Connecting to Domain Controller without using a Domain Admin account

1,063 views
Skip to first unread message

Adam Michaels

unread,
Aug 28, 2017, 11:44:41 AM8/28/17
to Ansible Project
Hello,

I've been attempting to write playbooks that need to interact with Active Directory, I see now that a few official playbooks will be released in 2.4 that can manage AD groups and users which is sweet.  My issue is that the only way I can run our current playbooks is by using a Domain Admin account to run them.  To be more secure I don't want my Ansible account to be a DA.  WinRM works fine for DA's from Ansible, however when I use an account that isn't a DA I get this error in response.  

Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc
META: ran handlers
<DChostname> ESTABLISH WINRM CONNECTION FOR USER: nonD...@domain.COM on PORT 5986 TO <DChostname>
creating Kerberos CC at /tmp/tmpb3JbPz
calling kinit for principal nonD...@domain.COM
kinit succeeded for principal nonD...@domain.COM
<DChostname> WINRM CONNECT: transport=kerberos endpoint=https://DChostname:5986/wsman
<DChostname> WINRM CONNECTION ERROR: (u'http', u'Bad HTTP response returned from server. Code 500')
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 214, in _winrm_connect
    self.shell_id = protocol.open_shell(codepage=65001)  # UTF-8
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 191, in send_message
    raise WinRMTransportError('http', error_message)
WinRMTransportError: (u'http', u'Bad HTTP response returned from server. Code 500')

<DChostname> WINRM CONNECT: transport=ssl endpoint=https://DChostname:5986/wsman
<DChostname> WINRM CONNECTION ERROR: the specified credentials were rejected by the server
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 214, in _winrm_connect
    self.shell_id = protocol.open_shell(codepage=65001)  # UTF-8
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 179, in send_message
    raise InvalidCredentialsError("the specified credentials were rejected by the server")
InvalidCredentialsError: the specified credentials were rejected by the server

DChostname | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), ssl: the specified credentials were rejected by the server",
    "unreachable": true
}

The analytic logs on the DC show this event after the nonDAacct gets authenticated via kerberos: 
An error was encountered while processing an operation.
Error Code: 5
Error String:<f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="5" Machine="windows-host"><f:Message>Access is denied. </f:Message></f:WSManFault>


Ansible Inventory is setup like this:
[Windows:vars]
#ansible_user=DAa...@domain.COM
ansible_user=nonD...@domain.COM
ansible_port=5986
ansible_connection=winrm
# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation=ignore
ansible_winrm_kerberos_delegation=true

When I connect to a DC from my desktop using the PowerShell command "enter-pssession <DC name> -credentials <nonDAacct>"  I can access the DC and manipulate AD objects just fine.  It is only using Ansible that I cannot connect properly.

WinRM on the DC's have been configured and can use SSL.  The user in question has been placed into the "Remote Management Users" group in the domain and the permissions on the Root WMI object have been altered to include that group as remote enabled, execute methods, and enable account as per this page: https://www.sevecek.com/Lists/Posts/Post.aspx?ID=280.  That seems to enable the ability for my account to run the previously mentioned connection command.

Does anyone else run commands that need to interact with AD objects as an account that is not a DA?  Any other suggestions for things to try and or change?  If anything isn't clear or I need to add some more detail please let me know and I'll be happy to share.

Thanks

Jordan Borean

unread,
Aug 28, 2017, 5:10:08 PM8/28/17
to Ansible Project
Hey

I haven't tested it when running on a non DA account (my test environments are very basic) but have tested running it on a non DC host with a DA account. I would assume it would be possible to run this on a non DC and non DA account if that is what you wish but believe you would need to satisfy the following requirements

* The Windows feature 'RSAT-AD-PowerShell' is installed on the server
* You are using an account that has permission to edit the AD objects
* You are using a transport that support credential delegation (CredSSP or Kerberos with ansible_winrm_kerberos_delegation=true)
* Account must be Administrator of remote server (not DC) or configured to allow non Administrators to connect

The 1st 3 are easy to achieve but the last I've never really investigated myself so cannot give you an in depth guide but that page you linked seemed to be along the lines of what I remembered was the case. I do know others have gotten it to work and the content on that guide seems a bit old/off but some of these pages might help.

https://github.com/ansible/ansible/issues/16478 - this seems to be promising and looks quite easy to change

I would probably try and test it out with the following scenarios to try and narrow down your options and seeing what works and go from there, each of the options will rule out issues with a particular scenario and the further down means more configuration away from the default

* Run module with domain admin account on DC
* Run module with domain admin account on non DC
* Run module with non domain admin account on DC
* Run module with non domain admin account on non DC

Keep in mind Enter-PSSession uses the Powershell Remoting Protocol while Ansible just uses WSMan/WSMV/insert other name here, so they have different permissions and end points you need to change the SDDL for.

You can test the account by running the following command on one of your Windows hosts

winrs -r:http://192.168.1.1:5986/wsman -u:nonAdmin -p:password ipconfig

This will run with winrs instead of PSRP and if you get this to work with your non admin account it should work with Ansible.

Thanks

Jordan

Adam Michaels

unread,
Aug 29, 2017, 2:41:59 PM8/29/17
to Ansible Project
Jordan,

Thanks for the info and the links.  You were right, I missed assigning the permissions to the WsMan instance.  The links you sent helped me solve the issue.

Ran <winrm configSDDL default> on the DC and added my non-admin user.  Got in the first time after.

Thanks again!
Adam
Reply all
Reply to author
Forward
0 new messages