Kerberos incomplete context error during auth

baloncu commented 1 year ago

I am trying to use pypsrp to send remote commands to my windows machine which only accepts kerberos authentication. When I try the following code snippet, it complains about the shellID. I assumed shell Id would be randomly assigned and not something user has to provide. Just to note that I can do winrs using powershell from another windows machine to this target (windows machine), and it works okay.

PS C:\Users\mozsoy> python3.10.exe
Python 3.10.8 (tags/v3.10.8:aaaf517, Oct 11 2022, 16:50:30) [MSC v.1933 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> from pypsrp.wsman import WSMan
>>> from pypsrp.shell import Process, SignalCode, WinRS
>>> wsman=WSMan("<hostname>", auth="kerberos", username="MOzsoy", ssl=False)
>>> winrs_shell = WinRS(wsman)
>>> proc = Process(winrs_shell, "dir")
>>> proc.invoke()
Traceback (most recent call last):
  File "C:\Users\mozsoy\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\pypsrp\wsman.py", line 855, in _send_request
    response.raise_for_status()
  File "C:\Users\mozsoy\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\requests\models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 500 Server Error:  for url: <hostname>:5985/wsman

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Users\mozsoy\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\pypsrp\wsman.py", line 470, in invoke
    response = self.transport.send(xml)
  File "C:\Users\mozsoy\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\pypsrp\wsman.py", line 837, in send
    return self._send_request(prep_request)
  File "C:\Users\mozsoy\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\pypsrp\wsman.py", line 862, in _send_request
    raise WinRMTransportError("http", code, response_text)
pypsrp.exceptions.WinRMTransportError: Bad HTTP response returned from the server. Code: 500, Content: '<s:Envelope xml:lang="en-US" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"><s:Header><a:Action>http://schemas.dmtf.org/wbem/wsman/1/wsman/fault</a:Action><a:MessageID>uuid:22E8A494-DE50-4A03-8122-AB8DFEFCD689</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:2B09A45A-DB37-4207-A9DB-57DDBEDAE8AF</a:RelatesTo></s:Header><s:Body><s:Fault><s:Code><s:Value>s:Sender</s:Value><s:Subcode><s:Value>w:InvalidSelectors</s:Value></s:Subcode></s:Code><s:Reason><s:Text xml:lang="en-US">The WS-Management service cannot process the request because the request did not contain all required selectors. </s:Text></s:Reason><s:Detail><w:FaultDetail>http://schemas.dmtf.org/wbem/wsman/1/wsman/faultDetail/InsufficientSelectors</w:FaultDetail><f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858842" Machine="2nnrcs2.corp.intusurg.com"><f:Message>The Windows Remote Shell cannot process the request because it requires the following selector: ShellId. Retry with the correct selector.  </f:Message></f:WSManFault></s:Detail></s:Fault></s:Body></s:Envelope>'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "C:\Users\mozsoy\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\pypsrp\shell.py", line 399, in invoke
    self.begin_invoke()
  File "C:\Users\mozsoy\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\pypsrp\shell.py", line 384, in begin_invoke
    response = self.shell.command(self.executable, self.arguments, no_shell=self.no_shell)
  File "C:\Users\mozsoy\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\pypsrp\shell.py", line 151, in command
    return self.wsman.command(self.resource_uri, cmd, option_set=options, selector_set=self._selector_set)
  File "C:\Users\mozsoy\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\pypsrp\wsman.py", line 268, in command
    res = self.invoke(WSManAction.COMMAND, resource_uri, resource, option_set, selector_set, timeout)
  File "C:\Users\mozsoy\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\pypsrp\wsman.py", line 474, in invoke
    raise self._parse_wsman_fault(err.response_text)
pypsrp.exceptions.WSManFaultError: Received a WSManFault message. (Code: 2150858842, Machine: <hostname>, Reason: The Windows Remote Shell cannot process the request because it requires the following selector: ShellId. Retry with the correct selector.)

same code snippet on linux side gives me an error "No context has been established".

Python 3.7.10 (default, Feb 20 2021, 21:21:24)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pypsrp.shell import Process, SignalCode, WinRS
>>> from pypsrp.wsman import WSMan
>>> wsman = WSMan('<hostname>', auth='kerberos', ssl=False, username='MOzsoy')
>>> winrs_shell = WinRS(wsman)
>>> proc = Process(winrs_shell, "dir")
>>> proc.invoke()
Traceback (most recent call last):
  File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 67, in wrapper
    return func(*args, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_gss.py", line 552, in step
    self._context_attr = int(self._context.actual_flags)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 61, in inquire_property
    return getattr(self._inquire(**{name: True}), name)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/decorator.py", line 232, in fun
    return caller(func, *(extras + args), **kw)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 165, in check_last_err
    return func(self, *args, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/sec_contexts.py", line 455, in _inquire
    res = rsec_contexts.inquire_context(self, **kwargs)
  File "gssapi/raw/sec_contexts.pyx", line 363, in gssapi.raw.sec_contexts.inquire_context
gssapi.raw.exceptions.MissingContextError: Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete security context

