I have a setup where I can winrs to the remote machine successfully without issues. However, when I use pywinrm, I get an error about credentials.
Here are the authentication details of the remote Windows machine. How would one go about debugging this issue?
winrm get winrm/config/service/auth
Auth
Basic = false [Source="GPO"]
Kerberos = true [Source="GPO"]
Negotiate = false [Source="GPO"]
Certificate = false
CredSSP = false [Source="GPO"]
CbtHardeningLevel = Strict [Source="GPO"]
I tried this from both Windows and Linux and I get the same result. From the Windows machine I can do winrs without issues.
Windows output:
import winrm
sess = winrm.Session('<hostname>', auth=('MOzsoy', '***'), transport='kerberos')
sess.run_cmd('hostname')
Traceback (most recent call last):
File "C:\Users\mozsoy\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\winrm\transport.py", line 328, in _send_message_request
response.raise_for_status()
File "C:\Users\mozsoy\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\requests\models.py", line 1021, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: for url: http://<hostname>:5985/wsman
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "C:\Users\mozsoy\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\winrm\__init__.py", line 40, in run_cmd
shell_id = self.protocol.open_shell()
File "C:\Users\mozsoy\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\winrm\protocol.py", line 166, in open_shell
res = self.send_message(xmltodict.unparse(req))
File "C:\Users\mozsoy\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\winrm\protocol.py", line 243, in send_message
resp = self.transport.send_message(message)
File "C:\Users\mozsoy\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\winrm\transport.py", line 322, in send_message
response = self._send_message_request(prepared_request, message)
File "C:\Users\mozsoy\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\winrm\transport.py", line 332, in _send_message_request
raise InvalidCredentialsError("the specified credentials were rejected by the server")
winrm.exceptions.InvalidCredentialsError: the specified credentials were rejected by the server
Linux output:
import winrm
sess = winrm.Session('<hostname>', auth=('MOzsoy', '***'), transport='kerberos')
sess.run_cmd("hostname")
/home/mozsoy/.local/lib/python3.7/site-packages/winrm/vendor/requests_kerberos/kerberos_.py:176: NoCertificateRetrievedWarning: Requests is running with a non urllib3 backend, cannot retrieve server certificate for CBT
NoCertificateRetrievedWarning)
Traceback (most recent call last):
File "/home/mozsoy/.local/lib/python3.7/site-packages/winrm/transport.py", line 328, in _send_message_request
response.raise_for_status()
File "/usr/lib/python3/dist-packages/requests/models.py", line 840, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: for url: http://<hostname>:5985/wsman
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/mozsoy/.local/lib/python3.7/site-packages/winrm/__init__.py", line 40, in run_cmd
shell_id = self.protocol.open_shell()
File "/home/mozsoy/.local/lib/python3.7/site-packages/winrm/protocol.py", line 166, in open_shell
res = self.send_message(xmltodict.unparse(req))
File "/home/mozsoy/.local/lib/python3.7/site-packages/winrm/protocol.py", line 243, in send_message
resp = self.transport.send_message(message)
File "/home/mozsoy/.local/lib/python3.7/site-packages/winrm/transport.py", line 309, in send_message
self.build_session()
File "/home/mozsoy/.local/lib/python3.7/site-packages/winrm/transport.py", line 292, in build_session
self.setup_encryption()
File "/home/mozsoy/.local/lib/python3.7/site-packages/winrm/transport.py", line 298, in setup_encryption
self._send_message_request(prepared_request, '')
File "/home/mozsoy/.local/lib/python3.7/site-packages/winrm/transport.py", line 332, in _send_message_request
raise InvalidCredentialsError("the specified credentials were rejected by the server")
winrm.exceptions.InvalidCredentialsError: the specified credentials were rejected by the server
It seems that pywinrm doesn't like this setting: CbtHardeningLevel = Strict [Source="GPO"]
As it is configured through GPO, you probably need to contact your admin about this.
From what I found so far, pywinrm can't handle "Strict"; you need to use "Relaxed".
I encountered this for Ansible, but I guess it's due to pywinrm.
https://github.com/diyan/pywinrm/issues/109
https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html#http-401-credentials-rejected
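
A triage helper for the situation in this thread, added here as an example (not code from the question, the answer, or pywinrm): it parses the `winrm get winrm/config/service/auth` output quoted above and lists what to check for a given pywinrm transport and endpoint URL. The transport-to-flag mapping, the function names and the host `winhost.example` are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the service auth output quoted in the question.
SAMPLE = """Auth
    Basic = false [Source="GPO"]
    Kerberos = true [Source="GPO"]
    Negotiate = false [Source="GPO"]
    Certificate = false
    CredSSP = false [Source="GPO"]
    CbtHardeningLevel = Strict [Source="GPO"]
"""

# Assumption of this example: which service auth flag each pywinrm transport needs.
TRANSPORT_FLAG = {"basic": "Basic", "plaintext": "Basic", "ssl": "Basic",
                  "kerberos": "Kerberos", "ntlm": "Negotiate",
                  "credssp": "CredSSP", "certificate": "Certificate"}

LINE = re.compile(r'^\s*(\w+)\s*=\s*(\S+)(?:\s+\[Source="(\w+)"\])?\s*$')


def parse_auth(text):
    """Map each setting to (value, source); source is 'local' without a Source tag."""
    found = (LINE.match(line) for line in text.splitlines())
    return {m.group(1): (m.group(2), m.group(3) or "local") for m in found if m}


def triage(text, transport, endpoint):
    """Return (code, detail) checks for one client transport and endpoint URL."""
    cfg = parse_auth(text)
    checks = []
    flag = TRANSPORT_FLAG[transport]
    value, source = cfg.get(flag, ("missing", "local"))
    if value.lower() != "true":
        checks.append(("AUTH_DISABLED", f"{flag} = {value} ({source}), needed by '{transport}'"))
    if urlparse(endpoint).scheme != "https":
        # A channel binding token is derived from the TLS server certificate.
        checks.append(("NO_TLS", "plain HTTP: no server certificate to build a CBT from"))
    if cfg.get("CbtHardeningLevel", ("", ""))[0].lower() == "strict":
        checks.append(("CBT_STRICT", "confirm the client actually sends a channel binding token"))
    managed = sorted(k for k, (_, src) in cfg.items() if src == "GPO")
    if managed:
        checks.append(("GPO_MANAGED", "change via Group Policy: " + ", ".join(managed)))
    return checks


if __name__ == "__main__":
    for code, detail in triage(SAMPLE, "kerberos", "http://winhost.example:5985/wsman"):
        print(f"{code}: {detail}")
```

The codes are items to verify, not a verdict on the cause of the 401.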