Closed baloncu closed 1 year ago
I assumed shell Id would be randomly assigned and not something user has to provide.
It does, you just need to open the shell first before you run a command.
wsman=WSMan("<hostname>", auth="kerberos", username="MOzsoy", ssl=False)
winrs_shell = WinRS(wsman)
winrs_shell.open() # This sends the request to open the shell and get the ID
proc = Process(winrs_shell, "dir")
proc.invoke()
If writing a script it's best to use the with
context to ensure it's cleaned up afterwards:
with WinRS(wsman) as winrs_shell:
proc = Process(winrs_shell, "dir")
proc.invoke()
The __enter__
method of WinRS
calls open()
for you as per https://github.com/jborean93/pypsrp/blob/c4c64817a64ff453bdd4675cf4e3d40194fc2923/src/pypsrp/shell.py#L95-L97
same code snippet on linux side gives me an error "No context has been established".
This occurred because you didn't provide a password
and there was no GSSAPI credential available. Either call kinit username@REALM.COM
to get the Kerb ticket for use in the library or provide it with password
on the WSMan object.
Finally I wanted to test psrp only but that module is not found.
The psrp
namespace is still in pre-release at 1.0.0b1
. To use this you need to do pip
install pypsrp --pre. Keep in mind the
psrpnamespace is still in beta and is focused more on the PSRemoting side rather than the WinRS stuff that you are using on the
pypsrpside. If you want to see the old docs for
pypsrp` then go to the readme for the last release https://github.com/jborean93/pypsrp/tree/v0.8.1.
If writing a script it's best to use the with context to ensure it's cleaned up afterwards:
this worked. I was able to run the remote command.
This occurred because you didn't provide a password and there was no GSSAPI credential available. Either call kinit username@REALM.COM to get the Kerb ticket for use in the library or provide it with password on the WSMan object.
However, this didn't work. I have tried to give a password. And also tried the kinit.
For kinit,
I first did a purge of all tickets and executed the code snippet. I got spnego.exceptions.SpnegoError: SpnegoError (4294967295): Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): Can't find client principal MOzsoy@CORP.INTUSURG.COM in cache collection, Context: Getting GSSAPI credential
error. Which makes sense.
>>> from pypsrp.shell import Process, WinRS
>>> from pypsrp.wsman import WSMan
>>> wsman = WSMan('<hostname>', ssl=False, auth='kerberos', username='MOzsoy')
>>> with wsman, WinRS(wsman) as shell:
... process = Process(shell, 'dir')
... process.invoke()
Then I did kinit as follows and again received the No context has been established
error.
(host) mozsoy@mozsoy-ud1:~$ kinit -f -V MOzsoy@<domain_name>
Using default cache: /tmp/krb5cc_cdc365090202_Z7xTcY
Using principal: MOzsoy@<domain_name>
Password for MOzsoy@<domain_name>:
Authenticated to Kerberos v5
(host) mozsoy@mozsoy-ud1:~$ python3.7
Python 3.7.10 (default, Feb 20 2021, 21:21:24)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pypsrp.shell import Process, WinRS
>>> from pypsrp.wsman import WSMan
>>> wsman = WSMan('<hostname>', ssl=False, auth='kerberos', username='MOzsoy')
>>> with wsman, WinRS(wsman) as shell:
... process = Process(shell, 'dir')
... process.invoke()
...
Traceback (most recent call last):
File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 67, in wrapper
return func(*args, **kwargs)
File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_gss.py", line 552, in step
self._context_attr = int(self._context.actual_flags)
File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 61, in inquire_property
return getattr(self._inquire(**{name: True}), name)
File "/home/mozsoy/.local/lib/python3.7/site-packages/decorator.py", line 232, in fun
return caller(func, *(extras + args), **kw)
File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 165, in check_last_err
return func(self, *args, **kwargs)
File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/sec_contexts.py", line 455, in _inquire
res = rsec_contexts.inquire_context(self, **kwargs)
File "gssapi/raw/sec_contexts.pyx", line 363, in gssapi.raw.sec_contexts.inquire_context
gssapi.raw.exceptions.MissingContextError: Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete security context
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 96, in __enter__
self.open()
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 205, in open
response = self.wsman.create(self.resource_uri, shell, option_set=options if len(options.values) else None)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 290, in create
res = self.invoke(WSManAction.CREATE, resource_uri, resource, option_set, selector_set, timeout)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 470, in invoke
response = self.transport.send(xml)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 803, in send
self._send_request(prep_request)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 840, in _send_request
response = self.session.send(request, timeout=(self.connection_timeout, self.read_timeout)) # type: ignore[union-attr] # This should not happen
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 594, in send
r = dispatch_hook('response', hooks, r, **kwargs)
File "/usr/lib/python3/dist-packages/requests/hooks.py", line 31, in dispatch_hook
_hook_data = hook(hook_data, **kwargs)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 96, in response_hook
response = self.handle_401(response, **kwargs)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 141, in handle_401
out_token = context.step()
File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 70, in wrapper
raise SpnegoError(base_error=native_err, context_msg=context) from native_err
spnego.exceptions.NoContextError: SpnegoError (8): Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete security context, Context: Processing security token
When you specify the user, try to make sure it's in the UPN format, so username='M0zsoy@REALM.COM'
. Omitting the realm will have the GSSAPI library try to lookup the user using it's own mapping rules which may or may not work. By being explicitly you bypass these rules and it will lookup the principal as it is. You can also omit the user entirely and it will attempt to use whatever is in the credential cache.
