Using Ansible on windows with domain user - authentication

I'm starting to learn Ansible but the documentation is not too helpful.
I have installed the control machine on RHEL and created the necessary hosts file and windows.yml.
But when trying to connect to the remote Windows server to get a pong back I get the following error:
[root@myd666 ansible_test]# ansible windows -i hosts -m win_ping
hostname | UNREACHABLE! => {
"changed": false,
"msg": "ssl: the specified credentials were rejected by the server",
"unreachable": true
}
After installing the python-kerberos dependencies,
I now get this error:
hostname | UNREACHABLE! => {
"changed": false,
"msg": "Kerberos auth failure: kinit: KDC reply did not match expectations while getting initial credentials",
"unreachable": true
}
My windows.yml file contains:
# it is suggested that these be encrypted with ansible-vault:
# ansible-vault edit group_vars/windows.yml
ansible_ssh_user: user@MYDOMAIN.NET
ansible_ssh_pass: password
ansible_ssh_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
Am I doing anything wrong with the syntax of Domain\user? Maybe I forgot to install something on the Windows machine? I only ran the ConfigureRemotingForAnsible.ps1 script, and Python is not installed there.
This is my krb5.conf file:
[libdefaults]
default_realm = MYDOMAIN.NET
#dns_lookup_realm = true
#dns_lookup_kdc = true
[realms]
MYDOMAIN.NET = {
kdc = dc1.mydomain.net
default_domain = hpeswlab.net
}
[domain_realm]
.mydomain.net = MYDOMAIN.NET
mydomain.net = MYDOMAIN.NET
And I do get a token using Kinit:
kinit -C user@MYDOMAIN.NET
klist
Klist output:
Valid starting Expires Service principal
01/31/2017 11:25:33 01/31/2017 21:25:33 krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
renew until 02/01/2017 11:25:29

In windows.yml, please double-check and ensure that the ansible_ssh_user: user@MYDOMAIN.NET line does indeed have the realm MYDOMAIN.NET in upper case. Somewhere, the realm request to the KDC is being sent in lower case instead of upper case, causing the 'KDC reply did not match expectations..' error.
In krb5.conf, case-sensitivity is also important. First I'll note that the KDC name is the name of an IP host, so it needs to be specified as a fully-qualified host name, like in the example shown below. It assumes your KDC is named "dc1.mydomain.net". Next, the domain name should only be in lower case. On the other hand, Kerberos realm names need to be in upper case - if the realm name is incorrectly specified in lower case in this file, that is another reason you may get this error message. Please modify your entire krb5.conf to look like that shown below (changing only "dc1" to the actual name) and it should work. Side note: you do not necessarily need the two dns_lookup_ lines in your krb5.conf, so please comment them out per the below. Those are fallback mechanisms only, as per the MIT Kerberos documentation, and may actually cause issues in your simple use case. After modifying either configuration file, make sure to restart the Ansible engine before testing again.
[libdefaults]
default_realm = MYDOMAIN.NET
#dns_lookup_realm = true
#dns_lookup_kdc = true
[realms]
MYDOMAIN.NET = {
kdc = dc1.mydomain.net
default_domain = mydomain.net
}
[domain_realm]
.mydomain.net = MYDOMAIN.NET
mydomain.net = MYDOMAIN.NET
Please refer to this MIT reference for how to properly set up the krb5.conf: Sample krb5.conf File
In the Hosts file, check to ensure your IP to name mappings are correct. Per the RFCs, Kerberos requires a properly functioning DNS, and you are at risk of shortchanging that if your Hosts file has outdated entries in it.
Finally, though I wasn't able to tell which version of Ansible you were using, I did some research and found that "Ansible 2.0 has deprecated the “ssh” from ansible_ssh_user, ansible_ssh_host, and ansible_ssh_port to become ansible_user, ansible_host, and ansible_port." This could certainly be part of the problem. See: Ansible on Windows Documentation

Related

Update Kerberos Cache

I have to connect to different devices simultaneously using Kerberos authentication. At present I am using the default (FILE) cache to store the Kerberos ticket, which stores only one ticket at a time. But for my requirement I have to store multiple tickets. Please suggest how to update the cache so that it stores multiple tickets, and how to access them. At present Kerberos tickets are accessed using kinit.
Please share the detailed steps to update the cache to handle the above requirement. I am new to this space; your help is much appreciated.
Below is the sample krb5.conf configuration file. By default File cache is used.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Updating with more information on my requirement: for example, under a single Active Directory there are 10 Windows devices that all share the same domain name, username and password. From this network (say from one Linux machine) I want to access these devices using Kerberos authentication as a different user, but not as the root user. Currently Kerberos uses the default FILE cache, which stores only one ticket at a time. But for my requirement I want to maintain all 10 tickets and access them not as the root user. With the FILE cache and as a different user I am able to access a device using Kerberos authentication. My application is running in a multi-threaded environment. Please share the detailed solution; I am new to this space.

I'm having trouble authenticating over AD to windows machines from my ansible host. 'Server not found in Kerberos Database' on Ubuntu 16.10

I'm having trouble authenticating over AD to windows machines from my ansible host. I have a valid kerberos ticket -
klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: ansible@SOMEDOMAIN.LOCAL
Issued Expires Principal
Mar 10 09:15:27 2017 Mar 10 19:15:24 2017 krbtgt/SOMEDOMAIN.LOCAL@SOMEDOMAIN.LOCAL
My kerberos config looks fine to me -
cat /etc/krb5.conf
[libdefaults]
default_realm = SOMEDOMAIN.LOCAL
# dns_lookup_realm = true
# dns_lookup_kdc = true
# ticket_lifetime = 24h
# renew_lifetime = 7d
# forwardable = true
# The following krb5.conf variables are only for MIT Kerberos.
# kdc_timesync = 1
# forwardable = true
# proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
# v4_instance_resolve = false
# v4_name_convert = {
# host = {
# rcmd = host
# ftp = ftp
# }
# plain = {
# something = something-else
# }
# }
# fcc-mit-ticketflags = true
[realms]
SOMEDOMAIN.LOCAL = {
kdc = prosperitydc1.somedomain.local
kdc = prosperitydc2.somedomain.local
default_domain = somedomain.local
admin_server = somedomain.local
}
[domain_realm]
.somedomain.local = SOMEDOMAIN.LOCAL
somedomain.local = SOMEDOMAIN.LOCAL
When running a test command - ansible windows -m win_ping -vvvvv I get
'Server not found in Kerberos database'.
ansible windows -m win_ping -vvvvv
Using /etc/ansible/ansible.cfg as config file
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/dist-packages/ansible/plugins/callback/__init__.pyc
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/core/windows/win_ping.ps1
<kerberostest.somedomain.local> ESTABLISH WINRM CONNECTION FOR USER: ansible@SOMEDOMAIN.LOCAL on PORT 5986 TO kerberostest.somedomain.local
<kerberostest.somedomain.local> WINRM CONNECT: transport=kerberos endpoint=https://kerberostest.somedomain.local:5986/wsman
<kerberostest.somedomain.local> WINRM CONNECTION ERROR: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/ansible/plugins/connection/winrm.py", line 154, in _winrm_connect
self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
File "/home/prosperity/.local/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
res = self.send_message(xmltodict.unparse(req))
File "/home/prosperity/.local/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
return self.transport.send_message(message)
File "/home/prosperity/.local/lib/python2.7/site-packages/winrm/transport.py", line 181, in send_message
prepared_request = self.session.prepare_request(request)
File "/home/prosperity/.local/lib/python2.7/site-packages/requests/sessions.py", line 407, in prepare_request
hooks=merge_hooks(request.hooks, self.hooks),
File "/home/prosperity/.local/lib/python2.7/site-packages/requests/models.py", line 306, in prepare
self.prepare_auth(auth, url)
File "/home/prosperity/.local/lib/python2.7/site-packages/requests/models.py", line 543, in prepare_auth
r = auth(self)
File "/home/prosperity/.local/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 308, in __call__
auth_header = self.generate_request_header(None, host, is_preemptive=True)
File "/home/prosperity/.local/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 148, in generate_request_header
raise KerberosExchangeError("%s failed: %s" % (kerb_stage, str(error.args)))
KerberosExchangeError: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))
kerberostest.somedomain.local | UNREACHABLE! => {
"changed": false,
"msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
"unreachable": true
}
I am able to ssh to the target machine
ssh -v1 kerberostest.somedomain.local -p 5986
OpenSSH_7.3p1 Ubuntu-1, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to kerberostest.somedomain.local [10.10.20.84] port 5986.
debug1: Connection established.
I can also ping all hosts with their hostname. I'm at a loss :(
Here is the ansible host file-
sudo cat /etc/ansible/hosts
# This is the default ansible 'hosts' file.
#
# It should live in /etc/ansible/hosts
#
# - Comments begin with the '#' character
# - Blank lines are ignored
# - Groups of hosts are delimited by [header] elements
# - You can enter hostnames or ip addresses
# - A hostname/ip can be a member of multiple groups
# Ex 1: Ungrouped hosts, specify before any group headers.
## green.example.com
## blue.example.com
## 192.168.100.1
## 192.168.100.10
# Ex 2: A collection of hosts belonging to the 'webservers' group
## [webservers]
## alpha.example.org
## beta.example.org
## 192.168.1.100
## 192.168.1.110
# If you have multiple hosts following a pattern you can specify
# them like this:
## www[001:006].example.com
# Ex 3: A collection of database servers in the 'dbservers' group
## [dbservers]
##
## db01.intranet.mydomain.net
## db02.intranet.mydomain.net
## 10.25.1.56
## 10.25.1.57
# Here's another example of host ranges, this time there are no
# leading 0s:
## db-[99:101]-node.example.com
[monitoring-servers]
#nagios
10.10.20.75 ansible_connection=ssh ansible_user=nagios
[windows]
#fileserver.somedomain.local#this machine isnt joined to the domain yet.
kerberostest.SOMEDOMAIN.LOCAL
[windows:vars]
#the following works for windows local account authentication
#ansible_ssh_user = prosperity
#ansible_ssh_pass = *********
#ansible_connection = winrm
#ansible_ssh_port = 5986
#ansible_winrm_server_cert_validation = ignore
#vars needed to authenticate on the windows domain using kerberos
ansible_user = ansible@SOMEDOMAIN.LOCAL
ansible_connection = winrm
ansible_winrm_scheme = https
ansible_winrm_transport = kerberos
ansible_winrm_server_cert_validation = ignore
I also tried connecting to the domain with realmd with success, but running the ansible command produced the same result.
This looks like a case of a missing SPN.
Here's the relevant error snippet:
<kerberostest.prosperityerp.local> ESTABLISH WINRM CONNECTION FOR USER: ansible@PROSPERITYERP.LOCAL on PORT 5986 TO kerberostest.prosperityerp.local
<kerberostest.prosperityerp.local> WINRM CONNECT: transport=kerberos endpoint=https://kerberostest.prosperityerp.local:5986/wsman
<kerberostest.prosperityerp.local> WINRM CONNECTION ERROR: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))
And that is based off something I noticed in your Ansible configuration file:
[windows]
#fileserver.prosperityerp.local#this machine isnt joined to the domain yet.
kerberostest.PROSPERITYERP.LOCAL
I think the "this machine isnt joined to the domain yet" line in that file is a good indicator that the SPN HTTP/kerberostest.prosperityerp.local does not exist in Active Directory, which would be causing the "server not found" message. You can SSH to kerberostest.prosperityerp.local, probably because it exists in DNS or in a Hosts file of the client machine, but unless and until the SPN HTTP/kerberostest.prosperityerp.local is created in Active Directory you will continue to get that error message. Adding that SPN properly at this point would be a whole other topic of discussion.
You could use a command like this to test if you have that SPN defined:
setspn -Q HTTP/kerberostest.prosperityerp.local
SPNs exist to represent to a Kerberos client where to find the service instance for that service on the network.
Also run:
nslookup kerberostest.prosperityerp.local
on at least two client machines to make sure the FQDN of the IP host where the Kerberized service is running exists in DNS. DNS is a requirement for Kerberos to run properly in a network.
Finally, you could use Wireshark on the client for further analysis; use the filter kerberos to highlight only Kerberos traffic.
In my case, the Server not found in Kerberos database error was a result of the target Windows machine's DNS name not being mapped to the right realm, as hinted at in this line from this Microsoft Technet Article:
The error “Server not found in Kerberos database” is common and can be misleading because it often appears when the service principal is not missing. The error can be caused by domain/realm mapping problems or it can be the result of a DNS problem where the service principal name is not being built correctly. Server logs and network traces can be used to determine what service principal is actually being requested.
I had playbook whoami.yaml:
- hosts: windows-machine.mydomain.com
tasks:
- name: Run 'whoami' command
win_command: whoami
Hosts file:
[windows]
windows-machine.mydomain.com
[windows:vars]
ansible_connection=winrm
ansible_winrm_transport=kerberos
ansible_user=user@FOO.BAR.MYDOMAIN.COM
ansible_password=<password>
ansible_port=5985
Since the DNS name was windows-machine.mydomain.com, but the AD realm was FOO.BAR.MYDOMAIN.COM I had to fix the mapping in my /etc/krb5.conf file on my Ansible host:
INCORRECT
This won't work for our case since this mapping rule won't apply to windows-machine.mydomain.com:
[domain_realm]
foo.bar.mydomain.com = FOO.BAR.MYDOMAIN.COM
CORRECT
This will correctly map windows-machine.mydomain.com to realm FOO.BAR.MYDOMAIN.COM
[domain_realm]
.mydomain.com = FOO.BAR.MYDOMAIN.COM
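The realm-mapping rule in this answer, together with the realm and KDC case rules from the first answer on this page, as an added example that is not code from any of the posts: a hypothetical Python checker that parses a constructed krb5.conf and resolves a host name to its realm the way a leading-dot [domain_realm] entry is meant to. It approximates MIT's lookup order (exact host name first, then parent domains written with a leading dot, longest first) and does not model DNS or referral fallbacks; the kdc name dc1.foo.bar.mydomain.com is assumed.

```python
import re

# Constructed krb5.conf mirroring the corrected files in the answers above.
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = FOO.BAR.MYDOMAIN.COM
[realms]
FOO.BAR.MYDOMAIN.COM = {
kdc = dc1.foo.bar.mydomain.com
default_domain = foo.bar.mydomain.com
}
[domain_realm]
.mydomain.com = FOO.BAR.MYDOMAIN.COM
mydomain.com = FOO.BAR.MYDOMAIN.COM
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser (hypothetical, not MIT's profile library).
    Returns {section: {key: value}}; a 'REALM = { ... }' block becomes a
    nested dict keyed by the realm name."""
    sections, current, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            block = None
        elif line.endswith("{"):
            block = current.setdefault(line[:-1].rstrip(" ="), {})
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            (block if block is not None else current)[key.strip()] = value.strip()
    return sections


def realm_for_host(hostname, domain_realm):
    """Map a host to a realm from [domain_realm]: exact host name first, then
    each parent domain with a leading dot, longest match first. Returns None
    when no entry applies, which is the 'INCORRECT' mapping case above."""
    table = {k.lower(): v for k, v in domain_realm.items()}
    host = hostname.lower()
    if host in table:
        return table[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return None


def case_problems(conf):
    """Flag the case mistakes the first answer describes: realm names must be
    upper case and each kdc must be a lower-case fully qualified host name."""
    problems = []
    for realm, settings in conf.get("realms", {}).items():
        if realm != realm.upper():
            problems.append(f"realm {realm!r} is not upper case")
        kdc = settings.get("kdc", "")
        if "." not in kdc or kdc != kdc.lower():
            problems.append(f"kdc {kdc!r} is not a lower-case FQDN")
    return problems
```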

nginx: not ask password for localnet + satisfy any cause 403

I'm trying to solve a problem similar to the one described here:
Nginx authentication except those on local network
I protect my whole site with LDAP auth,
but I want one "location" to be available without
auth for the local network, so I have a config like this:
server {
auth_ldap "LDAP Authentication";
auth_ldap_servers auth1;
location /for_localnet/ {
satisfy any;
allow 192.168.0.0/16;
deny all;
#I try with and without the lines below
auth_ldap "LDAP Authentication";
auth_ldap_servers auth1;
}
}
It works as expected for "localnet (192.168.x.x)", but for
access from the internet it shows error 403 if I open http://site/for_localnet/.
So I have to open "http://site", which asks for a password, and after that I can open
http://site/for_localnet/. So the question is: how do I force nginx to ask for a password
when I open "http://site/for_localnet/" from the internet?
The problem was a bug in nginx 1.4.6 (the default for Ubuntu 14.04.2 LTS).
It is described here: http://trac.nginx.org/nginx/ticket/285

Cant connect to database pymysql using a .my.cnf file

This function should connect to the database; because I've used an exception, I'll get my own message when incorrect input is found. But when I remove the try and except I get: "Access denied for user 'user'@'localhost' (using password: NO)".
It seems that it doesn't read my password. I have no clue why; a little help would be appreciated. Without this file, connection to the database works fine without any errors.
try:
self.conn = pymysql.connect(read_default_file="~/my.cnf")
self.curr = self.conn.cursor()
except pymysql.err.OperationalError :
sys.exit("Invalid Input: Wrong username/database or password found, please try again")
Information found in the .my.cnf file is :
[client]
host = 'localhost'
port = 3306
user = myusername
password = "mypassword"
You used:
pymysql.connect(read_default_file="~/my.cnf")
You should have used:
pymysql.connect(read_default_file='~/.my.cnf')
-------------------------------------^
Note the missing dot in the filename. You were just loading a different or non existent file.
The ~ is being expanded as shown here:
https://github.com/PyMySQL/PyMySQL/blob/18b62f6e1d6f65b403c9e8b650f4c3bb27b665e7/pymysql/connections.py#L619
Also I can confirm that no quotes or spaces are required in the .my.cnf file:
echo -e "[client]\nuser=root\npassword=defaultrootpwd" > ~/.my.cnf
First off, can you connect to your database using the following code?
import pymysql
conn = pymysql.connect(host='localhost',
port=3306,
user='myusername',
passwd='mypasswd')
If that doesn't work, then you might have some other problem (for instance, your database may be configured to only connect via socket for local clients)
As for the config file, I think this will work if you remove the quotation marks, like this:
[client]
host = localhost
port = 3306
user = myusername
password = mypassword
I saved your config file as test.cnf and ran the following code
# test.cnf
[client]
host = 'localhost'
port = 3306
user = myusername
password = "mypassword"
$ python3
>>> import configparser
>>> reader = configparser.RawConfigParser()
>>> reader.read('test.cnf')
>>> reader.get('client', 'host')
"'localhost'"
>>> reader.get('client', 'user')
'myusername'
As you can see, the config parser is treating quotes as part of the value.
Update: Workaround
The OP mentioned that the provided solution (i.e. removal of quotes) did not solve the problem he was facing. Here's a workaround that achieves separation of configuration / connection properties from program logic.
Save the configuration in a python file called dbsettings.py.
# dbsettings.py
connection_properties = {
'host': 'localhost',
'port': 3306,
'user': 'myusername',
'passwd': 'mypassword'
}
And then in your main program use the following lines for setting up the connection.
try:
from dbsettings import connection_properties
self.conn = pymysql.connect(**connection_properties)
self.curr = self.conn.cursor()
except pymysql.err.OperationalError :
sys.exit("Invalid Input: Wrong username/database or password found, please try again")
If your entire program is written in Python, then this allows the same separation of connection / config info from program logic as using the my.cnf method, and it is just as flexible if not more so. However, if other non-Python scripts need to reference the my.cnf file, then you'll have to maintain two separate MySQL config files.
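The two failure modes the answers in this thread point at, as an added example (a hypothetical loader, not PyMySQL's read_default_file implementation): a path without the dot that quietly resolves to a file that does not exist, and configparser keeping the quotes as part of the value, so that 'localhost' is looked up with its quotes. The option file content is a constructed copy of the asker's.

```python
import configparser
import os
import tempfile

# Constructed copy of the asker's option file, quotes included.
USER_MY_CNF = """[client]
host = 'localhost'
port = 3306
user = myusername
password = "mypassword"
"""


def _unquote(value):
    """Strip one pair of matching surrounding quotes, if present."""
    v = value.strip()
    if len(v) >= 2 and v[0] == v[-1] and v[0] in "\"'":
        return v[1:-1]
    return v


def raw_client_options(path):
    """Read [client] with configparser exactly as the answer's demo does.
    Returns None if the file does not exist, so a wrong path such as
    '~/my.cnf' (missing dot) is reported instead of silently ignored."""
    path = os.path.expanduser(path)
    if not os.path.isfile(path):
        return None
    reader = configparser.RawConfigParser()
    reader.read(path)
    return dict(reader.items("client")) if reader.has_section("client") else {}


def client_options(path):
    """Like raw_client_options, but with quotes removed and port as an int,
    giving a dict that can be passed as **kwargs to pymysql.connect()."""
    raw = raw_client_options(path)
    if raw is None:
        return None
    opts = {k: _unquote(v) for k, v in raw.items()}
    if "port" in opts:
        opts["port"] = int(opts["port"])
    return opts


def demo():
    """Write the constructed file into a temp dir and compare both loaders."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, ".my.cnf")
        with open(good, "w") as fh:
            fh.write(USER_MY_CNF)
        return {
            "missing_dot": raw_client_options(os.path.join(tmp, "my.cnf")),
            "raw_host": raw_client_options(good)["host"],
            "host": client_options(good)["host"],
            "port": client_options(good)["port"],
            "password": client_options(good)["password"],
        }
```

The keys host, port, user and password are the names pymysql.connect() accepts, so client_options(path) can be unpacked straight into it.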

Connecting to Cassandra (2.1.0) over SSL from cqlsh

I have Cassandra 2.1.0 running on Debian 7.6.0 and cqlsh running on the same machine. When I try to connect through cqlsh,
$/usr/local/cassandra-2.1.0/bin/cqlsh --ssl --debug
I get the following error message:
Using CQL driver: <module 'cassandra' from '/usr/local/cassandra-2.1.0/bin/../lib/cassandra-driver-internal-only-2.1.0.post.zip/cassandra-driver-2.1.0.post/cassandra/__init__.py'>
Connection error: ('Unable to connect to any servers', {'127.0.0.1': SSLError(0, '_ssl.c:340: error:00000000:lib(0):func(0):reason(0)')})
The details are as follows. Please let me know how to resolve this issue. Thanks in advance.
server side
As explained in (http://www.datastax.com/documentation/cassandra/2.1/cassandra/security/secureSSLCertificates_t.html), I have generated a keystore and have modified cassandra.yaml as follows:
client_encryption_options:
enabled: true
keystore: /usr/local/cassandra-2.1.0/ssl/.keystore
keystore_password: ***********
I have exported the public key of the server.
client side
Copied the public key exported from the previous step into ~/keys/cassandra_node0.cert.
Modified ~/.cassandra/cqlshrc as follows:
[connection]
hostname = 127.0.0.1
port = 9042
factory = cqlshlib.ssl.ssl_transport_factory
[tracing]
max_trace_wait = 10.0
[ssl]
certfile = ~/keys/cassandra_node0.cert
validate = true
I had the same issue.
Although you probably found the solution by now, I think it can be beneficial to record the solution for other people.
I followed the documentation from here to create a .pem certificate.
My cqlshrc ssl configuration looks as follows
[ssl]
certfile = /ssl/cqlsh.pem
validate = false
That worked for me.
As with all ssl related topics in cassandra's documentation, this part isn't covered well enough.