0

I was trying to connect to remote machine via WinRM in Python (pywinrm) using domain account, following the instruction in

How to connect to remote machine via WinRM in Python (pywinrm) using domain account?

using

session = winrm.Session(server, auth=('user@DOMAIN', 'doesNotMatterBecauseYouAreUsingAKerbTicket'), transport='kerberos')

but I got this:

NotImplementedError("Can't use 'principal' argument with kerberos-sspi.")

I googled "principal argument" and I got its meaning in mathematics,which is in complex_analysis (https://en.m.wikipedia.org/wiki/Argument_(complex_analysis)) and definitely not the right meaning. I'm not a native English speaker and I got stuck here.

The original code is here: https://github.com/requests/requests-kerberos/blob/master/requests_kerberos/kerberos_.py

def generate_request_header(self, response, host, is_preemptive=False):

"""

Generates the GSSAPI authentication token with kerberos.

If any GSSAPI step fails, raise KerberosExchangeError

with failure detail.

"""


        # Flags used by kerberos module.

        gssflags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG

        if self.delegate:

            gssflags |= kerberos.GSS_C_DELEG_FLAG


        try:

            kerb_stage = "authGSSClientInit()"

            # contexts still need to be stored by host, but hostname_override

            # allows use of an arbitrary hostname for the kerberos exchange

            # (eg, in cases of aliased hosts, internal vs external, CNAMEs

            # w/ name-based HTTP hosting)

            kerb_host = self.hostname_override if self.hostname_override is not None else host

            kerb_spn = "{0}@{1}".format(self.service, kerb_host)

            

            kwargs = {}

            # kerberos-sspi: Never pass principal. Raise if user tries to specify one.

            if not self._using_kerberos_sspi:

                kwargs['principal'] = self.principal

            elif self.principal:

                raise NotImplementedError("Can't use 'principal' argument with kerberos-sspi.")

Any help will be greatly appreciated.

Community
  • 1
  • 1
kaleido scope
  • 11
  • 3
  • Why have you tried to type out the error messages yourself, given that they're in the code you also cut-and-pasted? And have you read [the documentation of the package you're using](https://github.com/requests/requests-kerberos#explicit-principal)? – jonrsharpe Jun 12 '16 at 16:49
  • You definitely found the wrong link to what a principal means. Try this http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html – OneCricketeer Jun 12 '16 at 16:51
  • @jonrsharpe 1.For highlights, as a habit when I speak Chinese. 2.Thanks for reminding, I did miss the sentence “Explicit Principal is currently not supported when using kerberos-sspi. Providing a value for principal in this scenario will raise NotImplementedError.” and I was using Windows Server 2012, for I can only read these document on mobile phone when working. But then how can I use kerberos in pywinrm to support domain users if providing a value for principal is not supported in Windows? – kaleido scope Jun 12 '16 at 17:22
  • No, I mean rather than copying them; you've spelled several things wrong (see also the title). – jonrsharpe Jun 12 '16 at 17:23
  • @cricket_007 so simply saying, it is fairly equal to domain username in this case? – kaleido scope Jun 12 '16 at 17:27
  • I don't know Kerberos too well, but in an sense, yes. I believe it's more involved than a simple username, though – OneCricketeer Jun 12 '16 at 17:30
  • @jonrsharpe sorry and I edited it. How about my 2nd question in reply:"How can I use kerberos in pywinrm to support domain users if providing a value for principal is not supported in Windows?" – kaleido scope Jun 12 '16 at 17:40

0 Answers0