Instructions to use Kerberos ? #21

Closed
xifanyan opened this issue Jul 23, 2014 · 16 comments

Comments

@xifanyan

Can anybody provide an example of how to get Kerberos working for pywinrm? I am trying to use this with Ansible 1.7 to manage Windows servers remotely and have spent half a day on this topic online but could not find anything.

@vipulob

vipulob commented Jul 28, 2014

Note: I am using Ubuntu

Step 1: Generate a Kerberos ticket using the command line.
http://www.itadmintools.com/2011/07/creating-kerberos-keytab-files.html

Step 2: pywinrm code
from winrm.protocol import Protocol
winrm_url = 'http://windows_machine:5985/wsman'
win_connect = Protocol(endpoint=winrm_url, transport='kerberos')
cmd = 'ipconfig /all'  # the command line to run on the Windows host (any cmd.exe command works)

Create a shell

shell_id = win_connect.open_shell()

Run a command in the shell

command_id = win_connect.run_command(shell_id, cmd)

Get the output of the command

output, error_value, exit_status = win_connect.get_command_output(shell_id, command_id)

win_connect.cleanup_command(shell_id, command_id)

win_connect.close_shell(shell_id)

@dejanlevaja

Hi.
Using the above code I get:
....
....
File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 153, in init
kerberos.authGSSClientStep(krb_context, '')
kerberos.GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))

I have a krb ticket and it works. I use it for smb:// access to a domain controller (Windows 2k8 R2).
Also, I would like to use a keytab file. Is that possible?

Thanks!

@dejanlevaja

OK, my bad. I have solved the problem by adding http:// in front of endpoint.
But now I get:
winrm.exceptions.WinRMTransportError: 500 WinRMTransport. Kerberos-based authentication was failed. Code 401

Any idea?
Thanks.

@vipulob

vipulob commented Oct 14, 2014

Try putting the IP and hostname of your Windows host in the /etc/hosts file, then try again.

@dejanlevaja

Thanks Vipul,
I am using DNS on the Windows DC for name resolution. I have tried the hosts file entry approach, but it still doesn't work.
Here is the code:

import sys
from winrm.protocol import Protocol

HYPERV_SERVER = 'http://ad.lab.local:5985/wsman'

class RM:
    def __init__(self):
        self.win_connect = Protocol(endpoint=HYPERV_SERVER, transport='kerberos')

    def test(self):
        shell_id = self.win_connect.open_shell()
        cmd = "ver"
        command_id = self.win_connect.run_command(shell_id, cmd)
        output, error_value, exit_status = self.win_connect.get_command_output(shell_id, command_id)
        self.win_connect.cleanup_command(shell_id, command_id)
        self.win_connect.close_shell(shell_id)


def main():
    rm = RM()
    rm.test()


if __name__ == '__main__':
    main()
    sys.exit()

Thanks!

@dejanlevaja

Update:
Error: "Kerberos-based authentication was failed. Code 401" is a bit misleading/wrong.
The WinRM Operational log in Windows Event Viewer shows that I was successfully authenticated using Kerberos. But the next step actually failed: authorization.
I solved that by applying permissions to my winrm user using PowerShell:
Set-PSSessionConfiguration Microsoft.Powershell -ShowSecurityDescriptorUI
WinRM AllowUnencrypted must be set to "True" or we will get an error again:
winrm set winrm/config/service @{AllowUnencrypted="true"}

Now I get:
Kerberos-based authentication was failed. Code 500
Again, it has nothing to do with Kerberos, since Windows says that we're OK, but it is code 500.
Still investigating...

@vipulob

vipulob commented Oct 15, 2014

Hmmm ... the code looks good, but I don't know why it's not working.
Just check once whether the firewall is blocking your request.

Thanks
Vipul


@dejanlevaja

Solved with: winrm configSDDL default
Thanks Vipul!

@dgoade

dgoade commented Feb 4, 2015

I have the same problem, I think. On which host did you run "winrm configSDDL default", the AD/DC or the remote host? And then, what settings did you change when the "Permissions for Default" dialog popped up?

@dejanlevaja

@dgoade I ran the command on the target (remote) host. Unfortunately, I do not remember which permissions I chose. I guess read & execute, but I am not sure.
HTH,
Dejan

@dgoade

dgoade commented Feb 6, 2015

My problem turned out to be a SID conflict. It was apparent after observing on the remote host (not the AD/DC) that the domain admins group was not included in the local admins group, which is something that should be done automatically by Windows after adding a computer to the domain --- and SHOULD be reported as an error by Windows if it fails, but wasn't. Anyway, the fix was to run sysprep on the remote host and re-add it to the domain. Then domain auth started working.

@oenpelli

Had the same problem doing a local logon and got the 401 authorized error. The fix was, as above, to set AllowUnencrypted to true, but you also need to add single quotes around it or the command is invalid:
winrm set winrm/config/service '@{AllowUnencrypted="true"}'

@mateusz-blaszkowski

Hi,

I'm also struggling with 401 authentication error. I've got Windows Server 2012 R2 and Ubuntu 14.04 machine. I'm trying to authenticate as test user (who belongs to Domain Admins group). This is the code that fails:

from winrm.protocol import Protocol
winrm_url = 'http://10.91.96.60:5985/wsman'
win_connect = Protocol(endpoint=winrm_url,transport='kerberos')
shell_id = win_connect.open_shell()

and the output:

Traceback (most recent call last):
  File "kerberos_test.py", line 12, in <module>
    shell_id = win_connect.open_shell()
  File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 121, in open_shell
    rs = self.send_message(xmltodict.unparse(rq))
  File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 193, in send_message
    return self.transport.send_message(message)
  File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 301, in send_message
    raise WinRMTransportError('kerberos', error_message)
winrm.exceptions.WinRMTransportError: 500 WinRMTransport. Kerberos-based authentication was failed. Code 401

I've already:

  1. Synchronized the time between Linux and Windows machine.
  2. Verified that my forward and reverse DNS lookups are working fine. nslookup <ip_address_of_windows_machine> returns the correct FQDN.
  3. Enabled AllowUnencrypted option (although I've also tried with HTTPS and 5986 port).
  4. Logged in as test user using kinit (which I believe proves that my krb5.conf file is correct):
kinit test@MYDOMAIN.LOCAL
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@MYDOMAIN.LOCAL

Valid starting       Expires              Service principal
03/04/2016 00:01:58  03/04/2016 10:01:58  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
        renew until 03/05/2016 00:01:58

Now I'm running out of ideas. Any help would be much appreciated!

@SoftwareDaddy

Do you have a Kerberos ticket for the target server? If you don't, that could be the reason why you are getting the 401. What happens when you use host name instead of IP?
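Several of the failures in this thread come down to the name pywinrm hands to GSSAPI: dejanlevaja's "Server not found in Kerberos database" went away once the endpoint had a scheme, and mateusz-blaszkowski's endpoint uses an IP literal, which is exactly what the reply above asks about. The following is an added example, not code from pywinrm or from anyone in this thread. It assumes, as pywinrm's Kerberos transport did at the time, that the GSSAPI target name is built as HTTP@<host part of the endpoint>, so the SPN that must exist in AD is HTTP/<host>. DNS is replaced by a constructed in-memory table so the check runs offline; swap in socket.gethostbyname / socket.gethostbyaddr to run it for real.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed, in-memory stand-in for DNS so the check runs offline.
# Forward entries map a name to its address; reverse entries map the
# address back to a name (what a PTR record would return).
FAKE_DNS = {
    "ad.lab.local": "10.91.96.60",
    "10.91.96.60": "ad.lab.local",
    "hv01.lab.local": "10.91.96.61",
    "10.91.96.61": "hv01-old.lab.local",   # stale PTR: reverse name disagrees
}


def fake_resolve(name):
    """Look a name or address up in the constructed table (None = NXDOMAIN)."""
    return FAKE_DNS.get(name.lower())


def check_winrm_kerberos_endpoint(endpoint, resolve=fake_resolve):
    """Sanity-check a pywinrm endpoint URL before a Kerberos attempt.

    Assumption: the transport asks GSSAPI for HTTP@<host>, so the SPN
    that must be registered in AD is HTTP/<host>.  Returns a dict with
    'ok', the expected 'spn' (None when it cannot be derived) and a list
    of 'findings' describing what would make the KDC or the server
    reject the request.
    """
    findings = []
    parsed = urlparse(endpoint)

    # 1. Without a scheme ("host:5985/wsman") urlparse yields no hostname,
    #    so the transport has nothing sensible to build the service name
    #    from: the KDC answers "Server not found in Kerberos database".
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        findings.append("endpoint needs a scheme, e.g. http://host:5985/wsman")
        return {"ok": False, "spn": None, "findings": findings}

    host = parsed.hostname
    default_port = 5985 if parsed.scheme == "http" else 5986
    port = parsed.port or default_port
    if port != default_port:
        findings.append(f"port {port} is not the usual WinRM port for {parsed.scheme} ({default_port})")

    # 2. An IP literal would give HTTP/10.91.96.60, an SPN no computer
    #    account has; Kerberos needs the name the SPN was registered under.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        findings.append(f"{host} is an IP address; use the FQDN so HTTP/<fqdn> matches a registered SPN")
        return {"ok": False, "spn": None, "findings": findings}

    spn = f"HTTP/{host}"

    # 3. Forward and reverse lookups should agree.  With rdns enabled (the
    #    libkrb5 default) GSSAPI may canonicalise the host through the PTR
    #    record and request a ticket for that name instead.
    addr = resolve(host)
    if addr is None:
        findings.append(f"{host} does not resolve")
    else:
        reverse = resolve(addr)
        if reverse is None:
            findings.append(f"no reverse record for {addr}")
        elif reverse.lower() != host.lower():
            findings.append(f"reverse lookup of {addr} gives {reverse}, not {host}; the KDC may be asked for HTTP/{reverse}")

    return {"ok": not findings, "spn": spn, "findings": findings}


if __name__ == "__main__":
    for url in ("http://ad.lab.local:5985/wsman",
                "ad.lab.local:5985/wsman",
                "http://10.91.96.60:5985/wsman",
                "http://hv01.lab.local:5985/wsman"):
        print(url, check_winrm_kerberos_endpoint(url))
```

The reported SPN is the thing to compare against the Windows side: `setspn -L <computername>` on the target lists the SPNs its computer account actually holds, and after a connection attempt `klist` on the Linux client should show a HTTP/<host>@REALM service ticket if the KDC issued one. If that ticket is present and WinRM still answers 401, the problem is authorization on the server, as dejanlevaja found in the Operational log, not Kerberos.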

@sangrealest

Thank you vipulob. After I added the IP and hostname to the hosts file, Ansible works!

@jborean93
Collaborator

Initial issue was solved, if you still have problems please open a new issue.
