, kindly help.
You can assign directly like MYVAR=#option.myoption#
I leave a working example:
<joblist>
<job>
<context>
<options preserveOrder='true'>
<option name='myoption' value='world' />
</options>
</context>
<defaultTab>nodes</defaultTab>
<description></description>
<executionEnabled>true</executionEnabled>
<id>e781836f-e0f8-4ccb-b03f-a384be306860</id>
<loglevel>INFO</loglevel>
<name>JobInlineScript</name>
<nodeFilterEditable>false</nodeFilterEditable>
<plugins />
<scheduleEnabled>true</scheduleEnabled>
<sequence keepgoing='false' strategy='node-first'>
<command>
<fileExtension>.sh</fileExtension>
<script><![CDATA[# starting
MYVAR=#option.myoption#
# print
echo "hello $MYVAR"]]></script>
<scriptargs />
<scriptinterpreter>/bin/bash</scriptinterpreter>
</command>
</sequence>
<uuid>e781836f-e0f8-4ccb-b03f-a384be306860</uuid>
</job>
</joblist>
And here the result.

Q: How to sanitise XML files with xmlstarlet?

I've got several xml files to sanitise via the command line tool xmlstarlet (1.6.1).
Sample 1
<?xml version="1.0" encoding="utf-8"?>
<!-- Some license comment
- with some link to http://example.com/foo/ -->
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
<ShortName>Name Sample 1</ShortName>
<Description>Description Sample 1</Description>
<InputEncoding>UTF-8</InputEncoding>
<Image height="16" width="16">data:...</Image>
<Url type="text/html" method="get" template="https://examplesearch.com/" rel="searchform">
<Param name="q" value="{searchTerms}"/>
<MozParam name="m1" condition="purpose" value="abc"/>
<MozParam name="m2" condition="purpose" value="cde"/>
</Url>
</OpenSearchDescription>
Sample 2
<!-- Some license comment
- with some link to http://example.com/foo/ -->
<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">
<ShortName>Name Sample 2</ShortName>
<Description>Description Sample 2</Description>
<InputEncoding>UTF-8</InputEncoding>
<Image width="16" height="16">data:...</Image>
<Url type="application/x-suggestions+json" method="GET" template="https://www.examplesearch.com/search?client=firefox&q={searchTerms}"/>
<Url type="text/html" method="GET" template="https://examplesearch.com/search" rel="searchform">
<Param name="q" value="{searchTerms}"/>
</Url>
</SearchPlugin>
I try to clear the Description node first which works for sample 2:
xml ed -L -u "//_:SearchPlugin/_:Description" -v "" sample2.xml
The result is the node <Description/>, but the same logic does not work for sample 1:
xml ed -L -u "//_:OpenSearchDescription/_:Description" -v "" sample1.xml
I'd like to receive <Description><Description/> as results for both xml samples.
Update: The previous part has been solved.
Secondly, in sample 2 I'd like to remove client=firefox& out of the second Url template value:
"https://www.examplesearch.com/search?client=firefox&q={searchTerms}"
I've got no clue how to apply a regex/xslt operation on the value to achieve this. Any suggestions how this could be done?

Windows - Automatically extract Task/Subcategory per Event ID

I need to extract all the Event IDs with their tasks (or subcategory) for the Windows-Microsoft-Security-Auditing provider.
it works, via Powershell to extract all the Tasks with this command:
PS C:\WINDOWS\system32> (Get-WinEvent -listprovider "microsoft-windows-security-auditing").Tasks
Name Value DisplayName EventGuid
---- ----- ----------- ---------
SE_ADT_SYSTEM_SECURITYSTATECHANGE 12288 Security State Change 00000000-0000-0...
SE_ADT_SYSTEM_SECURITYSUBSYSTEMEXTENSION 12289 Security System Extension 00000000-0000-0...
SE_ADT_SYSTEM_INTEGRITY 12290 System Integrity 00000000-0000-0...
SE_ADT_SYSTEM_IPSECDRIVEREVENTS 12291 IPsec Driver 00000000-0000-0...
SE_ADT_SYSTEM_OTHERS 12292 Other System Events 00000000-0000-0...
SE_ADT_LOGON_LOGON 12544 Logon 00000000-0000-0...
SE_ADT_LOGON_LOGOFF 12545 Logoff 00000000-0000-0...
SE_ADT_LOGON_ACCOUNTLOCKOUT 12546 Account Lockout 00000000-0000-0...
SE_ADT_LOGON_IPSECMAINMODE 12547 IPsec Main Mode 00000000-0000-0...
I can also list an Event ID.
(Get-WinEvent -listprovider "microsoft-windows-security-auditing").events[100]
Id : 4734
Version : 0
LogLink : System.Diagnostics.Eventing.Reader.EventLogLink
Level : System.Diagnostics.Eventing.Reader.EventLevel
Opcode : System.Diagnostics.Eventing.Reader.EventOpcode
Task : System.Diagnostics.Eventing.Reader.EventTask
Keywords : {}
Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
<data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
</template>
Description : Un groupe local dont la sécurité est activée a été supprimé.
Sujet :
ID de sécurité : %4
Nom du compte : %5
Domaine du compte : %6
ID d’ouverture de session : %7
Groupe :
ID de sécurité : %3
Nom du groupe : %1
Domaine du groupe : %2
Informations supplémentaires :
Privilèges : %8
But when I ask for the Task of an EventID it always output 0
PS C:\WINDOWS\system32> (Get-WinEvent -listprovider "microsoft-windows-security-auditing").events[100].Task
Name Value DisplayName EventGuid
---- ----- ----------- ---------
0 00000000-0000-0000-0000-000000000000
Same problems with wevtutil MSDOS command :
wevtutil gp Microsoft-Windows-Security-Auditing /ge /gm:true
event:
value: 4615
version: 0
opcode: 0
channel: 10
level: 4
task: 0
keywords: 0x8000000000000000
message: Utilisation incorrecte du port LPC.
Sujet :
ID de sécurité : %1
Nom du compte : %2
Domaine du compte : %3
ID d’ouverture de session : %4
Informations sur le processus :
PID : %7
Nom : %8
Any help ? =D

Resources