Windows Ansible Kerberos user privileges


Flavio Gobber

Mar 4, 2019, 6:34:50 AM
to Ansible Project

Hello,

I am starting to use Ansible to manage servers joined to a domain.
I started testing with a domain user account that is a member of Domain Users and is also a member of the local Administrators group on the target.
When I execute the command:
ansible win_pibchs -m win_ping

the command is executed well.

Now I would like to run the same command without the account being a member of the local Administrators group.
When I try the command it terminates with this message:
fcvwsbdt.PIBCHS.ENET | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: Access is denied.  (extended fault data: {u'fault_subcode': 'w:AccessDenied', u'fault_code': 's:Sender', u'wsmanfault_code': '5', 'transport_message': u'Bad HTTP response returned from server. Code 500', 'http_status_code': 500})",
    "unreachable": true
}

The group_vars of "win_pibchs" is:
---
ansible_user: wuu...@PIBCHS.ENET
ansible_password: UnaPassword
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_winrm_server_cert_validation: ignore


I executed this command on the target server:
"Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI -Force"
and assigned the account "wuu...@PIBCHS.ENET",
and did the same thing with:
"Set-PSSessionConfiguration -Name Microsoft.PowerShell32 -ShowSecurityDescriptorUI -Force"

With this configuration I am able to run the command from another server:

winrs -r:fcvwsbdt.PIBCHS.ENET DIR C:\

Could someone give me some help?

Thank you and best regards.

Flavio Gobber
Jordan Borean

Mar 5, 2019, 12:56:19 AM
to Ansible Project
If the user is a member of the Administrators group on the remote host then you shouldn't have to touch the SDDL of the WinRM listener at all. This is only necessary if the user is a limited user and needs access. Also, `Set-PSSessionConfiguration` is touching the session configuration for the Microsoft.PowerShell endpoint, which is not what Ansible is using. To configure the SDDL for the actual endpoint Ansible uses you can run:

winrm configSDDL default

Administrators should have Full Control, if you wish to add more users they need to have at least Read and Execute permissions.

The fact that the winrs command is working indicates something else is going on. The winrs command will use the credentials of the currently running user; if you are trying to verify whether that account has access, it is simpler to test with explicit credentials like:

winrs -r:fcvwsbdt.PIBCHS.ENET -u:wuuser@PIBCHS.ENET -p:UnaPassword DIR C:\

If that works then something else is at play. Can you share:

  • The output of `winrm get winrm/config/service` on your Windows host
  • The output of `pip list` on your Ansible controller

Thanks

Jordan
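
Added example, not from the thread or from the Ansible project: the SDDL change described in the reply above, done from an elevated PowerShell prompt on the target instead of through the dialog that `winrm configSDDL default` opens, so it can be scripted and reviewed. It reads the root SDDL of the WinRM service (the default endpoint that Ansible's `winrm` connection talks to, as opposed to the Microsoft.PowerShell session configuration), appends an access-allowed ACE with Read and Execute (GR and GX) for the limited user, writes it back, and leaves Full Control with Administrators only. The account name `PIBCHS\wuuser` is an assumption derived from the `wuuser@PIBCHS.ENET` UPN in the reply; the `RawSecurityDescriptor` and `CommonAce` classes are standard .NET types.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell
# prompt on the target host. Grants a non-admin domain user Read + Execute on the
# WinRM default endpoint, which is the endpoint Ansible's winrm connection uses.
$Account = 'PIBCHS\wuuser'   # assumed DOMAIN\sAMAccountName for wuuser@PIBCHS.ENET

# 1. Read the current root SDDL. On a stock host it looks roughly like
#    O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
#    i.e. BUILTIN\Administrators (BA) full control, Interactive users (IU) read.
$sddl = (Get-Item WSMan:\localhost\Service\RootSDDL).Value
Write-Output "Current SDDL: $sddl"

# 2. Resolve the account to a SID. SDDL ACEs can carry a SID directly, so no
#    well-known alias is needed for a domain user.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# 3. Build the access mask: GENERIC_READ (GR) | GENERIC_EXECUTE (GX) is the
#    minimum a limited user needs on this endpoint; do NOT hand out GA here.
$GENERIC_READ    = 0x80000000
$GENERIC_EXECUTE = 0x20000000
$mask = $GENERIC_READ -bor $GENERIC_EXECUTE

# 4. Parse the SDDL, append the ACE only if the SID is not already listed
#    (re-running the script must not stack duplicate ACEs), and write it back.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
$existing = $sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier -eq $sid }
if ($existing) {
    Write-Output "$Account ($sid) already has an ACE on the default endpoint; nothing changed."
} else {
    $ace = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $mask, $sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    Set-Item -Path WSMan:\localhost\Service\RootSDDL -Value $newSddl
    Write-Output "New SDDL:     $newSddl"
}

# 5. Show the result in the same form `winrm get winrm/config/service` prints it,
#    so the change can be checked against the value captured before the edit.
(Get-Item WSMan:\localhost\Service\RootSDDL).Value
```

Verify from a second machine with explicit credentials, exactly as the reply suggests (`winrs -r:fcvwsbdt.PIBCHS.ENET -u:wuuser@PIBCHS.ENET -p:... DIR C:\`); only once that works is the Ansible side worth debugging. Two caveats: if the current SDDL already contains an ACE for `RM` (the local Remote Management Users group), adding the user to that group is an alternative that avoids editing the SDDL at all; and GX+GR on the endpoint only lets the account open a shell, so the tasks Ansible then runs still succeed only as far as that account's own rights on the host allow.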

Flavio Gobber

Mar 5, 2019, 1:19:08 AM
to Ansible Project
Hi Jordan,

thank you for the information.

I have followed your suggestion and now it works well.

Best regards.

Flavio Gobber