Hello,
I’ve been attempting to write playbooks that need to interact with Active Directory, I see now that a few official playbooks will be released in 2.4 that can manage AD groups and users which is sweet. My issue is that the only way I can run our current playbooks is by using a Domain Admin account to run them. To be more secure I don’t want my Ansible account to be a DA. WinRM works fine for DA’s from Ansible, however when I use an account that isn’t a DA I get this error in response.
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/init.pyc
META: ran handlers
ESTABLISH WINRM CONNECTION FOR USER: nonDAacct@domain.COM on PORT 5986 TO
creating Kerberos CC at /tmp/tmpb3JbPz
calling kinit for principal nonDAacct@domain.COM
kinit succeeded for principal nonDAacct@domain.COM
WINRM CONNECT: transport=kerberos endpoint=https://DChostname:5986/wsman
WINRM CONNECTION ERROR: (u’http’, u’Bad HTTP response returned from server. Code 500’)
Traceback (most recent call last):
File “/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py”, line 214, in _winrm_connect
self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
File “/usr/lib/python2.7/site-packages/winrm/protocol.py”, line 132, in open_shell
res = self.send_message(xmltodict.unparse(req))
File “/usr/lib/python2.7/site-packages/winrm/protocol.py”, line 207, in send_message
return self.transport.send_message(message)
File “/usr/lib/python2.7/site-packages/winrm/transport.py”, line 191, in send_message
raise WinRMTransportError(‘http’, error_message)
WinRMTransportError: (u’http’, u’Bad HTTP response returned from server. Code 500’)
WINRM CONNECT: transport=ssl endpoint=https://DChostname:5986/wsman
WINRM CONNECTION ERROR: the specified credentials were rejected by the server
Traceback (most recent call last):
File “/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py”, line 214, in _winrm_connect
self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
File “/usr/lib/python2.7/site-packages/winrm/protocol.py”, line 132, in open_shell
res = self.send_message(xmltodict.unparse(req))
File “/usr/lib/python2.7/site-packages/winrm/protocol.py”, line 207, in send_message
return self.transport.send_message(message)
File “/usr/lib/python2.7/site-packages/winrm/transport.py”, line 179, in send_message
raise InvalidCredentialsError(“the specified credentials were rejected by the server”)
InvalidCredentialsError: the specified credentials were rejected by the server
DChostname | UNREACHABLE! => {
“changed”: false,
“msg”: “kerberos: (u’http’, u’Bad HTTP response returned from server. Code 500’), ssl: the specified credentials were rejected by the server”,
“unreachable”: true
}
The analytic logs on the DC show this event after the nonDAacct gets authenticated via kerberos:
An error was encountered while processing an operation.
Error Code: 5
Error String:<f:WSManFault xmlns:f=“http://schemas.microsoft.com/wbem/wsman/1/wsmanfault” Code=“5” Machine=“windows-host”><f:Message>Access is denied. </f:Message></f:WSManFault>
Ansible Inventory is setup like this:
[Windows:vars]
#ansible_user=DAacct@domain.COM
ansible_user=nonDAacct@domain.COM
ansible_port=5986
ansible_connection=winrm
The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation=ignore
ansible_winrm_kerberos_delegation=true
When I connect to a DC from my desktop using the PowerShell command “enter-pssession -credentials ” I can access the DC and manipulate AD objects just fine. It is only using Ansible that I cannot connect properly.
WinRM on the DC’s have been configured and can use SSL. The user in question has been placed into the “Remote Management Users” group in the domain and the permissions on the Root WMI object have been altered to include that group as remote enabled, execute methods, and enable account as per this page: https://www.sevecek.com/Lists/Posts/Post.aspx?ID=280. That seems to enable the ability for my account to run the previously mentioned connection command.
Does anyone else run commands that need to interact with AD objects as an account that is not a DA? Any other suggestions for things to try and or change? If anything isn’t clear or I need to add some more detail please let me know and I’ll be happy to share.
Thanks