Install Powershell 7.0 on Ubuntu 18.04 Invoke-command Access Denied

Welcome Forums General PowerShell Q&A Install Powershell 7.0 on Ubuntu 18.04 Invoke-command Access Denied

Viewing 19 reply threads
  • Author
    Posts
    • #223866
      Participant
      Topics: 30
      Replies: 102
      Points: 505
      Rank: Major Contributor

      Unbuntu 18.4 I use for Nagios to monitor my VM’s
      I am writing script to restart HTTP application pools on the VM
      The WM is a Windows 2019 Server in this case I have others
      So when Nagios chceks the application pool and finds it stopped I have a powershell command to restart the app pool.
      start-webapppool -name “SecurityTokenServiceApplicationPool”

      So I installed PowerShell 7.0 on my Unbuntu VM and when I run this powershell command

      PS /home/thomas> invoke-command -Computername SERV027-N1 -scriptblock {get-service nscp}
      Invoke-Command: MI_RESULT_ACCESS_DENIED

      The Ubuntu VM is domain joined to my Active Directory as is SERV027-N1

      WinRM is setup on all my servers. on the windows side.

      From my Windows 10 Desktop I can run the same command with success.

      PS C:\util> invoke-command -ComputerName SERV027-N1 -ScriptBlock {get-service nscp}

      Status Name DisplayName PSComputerName
      —— —- ———– ————–
      Running nscp NSClient++ (x64) SERV027-N1

      Any ideas

      I am new to powershell on Ubuntu

      Thank you

      Tom

    • #223917
      Participant
      Topics: 3
      Replies: 310
      Points: 1,016
      Helping Hand
      Rank: Community Hero

      Can you clarify if the working command on windows is PS7 or 5.1?

    • #223938
      Participant
      Topics: 30
      Replies: 102
      Points: 505
      Rank: Major Contributor

      Doug,

      All my Windows servers are running 5.1
      Have Windows 2012 R2
      Windows 2016
      Windows 2019

      I was researching this do I need openssh on the windows side ?

      Thank you
      Tom

    • #223980
      Participant
      Topics: 3
      Replies: 310
      Points: 1,016
      Helping Hand
      Rank: Community Hero

      I would just like you to test PS7 on windows as well. Maybe the issue is less of an “on Ubuntu” issue and more of a “PS7” one.

    • #224004
      Senior Moderator
      Topics: 8
      Replies: 1215
      Points: 4,334
      Helping Hand
      Rank: Community Hero

      You are connecting to a Windows VM and the user accounts on both Ubuntu and Windows are not same. Specify the credentials while connecting via Invoke-Command.

    • #224136
      Participant
      Topics: 30
      Replies: 102
      Points: 505
      Rank: Major Contributor

      $cred = get-credential mydomain\administrator

      PS /home/thomas> $cred

      UserName Password
      ——– ——–
      mydomain\administrator System.Security.SecureString

      Using -Hostname
      PS /home/thomas> invoke-command -hostname “SERV027-N1” -credential $cred -scriptblock {get-service nscp}
      Invoke-Command: Parameter set cannot be resolved using the specified named parameters. One or more parameters issued cannot be used together or an insufficient number of parameters were provided.

      Using -Computername

      PS /home/thomas> invoke-command -computername “SERV027-N1” -credential $cred -scriptblock {get-service nscp}
      Invoke-Command: MI_RESULT_ACCESS_DENIED

      cred not working either

    • #224151
      Participant
      Topics: 3
      Replies: 310
      Points: 1,016
      Helping Hand
      Rank: Community Hero

      Still curious if PS7 on windows works like 5.1 or not.

    • #224214
      Participant
      Topics: 30
      Replies: 102
      Points: 505
      Rank: Major Contributor

      Doug

      I install PowerShell 7.0 on my Windows server but 5.1 is still installed. So how do I know it is connecting via PowerShell 7.0?

