Ansible Windows Kerberos 身份验证错误的 HTTP 响应从服务器代码 500 返回

Ansible Windows Kerberos Authentification Bad HTTP response returned from server Code 500

在 windows 服务器上配置 winRM 并填写连接所需的所有信息后:

---
### winrm / win connection ###
ansible_winrm_realm: *My AD Domain*
ansible_connection: winrm
ansible_winrm_kerberos_delegation: yes
ansible_port: 5985
ansible_winrm_transport: kerberos

我得到了一个

fatal: [MyServer]: UNREACHABLE! => {"changed": false, "msg": "kerberos: ('http', 'Bad HTTP response returned from server. Code 500')", "unreachable": true}

我已经尝试了很多事情,包括更改我的配置和检查 WinRm 是否可以访问,一切都很好:

C:\Users\ME>winrs -r :http://myserver:5985/wsman -u:My_User -p:Password ipconfig

我的 WinRM 配置:

PS C:\Users\XXXX> winrm get winrm/config/Service
Service
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = false
    Auth
        Basic = false
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true


PS C:\Users\XXXX> winrm get winrm/config/Winrs
Winrs
    AllowRemoteShellAccess = true
    IdleTimeout = 7200000
    MaxConcurrentUsers = 2147483647
    MaxShellRunTime = 2147483647
    MaxProcessesPerShell = 2147483647
    MaxMemoryPerShellMB = 2147483647
    MaxShellsPerUser = 2147483647

由于我正在尝试使用 HTTP 而不是 HTTPS,解决方案是通过 运行 以下命令更改 WinRm 服务配置以允许加密连接:

Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value true

我 运行 遇到了这个异常,我的解决方案是安装 python-kerberos 包装器。

pip3 install pywinrm[kerberos]

最后通过升级pykerberos到1.2.1版本解决

pip3 install pykerberos --upgrade

作为解决方法,您可以使用 python2 到 运行 这个剧本:

/usr/bin/python2 /usr/bin/ansible-playbook WindowsTest.yml 

主机节点上的以下命令解决了该问题。我们需要接受未加密的流量。

Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value true