Help test WinRM updates for NTLM, kerb delegation

Matt_Davis · May 9, 2016, 10:33pm

A new pywinrm release that supports NTLM, kerberos delegation, and much improved performance is just around the corner! Version 0.2.0 is at release candidate, and a test build has been published to testpypi. Just waiting for any final testing/review from Alexey before the final publish of the release build to PyPI.

Feel like giving it a whirl?

pip install pywinrm[kerberos]==0.2rc3 -i https://testpypi.python.org/pypi --extra-index-url https://pypi.python.org/pypi

will get you the RC3 test build from testpypi (along with the released dependencies from the real pypi), and the optional kerberos dependencies. If you don’t want kerberos, just get rid of the [kerberos] extras part in the pkgspec above.

This pywinrm build has been tested with Ansible 1.9.5, 2.0.2 and 2.1RC1.

Once you have it installed, ansible_winrm_transport=ntlm in your inventory for Windows hosts (sorry, this one only works for Ansible 2.0+) lets you use domain users with both domain\username and username@domain.com syntax. When using ansible_winrm_transport=kerberos, kerberos delegation support can be enabled just by adding ansible_winrm_kerberos_delegation=yes.

We’ve added a few new niceties around arg parsing in Ansible 2.1, like warnings if you pass inventory args that your installed version of pywinrm doesn’t understand (and not requiring things like username when not required) but otherwise, most of the goodies in here should work on older versions of Ansible too.

This release of pywinrm has switched the HTTP(S) client from urllib2 to requests, allowing us to take advantage of persistent connections, which give another significant performance boost to Windows on Ansible (especially over HTTPS, as we don’t have to repeat the TLS handshake for each WinRM request). In my testing, local VMs experienced about a 20% speed boost on small tasks, while remote VMs (eg, AWS instances) got more like a 50% speed boost to small tasks (due to the higher latency cost during connection setup). File transfer performance (eg, win_copy) should also be noticeably improved again with this release, though I haven’t benchmarked it.

Feel free to file issues at https://github.com/diyan/pywinrm/issues.

Enjoy!

Matt Davis

Principal Software Engineer (Ansible Core Windows)

Red Hat

j.r.hawkesworth · May 11, 2016, 5:30pm

I have given this a quick sanity check and I haven’t seen any problems yet, although haven’t yet had chance to test new features so far…

I don’t use pip much - do you happen to know if there is an easy way to back out to existing pywinrm (not tried, but would put it onto shared server and exercise it a bit more if I knew I could back it out easily).

Many thanks,

Jon

Matt_Davis · May 12, 2016, 5:13pm

Yeah, just do pip install pywinrm==0.1.1 (without all the other args to point at the test server)- it’ll automatically uninstall and downgrade you to the currently released version.

Mike_Fennemore · May 18, 2016, 12:44pm

Looks pretty good so far, tried a few playbooks and the ntlm auth. So far no issues. Any idea when the stable release is likely to be?

Matt_Davis · May 18, 2016, 10:29pm

Awesome, thanks for poking at it!

Waiting for another requests-kerberos release to include a bugfix I made for long-running kerberos ops (should happen today or tomorrow), and Alexey’s final code review on some Unicode issues I’ve been cleaning up. I’d expect sometime in the next week or so.

j.r.hawkesworth · May 23, 2016, 3:50pm

Looks like there is a new version available (0.2rc4) in test pypi (which depends on updated requests-kerberos)

I had to do the following to get it to install

pip install requests-kerberos --upgrade
pip install pywinrm[kerberos]==0.2rc4 -i https://testpypi.python.org/pypi --extra-index-url https://pypi.python.org/pypi

Enjoying the speed boost, looking forward to pushing this out past my test box.

Jon

Trond_Hindenes · May 24, 2016, 12:53am

Thanks for the updated instructions Jon,

Matt: great work! It feels way faster (esp against cloud servers)

Matt_Davis · May 25, 2016, 4:59pm

Thanks- looking forward to it getting published to PyPI for real…

Due to something strange on pypi or pip, the new version of requests-kerberos needed by rc4 only gets picked up automatically by changing the install command to the following (using the /simple endpoints instead of /pypi):

pip install pywinrm[kerberos]==0.2rc4 -i [https://testpypi.python.org/](https://testpypi.python.org/pypi)simple --extra-index-url [https://pypi.python.org/s](https://pypi.python.org/pypi)imple

They tell me this shouldn’t be an issue once we release to real PyPI, but I don’t have the ability to do it without making my own version of it.

Kenny_Evitt · June 7, 2016, 2:50pm

Thanks a lot Matt!

NTLM is working great for me.

Right now I’m working on automating a Windows Active Directory domain consolidation so I’m going to hold off on testing Kerberos for now. But I’ll try to remember to follow-up later if that changes and confirm whether the new versions are working for me.

Willem_Bos · June 8, 2016, 6:42am

Just tried pywinrm 0.2rc6. Both ansible_winrm_transport=ntlm and ansible_winrm_transport=kerberos work fine. Thanks!

Running on RHEL7 with Ansible 2.0.2.

Mike_Fennemore · June 23, 2016, 8:10am

Hi Matt,

Am I right in saying 0.2.0 is now released?

j.r.hawkesworth · June 23, 2016, 1:48pm

Not to steal Matt’s fire but I can confirm 0.2.0 is released.

I have been running some tests against 2.1.1 rc1 this week and I can run all the windows integration tests in just over 15 mins on my test box (against Server 2012 R2).
I installed pywinrm 0.2.0 and the same test runs in just over 10 minutes.

So well worth testing out now.

Jon

Trond_Hindenes · July 1, 2016, 9:05am

So we can get these bits simply by doing pip install pywinrm==0.2.0 now?

j.r.hawkesworth · July 1, 2016, 1:39pm

Might want to make it

pip install pywinrm[kerberos]==0.2.0

If you want to use kerberos (Active Directory) logins but otherwise yes.

Well worth it, been running in dev and testing for a week or so now and enjoying the faster run times against windows host, and I haven’t spotted any issues.

Jon

Trond_Hindenes · July 1, 2016, 8:17pm

Thanks!
My customer is not using kerb yet, so I just installed the “regular” 0.2.0 and it seems to be working great! Hope I’m not missing out on any speedy goodness by doing it that way.

Matt_Davis · July 1, 2016, 9:38pm

Nope, the kerberos extras just installs the right version of requests-kerberos (and prevents you from having to build the pykerberos bits if you don’t need them).

Charles_Meo · December 9, 2016, 5:12am

Hi Matt,

Poking this topic after a long gap–I’m just watching your webcast on ansible.com. Did the transport=ntlm stuff get integrated yet? I’ve just installed 2.3.0 (devel 1da20c9716) and it still doesn’t seem to be there.

Regards,

Charles

Charles_Meo · December 9, 2016, 5:43am

Ah, another d’oh! moment.
Got the python component via

pip install "pywinrm>=0.1.1"

Is that all that's needed? And is there any documentation--other than your webcast??

cm

Topic		Views
NTLM Delegation Ansible Project	5	July 21, 2016
Windows folks: help test the new pywinrm beta! Ansible Project windows	1	December 9, 2017
Enable Kerberos Authentication for WinRM and Powershell exection on Windows Hosts Ansible Project windows	6	July 31, 2014
Ansible connecting to Windows host using pywinrm module over HTTP Ansible Project windows	3	June 19, 2020
winrm.py tries SSL handshake on WinRM HTTP port Ansible Project windows	1	May 1, 2015

Help test WinRM updates for NTLM, kerb delegation

Related topics