Need some help using Kerberos Authentication for Windows Target

Hello,

I’ve configured a Windows 2016 Server using ConfigureRemotingForAnsible.ps1 and am able to do a simple ping test using basic auth.

Command I’m using is:
ansible all -i myinventory -m win_ping

I get a pong back.

When trying to use Kerberos, authentication … different story:
My inventory looks like:
xjaxd11133app.csxt.ad.csx.com ansible_user=networkaccount@CSXT.AD.CSX.COM ansible_password=secret ansible_port=5986 ansible_winrm_transport=kerberos ansible_connection=winrm ansible_winrm_server_cert_validation=ignore

Instead, I’m seeing:

ansible all -i kerbauth -m win_ping
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function does not contain optional arg force_preemptive, check installed version with pip list
% (str(function), name))
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function does not contain optional arg delegate, check installed version with pip list
% (str(function), name))
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function does not contain optional arg send_cbt, check installed version with pip list
% (str(function), name))
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function does not contain optional arg principal, check installed version with pip list
% (str(function), name))
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function does not contain optional arg sanitize_mutual_error_response, check installed version with pip list
% (str(function), name))
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function does not contain optional arg hostname_override, check installed version with pip list
% (str(function), name))
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: MutualAuthenticationError: Unable to authenticate <Response [200]>
xjaxd11133app.csxt.ad.csx.com | FAILED! => {
"msg": "Unexpected failure during module execution.",
"stdout": ""
}

For more verbose:

[j8683@lnx30137 /home/j8683]$ ansible all -i kerbauth -m win_ping -vvvvv
ansible 2.6.2
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/home/j8683/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible
python version = 2.7.5 (default, May 3 2017, 07:55:04) [GCC 4.8.5 20150623 (Red Hat 4.8.5-14)]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
Parsed /home/j8683/kerbauth inventory source with ini plugin
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/minimal.pyc
META: ran handlers
Using module file /usr/lib/python2.7/site-packages/ansible/modules/windows/win_ping.ps1
<xjaxd11133app.csxt.ad.csx.com> ESTABLISH WINRM CONNECTION FOR USER: networkaccount@CSXT.AD.CSX.COM on PORT 5986 TO xjaxd11133app.csxt.ad.csx.com
checking if winrm_host xjaxd11133app.csxt.ad.csx.com is an IPv6 address
creating Kerberos CC at /tmp/tmp8tVXsJ
calling kinit with subprocess for principal networkaccount@CSXT.AD.CSX.COM
kinit succeeded for principal networkaccount@CSXT.AD.CSX.COM
<xjaxd11133app.csxt.ad.csx.com> WINRM CONNECT: transport=kerberos endpoint=https://xjaxd11133app.csxt.ad.csx.com:5986/wsman
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function does not contain optional arg force_preemptive, check installed version with pip list
% (str(function), name))
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function does not contain optional arg delegate, check installed version with pip list
% (str(function), name))
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function does not contain optional arg send_cbt, check installed version with pip list
% (str(function), name))
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function does not contain optional arg principal, check installed version with pip list
% (str(function), name))
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function does not contain optional arg sanitize_mutual_error_response, check installed version with pip list
% (str(function), name))
/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function does not contain optional arg hostname_override, check installed version with pip list
% (str(function), name))
<xjaxd11133app.csxt.ad.csx.com> WINRM OPEN SHELL: 175244FF-08BF-4463-A577-1B800748F4B5
EXEC (via pipeline wrapper)
<xjaxd11133app.csxt.ad.csx.com> WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-']
<xjaxd11133app.csxt.ad.csx.com> WINRM CLOSE SHELL: 175244FF-08BF-4463-A577-1B800748F4B5
The full traceback is:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ansible/executor/task_executor.py", line 138, in run
res = self._execute()
File "/usr/lib/python2.7/site-packages/ansible/executor/task_executor.py", line 576, in _execute
result = self._handler.run(task_vars=variables)
File "/usr/lib/python2.7/site-packages/ansible/plugins/action/normal.py", line 46, in run
result = merge_hash(result, self._execute_module(task_vars=task_vars, wrap_async=wrap_async))
File "/usr/lib/python2.7/site-packages/ansible/plugins/action/__init__.py", line 853, in _execute_module
res = self._low_level_execute_command(cmd, sudoable=sudoable, in_data=in_data)
File "/usr/lib/python2.7/site-packages/ansible/plugins/action/__init__.py", line 960, in _low_level_execute_command
rc, stdout, stderr = self._connection.exec_command(cmd, in_data=in_data, sudoable=sudoable)
File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 524, in exec_command
result = self._winrm_exec(cmd_parts[0], cmd_parts[1:], from_exec=True, stdin_iterator=stdin_iterator)
File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 433, in _winrm_exec
command_id = self.protocol.run_command(self.shell_id, to_bytes(command), map(to_bytes, args), console_mode_stdin=(stdin_iterator is None))
File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 341, in run_command
res = self.send_message(xmltodict.unparse(req))
File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 234, in send_message
resp = self.transport.send_message(message)
File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 256, in send_message
response = self._send_message_request(prepared_request, message)
File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 261, in _send_message_request
response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 582, in send
r = dispatch_hook('response', hooks, r, **kwargs)
File "/usr/lib/python2.7/site-packages/requests/hooks.py", line 41, in dispatch_hook
hook_data = hook(hook_data, **kwargs)
File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 267, in handle_response
r = self.handle_other(response)
File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 212, in handle_other
"{0}".format(response))
MutualAuthenticationError: Unable to authenticate <Response [200]>

xjaxd11133app.csxt.ad.csx.com | FAILED! => {
"msg": "Unexpected failure during module execution.",
"stdout": ""
}

I’ve got the following winrm, requests, and kerberos software installed…

pip list | grep -e winrm -e kerb
kerberos 1.3.0
pykerberos 1.2.1
pywinrm 0.3.0
requests-kerberos 0.12.0

Has anyone seen this?

Thanks,

Radesh

I haven’t seen this error before myself.
This line in your errors makes it look to me like there is something unexpected about the underlying libs on your ansible controller.

/usr/lib/python2.7/site-packages/winrm/transport.py:299: UserWarning: Function does not contain optional arg force_preemptive, check installed version with pip list

Sometimes things get scrambled when there is a mismatch between versions of libraries installed by your operating system package manager and the libraries that python expects.

In such cases sometimes you can fix things by uninstalling and reinstalling everything.

You don’t mention how you installed ansible but if it’s from pip I’d recommend upgrading pip itself to the latest version, then uninstalling and reinstalling ansible.

Hope this helps,

Jon

I think the pykerberos module is missing

Check ansible docs

While pip is showing the packages are installed it seems like they were not installed properly or something is wrong with your Python environment. It is showing various warnings saying various kwargs pywinrm expects from requests-kerberos are not there which shouldn’t be happening if you are on the latest version. The actual error you are getting seems to be a bug, it is getting a 200 response but is expecting the server to reply with a token so the client can authenticate the host and verify it is who it is saying it is.

I would recommend you create a virtualenv and install all the dependencies there to verify you are working with a clean environment. To do this you can run;

```
virtualenv ansible-test
source ansible-test/bin/activate
pip install ansible pywinrm[kerberos]

ansible all -i kerbauth -m win_ping -vvvvv
```

Thanks

Jordan

Not sure of the original installation, but I’ve used yum to keep it updated.

I believe I’ve got version 18 of pip…

This is what I see when I check the version of pip…

pip -V
pip 18.0 from /usr/lib/python2.7/site-packages/pip (python 2.7)

Would you suggest doing a pip install ansible over yum install ansible?

I prefer using pip because system packages are system wide but I come from a developer focused background. Another reason why I’m not a fan of system packages is that they usually lag behind what is available in pip. There are definitely benefits to using system packages but it’s not for me.

When looking at the stacktrace we can see line 212 is in the handle_other function whereas it is in another function on the v0.12.0 release https://github.com/requests/requests-kerberos/blob/v0.12.0/requests_kerberos/kerberos_.py#L212. This tells me that an older (probably really old) version from the system package install is overriding whatever pip may have installed originally. To create a new environment not polluted by the system packages, please create a virtualenv with the following commands;

```
virtualenv ansible-test
source ansible-test/bin/activate
pip install ansible pywinrm[kerberos]

ansible all -i kerbauth -m win_ping -vvvvv
```

If this works then you know you need to look at the packages that are installed.

Thanks

Jordan
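
Added example, not part of the original thread or of pywinrm: a standard-library check for the two symptoms Jordan describes, namely the keyword arguments the warnings report as absent and an older copy of a module shadowing the pip install. The function names `missing_kwargs` and `find_copies` are hypothetical, and the path scan assumes plain `.py` modules and packages (no eggs, zip imports or compiled-only modules).

```python
"""Show which copy of a library Python imports and whether it is too old."""
import inspect
import os
import sys

# Keyword names copied from the UserWarning lines quoted in the thread.
EXPECTED_KWARGS = ("force_preemptive", "delegate", "send_cbt", "principal",
                   "sanitize_mutual_error_response", "hostname_override")


def missing_kwargs(func, expected=EXPECTED_KWARGS):
    """Return the names in `expected` that `func` cannot accept as keywords."""
    getspec = getattr(inspect, "getfullargspec", None) or inspect.getargspec
    spec = getspec(func)
    if spec[2] is not None:  # a **kwargs catch-all accepts any keyword
        return []
    accepted = set(spec[0]) | set(getattr(spec, "kwonlyargs", None) or [])
    return [name for name in expected if name not in accepted]


def find_copies(module_name, search_path=None):
    """List every directory on the import path that holds `module_name`.

    The first entry is the copy a plain `import` picks up; more than one
    entry means the later copies (for example a newer pip install) are
    shadowed by the first.
    """
    hits = []
    for entry in (sys.path if search_path is None else search_path):
        root = os.path.abspath(entry or os.curdir)
        base = os.path.join(root, module_name)
        found = os.path.isfile(base + ".py") or os.path.isfile(os.path.join(base, "__init__.py"))
        if found and root not in hits:
            hits.append(root)
    return hits


if __name__ == "__main__":
    for name in ("winrm", "requests_kerberos"):
        print("%s copies, in import order: %s" % (name, find_copies(name) or "none"))
    try:
        import requests_kerberos
    except ImportError:
        print("requests_kerberos is not importable from this interpreter")
    else:
        print("loaded from: %s" % requests_kerberos.__file__)
        print("missing kwargs: %s" % missing_kwargs(requests_kerberos.HTTPKerberosAuth.__init__))
```

Run it with the same interpreter that runs `ansible`; a non-empty "missing kwargs" list, or more than one directory listed for a module, points at the mismatch between system packages and pip that the replies suspect.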