kerberos: the python kerberos library is not installed

10,571 views
Skip to first unread message

Aravind Sivaraman

unread,
Jan 27, 2020, 1:32:08 PM1/27/20
to Ansible Project

I am trying to authenticated to windows servers using "Kerberos” , but I am getting an error as “kerberos: the python kerberos library is not installed”. The basic authentication to the windows servers works well. Kerberos is installed and i cant authentication to the domain using kinit.


[ansible@NBP-HO7-Ansible01 windows]$ ansible all -i inventory -m win_ping -vvv
ansible 2.9.4
  config file = None
  configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ansible/.local/lib/python3.6/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.6.8 (default, Aug  7 2019, 17:28:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
No config file found; using defaults
host_list declined parsing /home/ansible/ansible/windows/inventory as it did not pass its verify_file() method
script declined parsing /home/ansible/ansible/windows/inventory as it did not pass its verify_file() method
auto declined parsing /home/ansible/ansible/windows/inventory as it did not pass its verify_file() method
Parsed /home/ansible/ansible/windows/inventory inventory source with ini plugin
META: ran handlers
Using module file /home/ansible/.local/lib/python3.6/site-packages/ansible/modules/windows/win_ping.ps1
Pipelining is enabled.
<10.9.1.5> ESTABLISH WINRM CONNECTION FOR USER: ans...@DOMAIN.COM on PORT 5986 TO 10.9.1.5
10.9.1.5 | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: the python kerberos library is not installed",
    "unreachable": true
}

[ansible@NBP-HO7-Ansible01 windows]$

[ansible@NBP-HO7-Ansible01 windows]$ ^C

[ansible@NBP-HO7-Ansible01 windows]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: ans...@DOMAIN.COM
 
Valid starting       Expires              Service principal
01/27/2020 14:04:59  01/28/2020 00:04:59  krbtgt/DOMAI...@DOMAIN.COM
        renew until 02/03/2020 14:04:50

[ansible@NBP-HO7-Ansible01 windows]$ ^C

[ansible@NBP-HO7-Ansible01 windows]$ cat group_vars/windows.yml

ansible_user: ans...@Domain.COM

ansible_password: xxxxxxx

#ansible_port: 5986

ansible_connection: winrm

ansible_winrm_server_cert_validation: ignore

ansible_winrm_transport: kerberos

[ansible@NBP-HO7-Ansible01 windows]$

 

Required packages are installed as you can below from pip freeze output

ansible@NBP-HO7-Ansible01 windows]$ pip freeze
backports.ssl-match-hostname==3.5.0.1
certifi==2019.11.28
cffi==1.13.2
chardet==3.0.4
configobj==4.7.2
cryptography==2.8
decorator==3.4.0
enum34==1.1.6
futures==3.1.1
idna==2.8
iniparse==0.4
ipaddress==1.0.16
kerberos==1.3.0
kitchen==1.1.1
langtable==0.0.31
ntlm-auth==1.4.0
pan-python==0.16.0
pandevice==0.14.0
perf==0.1
pycparser==2.19
pycurl==7.19.0
pygobject==3.22.0
pygpgme==0.3
pykerberos==1.2.1
pyliblzma==0.5.3
python-augeas==0.5.0
python-linux-procfs==0.4.9
pyudev==0.15
pywinrm==0.4.1
pyxattr==0.5.1
PyYAML==3.10
requests==2.22.0
requests-kerberos==0.12.0
requests-ntlm==1.1.0
schedutils==0.4
six==1.9.0
slip==0.4.0
slip.dbus==0.4.0
urlgrabber==3.10
urllib3==1.25.8
xmltodict==0.12.0
yum-langpacks==0.4.2
yum-metadata-parser==1.1.4
You are using pip version 8.1.2, however version 20.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command

Have got both python 2.7 and 3.6 installed on the machine and 3.6 is default version ansible is being used, whereas the python 2.7 is used as default version on the machine requests-kerberos and pykerberos are installed only pip and pip3.

Any pointers on what can be done here?
 

