Ansible to Windows using Kerberos not working


Question

I am attempting to use Ansible 1.9.0.1 to configure Windows servers using a domain user name. I have successfully set up the Linux Ansible control box and have been able to use basic auth to run ansible/ansible-playbook plays. However, running with a domain user fails. Kerberos is enabled on the Windows nodes:

winrm get winrm/config/client/auth
Auth
    Basic = true
    Digest = true
    Kerberos = true
    Negotiate = true
    Certificate = true
    CredSSP = true

The playbook I am trying to run just references the win_ping module of ansible and the following is the output:

PLAY [Manage SMI] *************************************************************

TASK: [Ping] ******************************************************************
<host1> ESTABLISH WINRM CONNECTION FOR USER:  on PORT 5985 TO host1
<host1> ESTABLISH WINRM CONNECTION FOR USER:  on PORT 5985 TO host2
<host1> REMOTE_MODULE win_ping
<host1> EXEC (New-Item -Type Directory -Path $env:temp -Name "ansible-tmp-1429639247.03-231225138744234").FullName | Write-Host -Separator '';
<host2> REMOTE_MODULE win_ping
<host2> EXEC (New-Item -Type Directory -Path $env:temp -Name "ansible-tmp-1429639247.03-8060403929807").FullName | Write-Host -Separator '';

FATAL: all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
           to retry, use: --limit @/home/deck/test.retry

host1            : ok=0    changed=0    unreachable=1    failed=0
host2            : ok=0    changed=0    unreachable=1    failed=0

Per the System eventlog the user is being authenticated correctly so it looks like the file transfer to the tmp directory is failing.

Any help is greatly appreciated.
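As an added example (not from the question, and not pywinrm or Ansible code), a small Python parser for the `winrm get winrm/config/client/auth` output quoted above, plus a check that reports which client auth mechanisms are enabled and flags Basic auth when the connection goes to the plain-HTTP listener on port 5985 that the playbook used. The sample text is constructed from the question's output.

```python
import re

# Constructed sample: the client auth settings from the question, laid out the
# way winrm.cmd prints them (section name, then one "Name = value" per line).
SAMPLE_AUTH_OUTPUT = """\
Auth
    Basic = true
    Digest = true
    Kerberos = true
    Negotiate = true
    Certificate = true
    CredSSP = true
"""


def parse_winrm_config(text):
    """Parse indented `Name = value` output of `winrm get ...` into
    {section: {setting: lower-cased value}}."""
    config = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if m and section is not None:
            config[section][m.group(1)] = m.group(2).strip().lower()
        elif re.match(r"^\w+$", line):
            section = line
            config[section] = {}
    return config


def enabled_mechanisms(auth):
    """Names of the mechanisms whose value is 'true', sorted for stable output."""
    return sorted(name for name, val in auth.items() if val == "true")


def review_client_auth(config, port=5985):
    """Return (enabled, findings) for the Auth section.
    5985 is the plain-HTTP WinRM listener seen in the question's log; 5986 is HTTPS."""
    enabled = enabled_mechanisms(config.get("Auth", {}))
    findings = []
    if "Kerberos" not in enabled and "Negotiate" not in enabled:
        findings.append("no ticket-based mechanism (Kerberos/Negotiate) enabled")
    if port == 5985 and "Basic" in enabled:
        # Basic sends the password itself; on the HTTP listener it is only
        # protected if the server refuses unencrypted traffic or HTTPS is used.
        findings.append("Basic auth enabled while connecting to the HTTP listener (5985)")
    return enabled, findings
```

Running `review_client_auth(parse_winrm_config(SAMPLE_AUTH_OUTPUT))` lists all six mechanisms as enabled and raises the Basic-over-HTTP finding, which is the fallback the question was using while Kerberos was broken.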

Recommended answer

A co-worker found a workaround for this issue. It appears there is an issue in pywinrm when using Kerberos that causes the module to die when attempting to call KerberosTicket inside Transport.py. If you patch transport.py with the following:

import kerberos  # pykerberos GSSAPI bindings used by pywinrm


class KerberosTicket:
    """
    Implementation based on http://ncoghlan_devs-python-notes.readthedocs.org/en/latest/python_kerberos.html
    """
    def __init__(self, service):
        # added line below
        self.test = 1
        # service is the target service principal handed in by the caller
        ignored_code, krb_context = kerberos.authGSSClientInit(service)
        kerberos.authGSSClientStep(krb_context, '')
        # TODO authGSSClientStep may raise the following error:
        # GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968),
        #  ("Credentials cache file '/tmp/krb5cc_1000' not found", -1765328189))
        self._krb_context = krb_context
        # Base64 GSS token for the first request's Authorization header
        gss_response = kerberos.authGSSClientResponse(krb_context)
        self.auth_header = 'Negotiate {0}'.format(gss_response)

We are not 100% sure why this works but for now it is our workaround.