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 399, in invoke
    self.begin_invoke()
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 384, in begin_invoke
    response = self.shell.command(self.executable, self.arguments, no_shell=self.no_shell)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 151, in command
    return self.wsman.command(self.resource_uri, cmd, option_set=options, selector_set=self._selector_set)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 268, in command
    res = self.invoke(WSManAction.COMMAND, resource_uri, resource, option_set, selector_set, timeout)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 470, in invoke
    response = self.transport.send(xml)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 803, in send
    self._send_request(prep_request)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 840, in _send_request
    response = self.session.send(request, timeout=(self.connection_timeout, self.read_timeout))  # type: ignore[union-attr] # This should not happen
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 594, in send
    r = dispatch_hook('response', hooks, r, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/hooks.py", line 31, in dispatch_hook
    _hook_data = hook(hook_data, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 96, in response_hook
    response = self.handle_401(response, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 141, in handle_401
    out_token = context.step()
  File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 70, in wrapper
    raise SpnegoError(base_error=native_err, context_msg=context) from native_err
spnego.exceptions.NoContextError: SpnegoError (8): Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete security context, Context: Processing security token

Finally I wanted to test psrp only but that module is not found.

Python 3.7.10 (default, Feb 20 2021, 21:21:24)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import psrp
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ModuleNotFoundError: No module named 'psrp'

jborean93 commented 1 year ago

I assumed shell Id would be randomly assigned and not something user has to provide.

It does, you just need to open the shell first before you run a command.

wsman=WSMan("<hostname>", auth="kerberos", username="MOzsoy", ssl=False)

winrs_shell = WinRS(wsman)
winrs_shell.open()  # This sends the request to open the shell and get the ID

proc = Process(winrs_shell, "dir")
proc.invoke()

If writing a script it's best to use the with context to ensure it's cleaned up afterwards:

with WinRS(wsman) as winrs_shell:
    proc = Process(winrs_shell, "dir")
    proc.invoke()

The __enter__ method of WinRS calls open() for you as per https://github.com/jborean93/pypsrp/blob/c4c64817a64ff453bdd4675cf4e3d40194fc2923/src/pypsrp/shell.py#L95-L97

same code snippet on linux side gives me an error "No context has been established".

This occurred because you didn't provide a password and there was no GSSAPI credential available. Either call kinit username@REALM.COM to get the Kerb ticket for use in the library or provide it with password on the WSMan object.

Finally I wanted to test psrp only but that module is not found.

The psrp namespace is still in pre-release at 1.0.0b1. To use this you need to do pip install pypsrp --pre. Keep in mind thepsrpnamespace is still in beta and is focused more on the PSRemoting side rather than the WinRS stuff that you are using on thepypsrpside. If you want to see the old docs forpypsrp` then go to the readme for the last release https://github.com/jborean93/pypsrp/tree/v0.8.1.

baloncu commented 1 year ago

If writing a script it's best to use the with context to ensure it's cleaned up afterwards:

this worked. I was able to run the remote command.

This occurred because you didn't provide a password and there was no GSSAPI credential available. Either call kinit username@REALM.COM to get the Kerb ticket for use in the library or provide it with password on the WSMan object.

However, this didn't work. I have tried to give a password. And also tried the kinit. For kinit, I first did a purge of all tickets and executed the code snippet. I got spnego.exceptions.SpnegoError: SpnegoError (4294967295): Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): Can't find client principal MOzsoy@CORP.INTUSURG.COM in cache collection, Context: Getting GSSAPI credential error. Which makes sense.

>>> from pypsrp.shell import Process, WinRS
>>> from pypsrp.wsman import WSMan
>>> wsman = WSMan('<hostname>', ssl=False, auth='kerberos', username='MOzsoy')
>>> with wsman, WinRS(wsman) as shell:
...     process = Process(shell, 'dir')
...     process.invoke()

Then I did kinit as follows and again received the No context has been established error.

(host) mozsoy@mozsoy-ud1:~$ kinit -f -V MOzsoy@<domain_name>
Using default cache: /tmp/krb5cc_cdc365090202_Z7xTcY
Using principal: MOzsoy@<domain_name>
Password for MOzsoy@<domain_name>:
Authenticated to Kerberos v5
(host) mozsoy@mozsoy-ud1:~$ python3.7
Python 3.7.10 (default, Feb 20 2021, 21:21:24)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pypsrp.shell import Process, WinRS
>>> from pypsrp.wsman import WSMan
>>> wsman = WSMan('<hostname>', ssl=False, auth='kerberos', username='MOzsoy')
>>> with wsman, WinRS(wsman) as shell:
...     process = Process(shell, 'dir')
...     process.invoke()
...
Traceback (most recent call last):
  File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 67, in wrapper
    return func(*args, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_gss.py", line 552, in step
    self._context_attr = int(self._context.actual_flags)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 61, in inquire_property
    return getattr(self._inquire(**{name: True}), name)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/decorator.py", line 232, in fun
    return caller(func, *(extras + args), **kw)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 165, in check_last_err
    return func(self, *args, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/sec_contexts.py", line 455, in _inquire
    res = rsec_contexts.inquire_context(self, **kwargs)
  File "gssapi/raw/sec_contexts.pyx", line 363, in gssapi.raw.sec_contexts.inquire_context
gssapi.raw.exceptions.MissingContextError: Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete security context

