Hi,
I had a similar issue and you guys were spot on.
Removing these lines solved my problem:
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
Thanks.
Leo
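
The check discussed in this thread, as an added example that is not part of any poster's message or of pywinrm/pykerberos: a small Python audit that reads the [libdefaults] section of a krb5.conf and reports which of the two enctype settings quoted above still list RC4 or DES types and whether any AES type is present. The function name, the sample realm and the sample file are constructed for illustration.

```python
import re

# Names for the enctypes in the thread's two krb5.conf lines; rc4-hmac and
# arcfour-hmac are MIT krb5 aliases for arcfour-hmac-md5.
WEAK = {"arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac", "des-cbc-crc", "des-cbc-md5"}
KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")


def audit_enctypes(text):
    """Return {key: {"weak": [...], "has_aes": bool}} for [libdefaults]."""
    findings = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in KEYS:
            continue
        # Entries are separated by whitespace or commas; a leading "-" removes
        # an enctype from the list, so it is not counted as enabled.
        names = [n.lower() for n in re.split(r"[\s,]+", value)
                 if n and not n.startswith("-")]
        findings[key] = {
            "weak": [n for n in names if n in WEAK],
            "has_aes": any(n.startswith("aes") for n in names),
        }
    return findings


# Constructed sample: the two lines quoted in the thread, in a minimal file.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
"""

if __name__ == "__main__":
    for key, result in audit_enctypes(SAMPLE).items():
        note = "" if result["has_aes"] else " (no AES type listed)"
        print(f"{key}: weak={result['weak']}{note}")
```
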
On Saturday, 3 March 2018 06:31:47 UTC+11, matt...@redhat.com
Yep, the non-default encryption setting is almost certainly the issue. Can
you file a bug on https://github.com/02strich/pykerberos? No promises that
we'll get to it, but I have a couple ideas as to what might be causing it.
I *think* the fix could be pretty simple (there's a code path in there
Without testing it I believe there may be an issue with the RC4 encryption that
is being used. Will have to try it out but that is a pretty old protocol and
believed to be broken. While we should still look at fixing it, you should look
at adding in one of the AES types on your krb5.conf file
I hope I got all:
(venv_ansible)[userid@ansiblehost ~/ansible_test]$ pip list
ansible (2.4.3.0)
asn1crypto (0.24.0)
bcrypt (3.1.4)
certifi (2018.1.18)
cffi (1.11.5)
chardet (3.0.4)
cryptography (2.1.4)
enum34 (1.1.6)
idna (2.6)
ipaddress (1.0.19)
Jinja2 (2.10)
MarkupSafe (1.0)
ntlm-auth (1.0.6)
Yes, this means the message encryption done with Kerberos is failing for
whatever reason and producing a malformed message. This encryption support
was added in pywinrm 0.3.0 and it would be great to find out what may have been
happening to cause it to fail as it is quite important to use it when
It isn't a transient error, it occurs always in this setup with the
mentioned module versions. Tested with different Windows versions.
Everything is working fine with your suggestions:
ansible_port=5986
and also with
ansible_winrm_message_encryption=never
So problem solved for me, thank you.
On a related note: maybe try just tweaking the existing setup to use
`ansible_winrm_message_encryption=never` on your Windows host(s) in the
inventory or via `-e` to prove if it's related to the new message
encryption support. You've clearly been running unencrypted in the past-
we'll leave
Just wondering if this is a transient error? I have occasionally had problems
when the Windows host is applying Windows updates or running ngen to recompile
dotnet code following installation of an upgrade to dotnet framework.
Jon
--
You received this message because you are subscribed to
Are you able to try port 5986 and see if that works? Potentially port 5985
is failing because the encryption process is creating a bad request causing
the 400 but it would be good to know if your setup works with HTTPS where
WinRM encryption isn't happening.
Thanks
Jordan