Okay, I tried that.
(host) mozsoy@mozsoy-ud1:~$ python3.7
Python 3.7.10 (default, Feb 20 2021, 21:21:24)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pypsrp.shell import Process, WinRS
>>> from pypsrp.wsman import WSMan
>>> wsman = WSMan('<hostname>', ssl=False, auth='kerberos', username='MOzsoy@REALM.COM')
>>> with wsman, WinRS(wsman) as shell:
... process = Process(shell, 'dir')
... process.invoke()
...
Traceback (most recent call last):
File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 67, in wrapper
return func(*args, **kwargs)
File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_gss.py", line 552, in step
self._context_attr = int(self._context.actual_flags)
File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 61, in inquire_property
return getattr(self._inquire(**{name: True}), name)
File "/home/mozsoy/.local/lib/python3.7/site-packages/decorator.py", line 232, in fun
return caller(func, *(extras + args), **kw)
File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 165, in check_last_err
return func(self, *args, **kwargs)
File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/sec_contexts.py", line 455, in _inquire
res = rsec_contexts.inquire_context(self, **kwargs)
File "gssapi/raw/sec_contexts.pyx", line 363, in gssapi.raw.sec_contexts.inquire_context
gssapi.raw.exceptions.MissingContextError: Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete security context
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 96, in __enter__
self.open()
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 205, in open
response = self.wsman.create(self.resource_uri, shell, option_set=options if len(options.values) else None)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 290, in create
res = self.invoke(WSManAction.CREATE, resource_uri, resource, option_set, selector_set, timeout)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 470, in invoke
response = self.transport.send(xml)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 803, in send
self._send_request(prep_request)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 840, in _send_request
response = self.session.send(request, timeout=(self.connection_timeout, self.read_timeout)) # type: ignore[union-attr] # This should not happen
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 594, in send
r = dispatch_hook('response', hooks, r, **kwargs)
File "/usr/lib/python3/dist-packages/requests/hooks.py", line 31, in dispatch_hook
_hook_data = hook(hook_data, **kwargs)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 96, in response_hook
response = self.handle_401(response, **kwargs)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 141, in handle_401
out_token = context.step()
File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 70, in wrapper
raise SpnegoError(base_error=native_err, context_msg=context) from native_err
spnego.exceptions.NoContextError: SpnegoError (8): Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete security context, Context: Processing security token
Then I did purge the ticket list again, and used only kinit
omitted the user altogether. It now had a ticket setup for mozsoy instead of MOzsoy. And when tried the wsman = WSMan('<hostname>', ssl=False, auth='kerberos', username='mozsoy')
I get the same error.
Btw, even if I purge the klist in windows, the code works okay without errors, no need to kinit
.
Make sure the REALM.COM
is your actual domain, for example on my test lap I do kinit vagrant-domain@DOMAIN.TEST
so my username kwarg is username='vagrant-domain@DOMAIN.TEST'
.
(ansible-311) jborean:~$ kinit vagrant-domain@DOMAIN.TEST
Password for vagrant-domain@DOMAIN.TEST:
(ansible-311) jborean:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: vagrant-domain@DOMAIN.TEST
Valid starting Expires Service principal
04/11/22 01:12:12 04/11/22 11:12:12 krbtgt/DOMAIN.TEST@DOMAIN.TEST
renew until 05/11/22 01:12:10
(ansible-311) jborean:~$ python
Python 3.11.0 (main, Oct 31 2022, 10:45:54) [GCC 12.2.1 20220819 (Red Hat 12.2.1-2)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pypsrp.shell import Process, WinRS
>>> from pypsrp.wsman import WSMan
>>>
>>> wsman = WSMan('server2022.domain.test', ssl=False, auth='kerberos', username='vagrant-domain@DOMAIN.TEST')
>>> with wsman, WinRS(wsman) as shell:
... process = Process(shell, 'dir')
... process.invoke()
...