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 96, in __enter__
    self.open()
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 205, in open
    response = self.wsman.create(self.resource_uri, shell, option_set=options if len(options.values) else None)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 290, in create
    res = self.invoke(WSManAction.CREATE, resource_uri, resource, option_set, selector_set, timeout)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 470, in invoke
    response = self.transport.send(xml)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 803, in send
    self._send_request(prep_request)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 840, in _send_request
    response = self.session.send(request, timeout=(self.connection_timeout, self.read_timeout))  # type: ignore[union-attr] # This should not happen
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 594, in send
    r = dispatch_hook('response', hooks, r, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/hooks.py", line 31, in dispatch_hook
    _hook_data = hook(hook_data, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 96, in response_hook
    response = self.handle_401(response, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 141, in handle_401
    out_token = context.step()
  File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 70, in wrapper
    raise SpnegoError(base_error=native_err, context_msg=context) from native_err
spnego.exceptions.NoContextError: SpnegoError (8): Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete security context, Context: Processing security token

jborean93 commented 1 year ago

When you specify the user, try to make sure it's in the UPN format, so username='M0zsoy@REALM.COM'. Omitting the realm will have the GSSAPI library try to lookup the user using it's own mapping rules which may or may not work. By being explicitly you bypass these rules and it will lookup the principal as it is. You can also omit the user entirely and it will attempt to use whatever is in the credential cache.

baloncu commented 1 year ago

Okay, I tried that.

(host) mozsoy@mozsoy-ud1:~$ python3.7
Python 3.7.10 (default, Feb 20 2021, 21:21:24)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pypsrp.shell import Process, WinRS
>>> from pypsrp.wsman import WSMan
>>> wsman = WSMan('<hostname>', ssl=False, auth='kerberos', username='MOzsoy@REALM.COM')
>>> with wsman, WinRS(wsman) as shell:
...     process = Process(shell, 'dir')
...     process.invoke()
...
Traceback (most recent call last):
  File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 67, in wrapper
    return func(*args, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_gss.py", line 552, in step
    self._context_attr = int(self._context.actual_flags)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 61, in inquire_property
    return getattr(self._inquire(**{name: True}), name)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/decorator.py", line 232, in fun
    return caller(func, *(extras + args), **kw)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 165, in check_last_err
    return func(self, *args, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/sec_contexts.py", line 455, in _inquire
    res = rsec_contexts.inquire_context(self, **kwargs)
  File "gssapi/raw/sec_contexts.pyx", line 363, in gssapi.raw.sec_contexts.inquire_context
gssapi.raw.exceptions.MissingContextError: Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete security context

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 96, in __enter__
    self.open()
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 205, in open
    response = self.wsman.create(self.resource_uri, shell, option_set=options if len(options.values) else None)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 290, in create
    res = self.invoke(WSManAction.CREATE, resource_uri, resource, option_set, selector_set, timeout)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 470, in invoke
    response = self.transport.send(xml)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 803, in send
    self._send_request(prep_request)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 840, in _send_request
    response = self.session.send(request, timeout=(self.connection_timeout, self.read_timeout))  # type: ignore[union-attr] # This should not happen
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 594, in send
    r = dispatch_hook('response', hooks, r, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/hooks.py", line 31, in dispatch_hook
    _hook_data = hook(hook_data, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 96, in response_hook
    response = self.handle_401(response, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 141, in handle_401
    out_token = context.step()
  File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 70, in wrapper
    raise SpnegoError(base_error=native_err, context_msg=context) from native_err
spnego.exceptions.NoContextError: SpnegoError (8): Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete security context, Context: Processing security token

Then I did purge the ticket list again, and used only kinit omitted the user altogether. It now had a ticket setup for mozsoy instead of MOzsoy. And when tried the wsman = WSMan('<hostname>', ssl=False, auth='kerberos', username='mozsoy') I get the same error. Btw, even if I purge the klist in windows, the code works okay without errors, no need to kinit.

jborean93 commented 1 year ago

Make sure the REALM.COM is your actual domain, for example on my test lap I do kinit vagrant-domain@DOMAIN.TEST so my username kwarg is username='vagrant-domain@DOMAIN.TEST'.

(ansible-311) jborean:~$ kinit vagrant-domain@DOMAIN.TEST
Password for vagrant-domain@DOMAIN.TEST:
(ansible-311) jborean:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: vagrant-domain@DOMAIN.TEST

Valid starting     Expires            Service principal
04/11/22 01:12:12  04/11/22 11:12:12  krbtgt/DOMAIN.TEST@DOMAIN.TEST
    renew until 05/11/22 01:12:10
(ansible-311) jborean:~$ python
Python 3.11.0 (main, Oct 31 2022, 10:45:54) [GCC 12.2.1 20220819 (Red Hat 12.2.1-2)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pypsrp.shell import Process, WinRS
>>> from pypsrp.wsman import WSMan
>>>
>>> wsman = WSMan('server2022.domain.test', ssl=False, auth='kerberos', username='vagrant-domain@DOMAIN.TEST')
>>> with wsman, WinRS(wsman) as shell:
...     process = Process(shell, 'dir')
...     process.invoke()
...
>>> print(process.stdout.decode())
 Volume in drive C is Windows 2022
 Volume Serial Number is 5C6E-7B10

 Directory of C:\Users\vagrant-domain

11/03/2022  12:59 PM    <DIR>          .
10/31/2022  09:30 PM    <DIR>          ..
11/03/2022  12:59 PM    <DIR>          .dotnet
10/31/2022  10:43 PM               246 .gitconfig
11/03/2022  12:59 PM    <DIR>          .nuget
11/02/2022  02:07 PM    <DIR>          .omnisharp
...

