I'm building a playbook in Ansible that will add some DNS entries to several Windows 2012 R2 domain controllers (DCs). When I try to authenticate over HTTP, the DCs reject my credentials.
I configured Kerberos on my control machine following the documentation on the Ansible website:
http://docs.ansible.com/ansible/intro_windows.html#active-directory-support
I also confirmed that I can log into the domain with my credentials:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: my-user@<REDACTED>
Valid starting Expires Service principal
10/06/2016 09:47:03 10/06/2016 19:47:03 krbtgt/<REDACTED>@<REDACTED>
renew until 10/07/2016 09:46:59
10/06/2016 09:47:48 10/06/2016 19:47:03 HTTP/phx-dev-mwad01.<REDACTED>@<REDACTED>
renew until 10/07/2016 09:46:59
10/06/2016 09:54:15 10/06/2016 19:47:03 HTTP/phx-dev-mwad02.<REDACTED>@<REDACTED>
renew until 10/07/2016 09:46:59
10/06/2016 12:08:28 10/06/2016 19:47:03 HTTP/phx-dev-want01.<REDACTED>@<REDACTED>
renew until 10/07/2016 09:46:59
I redacted the domain name for security purposes.
Here is my winrm configuration file:
ansible_user: my-user@<REDACTED>
ansible_password: SomePass
ansible_port: 5985
ansible_connection: winrm
# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation: ignore
I am able to connect to the Windows servers over port 5986 (HTTPS), but in production the domain controllers are not configured for 5986, so Ansible must be able to establish a connection over port 5985 (HTTP). This requirement will not change in production.
When attempting a connection over 5985, my credentials are rejected:
fatal: [phx-dev-mwad02]: UNREACHABLE! => {"changed": false, "msg": "kerberos: (u'http', u'Bad HTTP response returned from server. Code 500'), plaintext: the specified credentials were rejected by the server", "unreachable": true}
WinRM is set up to allow remote management:
$ winrm quickconfig
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.
Here is a gist of our WinRM configuration:
https://gist.github.com/anonymous/f2baaff517287c535453dbba4ef03b69
Yes, I have confirmed that my credentials are correct.
1 Answer
Check the winrm server's config. It seems that for now python winrm doesn't support message encryption without https, and your config has
AllowUnencrypted = false
. As a workaround you can set it to true, which is insecure, so I strongly recommend against doing this (cmd): see the
HTTP or HTTPS endpoint
section of https://pypi.python.org/pypi/pywinrm
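As an added example (not from the question, the answer, or the pywinrm project), the following PowerShell audit, run on the Windows host, reads the WinRM service settings the answer points at and reports which of the three situations the host is in: an HTTPS listener is available, AllowUnencrypted has been weakened to true, or (as in the question) AllowUnencrypted is false with no HTTPS listener so an HTTP client that cannot encrypt its messages is rejected. It assumes an elevated PowerShell session and the WSMan: provider that ships with Windows 2012 R2.

```powershell
# Added audit script, not part of the question or the answer above.
# Assumes an elevated PowerShell session on the Windows host; the WSMan:
# drive and its cmdlets are built into Windows 2012 R2.

function Get-WinRmTransportPosture {
    $svc = 'WSMan:\localhost\Service'
    # The WSMan provider exposes these as the strings "true"/"false".
    $allowUnencrypted = [bool]::Parse((Get-Item "$svc\AllowUnencrypted").Value)
    $kerberosEnabled  = [bool]::Parse((Get-Item "$svc\Auth\Kerberos").Value)

    # Each listener is a container whose child items hold Transport, Port, etc.
    $listeners = Get-ChildItem 'WSMan:\localhost\Listener' | ForEach-Object {
        $props = Get-ChildItem "WSMan:\localhost\Listener\$($_.Name)"
        [pscustomobject]@{
            Transport = ($props | Where-Object Name -eq 'Transport').Value
            Port      = ($props | Where-Object Name -eq 'Port').Value
        }
    }
    $hasHttps = [bool]($listeners | Where-Object Transport -eq 'HTTPS')

    $findings = @()
    if (-not $kerberosEnabled) {
        $findings += 'Kerberos auth is disabled on the service; the Kerberos ticket held on the control node cannot be used.'
    }
    if ($hasHttps) {
        $findings += 'An HTTPS listener exists: point ansible_port at it (5986 by default) instead of using 5985.'
    } elseif ($allowUnencrypted) {
        $findings += 'AllowUnencrypted=true: WinRM message bodies over 5985 travel in clear text; treat this as a finding, not a fix.'
    } else {
        $findings += 'AllowUnencrypted=false and no HTTPS listener: a client that cannot encrypt WinRM messages over HTTP is rejected (the error in the question).'
    }

    [pscustomobject]@{
        AllowUnencrypted = $allowUnencrypted
        KerberosAuth     = $kerberosEnabled
        Listeners        = $listeners
        Findings         = $findings
    }
}

Get-WinRmTransportPosture | Format-List
```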