WinRM - the specified credentials were rejected by the server

Problem description

I am unable to get WinRM session in a python script.

ad-dns.test.com    - Windows 2012 AD and DNS Server
box88.test.com     - CentOS 7.2 : Kerberos, Python (Not joined to domain)
box62.test.com     - Windows 2012 R2 Standard (Joined to domain)
box63.test.com     - Windows 10 (Joined to domain)

Configurations

I have enabled WinRM on Windows 10 and 2012 server through ConfigureRemotingForAnsible.ps1 PowerShell script. These are the WinRM configurations.

PS C:\Windows\system32> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 10
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 25
        MaxMemoryPerShellMB = 1024
        MaxShellsPerUser = 30
PS C:\Windows\system32>

I have prepared CentOS box as below

# yum -y install python-pip python-devel krb5-devel krb5-libs krb5-workstation
# pip install --upgrade pip
# pip install  "pywinrm>=0.1.1" kerberos pykerberos requests-kerberos isodate xmltodict

# cat /etc/krb5.conf
[libdefaults]
 default_realm = TEST.COM

[realms]
 TEST.COM = {
  kdc = ad-dns.test.com
  admin_server   = ad-dns.test.com
  kpasswd_server = ad-dns.test.com
  default_domain = test.com
 }

[domain_realm]
 .test.com = TEST.COM
 test.com = TEST.COM
#

# kinit [email protected]
Password for [email protected]:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
2016-06-30T02:15:20  2016-06-30T12:15:20  krbtgt/[email protected]
    renew until 2016-07-01T02:15:16
#

Problem

Until now, everything appears smooth. The problem occurs when I try to use this kerberos ticket to authenticate the Windows servers using the below script.

#!/usr/bin/env python

import winrm

s = winrm.Session('box63.test.com', auth=('[email protected]', 'IamUsingKerbTicket'), transport='kerberos')
r = s.run_cmd('ipconfig', ['/all'])
print r.status_code
print r.std_out
print r.std_err


# ./winrm_ipconfig.py
Traceback (most recent call last):
  File "./winrm_ipconfig.py", line 6, in <module>
    r = s.run_cmd('ipconfig', ['/all'])
  File "/usr/lib/python2.7/site-packages/winrm/__init__.py", line 37, in run_cmd
    shell_id = self.protocol.open_shell()
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 179, in send_message
    raise InvalidCredentialsError("the specified credentials were rejected by the server")
winrm.exceptions.InvalidCredentialsError: the specified credentials were rejected by the server
#

Not sure, why I see this error while Event Logs on Windows server show success. Apparently, I see three Logon and Logoff occurring at the same time.

Not sure what I am missing here. Firewall is stopped/disabled on both CentOS & Windows machines and times are also in sync.

Recommended answer

Solved it finally, it was a permission issue and not invalid credentials as pointed out in logs. There are two solutions to this issue

  1. Add the domain user to the Domain Admins Group
  2. Execute winrm configSDDL default on the Windows server and check Read and Execute permissions like below
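Why the dumped RootSDDL turns a valid Kerberos ticket into a "credentials rejected" error, and what the second fix changes, can be checked offline. The Python below is an added example, not code from the question or from pywinrm: it parses the DACL of the RootSDDL string shown above and reports whether a token holding the given SIDs gets Read (GR) and Execute (GX) on the WinRM root. The "fixed" SDDL, the domain user's SID and the alias table are constructed for illustration; RM is the SDDL alias of the built-in Remote Management Users group, a narrower target for the second fix than Domain Admins.

```python
import re
from typing import Dict, List, Set, Tuple

# Well-known SDDL trustee aliases seen in WinRM RootSDDL strings (constructed, not exhaustive).
ALIASES = {"BA": "Builtin Administrators", "IU": "Interactive Users",
           "WD": "Everyone", "AU": "Authenticated Users", "RM": "Remote Management Users"}

# RootSDDL value copied from the 'winrm get winrm/config' dump in the question.
ROOTSDDL = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"
# Constructed variant: the DACL once Remote Management Users are granted Read + Execute.
FIXED_SDDL = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)(A;;GXGR;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"

def parse_dacl(sddl: str) -> List[Tuple[str, str, str]]:
    """Return (ace_type, rights, trustee) for every ACE in the DACL ('D:' section) of an SDDL string."""
    m = re.search(r"D:P?((?:\([^)]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        fields = body.split(";")
        if len(fields) == 6:  # plain ACEs only; object/conditional ACEs are skipped
            aces.append((fields[0], fields[2], fields[5]))
    return aces

def split_rights(rights: str) -> Set[str]:
    """SDDL rights are two-letter tokens run together, e.g. 'GXGR' -> {'GX', 'GR'}."""
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return tokens | {"GR", "GW", "GX"} if "GA" in tokens else tokens  # GenericAll implies the rest

def winrm_access(sddl: str, principal_sids: Set[str]) -> Dict[str, bool]:
    """Effective Read (GR) and Execute (GX) on the WinRM root for a token holding principal_sids."""
    allowed, denied = set(), set()
    for ace_type, rights, trustee in parse_dacl(sddl):
        if trustee in principal_sids:
            (allowed if ace_type == "A" else denied).update(split_rights(rights))
    effective = allowed - denied
    return {"read": "GR" in effective, "execute": "GX" in effective}

def explain(sddl: str) -> List[str]:
    """Human-readable DACL listing, resolving aliases where known."""
    return ["%s %s to %s" % ("Allow" if t == "A" else "Deny", r, ALIASES.get(s, s))
            for t, r, s in parse_dacl(sddl)]

if __name__ == "__main__":
    for line in explain(ROOTSDDL):
        print(line)
    # A non-admin domain user's network logon token carries AU/WD and its own SID, but not BA or IU.
    domain_user = {"S-1-5-21-0-0-0-1105", "AU", "WD"}
    print("domain user, dumped SDDL:", winrm_access(ROOTSDDL, domain_user))
    print("Remote Management Users, fixed SDDL:", winrm_access(FIXED_SDDL, domain_user | {"RM"}))
```

With the dumped SDDL only Builtin Administrators hold Execute, which is why adding the user to Domain Admins also "works"; the check shows that granting GR and GX to a narrower group is enough.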

06-10 06:51