>>> print(process.stdout.decode())
Volume in drive C is Windows 2022
Volume Serial Number is 5C6E-7B10
Directory of C:\Users\vagrant-domain
11/03/2022 12:59 PM <DIR> .
10/31/2022 09:30 PM <DIR> ..
11/03/2022 12:59 PM <DIR> .dotnet
10/31/2022 10:43 PM 246 .gitconfig
11/03/2022 12:59 PM <DIR> .nuget
11/02/2022 02:07 PM <DIR> .omnisharp
...
Btw, even if I purge the klist in windows, the code works okay without errors, no need to kinit.
That's because Windows handles all the session tickets for you. It will always have your users ticket ready for use. Unlike on Linux where you effectively need to call kinit
yourself or have some other service do that for you.
I am not writing MOzsoy@REALM.COM
I am using the actual realm, I just didn't want to print it to public space.
But here actually how it looks like
(host) mozsoy@mozsoy-ud1:~$ kdestroy
(host) mozsoy@mozsoy-ud1:~$ kinit -f -V MOzsoy@CORP.INTUSURG.COM
Using default cache: /tmp/krb5cc_cdc365090202_Z7xTcY
Using principal: MOzsoy@CORP.INTUSURG.COM
Password for MOzsoy@CORP.INTUSURG.COM:
Authenticated to Kerberos v5
(host) mozsoy@mozsoy-ud1:~$ python3.7
Python 3.7.10 (default, Feb 20 2021, 21:21:24)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pypsrp.shell import Process, WinRS
>>> from pypsrp.wsman import WSMan
>>> wsman = WSMan('2nnrcs2.corp.intusurg.com', ssl=False, auth='kerberos', username='MOzsoy@CORP.INTUSURG.COM')
>>> with wsman, WinRS(wsman) as shell:
... process = Process(shell, 'dir')
... process.invoke()
...
Traceback (most recent call last):
File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 67, in wrapper
return func(*args, **kwargs)
File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_gss.py", line 552, in step
self._context_attr = int(self._context.actual_flags)
File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 61, in inquire_property
return getattr(self._inquire(**{name: True}), name)
File "/home/mozsoy/.local/lib/python3.7/site-packages/decorator.py", line 232, in fun
return caller(func, *(extras + args), **kw)
File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 165, in check_last_err
return func(self, *args, **kwargs)
File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/sec_contexts.py", line 455, in _inquire
res = rsec_contexts.inquire_context(self, **kwargs)
File "gssapi/raw/sec_contexts.pyx", line 363, in gssapi.raw.sec_contexts.inquire_context
gssapi.raw.exceptions.MissingContextError: Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 96, in __enter__
self.open()
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 205, in open
response = self.wsman.create(self.resource_uri, shell, option_set=options if len(options.values) else None)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 290, in create
res = self.invoke(WSManAction.CREATE, resource_uri, resource, option_set, selector_set, timeout)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 470, in invoke
response = self.transport.send(xml)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 803, in send
self._send_request(prep_request)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 840, in _send_request
response = self.session.send(request, timeout=(self.connection_timeout, self.read_timeout)) # type: ignore[union-attr] # This shoul
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 594, in send
r = dispatch_hook('response', hooks, r, **kwargs)
File "/usr/lib/python3/dist-packages/requests/hooks.py", line 31, in dispatch_hook
_hook_data = hook(hook_data, **kwargs)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 96, in response_hook
response = self.handle_401(response, **kwargs)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 141, in handle_401
out_token = context.step()
File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 70, in wrapper
raise SpnegoError(base_error=native_err, context_msg=context) from native_err
spnego.exceptions.NoContextError: SpnegoError (8): Major (524288): No context has been established, Minor (39756039): Attempt to use incext: Processing security token
Hmm I can actually replicate this now. It seems to be a bug with straight Kerberos auth when Kerberos only is allowed. I'll have to step through the code to see what is different and why it might be doing this for the Kerberos only branch.
Scratch that, was another environment issue. Things work just fine.
Does it work with both the username
and password
set? Can you run with KRB5_TRACE=/dev/stdout
(or some other path to log the data) and see if there is anything highlighting why it's failing to find the credential.
