Python WinRM - the specified credentials were rejected by the server

Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/38105486/

Time: 2020-08-19 20:21:24  Source: igfitidea

python kerberos winrm

Asked by vikas027

I am unable to get WinRM session in a python script.

Environment

ad-dns.test.com    - Windows 2012 AD and DNS Server
box88.test.com     - CentOS 7.2 : Kerberos, Python (Not joined to domain)
box62.test.com     - Windows 2012 R2 Standard (Joined to domain)
box63.test.com     - Windows 10 (Joined to domain)


Configurations

I have enabled WinRM on Windows 10 and 2012 server through ConfigureRemotingForAnsible.ps1 PowerShell script. These are the WinRM configurations.

PS C:\Windows\system32> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 10
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 25
        MaxMemoryPerShellMB = 1024
        MaxShellsPerUser = 30
PS C:\Windows\system32> 

I have prepared CentOS box as below

# yum -y install python-pip python-devel krb5-devel krb5-libs krb5-workstation
# pip install --upgrade pip
# pip install  "pywinrm>=0.1.1" kerberos pykerberos requests-kerberos isodate xmltodict

# cat /etc/krb5.conf
[libdefaults]
 default_realm = TEST.COM

[realms]
 TEST.COM = {
  kdc = ad-dns.test.com
  admin_server   = ad-dns.test.com
  kpasswd_server = ad-dns.test.com
  default_domain = test.com
 }

[domain_realm]
 .test.com = TEST.COM
 test.com = TEST.COM
#

# kinit [email protected]
Password for [email protected]:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
2016-06-30T02:15:20  2016-06-30T12:15:20  krbtgt/[email protected]
    renew until 2016-07-01T02:15:16
#

Problem

Until now, everything appears smooth. The problem occurs when I try to use this kerberos ticket to authenticate the Windows servers using the below script.

#!/usr/bin/env python

import winrm

s = winrm.Session('box63.test.com', auth=('[email protected]', 'IamUsingKerbTicket'), transport='kerberos')
r = s.run_cmd('ipconfig', ['/all'])
print r.status_code
print r.std_out
print r.std_err


# ./winrm_ipconfig.py
Traceback (most recent call last):
  File "./winrm_ipconfig.py", line 6, in <module>
    r = s.run_cmd('ipconfig', ['/all'])
  File "/usr/lib/python2.7/site-packages/winrm/__init__.py", line 37, in run_cmd
    shell_id = self.protocol.open_shell()
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 179, in send_message
    raise InvalidCredentialsError("the specified credentials were rejected by the server")
winrm.exceptions.InvalidCredentialsError: the specified credentials were rejected by the server
#

Not sure why I see this error while Event Logs on Windows server show success. Apparently, I see three Logon and Logoff occurring at the same time. Windows_Event_Logs

Not sure what I am missing here. Firewall is stopped/disabled on both CentOS & Windows machines and times are also in sync.

Answered by vikas027

Solved it finally, it was a permission issue and not invalid credentials as pointed out in logs. There are two solutions to this issue

  1. Add the domain user to the Domain Admins group
  2. Execute winrm configSDDL default on the Windows server and check Read and Execute permissions like below

Windows_Server
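
Why both options in the answer above grant access, as an added example (not code from the original post): it parses the RootSDDL printed in the question's `winrm get winrm/config` output and checks whether a logon token is granted Read and Execute. The token group sets, `USER_SID` and `PATCHED_SDDL` are constructed assumptions, and allow-minus-deny is a simplification of the Windows access check.

```python
import re

# RootSDDL exactly as printed by `winrm get winrm/config` in the question.
ROOT_SDDL = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"
# Generic access bits, for ACEs whose rights are written as a hex mask.
GENERIC = {"GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000, "GA": 0x10000000}

def parse_rights(field):
    """Return the generic rights (GA/GR/GW/GX) named in an ACE rights field."""
    if field.lower().startswith("0x"):
        rights = {n for n, bit in GENERIC.items() if int(field, 16) & bit}
    else:
        rights = set(re.findall("..", field)) & set(GENERIC)
    if "GA" in rights:  # Full Control implies Read, Write and Execute
        rights |= {"GR", "GW", "GX"}
    return rights

def dacl_aces(sddl):
    """List (ace_type, rights, trustee) for the D: (DACL) part; S: is audit only."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1) if m else ""):
        fields = body.split(";")
        if len(fields) >= 6:  # type;flags;rights;object;inherit;trustee
            aces.append((fields[0], parse_rights(fields[2]), fields[5]))
    return aces

def effective_rights(sddl, token_sids):
    """Simplified check: matching allow ACEs minus matching deny ACEs."""
    allowed, denied = set(), set()
    for ace_type, rights, trustee in dacl_aces(sddl):
        if trustee in token_sids and ace_type == "A":
            allowed |= rights
        elif trustee in token_sids and ace_type == "D":
            denied |= rights
    return allowed - denied

def has_read_execute(sddl, token_sids):
    return {"GR", "GX"} <= effective_rights(sddl, token_sids)

# Constructed tokens (assumptions). WinRM is a network logon, so the token
# carries NU (NETWORK) rather than IU (INTERACTIVE).
DOMAIN_USER = {"WD", "AU", "NU", "DU"}
DOMAIN_ADMIN = DOMAIN_USER | {"DA", "BA"}  # Domain Admins sit in local Administrators
USER_SID = "S-1-5-21-0-0-0-1105"  # placeholder SID, not from the page
PATCHED_SDDL = ROOT_SDDL.replace(")S:P", ")(A;;GXGR;;;" + USER_SID + ")S:P")

if __name__ == "__main__":
    print("plain user:", has_read_execute(ROOT_SDDL, DOMAIN_USER))
    print("admin:", has_read_execute(ROOT_SDDL, DOMAIN_ADMIN))
    print("user ACE added:", has_read_execute(PATCHED_SDDL, DOMAIN_USER | {USER_SID}))
```

The third case is the second option in the answer: a single allow ACE with Read and Execute for the user, with no change to group membership.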

Answered by Ubuntuser

If you are using Basic authentication, i.e. local usernames, then you need to set it to True using the following commands in PowerShell (as admin)

winrm set winrm/config/client/auth '@{Basic="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'