Using Ansible on Windows with domain user


Problem description


I'm starting to learn Ansible but the documentation is not too helpful.

I have installed the control machine on RHEL and created the necessary hosts file and windows.yml.

But when trying to connect to the remote Windows server to get a pong back I get the following error:

[root@myd666 ansible_test]# ansible windows -i hosts -m win_ping
hostname | UNREACHABLE! => {
    "changed": false,
    "msg": "ssl: the specified credentials were rejected by the server",
    "unreachable": true
}

After Installing python-kerberos dependencies,

I now get this Error:

hostname | UNREACHABLE! => {
    "changed": false,
    "msg": "Kerberos auth failure: kinit: KDC reply did not match expectations while getting initial credentials",
    "unreachable": true
}

My windows.yml file contains:

# it is suggested that these be encrypted with ansible-vault:
# ansible-vault edit group_vars/windows.yml
ansible_ssh_user: user@MYDOMAIN.NET
ansible_ssh_pass: password
ansible_ssh_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore

Am I doing anything wrong with the syntax of Domain\user? Maybe I forgot to install something on the Windows machine? I only ran the ConfigureRemotingForAnsible.ps1 script, and Python is not installed there.

This is my krb5.conf file:

[libdefaults]
default_realm = MYDOMAIN.NET
#dns_lookup_realm = true
#dns_lookup_kdc = true

[realms]
MYDOMAIN.NET = {
kdc = dc1.mydomain.net
default_domain = hpeswlab.net
}

[domain_realm]
.mydomain.net = MYDOMAIN.NET
 mydomain.net = MYDOMAIN.NET

And I do get a token using Kinit:

kinit -C user@MYDOMAIN.NET

klist

Klist output:

Valid starting       Expires              Service principal
01/31/2017 11:25:33  01/31/2017 21:25:33  krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
        renew until 02/01/2017 11:25:29

Solution

In windows.yml, please double-check and ensure that the ansible_ssh_user: user@MYDOMAIN.NET line does indeed have the realm MYDOMAIN.NET in upper case. Somewhere, the realm request to the KDC is being sent in lower case instead of upper case causing the 'KDC reply did not match expectations..' error.

In krb5.conf, case-sensitivity is also important. First I'll note that since the KDC name is the name of an IP host, it needs to be specified as a fully-qualified host name, like in the example shown below. It assumes your KDC is named "dc1.mydomain.net". Next, the domain name should only be in lower case. On the other hand, Kerberos realm names need to be in upper case - if the realm name is incorrectly specified in lower case in this file, that is another reason you may get this error message. Please modify your entire krb5.conf to look like that shown below (changing only "dc1" to the actual name) and it should work. Side note: you do not necessarily need the two dns_lookup_ lines in your krb5.conf, so please comment them out per the below. Those are fallback mechanisms only as per the MIT Kerberos documentation and may actually cause issues in your simple use case. After modifying either configuration file, make sure to restart the Ansible engine before testing again.

[libdefaults]
default_realm = MYDOMAIN.NET
#dns_lookup_realm = true
#dns_lookup_kdc = true

[realms]
MYDOMAIN.NET = {
kdc = dc1.mydomain.net
default_domain = mydomain.net
}

[domain_realm]
.mydomain.net = MYDOMAIN.NET
mydomain.net = MYDOMAIN.NET

Please refer to this MIT reference for how to properly set up the krb5.conf: Sample krb5.conf File

In the Hosts file, check to ensure your IP to name mappings are correct. Per the RFCs, Kerberos requires a properly functioning DNS, and you are at risk of shortchanging that if your Hosts file has outdated entries in it.

Finally, though I wasn't able to tell which version of Ansible you were using, I did some research and found that "Ansible 2.0 has deprecated the "ssh" from ansible_ssh_user, ansible_ssh_host, and ansible_ssh_port to become ansible_user, ansible_host, and ansible_port." This could certainly be part of the problem. See: Ansible on Windows Documentation
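The rules the answer lays out (realm names in upper case, domain names and the KDC host in lower case, KDC given as a fully-qualified name, the Ansible 2.0 variable renames) can be turned into a mechanical check. The script below is an added example written for this page; it is not code from the question, the answer or the Ansible project. It embeds constructed copies of the asker's krb5.conf and windows.yml and reports every deviation it finds, including the default_domain (hpeswlab.net) that the answer's corrected file changes to mydomain.net, and the ansible_winrm_server_cert_validation: ignore setting, which disables HTTPS server certificate checks and belongs in a lab only. The parsers are deliberately minimal (flat key: value lines, one level of { } blocks) and are assumptions of this example, not Ansible's or MIT Kerberos's own parsing.

```python
import re

# Constructed copies of the asker's krb5.conf and windows.yml, embedded so the checks run offline.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = MYDOMAIN.NET
#dns_lookup_realm = true
#dns_lookup_kdc = true

[realms]
MYDOMAIN.NET = {
kdc = dc1.mydomain.net
default_domain = hpeswlab.net
}

[domain_realm]
.mydomain.net = MYDOMAIN.NET
 mydomain.net = MYDOMAIN.NET
"""
SAMPLE_WINDOWS_YML = """\
ansible_ssh_user: user@MYDOMAIN.NET
ansible_ssh_pass: password
ansible_ssh_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
"""
# Variable renames the answer cites for Ansible 2.0 (old name -> new name).
DEPRECATED_VARS = {"ansible_ssh_user": "ansible_user",
                   "ansible_ssh_host": "ansible_host",
                   "ansible_ssh_port": "ansible_port"}

def parse_krb5_conf(text):
    """Minimal reader: [section] headers, 'key = value', 'NAME = { ... }' blocks, '#' comments."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, block = sections.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            elif block is not None:
                block[key] = value
            else:
                section[key] = value
    return sections

def check_krb5_conf(conf):
    """Findings for the answer's rules: realm case, KDC host form, default_domain mapping."""
    findings = []
    default_realm = conf.get("libdefaults", {}).get("default_realm", "")
    if default_realm != default_realm.upper():
        findings.append(f"default_realm {default_realm!r} must be upper case")
    domain_realm = conf.get("domain_realm", {})
    for realm, settings in conf.get("realms", {}).items():
        settings = settings if isinstance(settings, dict) else {}
        if realm != realm.upper():
            findings.append(f"realm name {realm!r} must be upper case")
        kdc = settings.get("kdc", "")
        host = kdc.split(":")[0]  # drop an optional :port suffix
        if kdc and ("." not in host or host != host.lower()):
            findings.append(f"kdc {kdc!r} should be a lower-case fully-qualified host name")
        dd = settings.get("default_domain")
        if dd and domain_realm.get(dd) != realm:
            findings.append(f"default_domain {dd!r} of {realm} is not mapped back to it in [domain_realm]")
    for domain, realm in domain_realm.items():
        if domain != domain.lower() or realm != realm.upper():
            findings.append(f"[domain_realm] {domain} = {realm}: domain lower case, realm upper case")
    return findings

def parse_group_vars(text):
    """Read flat 'key: value' lines, enough for a group_vars file like the one above."""
    pairs = (line.split("#", 1)[0].partition(":") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def check_ansible_vars(variables, conf):
    """Findings for the Ansible side: deprecated names, realm case in the user, cert validation."""
    findings = [f"{old} is deprecated since Ansible 2.0; use {new}"
                for old, new in DEPRECATED_VARS.items() if old in variables]
    user = variables.get("ansible_user") or variables.get("ansible_ssh_user", "")
    if "@" in user:
        realm = user.split("@", 1)[1]
        if realm != realm.upper():
            findings.append(f"realm in {user!r} must be upper case")
        elif realm not in conf.get("realms", {}):
            findings.append(f"realm {realm} of {user!r} is not defined in [realms] of krb5.conf")
    if variables.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append("WinRM server certificate validation is disabled; use a trusted CA cert outside a lab")
    return findings

def audit(krb5_text=SAMPLE_KRB5_CONF, yml_text=SAMPLE_WINDOWS_YML):
    conf = parse_krb5_conf(krb5_text)
    return check_krb5_conf(conf) + check_ansible_vars(parse_group_vars(yml_text), conf)
```

Run against the asker's files, `audit()` reports four items: the unmapped default_domain, the two deprecated ansible_ssh_* names, and the disabled certificate validation; after the answer's change of default_domain to mydomain.net the krb5.conf side reports nothing. Lower-casing the realm anywhere (krb5.conf or the user name) is flagged, which is the mismatch the answer identifies behind the "KDC reply did not match expectations" error.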