Btw, even if I purge the klist in windows, the code works okay without errors, no need to kinit.

That's because Windows handles all the session tickets for you. It will always have your users ticket ready for use. Unlike on Linux where you effectively need to call kinit yourself or have some other service do that for you.

baloncu commented 1 year ago

I am not writing MOzsoy@REALM.COM I am using the actual realm, I just didn't want to print it to public space. But here actually how it looks like

(host) mozsoy@mozsoy-ud1:~$ kdestroy
(host) mozsoy@mozsoy-ud1:~$ kinit -f -V MOzsoy@CORP.INTUSURG.COM
Using default cache: /tmp/krb5cc_cdc365090202_Z7xTcY
Using principal: MOzsoy@CORP.INTUSURG.COM
Password for MOzsoy@CORP.INTUSURG.COM:
Authenticated to Kerberos v5
(host) mozsoy@mozsoy-ud1:~$ python3.7
Python 3.7.10 (default, Feb 20 2021, 21:21:24)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pypsrp.shell import Process, WinRS
>>> from pypsrp.wsman import WSMan
>>> wsman = WSMan('2nnrcs2.corp.intusurg.com', ssl=False, auth='kerberos', username='MOzsoy@CORP.INTUSURG.COM')
>>> with wsman, WinRS(wsman) as shell:
...     process = Process(shell, 'dir')
...     process.invoke()
...
Traceback (most recent call last):
  File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 67, in wrapper
    return func(*args, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_gss.py", line 552, in step
    self._context_attr = int(self._context.actual_flags)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 61, in inquire_property
    return getattr(self._inquire(**{name: True}), name)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/decorator.py", line 232, in fun
    return caller(func, *(extras + args), **kw)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 165, in check_last_err
    return func(self, *args, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/sec_contexts.py", line 455, in _inquire
    res = rsec_contexts.inquire_context(self, **kwargs)
  File "gssapi/raw/sec_contexts.pyx", line 363, in gssapi.raw.sec_contexts.inquire_context
gssapi.raw.exceptions.MissingContextError: Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 96, in __enter__
    self.open()
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 205, in open
    response = self.wsman.create(self.resource_uri, shell, option_set=options if len(options.values) else None)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 290, in create
    res = self.invoke(WSManAction.CREATE, resource_uri, resource, option_set, selector_set, timeout)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 470, in invoke
    response = self.transport.send(xml)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 803, in send
    self._send_request(prep_request)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 840, in _send_request
    response = self.session.send(request, timeout=(self.connection_timeout, self.read_timeout))  # type: ignore[union-attr] # This shoul
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 594, in send
    r = dispatch_hook('response', hooks, r, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/hooks.py", line 31, in dispatch_hook
    _hook_data = hook(hook_data, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 96, in response_hook
    response = self.handle_401(response, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 141, in handle_401
    out_token = context.step()
  File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 70, in wrapper
    raise SpnegoError(base_error=native_err, context_msg=context) from native_err
spnego.exceptions.NoContextError: SpnegoError (8): Major (524288): No context has been established, Minor (39756039): Attempt to use incext: Processing security token

jborean93 commented 1 year ago

Hmm I can actually replicate this now. It seems to be a bug with straight Kerberos auth when Kerberos only is allowed. I'll have to step through the code to see what is different and why it might be doing this for the Kerberos only branch.

jborean93 commented 1 year ago

Scratch that, was another environment issue. Things work just fine.

Does it work with both the username and password set? Can you run with KRB5_TRACE=/dev/stdout (or some other path to log the data) and see if there is anything highlighting why it's failing to find the credential.

Can you also try running this after using kinit to get the ticket

import gssapi

username = "username@REALM.COM"
spn = "host@target-host.realm.com"

kerberos = gssapi.OID.from_int_seq("1.2.840.113554.1.2.2")

user_princ = gssapi.Name(username, name_type=gssapi.NameType.user)
cred = gssapi.Credentials(name=user_princ, usage="initiate", mechs=[kerberos])

c = gssapi.SecurityContext(
    name=gssapi.Name(spn, name_type=gssapi.NameType.hostbased_service),
    creds=cred,
    mech=kerberos,
    usage="initiate",
)

c.step()

print(c.complete)
print(c.actual_flags)

This replicates the same steps pypsrp does to get the first Kerberos token for authentication.

baloncu commented 1 year ago

Okay, this is what I see when I direct krb_trace to stdout.