Jordan Borean

unread,
Jan 27, 2020, 2:41:56 PM1/27/20
to Ansible Project
Sinc pywinrm 0.4.0, requests-kerberos is not actually used so in your case we don't really have to worry about that particular library in your pywinrm version. The pykerberos library is still required but it looks like you do have it there. Also you are saying you have both Python 2.7 and 3.6 installed, typically pip points to the 2.x install and pip3 is for Python 3.x (although that's not always the case).  You can run the following to test out what Python is actually being used and the installed libraries for that Python.

ANSIBLE_PYTHON=$(head -n 1 $(which ansible) | cut -c 3-)

echo $ANSIBLE_PYTHON
$ANSIBLE_PYTHON -m pip list
$ANSIBLE_PYTHON -c "import winrm; import kerberos"

The first step gets the shebang of ansible (#!/usr/bin/python), strips out the #1 part so we can determine what Python is set to execute Ansible. From there we echo the path so we know exactly what Python bin is being used. Finally it calls pip list for that Python then tries to import pywinrm and pykerberos which will tell you if it's installed properly or not.

Thanks

Jordan

Aravind Sivaraman

unread,
Jan 27, 2020, 2:53:42 PM1/27/20
to Ansible Project
Ansible is default to python3 
[ansible@NBP-HO7-Ansible01 windows]$ echo $ANSIBLE_PYTHON
/usr/bin/python3

And when I do pip list for pip3, kerberos doesnt get listed, its available only for pip 2. I did try to install using pip3 but just getting error as following

[ansible@NBP-HO7-Ansible01 windows]$ sudo pip3 install pykerberos
[sudo] password for ansible:
WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3 install --user` instead.
Collecting pykerberos
Building wheels for collected packages: pykerberos
  Running setup.py bdist_wheel for pykerberos ... error
  Complete output from command /usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-p2kyf16m/pykerberos/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" bdist_wheel -d /tmp/tmpb0iu64ibpip-wheel- --python-tag cp36:
  running bdist_wheel
  running build
  running build_ext
  building 'kerberos' extension
  creating build
  creating build/temp.linux-x86_64-3.6
  creating build/temp.linux-x86_64-3.6/src
  gcc -pthread -Wno-unused-result -Wsign-compare -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -I/usr/include/python3.6m -c src/kerberos.c -o build/temp.linux-x86_64-3.6/src/kerberos.o -DGSSAPI_EXT
  src/kerberos.c:17:20: fatal error: Python.h: No such file or directory
   #include <Python.h>
                      ^
  compilation terminated.
  error: command 'gcc' failed with exit status 1

  ----------------------------------------
  Failed building wheel for pykerberos
  Running setup.py clean for pykerberos
Failed to build pykerberos
Installing collected packages: pykerberos
  Running setup.py install for pykerberos ... error
    Complete output from command /usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-p2kyf16m/pykerberos/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-qvrbadjr-record/install-record.txt --single-version-externally-managed --compile:
    running install
    running build
    running build_ext
    building 'kerberos' extension
    creating build
    creating build/temp.linux-x86_64-3.6
    creating build/temp.linux-x86_64-3.6/src
    gcc -pthread -Wno-unused-result -Wsign-compare -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -I/usr/include/python3.6m -c src/kerberos.c -o build/temp.linux-x86_64-3.6/src/kerberos.o -DGSSAPI_EXT
    src/kerberos.c:17:20: fatal error: Python.h: No such file or directory
     #include <Python.h>
                        ^
    compilation terminated.
    error: command 'gcc' failed with exit status 1

    ----------------------------------------
Command "/usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-p2kyf16m/pykerberos/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-qvrbadjr-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-p2kyf16m/pykerberos/

Jordan Borean

unread,
Jan 27, 2020, 3:49:28 PM1/27/20
to Ansible Project
That's telling you it can't compile the pykerberos library, it's trying to find headers that are not present. In this case you need the python3-devel package installed with yum/dnf. These headers are different from the Python 2 headers which is why you can install pykerberos in Python 2 and not 3. There may be other headers that are present but you just need to solve them 1 by 1.

Thanks

Jordan

Aravind Sivaraman

unread,
Jan 28, 2020, 8:47:46 AM1/28/20
to Ansible Project
After installing the python3-devel package, i was able to install the pykerberos successfully. 

Now i am able to win_ping using the kerberos credentials.

Thanks
Reply all
Reply to author
Forward
0 new messages