diff --git a/CHANGELOG.md b/CHANGELOG.md index 4569d744..9dd9201b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,8 +3,11 @@ ## Unreleased changes None. +## Latest release: 0.8.2 +* [knife-windows #108](https://github.com/opscode/knife-windows/issues/108) Error: Unencrypted communication not supported if remote server does not require encryption + ## Latest release: 0.8.0 -* [knife-windows #98](https://github.com/opscode/knife-windows/issues/96) Get winrm command exit code if it is not expected +* [knife-windows #98](https://github.com/opscode/knife-windows/issues/98) Get winrm command exit code if it is not expected * [knife-windows #96](https://github.com/opscode/knife-windows/issues/96) Fix break from OS patch KB2918614 * Remove the 'instance data' method of creating EC2 servers * Update winrm-s dependency along with em-winrm and winrm dependencies diff --git a/DOC_CHANGES.md b/DOC_CHANGES.md index 465b198b..6491ef92 100644 --- a/DOC_CHANGES.md +++ b/DOC_CHANGES.md 
@@ -6,32 +6,18 @@ Example Doc Change: Description of the required change. --> -# knife-windows 0.8.0 doc changes +# knife-windows 0.8.2 doc changes ### Negotiate / NTLM authentication support -If `knife` is executed from a Windows system, it is no longer necessary to make -additional configuration of the WinRM listener on the remote node to enable -successful authentication from the workstation. It is sufficient to have a WinRM -listener on the remote node configured according to the operating system's `winrm -quickconfig` command default configuration because `knife-windows` now -supports the Windows negotiate protocol including NTLM authentication, which -matches the authentication requirements for the default WinRM listener configuration. - -If `knife` is executed on a non-Windows system, certificate authentication or Kerberos -should be used instead via the `kerberos_service` and related options of the subcommands. - -**NOTE**: In order to use NTLM / Negotiate to authenticate as the user - specified by the `--winrm-user` (`-x`) option, you must include the user's - Windows domain when specifying the user name using the format `domain\user` - where the backslash ('`\`') character separates the user from the domain. If - an account local to the node is being used to access, `.` may be used as the domain: - - knife bootstrap windows winrm web1.cloudapp.net -r 'server::web' -x 'proddomain\webuser' -P 'super_secret_password' - knife bootstrap windows winrm db1.cloudapp.net -r 'server::db' -x '.\localadmin' -P 'super_secret_password' - -For development and testing purposes, unencrypted traffic with Basic authentication can make it easier to test connectivity: - - winrm set winrm/config/service @{AllowUnencrypted="true"} - winrm set winrm/config/service/auth @{Basic="true"} - - +If you are running `knife-windows` subcommands from a Windows workstation, you +should not specify a username argument that includes a domain name (i.e. 
a +name formatted like `domain\user`) unless the remote host has WinRM's +`AllowUnencrypted` setting set to `$false` (the default setting on Windows if +the `winrm quickconfig` command was used to enable WinRM). If you've modified +the host to set this to `$true` instead of its default value and you run +subcommands from a Windows workstation where the username specified to +`knife-windows` contains a domain, the command will fail with an +authentication error. To avoid this, omit the domain name (this will only work +if the system is not joined to a domain, i.e. you were specifying the local +workstation as the domain), or set `AllowUnencrypted` to `$false` which is a +more secure setting. diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index 2144cc16..4bc89202 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md 
@@ -6,39 +6,57 @@ Example Note: ## Example Heading Details about the thing that changed that needs to get included in the Release Notes in markdown. --> -# knife-windows 0.8.0 release notes: -This release of knife-windows enables the Windows negotiate protocol to be -used with the `winrm` and `bootstrap windows winrm` subcommands and also -contains bug fixes and dependency updates. +# knife-windows 0.8.2.rc.0 release notes: +This release of knife-windows addresses a regression in knife-windows 0.8.0 +from previous releases where `knife winrm` and `knife bootstrap windows` +commands fail due to inability to authenticate: +[knife-windows #108](https://github.com/opscode/knife-windows/issues/108). -A thank you goes to contributor **Josh Mahowald** for contributing a fix to return nonzero exit codes. +You can install the fix for this issue by upgrading to this new version using +the `gem` command: -Issues with `knife-windows` should be reported in the ticketing system at -https://github.com/opscode/knife-windows/issues. Learn more about how you can -contribute features and bug fixes to `knife-windows` in the [Chef Contributions document](http://docs.opscode.com/community_contributions.html). + gem install knife-windows --pre -## Features added in knife-windows 0.8.0 +A thank you goes to **Richard Lavey** for reporting [knife-windows #108](https://github.com/opscode/knife-windows/issues/108). -### NTLM / Negotiate authentication for `winrm` and `bootstrap` -If `knife` is being used on a Windows workstation, it is no longer necessary -to use Kerberos or to use certificate authentication to authenticate securely -with a remote node in bootstrap or command execution scenarios. The `knife winrm` and `knife -windows bootstrap` commands now support the use of NTLM to authenticate to remote -nodes with the default WinRM listener configuration set by the operating -system's `winrm quickconfig` command. 
+## Impact of [knife-windows #108](https://github.com/opscode/knife-windows/issues/108) -When specifying the user name on the command-line or configuration, the format `domain\username` must be used for -the negotiate protocol to be invoked. If the account is local to the node, -'`.`' may be used for the domain. See the README.md for further detail. +[knife-windows #108](https://github.com/opscode/knife-windows/issues/108) will affect a given user if all of the following are true: + +* You are running `knife-windows` subcommands on a Windows workstation +* The remote node you're interacting with via `knife-windows` has a WinRM + configuration with the `WSMan:\localhost\Service\AllowUnencrypted` (in + PowerShell's WinRM settings drive provider) + +In this situation, you will receive an authentication error message from +the `knife winrm` or `knife bootstrap windows` command such as +`Error: Unencrypted communication not supported`. To resolve this error, +simply install this version of the gem as described earlier. + +If you are running the `knife` commands from a non-Windows operating system, +[knife-windows #108](https://github.com/opscode/knife-windows/issues/108) does +not affect you, so you don't need to upgrade just for this issue. + +## Reporting issues and contributing + +`knife-windows` issues like the one addressed in this release should be +reported in the ticketing system at https://github.com/opscode/knife-windows/issues. You can learn more about how to contribute features and bug fixes to `knife-windows` in the [Chef Contributions document](http://docs.opscode.com/community_contributions.html). + +## Features added in knife-windows 0.8.2 +None. 
+ +## Issues fixed in knife-windows 0.8.2 +[knife-windows #108](https://github.com/opscode/knife-windows/issues/108) Error: Unencrypted communication not supported if remote server does not require encryption + +The fix in this release will cause a behavior change from the 0.8.0 release: + +* As described in the [documentation changes](https://github.com/opscode/knife-windows/blob/0.8.0/DOC_CHANGES.md) for the 0.8.0 release of the `knife-windows`, the negotiate authentication + protocol will only be used in this 0.8.2 release if a domain is specified (you can specify '.' as + the domain if you want to use the local workstation as the domain). Due to a + defect in the 0.8.0 release, the negotiate protocol was being used even when + the domain was not specified. ## knife-windows on RubyGems and Github https://rubygems.org/gems/knife-windows https://github.com/opscode/knife-windows -## Issues fixed in knife-windows 0.8.0 -* [knife-windows #98](https://github.com/opscode/knife-windows/issues/96) Get winrm command exit code if it is not expected -* [knife-windows #96](https://github.com/opscode/knife-windows/issues/96) Fix break from OS patch KB2918614 -* Update winrm-s dependency along with em-winrm and winrm dependencies -* Return failure codes from knife winrm even when `returns` is not set -* Support Windows negotiate authentication protocol when running knife on Windows - diff --git a/lib/knife-windows/version.rb b/lib/knife-windows/version.rb index cec08340..186bf663 100644 --- a/lib/knife-windows/version.rb +++ b/lib/knife-windows/version.rb @@ -1,6 +1,6 @@ module Knife module Windows - VERSION = "0.8.0" + VERSION = "0.8.2.rc.0" MAJOR, MINOR, TINY = VERSION.split('.') end end
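Review bot: In the CHANGELOG.md hunk, the file now carries two headings that both claim to be the latest release, `## Latest release: 0.8.2` and the untouched `## Latest release: 0.8.0`. Rename the older one (for example `## Release: 0.8.0`) in the same change so only one section reads as current. The new entry is also labelled 0.8.2 while lib/knife-windows/version.rb in this patch sets `0.8.2.rc.0`; either label the entry as the release candidate or note that the final version bump will follow. The corrected `issues/98` link on the #98 line looks right.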
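Review bot: In the DOC_CHANGES.md hunk, the new paragraph under "Negotiate / NTLM authentication support" lists omitting the domain as the first remedy and setting `AllowUnencrypted` to `$false` second, even though the text itself calls the latter "a more secure setting". Lead with `AllowUnencrypted` = `$false`, and say what happens when the domain is omitted: RELEASE_NOTES.md in this patch states negotiate is only used when a domain is specified, so the reader should be told which authentication mechanism applies instead and that the host is still accepting unencrypted traffic. Two smaller points in the same paragraph: the opening "should not specify ... unless ... `$false`" is a double negative that is easy to misread, and "specifying the local workstation as the domain" conflicts with the removed 0.8.0 text, where `.` meant an account local to the node. The hunk also drops the `domain\user` usage examples and the Kerberos/certificate guidance for non-Windows systems; if those still apply in 0.8.2, link to where they now live.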
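Review bot: In the RELEASE_NOTES.md hunk, the second bullet under "Impact of knife-windows #108" is an unfinished sentence: it names `WSMan:\localhost\Service\AllowUnencrypted` but never says what value triggers the problem. DOC_CHANGES.md in this patch says the failure occurs when the setting is `$true`, so the bullet should end with something like "set to `$true`". The "all of the following are true" list also omits the condition about the username containing a domain, which DOC_CHANGES.md gives as part of the failing case; add it or explain why it does not apply here. The title says `0.8.2.rc.0` while the "Features added" and "Issues fixed" headings say 0.8.2, so pick one label, and since the install line uses `gem install knife-windows --pre`, state that this is a pre-release so readers know why the flag is needed. The hunk deletes the "Issues fixed in knife-windows 0.8.0" list; confirm that history is preserved in CHANGELOG.md.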
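Review bot: In the lib/knife-windows/version.rb hunk, `VERSION.split('.')` on `"0.8.2.rc.0"` now yields five parts, and `MAJOR, MINOR, TINY` take only the first three, so the `rc.0` segment is silently discarded. Anything that reads these constants cannot tell the release candidate from a final 0.8.2. If that distinction matters, capture the remainder explicitly (for example a fourth splat target for the pre-release part) or add a comment stating that the pre-release suffix is intentionally ignored.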