(host) mozsoy@mozsoy-ud1:~$ export KRB5_TRACE=/dev/stdout
(host) mozsoy@mozsoy-ud1:~$ echo $KRB5_TRACE
/dev/stdout
(host) mozsoy@mozsoy-ud1:~$ python3
Python 3.7.10 (default, Feb 20 2021, 21:21:24)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pypsrp.shell import Process, WinRS
>>> from pypsrp.wsman import WSMan
>>> wsman = WSMan('2nnrcs2.corp.intusurg.com', ssl=False, auth='kerberos', username='MOzsoy@CORP.INTUSURG.COM', password="***")
>>> with wsman, WinRS(wsman) as shell:
...     process = Process(shell, 'dir')
...     process.invoke()
...
[120850] 1667455254.729380: Getting initial credentials for MOzsoy@CORP.INTUSURG.COM
[120850] 1667455254.729444: Sending request (175 bytes) to CORP.INTUSURG.COM
[120850] 1667455254.729459: Resolving hostname hq-dc1.corp.intusurg.com
[120850] 1667455254.739068: Initiating TCP connection to stream 172.20.250.95:88
[120850] 1667455254.739730: Sending TCP request to stream 172.20.250.95:88
[120850] 1667455254.744059: Received answer (207 bytes) from stream 172.20.250.95:88
[120850] 1667455254.744066: Terminating TCP connection to stream 172.20.250.95:88
[120850] 1667455254.744093: Response was from master KDC
[120850] 1667455254.744106: Received error from KDC: -1765328359/Additional pre-authentication required
[120850] 1667455254.744125: Processing preauth types: 16, 15, 19, 2
[120850] 1667455254.744133: Selected etype info: etype aes256-cts, salt "CORP.INTUSURG.COMMeltem.Ozsoy", params ""
[120850] 1667455254.751992: AS key obtained for encrypted timestamp: aes256-cts/8ACD
[120850] 1667455254.752024: Encrypted timestamp (for 1667455254.751996): plain 301AA011180F32303232313130333036303035345AA10502030B797C, encrypted EA012F24AC
[120850] 1667455254.752034: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[120850] 1667455254.752038: Produced preauth for next request: 2
[120850] 1667455254.752049: Sending request (253 bytes) to CORP.INTUSURG.COM
[120850] 1667455254.752056: Resolving hostname hq-dc1.corp.intusurg.com
[120850] 1667455254.760840: Initiating TCP connection to stream 172.20.250.95:88
[120850] 1667455254.761512: Sending TCP request to stream 172.20.250.95:88
[120850] 1667455254.766620: Received answer (3670 bytes) from stream 172.20.250.95:88
[120850] 1667455254.766626: Terminating TCP connection to stream 172.20.250.95:88
[120850] 1667455254.766651: Response was from master KDC
[120850] 1667455254.766666: Processing preauth types: 19
[120850] 1667455254.766673: Selected etype info: etype aes256-cts, salt "CORP.INTUSURG.COMMeltem.Ozsoy", params ""
[120850] 1667455254.766679: Produced preauth for next request: (empty)
[120850] 1667455254.766685: AS key determined by preauth: aes256-cts/8ACD
[120850] 1667455254.766718: Decrypted AS reply; session key is: aes256-cts/9E90
[120850] 1667455254.766729: FAST negotiation: unavailable
[120850] 1667455254.766768: Resolving unique ccache of type MEMORY
[120850] 1667455254.766779: Initializing MEMORY:0EbdsVZ with default princ MOzsoy@CORP.INTUSURG.COM
[120850] 1667455254.766790: Storing MOzsoy@CORP.INTUSURG.COM -> krbtgt/CORP.INTUSURG.COM@CORP.INTUSURG.COM in MEMORY:0EbdsVZ
[120850] 1667455254.784492: Getting credentials MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM using ccache MEMORY:0EbdsVZ
[120850] 1667455254.784521: Retrieving MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM from MEMORY:0EbdsVZ with result: -1765328243/Matching credential not found
[120850] 1667455254.784534: Retrieving MOzsoy@CORP.INTUSURG.COM -> krbtgt/CORP.INTUSURG.COM@CORP.INTUSURG.COM from MEMORY:0EbdsVZ with result: 0/Success
[120850] 1667455254.784551: Starting with TGT for client realm: MOzsoy@CORP.INTUSURG.COM -> krbtgt/CORP.INTUSURG.COM@CORP.INTUSURG.COM
[120850] 1667455254.784558: Requesting tickets for WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM, referrals on
[120850] 1667455254.784575: Generated subkey for TGS request: aes256-cts/1C37
[120850] 1667455254.784602: etypes requested in TGS request: aes256-cts, aes128-cts, rc4-hmac, des, des-cbc-crc
[120850] 1667455254.784655: Encoding request body and padata into FAST request
[120850] 1667455254.784712: Sending request (3813 bytes) to CORP.INTUSURG.COM
[120850] 1667455254.784727: Resolving hostname hq-dc1.corp.intusurg.com
[120850] 1667455254.793970: Initiating TCP connection to stream 172.20.250.95:88
[120850] 1667455254.794623: Sending TCP request to stream 172.20.250.95:88
[120850] 1667455254.811948: Received answer (3797 bytes) from stream 172.20.250.95:88
[120850] 1667455254.811959: Terminating TCP connection to stream 172.20.250.95:88
[120850] 1667455254.811994: Response was from master KDC
[120850] 1667455254.812012: Decoding FAST response
[120850] 1667455254.812089: FAST reply key: aes256-cts/7584
[120850] 1667455254.812118: TGS reply is for MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM with session key aes256-cts/AA72
[120850] 1667455254.812141: TGS request result: 0/Success
[120850] 1667455254.812147: Received creds for desired service WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM
[120850] 1667455254.812157: Storing MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM in MEMORY:0EbdsVZ
[120850] 1667455254.812195: Creating authenticator for MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM, seqnum 652471840, subkey aes256-cts/DDD0, session key aes256-cts/AA72
Traceback (most recent call last):
  File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 67, in wrapper
    return func(*args, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_gss.py", line 552, in step
    self._context_attr = int(self._context.actual_flags)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 61, in inquire_property
    return getattr(self._inquire(**{name: True}), name)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/decorator.py", line 232, in fun
    return caller(func, *(extras + args), **kw)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 165, in check_last_err
    return func(self, *args, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/sec_contexts.py", line 455, in _inquire
    res = rsec_contexts.inquire_context(self, **kwargs)
  File "gssapi/raw/sec_contexts.pyx", line 363, in gssapi.raw.sec_contexts.inquire_context
gssapi.raw.exceptions.MissingContextError: Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete security context