      Tried with creds using -computername
      PS /home/thomas> invoke-command -computername “SERV027-N1” -credential $cred -scriptblock {get-service nscp}
      Invoke-Command: MI_RESULT_ACCESS_DENIED

      tried with creds using -computername
      PS /home/thomas> invoke-command -computername “SERV027-N1” -scriptblock {get-service nscp}
      Invoke-Command: MI_RESULT_ACCESS_DENIED

      Without creds using -hostname

      PS /home/thomas> invoke-command -hostname “SERV027-N1” -scriptblock {get-service nscp}
      OpenError: [serv027-n1] The background process reported an error with the following message: The SSH client session has ended with error message: ssh: connect to host serv027-n1 port 22: Connection timed out.

      Then I added a inbound port on the Windows firewall for port 22

      PS /home/thomas> invoke-command -hostname “SERV027-N1” -scriptblock {get-service nscp}
      OpenError: [srv027-n1] The background process reported an error with the following message: The SSH client session has ended with error message: ssh: connect to host serv027-n1 port 22: Connection timed out.

      Using Creds with -hostname
      PS /home/thomas> invoke-command -hostname “SERV027-N1” -credential $cred -scriptblock {get-service nscp}
      Invoke-Command: Parameter set cannot be resolved using the specified named parameters. One or more parameters issued cannot be used together or an insufficient number of parameters were provided.
      PS /home/thomas>

      Any ideas?

    • #224307
      Participant
      Topics: 3
      Replies: 310
      Points: 1,016
      Helping Hand
      Rank: Community Hero

      You run pwsh.exe instead of powershell.exe. If you run $PSVersiontable inside you will see which version. Once installed you should also be able to find shortcut for either version in your start menu.

      Can you give more details about the ubuntu machine. You said it’s a VM, is it running in hyperv, esxi, virtualbox?

    • #224310
      Participant
      Topics: 3
      Replies: 310
      Points: 1,016
      Helping Hand
      Rank: Community Hero
    • #224370
      Participant
      Topics: 30
      Replies: 102
      Points: 505
      Rank: Major Contributor

      Doug,

      My Ubuntu machine is a VM on VMware 6.7 ESXI 6.7 Host

      My windows Serve IS ALSO A vm on VMware 6.7 ESXI 6.7 host.
      From my Windows 2019 server
      PowerShell 7.0.0
      Copyright (c) Microsoft Corporation. All rights reserved.

      https://aka.ms/powershell
      Type ‘help’ to get help.

      PS C:\Windows\System32> $PSVersionTable

      Name Value
      —- —–
      PSVersion 7.0.0
      PSEdition Core
      GitCommitId 7.0.0
      OS Microsoft Windows 10.0.17763
      Platform Win32NT
      PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
      PSRemotingProtocolVersion 2.3
      SerializationVersion 1.1.0.1
      WSManStackVersion 3.0

      From my Ubuntu

      ~# pwsh
      PowerShell 7.0.0
      Copyright (c) Microsoft Corporation. All rights reserved.

      https://aka.ms/powershell
      Type ‘help’ to get help.

      PS /root> $PSVersionTable

      Name Value
      —- —–
      PSVersion 7.0.0
      PSEdition Core
      GitCommitId 7.0.0
      OS Linux 4.4.0-177-generic #207-Ubuntu SMP Mon Mar…
      Platform Unix
      PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
      PSRemotingProtocolVersion 2.3
      SerializationVersion 1.1.0.1
      WSManStackVersion 3.0

      I tried enter-possession and I get same error

      I tried to enter possession from my ubuntu to my ubuntu that gets a little further

      PS /root> enter-pssession -Hostname TGCS018 -UserName thomas
      thomas@serv018’s password:
      Enter-PSSession: The background process reported an error with the following message: The SSH client session has ended with error message: subsystem request failed on channel 0.
      PS /root>

    • #224376
      Participant
      Topics: 3
      Replies: 310
      Points: 1,016
      Helping Hand
      Rank: Community Hero

      I whole heartedly believe the answer to your woes is in one of those links.

    • #224772
      Participant
      Topics: 30
      Replies: 102
      Points: 505
      Rank: Major Contributor

      Doug

      I am now able to SSH from my Ubuntu server to my Windows Server I had to install OpenSSH on the Windows Server Port 22 is now listening on the Windows server.