Can you also try running this after using kinit
to get the ticket
import gssapi
username = "username@REALM.COM"
spn = "host@target-host.realm.com"
kerberos = gssapi.OID.from_int_seq("1.2.840.113554.1.2.2")
user_princ = gssapi.Name(username, name_type=gssapi.NameType.user)
cred = gssapi.Credentials(name=user_princ, usage="initiate", mechs=[kerberos])
c = gssapi.SecurityContext(
name=gssapi.Name(spn, name_type=gssapi.NameType.hostbased_service),
creds=cred,
mech=kerberos,
usage="initiate",
)
c.step()
print(c.complete)
print(c.actual_flags)
This replicates the same steps pypsrp does to get the first Kerberos token for authentication.
Okay, this is what I see when I direct krb_trace to stdout.
(host) mozsoy@mozsoy-ud1:~$ export KRB5_TRACE=/dev/stdout
(host) mozsoy@mozsoy-ud1:~$ echo $KRB5_TRACE
/dev/stdout
(host) mozsoy@mozsoy-ud1:~$ python3
Python 3.7.10 (default, Feb 20 2021, 21:21:24)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pypsrp.shell import Process, WinRS
>>> from pypsrp.wsman import WSMan
>>> wsman = WSMan('2nnrcs2.corp.intusurg.com', ssl=False, auth='kerberos', username='MOzsoy@CORP.INTUSURG.COM', password="***")
>>> with wsman, WinRS(wsman) as shell:
... process = Process(shell, 'dir')
... process.invoke()
...
[120850] 1667455254.729380: Getting initial credentials for MOzsoy@CORP.INTUSURG.COM
[120850] 1667455254.729444: Sending request (175 bytes) to CORP.INTUSURG.COM
[120850] 1667455254.729459: Resolving hostname hq-dc1.corp.intusurg.com
[120850] 1667455254.739068: Initiating TCP connection to stream 172.20.250.95:88
[120850] 1667455254.739730: Sending TCP request to stream 172.20.250.95:88
[120850] 1667455254.744059: Received answer (207 bytes) from stream 172.20.250.95:88
[120850] 1667455254.744066: Terminating TCP connection to stream 172.20.250.95:88
[120850] 1667455254.744093: Response was from master KDC
[120850] 1667455254.744106: Received error from KDC: -1765328359/Additional pre-authentication required
[120850] 1667455254.744125: Processing preauth types: 16, 15, 19, 2
[120850] 1667455254.744133: Selected etype info: etype aes256-cts, salt "CORP.INTUSURG.COMMeltem.Ozsoy", params ""
[120850] 1667455254.751992: AS key obtained for encrypted timestamp: aes256-cts/8ACD
[120850] 1667455254.752024: Encrypted timestamp (for 1667455254.751996): plain 301AA011180F32303232313130333036303035345AA10502030B797C, encrypted EA012F24AC
[120850] 1667455254.752034: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[120850] 1667455254.752038: Produced preauth for next request: 2
[120850] 1667455254.752049: Sending request (253 bytes) to CORP.INTUSURG.COM
[120850] 1667455254.752056: Resolving hostname hq-dc1.corp.intusurg.com
[120850] 1667455254.760840: Initiating TCP connection to stream 172.20.250.95:88
[120850] 1667455254.761512: Sending TCP request to stream 172.20.250.95:88
[120850] 1667455254.766620: Received answer (3670 bytes) from stream 172.20.250.95:88
[120850] 1667455254.766626: Terminating TCP connection to stream 172.20.250.95:88
[120850] 1667455254.766651: Response was from master KDC
[120850] 1667455254.766666: Processing preauth types: 19
[120850] 1667455254.766673: Selected etype info: etype aes256-cts, salt "CORP.INTUSURG.COMMeltem.Ozsoy", params ""
[120850] 1667455254.766679: Produced preauth for next request: (empty)
[120850] 1667455254.766685: AS key determined by preauth: aes256-cts/8ACD
[120850] 1667455254.766718: Decrypted AS reply; session key is: aes256-cts/9E90
[120850] 1667455254.766729: FAST negotiation: unavailable
[120850] 1667455254.766768: Resolving unique ccache of type MEMORY
[120850] 1667455254.766779: Initializing MEMORY:0EbdsVZ with default princ MOzsoy@CORP.INTUSURG.COM
[120850] 1667455254.766790: Storing MOzsoy@CORP.INTUSURG.COM -> krbtgt/CORP.INTUSURG.COM@CORP.INTUSURG.COM in MEMORY:0EbdsVZ
[120850] 1667455254.784492: Getting credentials MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM using ccache MEMORY:0EbdsVZ
[120850] 1667455254.784521: Retrieving MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM from MEMORY:0EbdsVZ with result: -1765328243/Matching credential not found
[120850] 1667455254.784534: Retrieving MOzsoy@CORP.INTUSURG.COM -> krbtgt/CORP.INTUSURG.COM@CORP.INTUSURG.COM from MEMORY:0EbdsVZ with result: 0/Success
[120850] 1667455254.784551: Starting with TGT for client realm: MOzsoy@CORP.INTUSURG.COM -> krbtgt/CORP.INTUSURG.COM@CORP.INTUSURG.COM
[120850] 1667455254.784558: Requesting tickets for WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM, referrals on