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 96, in __enter__
    self.open()
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 205, in open
    response = self.wsman.create(self.resource_uri, shell, option_set=options if len(options.values) else None)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 290, in create
    res = self.invoke(WSManAction.CREATE, resource_uri, resource, option_set, selector_set, timeout)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 470, in invoke
    response = self.transport.send(xml)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 803, in send
    self._send_request(prep_request)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 840, in _send_request
    response = self.session.send(request, timeout=(self.connection_timeout, self.read_timeout))  # type: ignore[union-attr] # This should not happen
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 594, in send
    r = dispatch_hook('response', hooks, r, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/hooks.py", line 31, in dispatch_hook
    _hook_data = hook(hook_data, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 96, in response_hook
    response = self.handle_401(response, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 141, in handle_401
    out_token = context.step()
  File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 70, in wrapper
    raise SpnegoError(base_error=native_err, context_msg=context) from native_err
spnego.exceptions.NoContextError: SpnegoError (8): Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete security context, Context: Processing security token

baloncu commented 1 year ago

for the code snippet you have, I do not know exactly what spn = "host@target-host.realm.com" refers to

baloncu commented 1 year ago

The code couldn't make it to use the spn. It failed on cred = gssapi.Credentials(name=user_princ, usage="initiate", mechs=[kerberos]) line. However, if this is exact same code in pypsrp, then shouldn't I see this error instead of the context related one?

(host) mozsoy@mozsoy-ud1:~$ python3
Python 3.7.10 (default, Feb 20 2021, 21:21:24)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import gssapi
>>> username= "MOzsoy@CORP.INTUSURG.COM"
>>> kerberos = gssapi.OID.from_int_seq("1.2.840.113554.1.2.2")
>>> user_princ = gssapi.Name(username, name_type=gssapi.NameType.user)
>>> cred = gssapi.Credentials(name=user_princ, usage="initiate", mechs=[kerberos])
[122139] 1667457049.776915: Retrieving MOzsoy@CORP.INTUSURG.COM from FILE:/etc/krb5/user/365090202/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/365090202/client.keytab' not found

jborean93 commented 1 year ago

for the code snippet you have, I do not know exactly what spn = "host@target-host.realm.com" refers to

It's the service principal name, essentially what Kerberos will request a key for. You need to change target-host.realm.com to the fully qualified name of the host you are connecting to. Essentially the value of "<server>" in your pypsrp code.

However, if this is exact same code in pypsrp, then shouldn't I see this error instead of the context related one?

You should but it is interesting that it's saying it can't find your client keytab. Do you have any of these env vars defined?

KRB5_CLIENT_KTNAME or default_client_keytab_name in krb5.conf - defines the default keytab path to use for auth
KRB5CCNAME or default_ccache_name in krb5.conf - defines the ccache location to store creds in

You can use the following to authenticate with a password and replicate kinit inside the Python process

import gssapi

username = "username@REALM.COM"
password = b"password"
spn = "host@target-host.realm.com"

kerberos = gssapi.OID.from_int_seq("1.2.840.113554.1.2.2")

user_princ = gssapi.Name(username, name_type=gssapi.NameType.user)
cred = gssapi.raw.acquire_cred_with_password(user_princ, password', usage='initiate', mechs=[kerberos]).creds

c = gssapi.SecurityContext(
    name=gssapi.Name(spn, name_type=gssapi.NameType.hostbased_service),
    creds=cred,
    mech=kerberos,
    usage="initiate",
)

c.step()

print(c.complete)
print(c.actual_flags)

Lastly, what's the output or krb5-config --version on your host?

baloncu commented 1 year ago

KRB5_CLIENT_KTNAME or default_client_keytab_name in krb5.conf - defines the default keytab path to use for auth

I do not have neither of these setup

KRB5CCNAME or default_ccache_name in krb5.conf - defines the ccache location to store creds in

I have the environment variable setup but not the one in config.

