Need some help using Kerberos Authentication for Windows Target


Shawn Singh

Aug 10, 2018, 4:01:46 PM
to Ansible Project
Hello,

I've configured a Windows 2016 Server using ConfigureRemotingForAnsible.ps1 and am able to do a simple ping test using basic auth.

Command I'm using is:
ansible all -i myinventory -m win_ping

I get a pong back.

When trying to use Kerberos, authentication ... different story:
My inventory looks like:
xjaxd11133app.csxt.ad.csx.com ansible_user=network...@CSXT.AD.CSX.COM ansible_password=secret ansible_port=5986 ansible_winrm_transport=kerberos ansible_connection=winrm ansible_winrm_server_cert_validation=ignore

Instead, I'm seeing:
ansible all -i kerbauth -m win_ping
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function <unbound method HTTPKerberosAuth.__init__> does not contain optional arg force_preemptive, check installed version with pip list
  % (str(function), name))
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function <unbound method HTTPKerberosAuth.__init__> does not contain optional arg delegate, check installed version with pip list
  % (str(function), name))
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function <unbound method HTTPKerberosAuth.__init__> does not contain optional arg send_cbt, check installed version with pip list
  % (str(function), name))
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function <unbound method HTTPKerberosAuth.__init__> does not contain optional arg principal, check installed version with pip list
  % (str(function), name))
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function <unbound method HTTPKerberosAuth.__init__> does not contain optional arg sanitize_mutual_error_response, check installed version with pip list
  % (str(function), name))
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function <unbound method HTTPKerberosAuth.__init__> does not contain optional arg hostname_override, check installed version with pip list
  % (str(function), name))
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: MutualAuthenticationError: Unable to authenticate <Response [200]>
    "msg": "Unexpected failure during module execution.",
    "stdout": ""
}

For more verbose:

[j8683@lnx30137 /home/j8683]$ ansible all -i kerbauth -m win_ping -vvvvv
ansible 2.6.2
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/j8683/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, May  3 2017, 07:55:04) [GCC 4.8.5 20150623 (Red Hat 4.8.5-14)]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
Parsed /home/j8683/kerbauth inventory source with ini plugin
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/minimal.pyc
META: ran handlers
Using module file /usr/lib/python2.7/site-packages/ansible/modules/windows/win_ping.ps1
<xjaxd11133app.csxt.ad.csx.com> ESTABLISH WINRM CONNECTION FOR USER: network...@CSXT.AD.CSX.COM on PORT 5986 TO xjaxd11133app.csxt.ad.csx.com
checking if winrm_host xjaxd11133app.csxt.ad.csx.com is an IPv6 address
creating Kerberos CC at /tmp/tmp8tVXsJ
calling kinit with subprocess for principal network...@CSXT.AD.CSX.COM
kinit succeeded for principal network...@CSXT.AD.CSX.COM
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function <unbound method HTTPKerberosAuth.__init__> does not contain optional arg force_preemptive, check installed version with pip list
  % (str(function), name))
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function <unbound method HTTPKerberosAuth.__init__> does not contain optional arg delegate, check installed version with pip list
  % (str(function), name))
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function <unbound method HTTPKerberosAuth.__init__> does not contain optional arg send_cbt, check installed version with pip list
  % (str(function), name))
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function <unbound method HTTPKerberosAuth.__init__> does not contain optional arg principal, check installed version with pip list
  % (str(function), name))
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function <unbound method HTTPKerberosAuth.__init__> does not contain optional arg sanitize_mutual_error_response, check installed version with pip list
  % (str(function), name))
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function <unbound method HTTPKerberosAuth.__init__> does not contain optional arg hostname_override, check installed version with pip list
  % (str(function), name))
<xjaxd11133app.csxt.ad.csx.com> WINRM OPEN SHELL: 175244FF-08BF-4463-A577-1B800748F4B5
EXEC (via pipeline wrapper)
<xjaxd11133app.csxt.ad.csx.com> WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-']
<xjaxd11133app.csxt.ad.csx.com> WINRM CLOSE SHELL: 175244FF-08BF-4463-A577-1B800748F4B5
The full traceback is:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/executor/task_executor.py", line 138, in run
    res = self._execute()
  File "/usr/lib/python2.7/site-packages/ansible/executor/task_executor.py", line 576, in _execute
    result = self._handler.run(task_vars=variables)
  File "/usr/lib/python2.7/site-packages/ansible/plugins/action/normal.py", line 46, in run
    result = merge_hash(result, self._execute_module(task_vars=task_vars, wrap_async=wrap_async))
  File "/usr/lib/python2.7/site-packages/ansible/plugins/action/__init__.py", line 853, in _execute_module
    res = self._low_level_execute_command(cmd, sudoable=sudoable, in_data=in_data)
  File "/usr/lib/python2.7/site-packages/ansible/plugins/action/__init__.py", line 960, in _low_level_execute_command
    rc, stdout, stderr = self._connection.exec_command(cmd, in_data=in_data, sudoable=sudoable)
  File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 524, in exec_command
    result = self._winrm_exec(cmd_parts[0], cmd_parts[1:], from_exec=True, stdin_iterator=stdin_iterator)
  File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 433, in _winrm_exec
    command_id = self.protocol.run_command(self.shell_id, to_bytes(command), map(to_bytes, args), console_mode_stdin=(stdin_iterator is None))
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 341, in run_command
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 234, in send_message
    resp = self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 256, in send_message
    response = self._send_message_request(prepared_request, message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 261, in _send_message_request
    response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 582, in send
    r = dispatch_hook('response', hooks, r, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/hooks.py", line 41, in dispatch_hook
    _hook_data = hook(hook_data, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 267, in handle_response
    _r = self.handle_other(response)
  File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 212, in handle_other
    "{0}".format(response))
MutualAuthenticationError: Unable to authenticate <Response [200]>

    "msg": "Unexpected failure during module execution.",
    "stdout": ""
}

I've got the following winrm, requests, and kerberos software installed...
pip list | grep -e winrm -e kerb
kerberos                         1.3.0
pykerberos                       1.2.1
pywinrm                          0.3.0
requests-kerberos                0.12.0

Has anyone seen this? 

Thanks,

Radesh


J Hawkesworth

Aug 12, 2018, 7:14:16 AM
to Ansible Project
I haven't seen this error before myself.
This line in your errors makes it look to me like there is something unexpected about the underlying libs on your ansible controller.

/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function <unbound method HTTPKerberosAuth.__init__> does not contain optional arg force_preemptive, check installed version with pip list

Sometimes things get scrambled when there is a mismatch between versions of libraries installed by your operating system package manager and the libraries that python expects.

In such cases sometimes you can fix things by uninstalling and reinstalling everything.

You don't mention how you installed ansible but if it's from pip I'd recommend upgrading pip itself to the latest version, then uninstalling and reinstalling ansible.

Hope this helps,

Jon

David Baumann

Aug 12, 2018, 12:44:36 PM
to Ansible Project
I think the pykerberos module is missing

Check ansible docs

Jordan Borean

Aug 12, 2018, 7:26:50 PM
to Ansible Project
While pip is showing the packages are installed it seems like they were not installed properly or something is wrong with your Python environment. It is showing various warnings saying various kwargs pywinrm expects from requests-kerberos are not there which shouldn't be happening if you are on the latest version. The actual error you are getting seems to be a bug, it is getting a 200 response but is expecting the server to reply with a token so the client can authenticate the host and verify it is who it is saying it is.

I would recommend you create a virtualenv and install all the dependencies there to verify you are working with a clean environment. To do this you can run;

virtualenv ansible-test
source ansible-test/bin/activate
pip install ansible pywinrm[kerberos]

ansible all -i kerbauth -m win_ping -vvvvv


Thanks

Jordan

Shawn Singh

Aug 13, 2018, 3:51:49 PM
to Ansible Project
Not sure of the original installation, but I've used yum to keep it updated.

I believe I've got version 18 of pip...

This is what I see when I check the version of pip...

pip -V
pip 18.0 from /usr/lib/python2.7/site-packages/pip (python 2.7)

Would you suggest doing a pip install ansible over yum install ansible?

Jordan Borean

Aug 13, 2018, 6:46:47 PM
to Ansible Project
I prefer using pip because system packages are system wide but I come from a developer focused background. Another reason why I'm not a fan of system packages is that they usually lag behind what is available in pip. There are definitely benefits to using system packages but it's not for me.

When looking at the stack trace we can see line 212 is in the handle_other function whereas it is in another function on the v0.12.0 release https://github.com/requests/requests-kerberos/blob/v0.12.0/requests_kerberos/kerberos_.py#L212. This tells me that an older (probably really old) version from the system package install is overriding whatever pip may have installed originally. To create a new environment not polluted by the system packages, please create a virtualenv with the following commands;

virtualenv ansible-test
source ansible-test/bin/activate
pip install ansible pywinrm[kerberos]

ansible all -i kerbauth -m win_ping -vvvvv

If this works then you know you need to look at the packages that are installed.

Thanks

Jordan
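
The diagnosis in this thread (a stale copy of requests_kerberos shadowing the one pip reports, so mutual authentication of the WinRM host fails) can be checked directly; the script below is an added example, not code from the thread or from pywinrm/requests-kerberos. It lists every copy of the package on the import path and reports which of the keyword arguments named in the warnings the imported HTTPKerberosAuth lacks; the helper names are hypothetical and it assumes Python 3, unlike the poster's Python 2.7 controller.

```python
import inspect
import os
import sys

# Keyword arguments named in the UserWarning lines from winrm/transport.py above.
EXPECTED_KWARGS = ["force_preemptive", "delegate", "send_cbt", "principal",
                   "sanitize_mutual_error_response", "hostname_override"]

def missing_kwargs(func, expected=EXPECTED_KWARGS):
    """Return the expected keyword arguments that func does not accept."""
    params = inspect.signature(func).parameters
    if any(p.kind is inspect.Parameter.VAR_KEYWORD for p in params.values()):
        return []  # a **kwargs catch-all accepts any name
    return [name for name in expected if name not in params]

def find_copies(package, search_path=None):
    """List every copy of package on the import path, in import order.

    The first entry is the one Python imports; later entries are shadowed
    (for example a pip install hidden behind an older OS package).
    """
    copies = []
    for entry in (sys.path if search_path is None else search_path):
        candidate = os.path.join(entry or ".", package)
        marker = os.path.join(candidate, "__init__.py")
        if os.path.isfile(marker) and candidate not in copies:
            copies.append(candidate)
    return copies

def report(package="requests_kerberos", cls_name="HTTPKerberosAuth"):
    """Summarise which copy is imported and which kwargs it is missing."""
    copies = find_copies(package)
    try:
        module = __import__(package)
    except ImportError:
        return {"imported_from": None, "copies": copies, "missing": None}
    cls = getattr(module, cls_name)
    return {"imported_from": getattr(module, "__file__", None),
            "copies": copies,
            "missing": missing_kwargs(cls.__init__)}

if __name__ == "__main__":
    for key, value in report().items():
        print(key, "=", value)
```

Run it with the same interpreter Ansible uses; more than one entry under copies, or a non-empty missing list, points at the shadowing described above.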