jborean93 / pypsrp

PowerShell Remoting Protocol for Python
MIT License

Getting exception using pypsrp with Python 3.11 and user name in lower case #177

Closed sabman3 closed 2 months ago

sabman3 commented 1 year ago

I'm using pypsrp with ansible-core 2.14 on RHEL 9.2. The issue was that a specific user account was getting an exception with pypsrp. The username was in the format of @ (exception listed below). I looked at various aspects of the account in AD and did not see anything different. I viewed the security logs on the system that pypsrp was connecting to and noticed different logs for the account in question, which led me to believe it could be a matter of text case for the user. I switched the user name to the format of @ and the exception went away. I have other logons that use @ with no issues. I'm being told that with Python 3.9 and pypsrp this was not a problem. A fix may be to try multiple formats for the user name in the module?

ansible group vars PSRP settings (non-working):

    ansible_user: @
    ansible_password:
    ansible_port: 5985
    ansible_connection: psrp
    ansible_psrp_protocol: http
    ansible_psrp_cert_validation: ignore
    ansible_psrp_auth: kerberos
    ansible_psrp_negotiate_delegate: true
    ansible_psrp_negotiate_service: HOST
    ansible_psrp_connection_timeout: 60
    ansible_psrp_operation_timeout: 300
    ansible_psrp_read_timeout: 350
    ansible_psrp_reconnection_retries: 2

Ansible exception:

    The full traceback is:
    Traceback (most recent call last):
      File "/usr/local/lib/python3.11/site-packages/spnego/_context.py", line 67, in wrapper
        return func(*args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/spnego/_gss.py", line 551, in step
        out_token = self._context.step(in_token)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/decorator.py", line 232, in fun
        return caller(func, *(extras + args), **kw)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib64/python3.11/site-packages/gssapi/_utils.py", line 165, in check_last_err
        return func(self, *args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/decorator.py", line 232, in fun
        return caller(func, *(extras + args), **kw)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib64/python3.11/site-packages/gssapi/_utils.py", line 131, in catch_and_return_token
        return func(self, *args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib64/python3.11/site-packages/gssapi/sec_contexts.py", line 584, in step
        return self._initiator_step(token=token)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib64/python3.11/site-packages/gssapi/sec_contexts.py", line 606, in _initiator_step
        res = rsec_contexts.init_sec_context(self._target_name, self._creds,
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "gssapi/raw/sec_contexts.pyx", line 188, in gssapi.raw.sec_contexts.init_sec_context
    gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): Matching credential not found

The above exception was the direct cause of the following exception:

    Traceback (most recent call last):
      File "/usr/lib/python3.11/site-packages/ansible/executor/task_executor.py", line 158, in run
        res = self._execute()
              ^^^^^^^^^^^^^^^
      File "/usr/lib/python3.11/site-packages/ansible/executor/task_executor.py", line 629, in _execute
        result = self._handler.run(task_vars=vars_copy)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3.11/site-packages/ansible/plugins/action/normal.py", line 47, in run
        result = merge_hash(result, self._execute_module(task_vars=task_vars, wrap_async=wrap_async))
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3.11/site-packages/ansible/plugins/action/__init__.py", line 1167, in _execute_module
        res = self._low_level_execute_command(cmd, sudoable=sudoable, in_data=in_data)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3.11/site-packages/ansible/plugins/action/__init__.py", line 1320, in _low_level_execute_command
        rc, stdout, stderr = self._connection.exec_command(cmd, in_data=in_data, sudoable=sudoable)
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3.11/site-packages/ansible/plugins/connection/psrp.py", line 428, in exec_command
        super(Connection, self).exec_command(cmd, in_data=in_data,
      File "/usr/lib/python3.11/site-packages/ansible/plugins/connection/__init__.py", line 35, in wrapped
        self._connect()
      File "/usr/lib/python3.11/site-packages/ansible/plugins/connection/psrp.py", line 392, in _connect
        self.runspace.open()
      File "/usr/local/lib/python3.11/site-packages/pypsrp/powershell.py", line 548, in open
        self.shell.open(options, open_content)
      File "/usr/local/lib/python3.11/site-packages/pypsrp/shell.py", line 205, in open
        response = self.wsman.create(self.resource_uri, shell, option_set=options if len(options.values) else None)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/pypsrp/wsman.py", line 290, in create
        res = self.invoke(WSManAction.CREATE, resource_uri, resource, option_set, selector_set, timeout)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/pypsrp/wsman.py", line 470, in invoke
        response = self.transport.send(xml)
                   ^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/pypsrp/wsman.py", line 803, in send
        self._send_request(prep_request)
      File "/usr/local/lib/python3.11/site-packages/pypsrp/wsman.py", line 840, in _send_request
        response = self.session.send(request, timeout=(self.connection_timeout, self.read_timeout))  # type: ignore[union-attr] # This should not happen
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/requests/sessions.py", line 662, in send
        r = dispatch_hook('response', hooks, r, **kwargs)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/requests/hooks.py", line 31, in dispatch_hook
        _hook_data = hook(hook_data, **kwargs)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/pypsrp/negotiate.py", line 96, in response_hook
        response = self.handle_401(response, **kwargs)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/pypsrp/negotiate.py", line 141, in handle_401
        out_token = context.step()
                    ^^^^^^^^^^^^^^
      File "/usr/local/lib/python3.11/site-packages/spnego/_context.py", line 70, in wrapper
        raise SpnegoError(base_error=native_err, context_msg=context) from native_err
    spnego.exceptions.SpnegoError: SpnegoError (4294967295): Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): Matching credential not found, Context: Processing security token

    srvmgmtrpts.devsrp.local | FAILED! => {
        "msg": "Unexpected failure during module execution: SpnegoError (4294967295): Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): Matching credential not found, Context: Processing security token",
        "stdout": ""
    }

jborean93 commented 1 year ago

This error indicates that no password was actually set and the spnego module is trying to find a cached credential. The lookup behaviour of this is really down to the krb5 libraries, so it could potentially just be that a new change to those underlying libs made them case sensitive.

massimiliano-dalcero commented 2 months ago

I have the same problem using a username in lowercase when the samAccountName in Active Directory is all in upper case.

I discovered the problem when the system administrator recreated the user for me using uppercase characters and the login via Kerberos stopped working.

If I change the username to all caps it works fine, but this is not correct since Active Directory is case INsensitive.

pypsrp version: 0.8.1 on Ubuntu 22.04 with Python 3.10.12

jborean93 commented 2 months ago

See https://github.com/jborean93/pypsrp/issues/189#issuecomment-2212548238 as to why usernames are case sensitive with Kerberos on non-Windows platforms.
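Added example, not code from this thread, from pypsrp or from pyspnego: a small Python diagnostic for the situation the two maintainer comments above describe (no password supplied, so pyspnego asks the krb5 library for a cached credential, and on non-Windows that lookup treats the principal name as case-sensitive while Active Directory itself does not). It compares the name you would put in `ansible_user` against the `Default principal:` line of `klist` output and reports whether the only difference is case. The sample `klist` output, the account name `SVCANSIBLE` and the realm `DEVSRP.LOCAL` are constructed for the illustration and are not taken from any system in the thread.

```python
"""Check whether a requested Kerberos principal matches the cached one exactly.

Added example; not pypsrp's or pyspnego's code. When no password is given,
pyspnego on Linux/macOS hands the name to the krb5 library, which looks for a
credential whose principal matches byte-for-byte. A lowercase user part in
ansible_user therefore does not find a TGT obtained as an uppercase principal,
even though AD would accept either spelling.
"""
import re
import shutil
import subprocess
import sys
from typing import Optional

# Constructed `klist` output for the illustration. The account name and the
# realm DEVSRP.LOCAL are assumptions, not captured from a real host.
SAMPLE_KLIST = """Ticket cache: KCM:1000
Default principal: SVCANSIBLE@DEVSRP.LOCAL

Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/DEVSRP.LOCAL@DEVSRP.LOCAL
"""


def parse_default_principal(klist_output: str) -> Optional[str]:
    """Return the 'Default principal:' value from klist output, or None if absent."""
    match = re.search(r"^Default principal:\s*(\S+)\s*$", klist_output, re.MULTILINE)
    return match.group(1) if match else None


def live_default_principal() -> Optional[str]:
    """Run the local klist, if installed, and return its default principal.

    Returns None when klist is missing or exits non-zero (no ccache, or expired).
    """
    klist = shutil.which("klist")
    if klist is None:
        return None
    proc = subprocess.run([klist], capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        return None
    return parse_default_principal(proc.stdout)


def diagnose(requested: str, klist_output: str) -> str:
    """Classify how `requested` (the ansible_user value) relates to the ccache.

    'match'               byte-for-byte equal: the krb5 ccache lookup will succeed
    'case-mismatch'       equal ignoring case: AD would accept it, the ccache lookup will not
    'different-principal' another account or realm entirely
    'no-ccache'           no default principal found in the klist output
    """
    cached = parse_default_principal(klist_output)
    if cached is None:
        return "no-ccache"
    if requested == cached:
        return "match"
    if requested.casefold() == cached.casefold():
        return "case-mismatch"
    return "different-principal"


if __name__ == "__main__":
    # Pass the exact ansible_user value; with no argument the constructed sample is used.
    user = sys.argv[1] if len(sys.argv) > 1 else "svcansible@DEVSRP.LOCAL"
    klist_text = SAMPLE_KLIST
    if len(sys.argv) > 1:
        live = live_default_principal()
        if live is not None:
            klist_text = "Default principal: " + live + "\n"
    print(diagnose(user, klist_text))  # sample input: case-mismatch
```

A `case-mismatch` result means the fix is on the client side: either spell `ansible_user` exactly as the principal in the cache (run `klist` to see it), or supply `ansible_password` so pyspnego obtains a fresh TGT for the name you gave instead of searching the cache. The check is stdlib-only and does not touch pyspnego, so it runs on a controller even where the Kerberos Python bindings are broken.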