      But I still can not run the invoke-command with or without creds they are still failing.

      Any ideas? I would rather not need to use creds at all since this will be a script and will run standalone

      Thanks

      Tom

    • #224916
      Participant
      Topics: 30
      Replies: 102
      Points: 505
      Rank: Major Contributor

      Doug,

      Update 2 I am now able to run invoke-command from Ubuntu to Windows Server.

      It was the sshd_config file on the windows server that needed updating

      My only problem is it still prompts me for the password.
      Trying to be able to run this without creds

      Any ideas?

      • This reply was modified 3 weeks, 3 days ago by Tom Grassi.
    • #224970
      Participant
      Topics: 3
      Replies: 310
      Points: 1,016
      Helping Hand
      Rank: Community Hero

      When running the cmdlets interactively, you’re prompted for a password. You can also, use SSH key authentication using a private key file with the KeyFilePath parameter.

      And, you must enable password or key-based authentication.

      Need to figure out what’s wrong with your keys?

      https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ssh-remoting-in-powershell-core?view=powershell-7

    • #225042
      Participant
      Topics: 30
      Replies: 102
      Points: 505
      Rank: Major Contributor

      Doug,

      Yes

      My issue is that I am unable to copy my SSH Key from Ubuntu to my Windows Server for some reason

      Something on my Ubuntu server trying to troubleshoot that now.

      Very strange all I find is Openssh windows to windows examples the ubuntu to windows examples does not go into details

    • #225063
      Participant
      Topics: 30
      Replies: 102
      Points: 505
      Rank: Major Contributor

      Doug update

      I used scp to copy the file from ubuntu to windows but it still prompts me

      Still researching this.

    • #225093
      Participant
      Topics: 3
      Replies: 310
      Points: 1,016
      Helping Hand
      Rank: Community Hero

      The password works consistently otherwise?

    • #225108
      Participant
      Topics: 30
      Replies: 102
      Points: 505
      Rank: Major Contributor

      Doug

      Yes when I enter the password it presents the results.

      PS /home/thomas> invoke-command -hostname SERV027-N1 {get-service ssh-agent}
      thomas@serv027-n1’s password:

      Status Name DisplayName PSComputerName
      —— —- ———– ————–
      Running ssh-agent OpenSSH Authentication Agent serv027-n1

      Thanks for responding to my other posting too

    • #225204
      Participant
      Topics: 30
      Replies: 102
      Points: 505
      Rank: Major Contributor

      Doug,

      Now that I have OpenSSHUTilS module installed I was able to run this

      PS C:\Users\thomas\.ssh> Repair-AuthorizedKeyPermission authorized_keys
      [*] authorized_keys

      ‘NT AUTHORITY\SYSTEM’ needs FullControl access to ‘authorized_keys’.
      Shall I make the above change?
      [Y] Yes [A] Yes to All [N] No [L] No to All Suspend [?] Help (default is “Y”): y
      ‘NT AUTHORITY\SYSTEM’ now has FullControl to ‘authorized_keys’.
      Repaired permissions

      PS C:\Users\thomas\.ssh> get-acl authorized_keys

      Directory: C:\Users\thomas\.ssh

      Path Owner Access
      —- —– ——
      authorized_keys BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow FullControl…

      PS C:\Users\thomas\.ssh> get-acl authorized_keys | fl

      Path : Microsoft.PowerShell.Core\FileSystem::C:\Users\thomas\.ssh\authorized_keys
      Owner : BUILTIN\Administrators
      Group : OUR\Domain Users
      Access : NT AUTHORITY\SYSTEM Allow FullControl
      OUR\thomas Allow FullControl
      Audit :
      Sddl : O:BAG:DUD:PAI(A;;FA;;;SY)(A;;FA;;;S-1-5-21-3054588571-1341459584-784128302-4702)

      The Repair-AuthorizedKeyPermission command set the proper permissions

      I then restarted sshd

      And now from my Ubuntu server I can run invoke-command with out creds

      I am documenting the process so I can work on my other servers.

      Thank you for your help

      This is resolved.

Viewing 19 reply threads
  • You must be logged in to reply to this topic.