[120850] 1667455254.784575: Generated subkey for TGS request: aes256-cts/1C37
[120850] 1667455254.784602: etypes requested in TGS request: aes256-cts, aes128-cts, rc4-hmac, des, des-cbc-crc
[120850] 1667455254.784655: Encoding request body and padata into FAST request
[120850] 1667455254.784712: Sending request (3813 bytes) to CORP.INTUSURG.COM
[120850] 1667455254.784727: Resolving hostname hq-dc1.corp.intusurg.com
[120850] 1667455254.793970: Initiating TCP connection to stream 172.20.250.95:88
[120850] 1667455254.794623: Sending TCP request to stream 172.20.250.95:88
[120850] 1667455254.811948: Received answer (3797 bytes) from stream 172.20.250.95:88
[120850] 1667455254.811959: Terminating TCP connection to stream 172.20.250.95:88
[120850] 1667455254.811994: Response was from master KDC
[120850] 1667455254.812012: Decoding FAST response
[120850] 1667455254.812089: FAST reply key: aes256-cts/7584
[120850] 1667455254.812118: TGS reply is for MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM with session key aes256-cts/AA72
[120850] 1667455254.812141: TGS request result: 0/Success
[120850] 1667455254.812147: Received creds for desired service WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM
[120850] 1667455254.812157: Storing MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM in MEMORY:0EbdsVZ
[120850] 1667455254.812195: Creating authenticator for MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM, seqnum 652471840, subkey aes256-cts/DDD0, session key aes256-cts/AA72
Traceback (most recent call last):
File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 67, in wrapper
return func(*args, **kwargs)
File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_gss.py", line 552, in step
self._context_attr = int(self._context.actual_flags)
File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 61, in inquire_property
return getattr(self._inquire(**{name: True}), name)
File "/home/mozsoy/.local/lib/python3.7/site-packages/decorator.py", line 232, in fun
return caller(func, *(extras + args), **kw)
File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 165, in check_last_err
return func(self, *args, **kwargs)
File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/sec_contexts.py", line 455, in _inquire
res = rsec_contexts.inquire_context(self, **kwargs)
File "gssapi/raw/sec_contexts.pyx", line 363, in gssapi.raw.sec_contexts.inquire_context
gssapi.raw.exceptions.MissingContextError: Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete security context
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 96, in __enter__
self.open()
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 205, in open
response = self.wsman.create(self.resource_uri, shell, option_set=options if len(options.values) else None)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 290, in create
res = self.invoke(WSManAction.CREATE, resource_uri, resource, option_set, selector_set, timeout)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 470, in invoke
response = self.transport.send(xml)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 803, in send
self._send_request(prep_request)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 840, in _send_request
response = self.session.send(request, timeout=(self.connection_timeout, self.read_timeout)) # type: ignore[union-attr] # This should not happen
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 594, in send
r = dispatch_hook('response', hooks, r, **kwargs)
File "/usr/lib/python3/dist-packages/requests/hooks.py", line 31, in dispatch_hook
_hook_data = hook(hook_data, **kwargs)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 96, in response_hook
response = self.handle_401(response, **kwargs)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 141, in handle_401
out_token = context.step()
File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 70, in wrapper
raise SpnegoError(base_error=native_err, context_msg=context) from native_err
spnego.exceptions.NoContextError: SpnegoError (8): Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete security context, Context: Processing security token
for the code snippet you have, I do not know exactly what spn = "host@target-host.realm.com"
refers to
The code couldn't make it to use the spn. It failed on cred = gssapi.Credentials(name=user_princ, usage="initiate", mechs=[kerberos])
line. However, if this is exact same code in pypsrp
, then shouldn't I see this error instead of the context related one?
