Shell_command failing to run - return code 127

I am attempting start and stop windows services via HA using net rpc. I have the commands successfully starting and stopping services on a windows pc on the network via the web terminal add-on but can’t get them to run in a shell_command in the configuration.yaml.

Abbreviated error message down to the basics from the logs:

Error running command: `net rpc`, return code: 127
NoneType: None

I understand this means that the command net isn’t installed and so the command couldn’t be found. I installed the required samba toolkit in terminal to get it working but from my limited understanding, I am lead to believe the command is running in a different container to the terminal add-on.

To get HA running, I simply followed the guide on home-assistant.io and installed it directly on an SD card, I didn’t specifically set up docker instances. My knowledge on docker containers and Linux is pretty limited, I am very much a windows dev.

Shell command which I am testing via the developer tools:

shell_command:
  test_net: "net rpc"

Do I need to go down the complicated route of setting up ssh’ing to the other container or is there a simpler way to get this shell_command to work?

Actual commands I want to use (that work, with different creds, via the terminal add-on):

shell_command:
  start_service: "net rpc service start CustomService -I 192.168.1.64 -U user%password1"
  stop_service: "net rpc service stop CustomService -I 192.168.1.64 -U user%password1"

There is no getting around setting up keys for shell commands, unless you leave everything wide open and unsecured. This guide should make it pretty straight forward.

net is a pure windows command. You don’t have a choice but to ssh to the windows machine to execute it.

1 Like

Thanks for this. I will take another look at that guide and work my way through it.

From that article, I have generated the keys and now have to ssh-copy-id across to the other container. What user I should be using with the IP address?

The machine that you are logging into, your windows admin user.

1 Like

Thanks everyone. I thought I was ssh’ing from one HA docker container to another HA docker container to run the command I mentioned. Turns out I am obviously ssh’ing into windows to run the command.

I have got the command working successfully in HA now with the following steps. Hope it helps someone else. Or future me when I forget!

Steps

  • Install SSH & Web Terminal (I think I originally had Terminal & SSH installed which is different and doesn’t have the ‘protection mode’ setting).
  • Set a password in the HA ‘Supervisor’ → ‘SSH & Web Terminal’ → ‘Configuration’ tab.
  • Disable ‘Protection mode’.

Powershell (Install OpenSSH | Microsoft Docs)

Install the OpenSSH Client:
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

Install the OpenSSH Server:
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'

if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) {
    Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..."
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
} else {
    Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists."
}

Linux (HA Terminal)

Generate key:
ssh-keygen /config/.ssh

Copy key from Linux to Windows:
scp /config/.ssh.pub [email protected]:'C:\ProgramData\ssh\administrators_authorized_keys'

if using an alternate method, ensure file is not UTF-16 encoded

Set correct permissions on key:
chmod 700 /config/.ssh

Powershell (Because the user rdp is a local admin on windows)

icacls C:\ProgramData\ssh\administrators_authorized_keys /remove "NT AUTHORITY\Authenticated Users"
icacls C:\ProgramData\ssh\administrators_authorized_keys /inheritance:r
get-acl C:\ProgramData\ssh\ssh_host_dsa_key | set-acl C:\ProgramData\ssh\administrators_authorized_keys

Confirm passwordless connection with:
ssh [email protected] -I /config/.ssh

Linux (HA Terminal)

Best practice:
ssh -o UserKnownHostsFile=/config/.ssh/known_hosts [email protected] -i /config/.ssh 'net start service-name-here'

This didnt work for me so just used the next one as it seemed fine on a local network

Simple:
ssh [email protected] -o StrictHostKeyChecking=no -i /config/.ssh 'net start service-name-here'

Home Assistant configuration.yaml

shell_command:
  start: ssh [email protected] -o StrictHostKeyChecking=no -i /config/.ssh 'net start service-name-here'
  stop: ssh [email protected] -o StrictHostKeyChecking=no -i /config/.ssh 'net stop service-name-here'

At this point you can test it using the Developer Tools → Services tab to start/stop the service and use it in any HA config.