Help test WinRM updates for NTLM, kerb delegation

2,619 views
Skip to first unread message

Matt Davis

unread,
May 9, 2016, 6:33:33 PM5/9/16
to Ansible Project

A new pywinrm release that supports NTLM, kerberos delegation, and much improved performance is just around the corner! Version 0.2.0 is at release candidate, and a test build has been published to testpypi. Just waiting for any final testing/review from Alexey before the final publish of the release build to PyPI. 


Feel like giving it a whirl?


pip install pywinrm[kerberos]==0.2rc3 -i https://testpypi.python.org/pypi --extra-index-url https://pypi.python.org/pypi


will get you the RC3 test build from testpypi (along with the released dependencies from the real pypi), and the optional kerberos dependencies. If you don't want kerberos, just get rid of the [kerberos] extras part in the pkgspec above.


This pywinrm build has been tested with Ansible 1.9.5, 2.0.2 and 2.1RC1.


Once you have it installed, ansible_winrm_transport=ntlm in your inventory for Windows hosts (sorry, this one only works for Ansible 2.0+) lets you use domain users with both domain\username and user...@domain.com syntax. When using ansible_winrm_transport=kerberos, kerberos delegation support can be enabled just by adding ansible_winrm_kerberos_delegation=yes


We've added a few new niceties around arg parsing in Ansible 2.1, like warnings if you pass inventory args that your installed version of pywinrm doesn't understand (and not requiring things like username when not required) but otherwise, most of the goodies in here should work on older versions of Ansible too.


This release of pywinrm has switched the HTTP(S) client from urllib2 to requests, allowing us to take advantage of persistent connections, which give another significant performance boost to Windows on Ansible (especially over HTTPS, as we don't have to repeat the TLS handshake for each WinRM request). In my testing, local VMs experienced about a 20% speed boost on small tasks, while remote VMs (eg, AWS instances) got more like a 50% speed boost to small tasks (due to the higher latency cost during connection setup). File transfer performance (eg, win_copy) should also be noticeably improved again with this release, though I haven't benchmarked it.


Feel free to file issues at https://github.com/diyan/pywinrm/issues.


Enjoy!


Matt Davis

Principal Software Engineer (Ansible Core Windows)

Red Hat

J Hawkesworth

unread,
May 11, 2016, 1:30:00 PM5/11/16
to Ansible Project
I have given this a quick sanity check and I haven't seen any problems yet, although haven't yet had chance to test new features so far...

I don't use pip much - do you happen to know if there is an easy way to back out to existing pywinrm (not tried, but would put it onto shared server and exercise it a bit more if I knew I could back it out easily).

Many thanks,

Jon

Matt Davis

unread,
May 12, 2016, 1:13:56 PM5/12/16
to Ansible Project
Yeah, just do pip install pywinrm==0.1.1 (without all the other args to point at the test server)- it'll automatically uninstall and downgrade you to the currently released version.

Mike Fennemore

unread,
May 18, 2016, 4:59:48 PM5/18/16
to Ansible Project
Looks pretty good so far, tried a few playbooks and the ntlm auth. So far no issues. Any idea when the stable release is likely to be?


Matt Davis

unread,
May 18, 2016, 6:29:22 PM5/18/16
to Ansible Project
Awesome, thanks for poking at it! 

Waiting for another requests-kerberos release to include a bugfix I made for long-running kerberos ops (should happen today or tomorrow), and Alexey's final code review on some Unicode issues I've been cleaning up. I'd expect sometime in the next week or so. 

J Hawkesworth

unread,
May 23, 2016, 11:50:26 AM5/23/16
to Ansible Project
Looks like there is a new version available (0.2rc4) in test pypi (which depends on updated requests-kerberos)

I had to do the following to get it to install

 pip install requests-kerberos --upgrade
 pip install pywinrm[kerberos]==0.2rc4 -i https://testpypi.python.org/pypi --extra-index-url https://pypi.python.org/pypi

Enjoying the speed boost, looking forward to pushing this out past my test box.