(host) mozsoy@mozsoy-ud1:~$ python3
Python 3.7.10 (default, Feb 20 2021, 21:21:24)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import gssapi
>>> username= "MOzsoy@CORP.INTUSURG.COM"
>>> kerberos = gssapi.OID.from_int_seq("1.2.840.113554.1.2.2")
>>> user_princ = gssapi.Name(username, name_type=gssapi.NameType.user)
>>> cred = gssapi.Credentials(name=user_princ, usage="initiate", mechs=[kerberos])
[122139] 1667457049.776915: Retrieving MOzsoy@CORP.INTUSURG.COM from FILE:/etc/krb5/user/365090202/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/365090202/client.keytab' not found
for the code snippet you have, I do not know exactly what spn = "host@target-host.realm.com" refers to
It's the service principal name, essentially what Kerberos will request a key for. You need to change target-host.realm.com
to the fully qualified name of the host you are connecting to. Essentially the value of "<server>"
in your pypsrp code.
However, if this is exact same code in pypsrp, then shouldn't I see this error instead of the context related one?
You should but it is interesting that it's saying it can't find your client keytab. Do you have any of these env vars defined?
KRB5_CLIENT_KTNAME
or default_client_keytab_name
in krb5.conf - defines the default keytab path to use for authKRB5CCNAME
or default_ccache_name
in krb5.conf - defines the ccache location to store creds inYou can use the following to authenticate with a password and replicate kinit
inside the Python process
import gssapi
username = "username@REALM.COM"
password = b"password"
spn = "host@target-host.realm.com"
kerberos = gssapi.OID.from_int_seq("1.2.840.113554.1.2.2")
user_princ = gssapi.Name(username, name_type=gssapi.NameType.user)
cred = gssapi.raw.acquire_cred_with_password(user_princ, password', usage='initiate', mechs=[kerberos]).creds
c = gssapi.SecurityContext(
name=gssapi.Name(spn, name_type=gssapi.NameType.hostbased_service),
creds=cred,
mech=kerberos,
usage="initiate",
)
c.step()
print(c.complete)
print(c.actual_flags)
Lastly, what's the output or krb5-config --version
on your host?
KRB5_CLIENT_KTNAME
ordefault_client_keytab_name
in krb5.conf - defines the default keytab path to use for auth
I do not have neither of these setup
KRB5CCNAME
ordefault_ccache_name
in krb5.conf - defines the ccache location to store creds in
I have the environment variable setup but not the one in config.
Lastly, what's the output or
krb5-config --version
on your host?(host) mozsoy@mozsoy-ud1:~$ krb5-config --version Kerberos 5 release 1.13.2
I am seeing the error for the context not being established when I run the code for replicating kinit in python.
Should have used something else for spn
btw? I tried to use spn = "MOzsoy@2NNRCS2.CORP.INTUSURG.COM"
but that gave me the following error File "gssapi/raw/sec_contexts.pyx", line 188, in gssapi.raw.sec_contexts.init_sec_context gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638919): Server not found in Kerberos database
(host) mozsoy@mozsoy-ud1:~$ python3.7
Python 3.7.10 (default, Feb 20 2021, 21:21:24)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import gssapi
>>> username= "MOzsoy@CORP.INTUSURG.COM"
>>> password= b"***"
>>> spn = "WSMAN@2NNRCS2.CORP.INTUSURG.COM"
>>> kerberos = gssapi.OID.from_int_seq("1.2.840.113554.1.2.2")
>>> user_princ = gssapi.Name(username, name_type=gssapi.NameType.user)
>>> cred = gssapi.raw.acquire_cred_with_password(user_princ, password, usage='initiate', mechs=[kerberos]).creds
>>> c = gssapi.SecurityContext(name=gssapi.Name(spn, name_type=gssapi.NameType.hostbased_service), creds=cred, mech=kerberos, usage="initiate")
>>> large_output = c.step()
[62727] 1667496810.417540: Getting credentials MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM using ccache FILE:/tmp/krb5cc_cdc365090202_Z7xTcY
[62727] 1667496810.417609: Retrieving MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM from FILE:/tmp/krb5cc_cdc365090202_Z7xTcY with result: 0/Success
[62727] 1667496810.417658: Creating authenticator for MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM, seqnum 596339957, subkey aes256-cts/5849, session key aes256-cts/6F3B
>>> print(c.complete)
False
>>> print(c.actual_flags)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 61, in inquire_property
return getattr(self._inquire(**{name: True}), name)
File "/home/mozsoy/.local/lib/python3.7/site-packages/decorator.py", line 232, in fun
return caller(func, *(extras + args), **kw)
File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 165, in check_last_err
return func(self, *args, **kwargs)
File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/sec_contexts.py", line 455, in _inquire
res = rsec_contexts.inquire_context(self, **kwargs)
File "gssapi/raw/sec_contexts.pyx", line 363, in gssapi.raw.sec_contexts.inquire_context
gssapi.raw.exceptions.MissingContextError: Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete security context
Cool so that's the same problem we see in pypsrp. I'll try to install your version and see if I can replicate. In any case I think we can work around this behaviour but it's best to see if I can replicate the problem first to make sure nothing else happens.
