WinRM - 指定的凭据被服务器拒绝

WinRM - the specified credentials were rejected by the server

我无法在 python 脚本中获取 WinRM 会话。

环境

ad-dns.test.com    - Windows 2012 AD and DNS Server
box88.test.com     - CentOS 7.2 : Kerberos, Python (Not joined to domain)
box62.test.com     - Windows 2012 R2 Standard (Joined to domain)
box63.test.com     - Windows 10 (Joined to domain)

配置

我已经通过 ConfigureRemotingForAnsible.ps1 PowerShell 脚本在 Windows 10 和 2012 服务器上启用了 WinRM。这些是 WinRM 配置。

PS C:\Windows\system32> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 10
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 25
        MaxMemoryPerShellMB = 1024
        MaxShellsPerUser = 30
PS C:\Windows\system32> 

我准备了如下的CentOS box

# yum -y install python-pip python-devel krb5-devel krb5-libs krb5-workstation
# pip install --upgrade pip
# pip install  "pywinrm>=0.1.1" kerberos pykerberos requests-kerberos isodate xmltodict

# cat /etc/krb5.conf
[libdefaults]
 default_realm = TEST.COM

[realms]
 TEST.COM = {
  kdc = ad-dns.test.com
  admin_server   = ad-dns.test.com
  kpasswd_server = ad-dns.test.com
  default_domain = test.com
 }

[domain_realm]
 .test.com = TEST.COM
 test.com = TEST.COM
#

# kinit vkumar@TEST.COM
Password for vkumar@TEST.COM:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: vkumar@TEST.COM

Valid starting       Expires              Service principal
2016-06-30T02:15:20  2016-06-30T12:15:20  krbtgt/TEST.COM@TEST.COM
    renew until 2016-07-01T02:15:16
#

问题

到目前为止,一切看起来都很顺利。当我尝试使用此 kerberos 票证使用以下脚本验证 Windows 服务器时出现问题。

#!/usr/bin/env python

import winrm

s = winrm.Session('box63.test.com', auth=('vkumar@TEST.COM', 'IamUsingKerbTicket'), transport='kerberos')
r = s.run_cmd('ipconfig', ['/all'])
print r.status_code
print r.std_out
print r.std_err


# ./winrm_ipconfig.py
Traceback (most recent call last):
  File "./winrm_ipconfig.py", line 6, in <module>
    r = s.run_cmd('ipconfig', ['/all'])
  File "/usr/lib/python2.7/site-packages/winrm/__init__.py", line 37, in run_cmd
    shell_id = self.protocol.open_shell()
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 179, in send_message
    raise InvalidCredentialsError("the specified credentials were rejected by the server")
winrm.exceptions.InvalidCredentialsError: the specified credentials were rejected by the server
#

不确定,为什么我在 Windows 服务器上的 Event Logs 显示成功时看到此错误。显然,我看到三个 LogonLogoff 同时出现。

不确定我在这里遗漏了什么。 CentOS 和 Windows 机器上的防火墙都是 stopped/disabled 并且时间也是同步的。

终于解决了,这是一个权限问题,而不是日志中指出的无效凭据。这个问题有两种解决方案

  1. 将域用户添加到 Domain Admins
  2. 在 Windows 服务器上执行 winrm configSDDL default 并检查 ReadExecute 权限,如下所示

如果您使用的是基本身份验证,即本地用户名,那么您需要在 Powershell 中使用以下命令将其设置为 True(以管理员身份)

winrm set winrm/config/client/auth '@{Basic="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'