WinRM - the specified credentials were rejected by the server
I cannot get a WinRM session in a Python script.
Environment
ad-dns.test.com - Windows 2012 AD and DNS Server
box88.test.com - CentOS 7.2 : Kerberos, Python (Not joined to domain)
box62.test.com - Windows 2012 R2 Standard (Joined to domain)
box63.test.com - Windows 10 (Joined to domain)
Configuration
I have enabled WinRM on the Windows 10 and 2012 servers via the ConfigureRemotingForAnsible.ps1 PowerShell script. These are the WinRM configurations.
PS C:\Windows\system32> winrm get winrm/config
Config
MaxEnvelopeSizekb = 500
MaxTimeoutms = 60000
MaxBatchItems = 32000
MaxProviderRequests = 4294967295
Client
NetworkDelayms = 5000
URLPrefix = wsman
AllowUnencrypted = false
Auth
Basic = true
Digest = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
DefaultPorts
HTTP = 5985
HTTPS = 5986
TrustedHosts = *
Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = false
Auth
Basic = true
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = false
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true
Winrs
AllowRemoteShellAccess = true
IdleTimeout = 7200000
MaxConcurrentUsers = 10
MaxShellRunTime = 2147483647
MaxProcessesPerShell = 25
MaxMemoryPerShellMB = 1024
MaxShellsPerUser = 30
PS C:\Windows\system32>
I prepared the CentOS box as follows
# yum -y install python-pip python-devel krb5-devel krb5-libs krb5-workstation
# pip install --upgrade pip
# pip install "pywinrm>=0.1.1" kerberos pykerberos requests-kerberos isodate xmltodict
# cat /etc/krb5.conf
[libdefaults]
default_realm = TEST.COM
[realms]
TEST.COM = {
kdc = ad-dns.test.com
admin_server = ad-dns.test.com
kpasswd_server = ad-dns.test.com
default_domain = test.com
}
[domain_realm]
.test.com = TEST.COM
test.com = TEST.COM
#
# kinit vkumar@TEST.COM
Password for vkumar@TEST.COM:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: vkumar@TEST.COM
Valid starting Expires Service principal
2016-06-30T02:15:20 2016-06-30T12:15:20 krbtgt/TEST.COM@TEST.COM
renew until 2016-07-01T02:15:16
#
Problem
Everything looks fine up to this point. The problem appears when I try to authenticate to the Windows server with this Kerberos ticket using the following script.
#!/usr/bin/env python
import winrm
# transport='kerberos' authenticates with the ticket obtained via kinit above;
# the password string is only a placeholder.
s = winrm.Session('box63.test.com', auth=('vkumar@TEST.COM', 'IamUsingKerbTicket'), transport='kerberos')
r = s.run_cmd('ipconfig', ['/all'])
print(r.status_code)
print(r.std_out)
print(r.std_err)
# ./winrm_ipconfig.py
Traceback (most recent call last):
File "./winrm_ipconfig.py", line 6, in <module>
r = s.run_cmd('ipconfig', ['/all'])
File "/usr/lib/python2.7/site-packages/winrm/__init__.py", line 37, in run_cmd
shell_id = self.protocol.open_shell()
File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
res = self.send_message(xmltodict.unparse(req))
File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
return self.transport.send_message(message)
File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 179, in send_message
raise InvalidCredentialsError("the specified credentials were rejected by the server")
winrm.exceptions.InvalidCredentialsError: the specified credentials were rejected by the server
#
Not sure why I see this error when the Event Logs on the Windows server show success. Apparently I see three Logon and Logoff events at the same time.
Not sure what I am missing here. The firewalls on both the CentOS and Windows machines are stopped/disabled and the time is in sync.
Finally solved it. It was a permissions issue, not invalid credentials as the log indicated. There are two solutions to this problem:
- Add the domain user to the Domain Admins group
- On the Windows server run winrm configSDDL default and check the Read and Execute permissions, as shown below
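The accepted answer locates the failure in the WinRM Service RootSDDL rather than in Kerberos. The RootSDDL in the question's winrm get winrm/config output, O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(...), grants full access (GA) only to BUILTIN\Administrators and read (GR) only to INTERACTIVE; a domain user arriving over WinRM gets a network logon, so neither ACE matches and the shell request is refused, which pywinrm reports as rejected credentials. The following Python is an added example (not code from the original post or from pywinrm) that decodes that descriptor, evaluates what a given set of token SIDs is granted, and builds the same SDDL with an extra allow ACE, the least-privilege alternative to adding the user to Domain Admins. The well-known-SID table, the placeholder domain-user SID, and the choice of Remote Management Users (RM) as the group to grant are assumptions.

```python
"""Decode and extend a WinRM Service RootSDDL.

Added example, not code from the original post or from pywinrm.  It works on
the RootSDDL string shown in the question's `winrm get winrm/config` output.
"""
import re

# Generic rights as they appear in the SDDL rights field.
GENERIC_RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000}
# WinRM needs Read (GR) and Execute (GX) to open a remote shell; GA covers both.
SHELL_RIGHTS = GENERIC_RIGHTS["GR"] | GENERIC_RIGHTS["GX"]

# Well-known SID abbreviations found in WinRM descriptors (assumed subset).
WELL_KNOWN_SIDS = {
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
    "RM": "S-1-5-32-580",  # BUILTIN\Remote Management Users
    "IU": "S-1-5-4",       # INTERACTIVE
    "NU": "S-1-5-2",       # NETWORK
    "AU": "S-1-5-11",      # Authenticated Users
    "WD": "S-1-1-0",       # Everyone
    "NS": "S-1-5-20",      # NETWORK SERVICE
    "SY": "S-1-5-18",      # SYSTEM
}

# RootSDDL copied from the question: GA to Administrators, GR to INTERACTIVE only.
ROOT_SDDL = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"

# Constructed token for a plain domain user over WinRM: own SID (placeholder),
# Authenticated Users and NETWORK; a network logon never carries INTERACTIVE.
DOMAIN_USER_TOKEN = {"S-1-5-21-1-2-3-1105", "S-1-5-11", "S-1-5-2"}

SEGMENT_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_mask(field):
    """'GRGX' -> 0xA0000000; a hex field such as '0x1f0000' is used verbatim."""
    if field.startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        token = field[i:i + 2]
        if token not in GENERIC_RIGHTS:
            raise ValueError("unsupported right %r" % token)
        mask |= GENERIC_RIGHTS[token]
    return mask


def parse_sddl(sddl):
    """Return owner, group and the DACL/SACL ACE lists with SIDs expanded."""
    result = {"owner": None, "group": None, "dacl": [], "sacl": []}
    for key, body in SEGMENT_RE.findall(sddl):
        if key in ("O", "G"):
            result["owner" if key == "O" else "group"] = WELL_KNOWN_SIDS.get(body, body)
            continue
        aces = []
        for match in ACE_RE.finditer(body):
            f = match.group(1).split(";")  # type;flags;rights;objguid;inhguid;sid
            aces.append({"type": f[0], "flags": f[1], "mask": rights_mask(f[2]),
                         "sid": WELL_KNOWN_SIDS.get(f[5], f[5])})
        result["dacl" if key == "D" else "sacl"] = aces
    return result


def effective_mask(sddl, token_sids):
    """Access mask a canonical DACL grants to a token holding `token_sids`; denies win."""
    allowed = denied = 0
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["sid"] not in token_sids:
            continue
        if ace["type"] == "A":
            allowed |= ace["mask"]
        elif ace["type"] == "D":
            denied |= ace["mask"]
    return allowed & ~denied


def can_open_shell(sddl, token_sids):
    """True if the token holds GA, or both GR and GX, on the WinRM root."""
    mask = effective_mask(sddl, token_sids)
    return bool(mask & GENERIC_RIGHTS["GA"]) or (mask & SHELL_RIGHTS) == SHELL_RIGHTS


def add_allow_ace(sddl, sid, rights="GRGX"):
    """Append an allow ACE for `sid` (abbreviation or S-1-... string) to the DACL."""
    ace = "(A;;%s;;;%s)" % (rights, sid)
    segments = [[key, body] for key, body in SEGMENT_RE.findall(sddl)]
    for segment in segments:
        if segment[0] == "D":
            segment[1] += ace
            break
    else:
        segments.append(["D", ace])
    return "".join(key + ":" + body for key, body in segments)


if __name__ == "__main__":
    for name, token in (("domain user", DOMAIN_USER_TOKEN),
                        ("interactive user", {"S-1-5-4"}),
                        ("local administrator", {"S-1-5-32-544"})):
        print("%-20s shell allowed: %s" % (name, can_open_shell(ROOT_SDDL, token)))
    # Least-privilege fix: let Remote Management Users read and execute.
    fixed = add_allow_ace(ROOT_SDDL, "RM")
    print(fixed)
    print("RM after fix:", can_open_shell(fixed, {"S-1-5-32-580"}))
```

The string returned by add_allow_ace is applied on the Windows host with winrm set winrm/config/service '@{RootSDDL="..."}' (or by pasting it into the winrm configSDDL default dialog the answer mentions), after which the domain user only needs membership in the granted group rather than Domain Admins. Note that even the INTERACTIVE ACE in the original descriptor grants GR alone, so a local interactive user would also be refused a shell under it.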
If you are using Basic authentication, i.e. a local username, then you need to set it to True in PowerShell (as Administrator) with the following commands
winrm set winrm/config/client/auth '@{Basic="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'