what would be the workaround to this? I haven't had any code that passed this point yet. :(
I would need to update pyspnego to try/except that particular call and potentially ignore a failure. The trouble is I don't know if that will have any side effects going forward which is why I really want to try and replicate the problem.
Another workaround is to update the krb5 libs on your host as 1.13.2 is from 2015 https://web.mit.edu/kerberos/krb5-1.13/krb5-1.13.2.html. Unfortunately that's easier said than done and usually means either compiling it yourself (not easy) or updating the base host. For example CentOS 8 Stream comes with 1.18.2, even CentOS 7 which is one of the oldest still supported OSs out there is on 1.15.1
I had another system with ubuntu 20.04 and it had newer version of kerberos.
$ krb5-config --version
Kerberos 5 release 1.17
and it did work as you expected, once I have done kinit
and installed required libraries, the command went through. :)
It would be great to have it working with 1.13.2 as well though.
The PR https://github.com/jborean93/pyspnego/pull/54 should fix this problem for the older MIT krb5 versions https://github.com/jborean93/pyspnego/pull/54. I haven't found the PR that actually fixed the issue but when testing locally it goes away with MIT krb5 1.14.x and newer. There's nothing in the changelog for 1.14 that would indicate it fixed the problem but it definitely doesn't happen anymore since then https://web.mit.edu/kerberos/krb5-1.14/.
So while the changes in pyspnego will help you, I highly recommend you find a way to move off this host as this version of krb5 is really old. There are many improvements and bugfixes since 1.13 and while I can workaround this problem I can't guarantee that if you come across another that I can do the same.
Thanks for merging the fix, I will test and report. In the meantime, I tried to move my kerberos version to 1.20. It seemed like a successful upgrade but now I get a connection error. Maybe some settings got messed up.
requests.exceptions.ConnectionError: HTTPConnectionPool(host='2nnrcs2.corp.intusurg.com', port=5985): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<requests.packages.urllib3.connection.HTTPConnection object at 0x7fa26bcd8d90>: Failed to establish a new connection: [Errno -2] Name or service not known'))
That's a DNS problem, the host is unable to resolve 2nnrcs2.corp.intusurg.com
.
The previous one seems like a DNS issue, you are right. I just retried it. I still get the security context related error. Even though seems like my kerberos version is 1.20
(host) mozsoy@mozsoy-ud1:~/orion2/run$ klist -V
Kerberos 5 version 1.20
(host) mozsoy@mozsoy-ud1:~/orion2/run$ python3.7
Python 3.7.10 (default, Feb 20 2021, 21:21:24)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pypsrp.shell import Process, WinRS
>>> from pypsrp.wsman import WSMan
>>> wsman=WSMan("2nnrcs2.corp.intusurg.com", auth="kerberos", username="MOzsoy", ssl=False)
>>> with wsman, WinRS(wsman) as shell:
... process = Process(shell,"dir")
... process.invoke()
...
