Ansible with winrm only works as root?

Posted: 2020-04-14 14:18:59

Question:

I am using ansible 2.9.6, installed via pip, with python 3.7.3 on a Debian buster server, and I am trying to use it to manage some of our Windows 2016 servers; I have already used PowerShell remoting to other Windows servers without any problem.

The strange thing is that I can only connect to the Windows server when the command is launched as root on the buster server.

For the Windows part, I use this in ansible.cfg:

[windows:vars]
ansible_become=false
ansible_user=Administrateur
ansible_password=somepassword
ansible_port=5985
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
ansible_winrm_transport=credssp
ansible_become_method=runas

The result of running a simple win_ping check is:

As root:

sudo ansible -m win_ping srv-prp-tb01c -vvvvvv
ansible 2.9.6
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.7/dist-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.7.3 (default, Dec 20 2019, 18:57:59) [GCC 8.3.0]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/hosts inventory source with ini plugin
Loading callback plugin minimal of type stdout, v2.0 from /usr/local/lib/python3.7/dist-packages/ansible/plugins/callback/minimal.py
META: ran handlers
Using module file /usr/local/lib/python3.7/dist-packages/ansible/modules/windows/win_ping.ps1
Pipelining is enabled.
<srv-prp-tb01c> ESTABLISH WINRM CONNECTION FOR USER: Administrateur on PORT 5985 TO srv-prp-tb01c
<srv-prp-tb01c> WINRM CONNECT: transport=credssp endpoint=http://srv-prp-tb01c:5985/wsman
<srv-prp-tb01c> WINRM OPEN SHELL: 067774F1-8E9A-4366-A5B1-C9A47A2D665F
EXEC (via pipeline wrapper)
<srv-prp-tb01c> WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', 'UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=']
<srv-prp-tb01c> WINRM RESULT '<Response code 0, out "{"changed":false,"in", err "#< CLIXML\r\n<Objs Ver">'
<srv-prp-tb01c> WINRM STDOUT {"changed":false,"invocation":{"module_args":{"data":"pong"}},"ping":"pong"}

<srv-prp-tb01c> WINRM STDERR #< CLIXML
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"><Obj S="progress" RefId="0"><TN RefId="0"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN><MS><I64 N="SourceId">1</I64><PR N="Record"><AV>Préparation des modules à la première utilisation.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj></Objs>
<srv-prp-tb01c> WINRM CLOSE SHELL: 067774F1-8E9A-4366-A5B1-C9A47A2D665F
srv-prp-tb01c | SUCCESS => {
    "changed": false,
    "invocation": {
        "module_args": {
            "data": "pong"
        }
    },
    "ping": "pong"
}
META: ran handlers
META: ran handlers

As a normal user:

ansible -m win_ping srv-prp-tb01c -vvvvvv
ansible 2.9.6
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/fluxvision/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.7/dist-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.7.3 (default, Dec 20 2019, 18:57:59) [GCC 8.3.0]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/hosts inventory source with ini plugin
Loading callback plugin minimal of type stdout, v2.0 from /usr/local/lib/python3.7/dist-packages/ansible/plugins/callback/minimal.py
META: ran handlers
Using module file /usr/local/lib/python3.7/dist-packages/ansible/modules/windows/win_ping.ps1
Pipelining is enabled.
<srv-prp-tb01c> ESTABLISH WINRM CONNECTION FOR USER: Administrateur on PORT 5985 TO srv-prp-tb01c
<srv-prp-tb01c> WINRM CONNECT: transport=credssp endpoint=http://srv-prp-tb01c:5985/wsman
<srv-prp-tb01c> WINRM CONNECTION ERROR: Server did not response with a CredSSP token after step Step 1. TLS Handshake - actual 'Negotiate, Kerberos, CredSSP'
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/dist-packages/ansible/plugins/connection/winrm.py", line 413, in _winrm_connect
    self.shell_id = protocol.open_shell(codepage=65001)  # UTF-8
  File "/usr/local/lib/python3.7/dist-packages/winrm/protocol.py", line 166, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/local/lib/python3.7/dist-packages/winrm/protocol.py", line 243, in send_message
    resp = self.transport.send_message(message)
  File "/usr/local/lib/python3.7/dist-packages/winrm/transport.py", line 310, in send_message
    self.build_session()
  File "/usr/local/lib/python3.7/dist-packages/winrm/transport.py", line 293, in build_session
    self.setup_encryption()
  File "/usr/local/lib/python3.7/dist-packages/winrm/transport.py", line 299, in setup_encryption
    self._send_message_request(prepared_request, '')
  File "/usr/local/lib/python3.7/dist-packages/winrm/transport.py", line 328, in _send_message_request
    response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 653, in send
    r = dispatch_hook('response', hooks, r, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/hooks.py", line 31, in dispatch_hook
    _hook_data = hook(hook_data, **kwargs)
  File "/usr/local/lib/python3.7/dist-packages/requests_credssp/credssp.py", line 448, in response_hook
    response = self.handle_401(response, **kwargs)
  File "/usr/local/lib/python3.7/dist-packages/requests_credssp/credssp.py", line 484, in handle_401
    step_name)
  File "/usr/local/lib/python3.7/dist-packages/requests_credssp/credssp.py", line 517, in _get_credssp_token
    raise AuthenticationException(error_msg)
requests_credssp.exceptions.AuthenticationException: Server did not response with a CredSSP token after step Step 1. TLS Handshake - actual 'Negotiate, Kerberos, CredSSP'
srv-prp-tb01c | UNREACHABLE! => {
    "changed": false,
    "msg": "credssp: Server did not response with a CredSSP token after step Step 1. TLS Handshake - actual 'Negotiate, Kerberos, CredSSP'",
    "unreachable": true
}
I'm a bit at a loss here. Is this the expected behaviour?

Thanks for your help,

Nicolas


Answer 1:

For the record, this has nothing to do with root/non-root.

The normal user's environment has proxy definitions. The root account does not have them. After removing the definitions, everything works:

ansible@srv-prod-lnx01:~$ ansible -m win_ping srv-prp-tb01c
srv-prp-tb01c | UNREACHABLE! => {
    "changed": false,
    "msg": "credssp: Server did not response with a CredSSP token after step Step 1. TLS Handshake - actual 'Negotiate, Kerberos, CredSSP'",
    "unreachable": true
}

ansible@srv-prod-lnx01:~$ unset HTTP_PROXY

ansible@srv-prod-lnx01:~$ ansible -m win_ping srv-prp-tb01c
srv-prp-tb01c | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
More details: https://docs.microsoft.com/en-us/windows/win32/winrm/proxy-servers-and-winrm#configuring-a-proxy-server-for-winrm-20

Sorry for the noise.

Nicolas

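The answer's diagnosis, that the user's shell carries proxy variables while root's does not (sudo's default env_reset does not forward HTTP_PROXY, which is why `sudo ansible` behaved differently), can be checked without running Ansible at all. The following Python script is an added example and is not code from the question, the answer, Ansible or pywinrm: it models the usual curl/requests conventions for http_proxy, https_proxy and no_proxy (scheme-specific proxy variable, comma-separated bypass list with optional leading dots and ports) and reports, for a WinRM endpoint and an environment mapping, whether the request would be sent through a proxy and which NO_PROXY entry restores a direct connection. The endpoint is the one from the logs above; the proxy address, the sample environments and the `.corp.example` suffix are constructed for the example.

```python
"""Model how the standard *_proxy environment variables steer an HTTP client
such as the one pywinrm builds on (python-requests), so you can see why a
WinRM endpoint is proxied for one Unix account and reached directly by another.

This is a simplified re-implementation of the common curl/requests conventions,
not the code of pywinrm, requests or Ansible.
"""
from urllib.parse import urlparse


def _lookup(env, name):
    """Return the value of `name` from env, trying the lower-case and then the
    upper-case spelling, the way most clients honour both http_proxy and HTTP_PROXY."""
    for key in (name.lower(), name.upper()):
        value = env.get(key)
        if value:
            return value
    return None


def _split_host_port(entry):
    """Split a no_proxy entry such as 'host:5985' into ('host', '5985');
    an entry without a numeric port yields (entry, None)."""
    host, sep, port = entry.rpartition(":")
    if sep and port.isdigit():
        return host, port
    return entry, None


def host_bypasses_proxy(host, port, no_proxy):
    """True if host:port matches one of the comma-separated no_proxy entries.
    '*' matches everything; '.example.com' matches any sub-domain; a bare
    'example.com' matches that name and its sub-domains; an entry carrying a
    port only matches that port."""
    host = host.lower()
    for raw in no_proxy.split(","):
        entry = raw.strip().lower()
        if not entry:
            continue
        if entry == "*":
            return True
        e_host, e_port = _split_host_port(entry)
        if e_port is not None and e_port != str(port):
            continue
        if e_host.startswith("."):
            if host.endswith(e_host):
                return True
        elif host == e_host or host.endswith("." + e_host):
            return True
    return False


def effective_proxy(endpoint, env):
    """Return the proxy URL a *_proxy-honouring client would use for `endpoint`
    under the environment mapping `env`, or None for a direct connection.
    WinRM's default ports (5985 for http, 5986 for https) are assumed when the
    endpoint carries none."""
    url = urlparse(endpoint)
    scheme = url.scheme.lower()
    host = url.hostname or ""
    port = url.port or (5986 if scheme == "https" else 5985)
    proxy = _lookup(env, f"{scheme}_proxy")
    if proxy is None:
        return None
    if host_bypasses_proxy(host, port, _lookup(env, "no_proxy") or ""):
        return None
    return proxy


def diagnose(endpoint, env):
    """Summarise the routing decision and, when the endpoint would be proxied,
    the NO_PROXY entry that restores a direct connection to the WinRM listener."""
    proxy = effective_proxy(endpoint, env)
    host = urlparse(endpoint).hostname or ""
    if proxy is None:
        return {"proxied": False, "proxy": None, "fix": None}
    return {"proxied": True, "proxy": proxy, "fix": f"NO_PROXY={host}"}


if __name__ == "__main__":
    # Endpoint taken from the verbose log above; the proxy address and the
    # three environments are constructed for this example.
    endpoint = "http://srv-prp-tb01c:5985/wsman"
    user_env = {"HTTP_PROXY": "http://proxy.example.internal:3128"}
    root_env = {}  # what sudo's default env_reset leaves of the proxy settings
    fixed_env = dict(user_env, NO_PROXY="srv-prp-tb01c,.corp.example")
    for label, env in (("user", user_env), ("root", root_env), ("user+NO_PROXY", fixed_env)):
        print(f"{label:14s} {diagnose(endpoint, env)}")
```

To check a real account, pass `dict(os.environ)` as `env` from a shell logged in as that user and compare with the output under `sudo`. Adding the WinRM hosts (or their domain suffix) to NO_PROXY is usually preferable to unsetting HTTP_PROXY outright, because other tasks on the control node may legitimately need the proxy while the CredSSP handshake, as the answer found, must reach the WinRM listener directly.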