Lastly, what's the output or krb5-config --version on your host?
(host) mozsoy@mozsoy-ud1:~$ krb5-config --version
Kerberos 5 release 1.13.2

I am seeing the error for the context not being established when I run the code for replicating kinit in python. Should have used something else for spn btw? I tried to use spn = "MOzsoy@2NNRCS2.CORP.INTUSURG.COM" but that gave me the following error File "gssapi/raw/sec_contexts.pyx", line 188, in gssapi.raw.sec_contexts.init_sec_context gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638919): Server not found in Kerberos database

(host) mozsoy@mozsoy-ud1:~$ python3.7
Python 3.7.10 (default, Feb 20 2021, 21:21:24)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import gssapi
>>> username= "MOzsoy@CORP.INTUSURG.COM"
>>> password= b"***"
>>> spn = "WSMAN@2NNRCS2.CORP.INTUSURG.COM"
>>> kerberos = gssapi.OID.from_int_seq("1.2.840.113554.1.2.2")
>>> user_princ = gssapi.Name(username, name_type=gssapi.NameType.user)
>>> cred = gssapi.raw.acquire_cred_with_password(user_princ, password, usage='initiate', mechs=[kerberos]).creds
>>> c = gssapi.SecurityContext(name=gssapi.Name(spn, name_type=gssapi.NameType.hostbased_service), creds=cred, mech=kerberos, usage="initiate")
>>> large_output = c.step()
[62727] 1667496810.417540: Getting credentials MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM using ccache FILE:/tmp/krb5cc_cdc365090202_Z7xTcY
[62727] 1667496810.417609: Retrieving MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM from FILE:/tmp/krb5cc_cdc365090202_Z7xTcY with result: 0/Success
[62727] 1667496810.417658: Creating authenticator for MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM, seqnum 596339957, subkey aes256-cts/5849, session key aes256-cts/6F3B
>>> print(c.complete)
False
>>> print(c.actual_flags)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 61, in inquire_property
    return getattr(self._inquire(**{name: True}), name)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/decorator.py", line 232, in fun
    return caller(func, *(extras + args), **kw)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 165, in check_last_err
    return func(self, *args, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/sec_contexts.py", line 455, in _inquire
    res = rsec_contexts.inquire_context(self, **kwargs)
  File "gssapi/raw/sec_contexts.pyx", line 363, in gssapi.raw.sec_contexts.inquire_context
gssapi.raw.exceptions.MissingContextError: Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete security context

jborean93 commented 1 year ago

Cool so that's the same problem we see in pypsrp. I'll try to install your version and see if I can replicate. In any case I think we can work around this behaviour but it's best to see if I can replicate the problem first to make sure nothing else happens.

baloncu commented 1 year ago

what would be the workaround to this? I haven't had any code that passed this point yet. :(

jborean93 commented 1 year ago

I would need to update pyspnego to try/except that particular call and potentially ignore a failure. The trouble is I don't know if that will have any side effects going forward which is why I really want to try and replicate the problem.

Another workaround is to update the krb5 libs on your host as 1.13.2 is from 2015 https://web.mit.edu/kerberos/krb5-1.13/krb5-1.13.2.html. Unfortunately that's easier said than done and usually means either compiling it yourself (not easy) or updating the base host. For example CentOS 8 Stream comes with 1.18.2, even CentOS 7 which is one of the oldest still supported OSs out there is on 1.15.1

baloncu commented 1 year ago

I had another system with ubuntu 20.04 and it had newer version of kerberos.

$ krb5-config --version
Kerberos 5 release 1.17

and it did work as you expected, once I have done kinit and installed required libraries, the command went through. :) It would be great to have it working with 1.13.2 as well though.

jborean93 commented 1 year ago

The PR https://github.com/jborean93/pyspnego/pull/54 should fix this problem for the older MIT krb5 versions https://github.com/jborean93/pyspnego/pull/54. I haven't found the PR that actually fixed the issue but when testing locally it goes away with MIT krb5 1.14.x and newer. There's nothing in the changelog for 1.14 that would indicate it fixed the problem but it definitely doesn't happen anymore since then https://web.mit.edu/kerberos/krb5-1.14/.

So while the changes in pyspnego will help you, I highly recommend you find a way to move off this host as this version of krb5 is really old. There are many improvements and bugfixes since 1.13 and while I can workaround this problem I can't guarantee that if you come across another that I can do the same.

baloncu commented 1 year ago

Thanks for merging the fix, I will test and report. In the meantime, I tried to move my kerberos version to 1.20. It seemed like a successful upgrade but now I get a connection error. Maybe some settings got messed up.

requests.exceptions.ConnectionError: HTTPConnectionPool(host='2nnrcs2.corp.intusurg.com', port=5985): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<requests.packages.urllib3.connection.HTTPConnection object at 0x7fa26bcd8d90>: Failed to establish a new connection: [Errno -2] Name or service not known'))

jborean93 commented 1 year ago

That's a DNS problem, the host is unable to resolve 2nnrcs2.corp.intusurg.com.

baloncu commented 1 year ago

The previous one seems like a DNS issue, you are right. I just retried it. I still get the security context related error. Even though seems like my kerberos version is 1.20

