jborean93 / pypsrp

PowerShell Remoting Protocol for Python
MIT License

Failed to find server in Kerberos database #176

Closed jaimusx closed 1 year ago

jaimusx commented 1 year ago

Hi,

I have been successful in setting up PSRP connections for the majority of my servers (over 90% successful), but I have a small number that will not connect. Here is the following error:

"msg": "Unexpected failure during module execution: SpnegoError (4294967295): Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638919): Server not found in Kerberos database, Context: Processing security token", "stdout": ""

These are the settings I'm using in my ini file:

[all:vars]
ansible_user='myusername'
ansible_connection=psrp
ansible_psrp_port=5985
ansible_psrp_auth=kerberos
ansible_psrp_protocol=http
ansible_psrp_cert_validation=ignore

This is what I am using in my krb5.conf file for the libdefaults:

[libdefaults]
  default_realm = MY.REALM.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 1
  default_ccache_name = FILE:/tmp/krb5cc_%{uid}

Here is the full error traceback:

Traceback (most recent call last):
  File "/home/jaimus/.local/lib/python3.10/site-packages/spnego/_context.py", line 67, in wrapper
    return func(*args, **kwargs)
  File "/home/jaimus/.local/lib/python3.10/site-packages/spnego/_gss.py", line 430, in step
    out_token = self._context.step(in_token)
  File "/home/jaimus/.local/lib/python3.10/site-packages/decorator.py", line 232, in fun
    return caller(func, *(extras + args), **kw)
  File "/home/jaimus/.local/lib/python3.10/site-packages/gssapi/_utils.py", line 165, in check_last_err
    return func(self, *args, **kwargs)
  File "/home/jaimus/.local/lib/python3.10/site-packages/decorator.py", line 232, in fun
    return caller(func, *(extras + args), **kw)
  File "/home/jaimus/.local/lib/python3.10/site-packages/gssapi/_utils.py", line 131, in catch_and_return_token
    return func(self, *args, **kwargs)
  File "/home/jaimus/.local/lib/python3.10/site-packages/gssapi/sec_contexts.py", line 584, in step
    return self._initiator_step(token=token)
  File "/home/jaimus/.local/lib/python3.10/site-packages/gssapi/sec_contexts.py", line 606, in _initiator_step
    res = rsec_contexts.init_sec_context(self._target_name, self._creds,
  File "gssapi/raw/sec_contexts.pyx", line 188, in gssapi.raw.sec_contexts.init_sec_context
gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529638919): Server not found in Kerberos database

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/jaimus/.local/lib/python3.10/site-packages/ansible/executor/task_executor.py", line 158, in run
    res = self._execute()
  File "/home/jaimus/.local/lib/python3.10/site-packages/ansible/executor/task_executor.py", line 629, in _execute
    result = self._handler.run(task_vars=vars_copy)
  File "/home/jaimus/.local/lib/python3.10/site-packages/ansible/plugins/action/normal.py", line 47, in run
    result = merge_hash(result, self._execute_module(task_vars=task_vars, wrap_async=wrap_async))
  File "/home/jaimus/.local/lib/python3.10/site-packages/ansible/plugins/action/__init__.py", line 1167, in _execute_module
    res = self._low_level_execute_command(cmd, sudoable=sudoable, in_data=in_data)
  File "/home/jaimus/.local/lib/python3.10/site-packages/ansible/plugins/action/__init__.py", line 1320, in _low_level_execute_command
    rc, stdout, stderr = self._connection.exec_command(cmd, in_data=in_data, sudoable=sudoable)
  File "/home/jaimus/.local/lib/python3.10/site-packages/ansible/plugins/connection/psrp.py", line 428, in exec_command
    super(Connection, self).exec_command(cmd, in_data=in_data,
  File "/home/jaimus/.local/lib/python3.10/site-packages/ansible/plugins/connection/__init__.py", line 35, in wrapped
    self._connect()
  File "/home/jaimus/.local/lib/python3.10/site-packages/ansible/plugins/connection/psrp.py", line 392, in _connect
    self.runspace.open()
  File "/home/jaimus/.local/lib/python3.10/site-packages/pypsrp/powershell.py", line 548, in open
    self.shell.open(options, open_content)
  File "/home/jaimus/.local/lib/python3.10/site-packages/pypsrp/shell.py", line 205, in open
    response = self.wsman.create(self.resource_uri, shell, option_set=options if len(options.values) else None)
  File "/home/jaimus/.local/lib/python3.10/site-packages/pypsrp/wsman.py", line 290, in create
    res = self.invoke(WSManAction.CREATE, resource_uri, resource, option_set, selector_set, timeout)
  File "/home/jaimus/.local/lib/python3.10/site-packages/pypsrp/wsman.py", line 470, in invoke
    response = self.transport.send(xml)
  File "/home/jaimus/.local/lib/python3.10/site-packages/pypsrp/wsman.py", line 803, in send
    self._send_request(prep_request)
  File "/home/jaimus/.local/lib/python3.10/site-packages/pypsrp/wsman.py", line 840, in _send_request
    response = self.session.send(request, timeout=(self.connection_timeout, self.read_timeout))  # type: ignore[union-attr] # This should not happen
  File "/home/jaimus/.local/lib/python3.10/site-packages/requests/sessions.py", line 708, in send
    r = dispatch_hook("response", hooks, r, **kwargs)
  File "/home/jaimus/.local/lib/python3.10/site-packages/requests/hooks.py", line 30, in dispatch_hook
    _hook_data = hook(hook_data, **kwargs)
  File "/home/jaimus/.local/lib/python3.10/site-packages/pypsrp/negotiate.py", line 96, in response_hook
    response = self.handle_401(response, **kwargs)
  File "/home/jaimus/.local/lib/python3.10/site-packages/pypsrp/negotiate.py", line 141, in handle_401
    out_token = context.step()
  File "/home/jaimus/.local/lib/python3.10/site-packages/spnego/_context.py", line 70, in wrapper
    raise SpnegoError(base_error=native_err, context_msg=context) from native_err
spnego.exceptions.SpnegoError: SpnegoError (4294967295): Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529638919): Server not found in Kerberos database, Context: Processing security token
fatal: [IPLASP-AS-1P.cable.comcast.com]: FAILED! => {
    "msg": "Unexpected failure during module execution: SpnegoError (4294967295): Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529638919): Server not found in Kerberos database, Context: Processing security token",
    "stdout": ""
}

I am wondering if this is a config issue on my end or there is something on the server side or some sort of group policy on the servers. It's strange that I can connect to the majority of the servers but only a small number are unreachable. Any help you can provide is immensely appreciated. Thanks in advance.

jborean93 commented 1 year ago

The current code that Ansible uses when targeting a Kerberos endpoint is to use the WSMan service which I've noticed for some servers isn't present (domain controllers mostly). What you can do is set ansible_psrp_negotiate_service=http to use the http SPN service component and things should start working.
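A small diagnostic that follows this answer, added here as an example and not code from pypsrp, Ansible or the commenter: it builds the `service@host` target name for each service class, extracts and explains the Kerberos minor code from the SpnegoError message quoted above, and (given a valid TGT in the default ccache and the python-gssapi package) asks the KDC for a ticket under each SPN so you can see which one is registered. The hostname argument and the `CANDIDATE_SERVICES` tuple are assumptions for the example.

```python
# Constructed diagnostic (not pypsrp/Ansible code): assumes a TGT in the default ccache and python-gssapi for the live probe.
import re
import sys
from typing import Optional, Tuple

# KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN as the unsigned 32-bit minor code MIT Kerberos reports as "Server not found in Kerberos database".
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = 2529638919

CANDIDATE_SERVICES = ("WSMAN", "HTTP")  # pypsrp default first; ansible_psrp_negotiate_service=http selects HTTP


def build_target(host: str, service: str = "WSMAN") -> str:
    """Host-based GSSAPI name (service@host) that pypsrp negotiates against."""
    return f"{service.upper()}@{host}"


def minor_code_from_message(message: str) -> Optional[int]:
    """Pull the Kerberos minor code out of a SpnegoError/GSSError message."""
    match = re.search(r"Minor \((\d+)\)", message)
    return int(match.group(1)) if match else None


def explain_minor_code(min_code: Optional[int]) -> str:
    """Map the minor code to an actionable hint for the psrp connection."""
    if min_code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
        return "no SPN for that service class on the target; try ansible_psrp_negotiate_service=http"
    return f"unhandled Kerberos minor code {min_code}"


def probe_spn(host: str, service: str) -> Tuple[str, bool]:
    """Request a ticket for service@host; False means the KDC has no such SPN."""
    import gssapi  # lazy import: only the live probe needs it
    from gssapi.exceptions import GSSError

    target = build_target(host, service)
    name = gssapi.Name(target, name_type=gssapi.NameType.hostbased_service)
    ctx = gssapi.SecurityContext(name=name, usage="initiate")
    try:
        ctx.step()  # first step issues the TGS-REQ for this SPN
    except GSSError as err:
        if err.min_code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
            return target, False
        raise  # expired TGT, unreachable KDC etc. are real errors, not a missing SPN
    return target, True


if __name__ == "__main__":
    for svc in CANDIDATE_SERVICES:
        target, found = probe_spn(sys.argv[1], svc)
        print(f"{target}: {'registered' if found else 'not in KDC'}")
```

Run it as `python probe.py <host>` on the control node that holds the Kerberos ticket; a host that reports WSMAN as "not in KDC" but HTTP as "registered" is exactly the case the override above fixes.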

jaimusx commented 1 year ago

That did the trick! Thank you immensely Jordan. You have my utmost gratitude!

jborean93 commented 1 year ago

You’re welcome.