Jon

Trond Hindenes

unread,
May 23, 2016, 8:53:32 PM5/23/16
to Ansible Project
Thanks for the updated instructions Jon, 

Matt: great work! It feels way faster (esp against cloud servers)

Matt Davis

unread,
May 25, 2016, 12:59:13 PM5/25/16
to Ansible Project
Thanks- looking forward to it getting published to PyPI for real...

Due to something strange on pypi or pip, the new version of requests-kerberos needed by rc4 only gets picked up automatically by changing the install command to the following (using the /simple endpoints instead of /pypi):

pip install pywinrm[kerberos]==0.2rc4 -i https://testpypi.python.org/simple --extra-index-url https://pypi.python.org/simple

They tell me this shouldn't be an issue once we release to real PyPI, but I don't have the ability to do it without making my own version of it.

Kenny Evitt

unread,
Jun 7, 2016, 1:01:52 PM6/7/16
to Ansible Project
Thanks a lot Matt!

NTLM is working great for me.

Right now I'm working on automating a Windows Active Directory domain consolidation so I'm going to hold off on testing Kerberos for now. But I'll try to remember to follow-up later if that changes and confirm whether the new versions are working for me.

Willem Bos

unread,
Jun 8, 2016, 2:42:27 AM6/8/16
to Ansible Project
Just tried pywinrm 0.2rc6. Both ansible_winrm_transport=ntlm and ansible_winrm_transport=kerberos work fine. Thanks!

Running on RHEL7 with Ansible 2.0.2.

Mike Fennemore

unread,
Jun 23, 2016, 4:10:41 AM6/23/16
to Ansible Project
Hi Matt,

Am I right in saying 0.2.0 is now released?


On Tuesday, May 10, 2016 at 12:33:33 AM UTC+2, Matt Davis wrote:

J Hawkesworth

unread,
Jun 23, 2016, 9:48:31 AM6/23/16
to Ansible Project
Not to steal Matt's fire but I can confirm 0.2.0 is released.

I have been running some tests against 2.1.1 rc1 this week and I can run all the windows integration tests in just over 15 mins on my test box (against Server 2012 R2).
I installed pywinrm 0.2.0 and the same test runs in just over 10 minutes.

So well worth testing out now.

Jon

Trond Hindenes

unread,
Jul 1, 2016, 5:05:21 AM7/1/16
to Ansible Project
So we can get these bits simply by doing pip install pywinrm==0.2.0 now? 

J Hawkesworth

unread,
Jul 1, 2016, 9:39:13 AM7/1/16
to Ansible Project
Might want to make it 

pip install pywinrm[kerberos]==0.2.0

If you want to use kerberos  (Active Directory) logins but otherwise yes.

Well worth it, been running in dev and testing for a week or so now and enjoying the faster run times against windows host, and I haven't spotted any issues.

Jon

Trond Hindenes

unread,
Jul 1, 2016, 4:17:27 PM7/1/16
to Ansible Project
Thanks!
My customer is not using kerb yet, so I just installed the "regular" 0.2.0 and it seems to be working great! Hope I'm not missing out on any speedy goodness by doing it that way.

Matt Davis

unread,
Jul 1, 2016, 5:38:19 PM7/1/16
to Ansible Project
Nope, the kerberos extras just installs the right version of requests-kerberos (and prevents you from having to build the pykerberos bits if you don't need them).

Charles Meo

unread,
Dec 9, 2016, 5:57:09 PM12/9/16
to Ansible Project
Ah, another d'oh! moment.
Got the python component via 
pip install "pywinrm>=0.1.1"

Is that all that's needed? And is there any documentation--other than your webcast??

cm

Charles Meo

unread,
Dec 9, 2016, 5:57:09 PM12/9/16
to Ansible Project
Hi Matt,

Poking this topic after a long gap--I'm just watching your webcast on ansible.com. Did the transport=ntlm stuff get integrated yet? I've just installed  2.3.0 (devel 1da20c9716) and it still doesn't seem to be there.

Regards,

Charles
Reply all
Reply to author
Forward
0 new messages