(host) mozsoy@mozsoy-ud1:~/orion2/run$ klist -V
Kerberos 5 version 1.20

(host) mozsoy@mozsoy-ud1:~/orion2/run$ python3.7
Python 3.7.10 (default, Feb 20 2021, 21:21:24)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pypsrp.shell import Process, WinRS
>>> from pypsrp.wsman import WSMan
>>> wsman=WSMan("2nnrcs2.corp.intusurg.com", auth="kerberos", username="MOzsoy", ssl=False)
>>> with wsman, WinRS(wsman) as shell:
...     process = Process(shell,"dir")
...     process.invoke()
...
[121266] 1667521295.549561: Retrieving MOzsoy@CORP.INTUSURG.COM from FILE:/etc/krb5/user/365090202/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/365090202/client.keytab' not found
[121266] 1667521295.569388: Getting credentials MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM using ccache FILE:/tmp/krb5cc_cdc365090202_Z7xTcY
[121266] 1667521295.569441: Retrieving MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM from FILE:/tmp/krb5cc_cdc365090202_Z7xTcY with result: -1765328243/Matching credential not found
[121266] 1667521295.569479: Retrieving MOzsoy@CORP.INTUSURG.COM -> krbtgt/CORP.INTUSURG.COM@CORP.INTUSURG.COM from FILE:/tmp/krb5cc_cdc365090202_Z7xTcY with result: 0/Success
[121266] 1667521295.569487: Starting with TGT for client realm: MOzsoy@CORP.INTUSURG.COM -> krbtgt/CORP.INTUSURG.COM@CORP.INTUSURG.COM
[121266] 1667521295.569493: Requesting tickets for WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM, referrals on
[121266] 1667521295.569509: Generated subkey for TGS request: aes256-cts/B1CE
[121266] 1667521295.569538: etypes requested in TGS request: aes256-cts, aes128-cts, rc4-hmac, des, des-cbc-crc
[121266] 1667521295.569597: Encoding request body and padata into FAST request
[121266] 1667521295.569655: Sending request (3821 bytes) to CORP.INTUSURG.COM
[121266] 1667521295.569671: Resolving hostname hq-dc1.corp.intusurg.com
[121266] 1667521295.578717: Initiating TCP connection to stream 172.20.250.95:88
[121266] 1667521295.579410: Sending TCP request to stream 172.20.250.95:88
[121266] 1667521295.598005: Received answer (3797 bytes) from stream 172.20.250.95:88
[121266] 1667521295.598020: Terminating TCP connection to stream 172.20.250.95:88
[121266] 1667521295.598057: Response was from master KDC
[121266] 1667521295.598072: Decoding FAST response
[121266] 1667521295.598149: FAST reply key: aes256-cts/1FD0
[121266] 1667521295.598177: TGS reply is for MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM with session key aes256-cts/A208
[121266] 1667521295.598197: TGS request result: 0/Success
[121266] 1667521295.598202: Received creds for desired service WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM
[121266] 1667521295.598209: Storing MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM in FILE:/tmp/krb5cc_cdc365090202_Z7xTcY
[121266] 1667521295.598569: Creating authenticator for MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM, seqnum 183743689, subkey aes256-cts/1D65, session key aes256-cts/A208
Traceback (most recent call last):
  File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 67, in wrapper
    return func(*args, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_gss.py", line 552, in step
    self._context_attr = int(self._context.actual_flags)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 61, in inquire_property
    return getattr(self._inquire(**{name: True}), name)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/decorator.py", line 232, in fun
    return caller(func, *(extras + args), **kw)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 165, in check_last_err
    return func(self, *args, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/sec_contexts.py", line 455, in _inquire
    res = rsec_contexts.inquire_context(self, **kwargs)
  File "gssapi/raw/sec_contexts.pyx", line 363, in gssapi.raw.sec_contexts.inquire_context
gssapi.raw.exceptions.MissingContextError: Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete security context

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 96, in __enter__
    self.open()
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 205, in open
    response = self.wsman.create(self.resource_uri, shell, option_set=options if len(options.values) else None)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 290, in create
    res = self.invoke(WSManAction.CREATE, resource_uri, resource, option_set, selector_set, timeout)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 470, in invoke
    response = self.transport.send(xml)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 803, in send
    self._send_request(prep_request)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 840, in _send_request
    response = self.session.send(request, timeout=(self.connection_timeout, self.read_timeout))  # type: ignore[union-attr] # This should not happen
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 594, in send
    r = dispatch_hook('response', hooks, r, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/hooks.py", line 31, in dispatch_hook
    _hook_data = hook(hook_data, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 96, in response_hook
    response = self.handle_401(response, **kwargs)
  File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 141, in handle_401
    out_token = context.step()
  File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 70, in wrapper
    raise SpnegoError(base_error=native_err, context_msg=context) from native_err
spnego.exceptions.NoContextError: SpnegoError (8): Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete security context, Context: Processing security token

jborean93 commented 1 year ago

The new version of pyspnego just went out (minutes ago). Make sure that you have 0.6.3 installed. If you've upgrade the krb5 libs then you will also need to reinstall the Python gssapi library making sure it uses that newly installed version.

baloncu commented 1 year ago

okay, I went a little overboard and uninstalled couple more modules, rebooted my machine and installed them again. It works now with kerberos 1.20. Thank you very much for all the help.

jborean93 / pyspnego

Kerberos incomplete context error during auth #55