
I'm using pywinrm module from RHEL successfully with Kerberos and WinRM HTTP listeners (TCP 5985) on target Windows machines.

Now I'd like to get rid of all HTTP (5985) listeners, keeping only the HTTPS listener (5986) on all Windows hosts.

The issue is that the pywinrm module seems to automatically choose the remote WinRM port based on the transport (5986 for "ssl" transport, 5985 for all other transport methods).

Error with "kerberos" transport

(ConnectTimeout, (MaxRetryError("HTTPConnectionPool(host='foo.tld', port=5985): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError

I can't find a way to pass the port number as an argument when creating the winrm session.

Code example

import kerberos
import winrm

# Automatically picks 5985 for WinRM remote port
session = winrm.Session("foo.tld", auth=("[email protected]", ''), transport='kerberos', server_cert_validation='ignore')

# Automatically picks 5986 for WinRM remote port
session = winrm.Session("foo.tld", auth=("[email protected]", 'Xxxxxxx'), transport='ssl', server_cert_validation='ignore')

cmd = """
get-aduser -filter "samaccountname -eq 'john'"
"""
try:
    # Keep the Response object so its status and output can be inspected
    result = session.run_ps(cmd)
    if result.status_code == 0:
        print(result.std_out)
    else:
        print(result.std_err)
except Exception as e:
    print("WinRM Error: {}".format(e))

I'm confused because Ansible, which relies on this same pywinrm Python module, has two settings for this, and it seems that HTTPS listener + Kerberos authentication might be supported:

  • ansible_winrm_scheme (http or https)
  • ansible_winrm_transport (authentication method)

Is there a way to "force" the pywinrm "kerberos" method to use port 5986 (HTTPS listener) instead of 5985, or is only port 5985 (HTTP listener) available by design for the "kerberos" transport?
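
An added example, not part of the original post and not pywinrm's own code: pywinrm's `Session` accepts a full endpoint URL as its target, so the scheme and port can be set explicitly while the transport stays "kerberos". The helper names, the `principal` and `ca_bundle` parameters, and the assumption that a Kerberos ticket already exists (for example from `kinit`) are hypothetical.

```python
from urllib.parse import urlsplit


def require_https(url):
    """Reject endpoints that would reach a plain HTTP WinRM listener."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("WinRM endpoint must use https, got {!r}".format(parts.scheme))
    if not parts.hostname:
        raise ValueError("WinRM endpoint has no host: {!r}".format(url))
    if parts.port == 5985:
        raise ValueError("port 5985 is the default HTTP listener port")
    return url


def https_endpoint(host, port=5986, path="/wsman"):
    """Build an explicit HTTPS endpoint so the port is not derived from the transport."""
    return require_https("https://{}:{}{}".format(host, port, path))


def kerberos_https_session(host, principal, ca_bundle):
    """Kerberos authentication over the HTTPS listener, with certificate validation on.

    Assumes a valid Kerberos ticket for `principal` is already in the cache and
    that `ca_bundle` is the path to the CA file that issued the listener certificate.
    """
    import winrm  # imported here so the URL helpers work without pywinrm installed

    return winrm.Session(
        https_endpoint(host),               # e.g. https://foo.tld:5986/wsman
        auth=(principal, ""),               # password unused with a cached ticket
        transport="kerberos",
        server_cert_validation="validate",  # rather than 'ignore'
        ca_trust_path=ca_bundle,
    )
```
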