Ansible to Windows using Kerberos not working


Question


I am attempting to use Ansible 1.9.0.1 to configure Windows servers using a domain user name. I have successfully setup the Linux Ansible control box and have been able to use basic auth to run ansible/ansible-playbook plays. However running with a domain user fails. Kerberos is enabled on the Windows nodes:

winrm get winrm/config/client/auth
Auth
    Basic = true
    Digest = true
    Kerberos = true
    Negotiate = true
    Certificate = true
    CredSSP = true


The playbook I am trying to run just references the win_ping module of ansible and the following is the output:

PLAY [Manage SMI] *************************************************************

TASK: [Ping] ******************************************************************
<host1> ESTABLISH WINRM CONNECTION FOR USER:  on PORT 5985 TO host1
<host1> ESTABLISH WINRM CONNECTION FOR USER:  on PORT 5985 TO host2
<host1> REMOTE_MODULE win_ping
<host1> EXEC (New-Item -Type Directory -Path $env:temp -Name "ansible-tmp-1429639247.03-231225138744234").FullName | Write-Host -Separator '';
<host2> REMOTE_MODULE win_ping
<host2> EXEC (New-Item -Type Directory -Path $env:temp -Name "ansible-tmp-1429639247.03-8060403929807").FullName | Write-Host -Separator '';

FATAL: all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
           to retry, use: --limit @/home/deck/test.retry

host1            : ok=0    changed=0    unreachable=1    failed=0
host2            : ok=0    changed=0    unreachable=1    failed=0


Per the System event log the user is being authenticated correctly, so it looks like the file transfer to the tmp directory is failing.

Any help is greatly appreciated.

Answer


A co-worker found a workaround for this issue. It appears there is an issue in pywinrm when using Kerberos that causes the module to die when attempting to call KerberosTicket inside transport.py. If you patch transport.py with the following:

import kerberos  # pykerberos; transport.py already imports it


class KerberosTicket:
    """
    Implementation based on http://ncoghlan_devs-python-notes.readthedocs.org/en/latest/python_kerberos.html
    """
    def __init__(self, service):
        # added line below (the workaround)
        self.test = 1
        # initialise a GSS client context for the service, e.g. HTTP@hostname
        ignored_code, krb_context = kerberos.authGSSClientInit(service)
        # first client step with an empty challenge produces the initial token
        kerberos.authGSSClientStep(krb_context, '')
        # TODO authGSSClientStep may raise the following error:
        # GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968),
        #            ("Credentials cache file '/tmp/krb5cc_1000' not found", -1765328189))
        self._krb_context = krb_context
        # base64 token to send in the Authorization header
        gss_response = kerberos.authGSSClientResponse(krb_context)
        self.auth_header = 'Negotiate {0}'.format(gss_response)


We are not 100% sure why this works but for now it is our workaround.
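A pre-flight check for the setup above, added here as an example (it is not pywinrm's code and not the answer's patch): it builds the SPN the way pywinrm is assumed to (HTTP@fqdn), locates the ticket cache, turns the GSSError from the TODO comment into a remedy, and, unlike the patched class, also checks the server's Negotiate reply so mutual authentication is actually verified. The function names and the error-message matching are assumptions.

```python
import os

try:
    import kerberos  # pykerberos, the library pywinrm's transport.py calls
except ImportError:  # the pure helpers below still run without it
    kerberos = None

# Minor code from the GSSError quoted in the TODO above: no ticket cache, i.e. kinit was never run
KRB5_FCC_NOFILE = -1765328189

def winrm_spn(host):
    """SPN in the HTTP@fqdn form pykerberos expects (assumed: the port is not part of it)."""
    return 'HTTP@' + host.split(':')[0].lower()

def ccache_path():
    """Where MIT krb5 looks for the ticket cache: $KRB5CCNAME, else /tmp/krb5cc_<uid>."""
    default = '/tmp/krb5cc_%d' % os.getuid()
    return os.environ.get('KRB5CCNAME', default).replace('FILE:', '', 1)

def diagnose_gss_error(err_args):
    """Classify GSSError.args, which pykerberos gives as ((major_msg, major), (minor_msg, minor))."""
    (_major_msg, _major), (minor_msg, minor) = err_args
    if minor == KRB5_FCC_NOFILE:
        return 'no-ccache'   # remedy: kinit user@REALM on the control box, then retry
    if 'Server not found in Kerberos database' in minor_msg:
        return 'no-spn'      # remedy: the host has no HTTP/<fqdn> SPN registered in AD
    if 'expired' in minor_msg.lower():
        return 'expired'     # remedy: kinit again
    return 'other'

def negotiate_header(service, server_token=None):
    """The GSS steps pywinrm's KerberosTicket does, plus verification of the server's reply
    (mutual auth). Returns (header, mutual_ok). Needs pykerberos and a valid ticket cache."""
    if kerberos is None:
        raise RuntimeError('pykerberos is not installed')
    flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG
    _, ctx = kerberos.authGSSClientInit(service, gssflags=flags)
    try:
        kerberos.authGSSClientStep(ctx, '')
        header = 'Negotiate ' + kerberos.authGSSClientResponse(ctx)
        mutual_ok = False
        if server_token is not None:
            # feed the WWW-Authenticate token back; COMPLETE means the server proved it holds
            # the service key, so the WinRM endpoint is the one the KDC vouches for
            mutual_ok = kerberos.authGSSClientStep(ctx, server_token) == kerberos.AUTH_GSS_COMPLETE
        return header, mutual_ok
    finally:
        kerberos.authGSSClientClean(ctx)
```

Run diagnose_gss_error(err.args) in the except branch around negotiate_header; 'no-ccache' on a box where the Ansible user never ran kinit is the most common reason the play above ends up unreachable.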