[121266] 1667521295.549561: Retrieving MOzsoy@CORP.INTUSURG.COM from FILE:/etc/krb5/user/365090202/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/365090202/client.keytab' not found
[121266] 1667521295.569388: Getting credentials MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM using ccache FILE:/tmp/krb5cc_cdc365090202_Z7xTcY
[121266] 1667521295.569441: Retrieving MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM from FILE:/tmp/krb5cc_cdc365090202_Z7xTcY with result: -1765328243/Matching credential not found
[121266] 1667521295.569479: Retrieving MOzsoy@CORP.INTUSURG.COM -> krbtgt/CORP.INTUSURG.COM@CORP.INTUSURG.COM from FILE:/tmp/krb5cc_cdc365090202_Z7xTcY with result: 0/Success
[121266] 1667521295.569487: Starting with TGT for client realm: MOzsoy@CORP.INTUSURG.COM -> krbtgt/CORP.INTUSURG.COM@CORP.INTUSURG.COM
[121266] 1667521295.569493: Requesting tickets for WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM, referrals on
[121266] 1667521295.569509: Generated subkey for TGS request: aes256-cts/B1CE
[121266] 1667521295.569538: etypes requested in TGS request: aes256-cts, aes128-cts, rc4-hmac, des, des-cbc-crc
[121266] 1667521295.569597: Encoding request body and padata into FAST request
[121266] 1667521295.569655: Sending request (3821 bytes) to CORP.INTUSURG.COM
[121266] 1667521295.569671: Resolving hostname hq-dc1.corp.intusurg.com
[121266] 1667521295.578717: Initiating TCP connection to stream 172.20.250.95:88
[121266] 1667521295.579410: Sending TCP request to stream 172.20.250.95:88
[121266] 1667521295.598005: Received answer (3797 bytes) from stream 172.20.250.95:88
[121266] 1667521295.598020: Terminating TCP connection to stream 172.20.250.95:88
[121266] 1667521295.598057: Response was from master KDC
[121266] 1667521295.598072: Decoding FAST response
[121266] 1667521295.598149: FAST reply key: aes256-cts/1FD0
[121266] 1667521295.598177: TGS reply is for MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM with session key aes256-cts/A208
[121266] 1667521295.598197: TGS request result: 0/Success
[121266] 1667521295.598202: Received creds for desired service WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM
[121266] 1667521295.598209: Storing MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM in FILE:/tmp/krb5cc_cdc365090202_Z7xTcY
[121266] 1667521295.598569: Creating authenticator for MOzsoy@CORP.INTUSURG.COM -> WSMAN/2nnrcs2.corp.intusurg.com@CORP.INTUSURG.COM, seqnum 183743689, subkey aes256-cts/1D65, session key aes256-cts/A208
Traceback (most recent call last):
File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 67, in wrapper
return func(*args, **kwargs)
File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_gss.py", line 552, in step
self._context_attr = int(self._context.actual_flags)
File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 61, in inquire_property
return getattr(self._inquire(**{name: True}), name)
File "/home/mozsoy/.local/lib/python3.7/site-packages/decorator.py", line 232, in fun
return caller(func, *(extras + args), **kw)
File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/_utils.py", line 165, in check_last_err
return func(self, *args, **kwargs)
File "/home/mozsoy/.local/lib/python3.7/site-packages/gssapi/sec_contexts.py", line 455, in _inquire
res = rsec_contexts.inquire_context(self, **kwargs)
File "gssapi/raw/sec_contexts.pyx", line 363, in gssapi.raw.sec_contexts.inquire_context
gssapi.raw.exceptions.MissingContextError: Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete security context
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 96, in __enter__
self.open()
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/shell.py", line 205, in open
response = self.wsman.create(self.resource_uri, shell, option_set=options if len(options.values) else None)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 290, in create
res = self.invoke(WSManAction.CREATE, resource_uri, resource, option_set, selector_set, timeout)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 470, in invoke
response = self.transport.send(xml)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 803, in send
self._send_request(prep_request)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/wsman.py", line 840, in _send_request
response = self.session.send(request, timeout=(self.connection_timeout, self.read_timeout)) # type: ignore[union-attr] # This should not happen
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 594, in send
r = dispatch_hook('response', hooks, r, **kwargs)
File "/usr/lib/python3/dist-packages/requests/hooks.py", line 31, in dispatch_hook
_hook_data = hook(hook_data, **kwargs)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 96, in response_hook
response = self.handle_401(response, **kwargs)
File "/home/mozsoy/.local/lib/python3.7/site-packages/pypsrp/negotiate.py", line 141, in handle_401
out_token = context.step()
File "/home/mozsoy/.local/lib/python3.7/site-packages/spnego/_context.py", line 70, in wrapper
raise SpnegoError(base_error=native_err, context_msg=context) from native_err
spnego.exceptions.NoContextError: SpnegoError (8): Major (524288): No context has been established, Minor (39756039): Attempt to use incomplete security context, Context: Processing security token
The new version of pyspnego just went out (minutes ago). Make sure that you have 0.6.3 installed. If you've upgrade the krb5 libs then you will also need to reinstall the Python gssapi library making sure it uses that newly installed version.
okay, I went a little overboard and uninstalled couple more modules, rebooted my machine and installed them again. It works now with kerberos 1.20. Thank you very much for all the help.
I am trying to use pypsrp to send remote commands to my windows machine which only accepts kerberos authentication. When I try the following code snippet, it complains about the shellID. I assumed shell Id would be randomly assigned and not something user has to provide. Just to note that I can do winrs using powershell from another windows machine to this target (windows machine), and it works okay.
same code snippet on linux side gives me an error "No context has been established".
Finally I wanted to test
psrp
only but that module is not found.