Connecting to Domain Controller without using a Domain Admin account

Hello,

I've been attempting to write playbooks that need to interact with Active Directory, and I see now that a few official playbooks will be released in 2.4 that can manage AD groups and users, which is sweet. My issue is that the only way I can run our current playbooks is by using a Domain Admin account to run them. To be more secure I don't want my Ansible account to be a DA. WinRM works fine for DAs from Ansible; however, when I use an account that isn't a DA I get this error in response.

Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc
META: ran handlers
ESTABLISH WINRM CONNECTION FOR USER: nonDAacct@domain.COM on PORT 5986 TO
creating Kerberos CC at /tmp/tmpb3JbPz
calling kinit for principal nonDAacct@domain.COM
kinit succeeded for principal nonDAacct@domain.COM
WINRM CONNECT: transport=kerberos endpoint=https://DChostname:5986/wsman
WINRM CONNECTION ERROR: (u'http', u'Bad HTTP response returned from server. Code 500')
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 214, in _winrm_connect
self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
res = self.send_message(xmltodict.unparse(req))
File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
return self.transport.send_message(message)
File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 191, in send_message
raise WinRMTransportError('http', error_message)
WinRMTransportError: (u'http', u'Bad HTTP response returned from server. Code 500')

WINRM CONNECT: transport=ssl endpoint=https://DChostname:5986/wsman
WINRM CONNECTION ERROR: the specified credentials were rejected by the server
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 214, in _winrm_connect
self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
res = self.send_message(xmltodict.unparse(req))
File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
return self.transport.send_message(message)
File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 179, in send_message
raise InvalidCredentialsError("the specified credentials were rejected by the server")
InvalidCredentialsError: the specified credentials were rejected by the server

DChostname | UNREACHABLE! => {
"changed": false,
"msg": "kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), ssl: the specified credentials were rejected by the server",
"unreachable": true
}

The analytic logs on the DC show this event after the nonDAacct gets authenticated via Kerberos:

An error was encountered while processing an operation.
Error Code: 5
Error String: <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="5" Machine="windows-host"><f:Message>Access is denied. </f:Message></f:WSManFault>

The Ansible inventory is set up like this:

[Windows:vars]
#ansible_user=DAacct@domain.COM
ansible_user=nonDAacct@domain.COM
ansible_port=5986
ansible_connection=winrm
# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation=ignore
ansible_winrm_kerberos_delegation=true

When I connect to a DC from my desktop using the PowerShell command "enter-pssession -credentials " I can access the DC and manipulate AD objects just fine. It is only when using Ansible that I cannot connect properly.

WinRM on the DCs has been configured and can use SSL. The user in question has been placed into the "Remote Management Users" group in the domain, and the permissions on the Root WMI object have been altered to include that group as Remote Enable, Execute Methods and Enable Account, as per this page: https://www.sevecek.com/Lists/Posts/Post.aspx?ID=280. That seems to enable the ability for my account to run the previously mentioned connection command.

Does anyone else run commands that need to interact with AD objects as an account that is not a DA? Any other suggestions for things to try and/or change? If anything isn't clear or I need to add some more detail, please let me know and I'll be happy to share.

Thanks

Hey

I haven't tested it when running with a non-DA account (my test environments are very basic), but I have tested running it on a non-DC host with a DA account. I would assume it would be possible to run this on a non-DC with a non-DA account if that is what you wish, but I believe you would need to satisfy the following requirements:

  • The Windows feature 'RSAT-AD-PowerShell' is installed on the server
  • You are using an account that has permission to edit the AD objects
  • You are using a transport that supports credential delegation (CredSSP, or Kerberos with ansible_winrm_kerberos_delegation=true)
  • The account must be an Administrator of the remote server (not a DC), or the server must be configured to allow non-Administrators to connect

The first three are easy to achieve, but the last I've never really investigated myself, so I cannot give you an in-depth guide; the page you linked seemed to be along the lines of what I remembered was the case. I do know others have gotten it to work, and the content on that guide seems a bit old/off, but some of these pages might help.

https://serverfault.com/questions/590515/how-to-allow-access-to-winrs-for-non-admin-user

https://github.com/ansible/ansible/issues/16478 - this seems to be promising and looks quite easy to change

I would probably try and test it out with the following scenarios to narrow down your options, see what works and go from there. Each of the options will rule out issues with a particular scenario, and the further down the list you go, the more configuration away from the default is involved:

  • Run module with domain admin account on DC
  • Run module with domain admin account on non DC
  • Run module with non domain admin account on DC
  • Run module with non domain admin account on non DC

Keep in mind that Enter-PSSession uses the PowerShell Remoting Protocol while Ansible just uses WSMan/WSMV/insert other name here, so they have different permissions and endpoints you need to change the SDDL for.

You can test the account by running the following command on one of your Windows hosts

winrs -r:https://192.168.1.1:5986/wsman -u:nonAdmin -p:password ipconfig

This will run with winrs instead of PSRP, and if you get this to work with your non-admin account it should work with Ansible.

Thanks

Jordan
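
An added example (not from either poster, and not an Ansible or Microsoft script): the WSMan-side step Jordan points at, done non-interactively so it can be repeated on every DC, for the setup in Adam's post. It appends a read+execute ACE for a group to the WinRM service RootSDDL, which is the endpoint Ansible and winrs use, as opposed to the Microsoft.PowerShell session configuration that Enter-PSSession uses. The group name, the dry-run switch, the choice of GENERIC_READ|GENERIC_EXECUTE rather than full control, and the host name in the verification comment are this example's assumptions; it does not touch the WMI namespace ACLs that the linked sevecek.com page covers.

```powershell
<#
Added example (not from the thread): grant a non-admin group read+execute on the
WinRM root endpoint, the scripted equivalent of ticking "Read" and "Execute" for the
group in the interactive "winrm configSDDL default" dialog.
Run in an elevated PowerShell on the target host (the DC in the original post).
Assumption: the group name resolves on this host; "Remote Management Users" is the
group the original poster put the account in.
#>
param(
    [string]$GroupName = 'Remote Management Users',   # assumption: your non-admin group
    [switch]$DryRun                                   # show the new SDDL, do not apply it
)

$ErrorActionPreference = 'Stop'

# Resolve the group to a SID (works for BUILTIN\ and DOMAIN\ groups alike).
$account = New-Object System.Security.Principal.NTAccount($GroupName)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

# RootSDDL governs the WSMan/WSMV endpoint that Ansible and winrs talk to. It is a
# separate ACL from the PSRP session configuration, which is why Enter-PSSession can
# work for an account while Ansible still gets WSManFault Code=5 "Access is denied".
$rootPath    = 'WSMan:\localhost\Service\RootSDDL'
$currentSddl = (Get-Item -Path $rootPath).Value
Write-Host "Current RootSDDL: $currentSddl"

$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($currentSddl)

# Re-running must be harmless: skip if the group already has an allow ACE.
$existing = @($sd.DiscretionaryAcl | Where-Object {
    $_ -is [System.Security.AccessControl.CommonAce] -and
    $_.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
    $_.SecurityIdentifier -eq $sid
})
if ($existing.Count -gt 0) {
    Write-Host "$GroupName ($sid) already has an allow ACE in RootSDDL; nothing to do."
    return
}

# GENERIC_READ (0x80000000) | GENERIC_EXECUTE (0x20000000), written 'GXGR' in SDDL.
# That is enough to open a shell; deliberately not GENERIC_ALL, which would also let
# the group reconfigure the WinRM service. Convert.ToInt32 is used because the
# literal 0xA0000000 does not fit a signed Int32 and the ACE constructor takes one.
$accessMask = [Convert]::ToInt32('A0000000', 16)

$aceArgs = @(
    [System.Security.AccessControl.AceFlags]::None,
    [System.Security.AccessControl.AceQualifier]::AccessAllowed,
    $accessMask, $sid, $false, $null)
$ace = New-Object -TypeName System.Security.AccessControl.CommonAce -ArgumentList $aceArgs
$sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)

$newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
Write-Host "New RootSDDL:     $newSddl"

if ($DryRun) { return }

Set-Item -Path $rootPath -Value $newSddl
# Restarting drops existing WinRM sessions; do it in a maintenance window on a DC.
Restart-Service -Name WinRM

# Verify from the control host over plain WSMan (not PSRP), matching Adam's HTTPS/5986
# listener; host name and account are placeholders:
#   winrs -r:https://dc01.domain.com:5986/wsman -u:DOMAIN\nonDAacct -p:<password> ipconfig
```

Run it once with -DryRun and compare the printed SDDL strings before applying; the only difference should be one extra (A;;GXGR;;;<SID>) entry at the end of the D: section. If the winrs check still fails with "Access is denied" after this, the remaining gap is usually the WMI namespace permissions or the PSRP configuration, not RootSDDL.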

Jordan,

Thanks for the info and the links. You were right, I missed assigning the permissions to the WsMan instance. The links you sent helped me solve the issue.

Ran on the DC and added my non-admin user. Got in the first time after.

Thanks again!
Adam