Win_Update Install Error: "Attempt to use incomplete security context', 39756039" #517

Closed
1 task done
jordanjthomas opened this issue Jun 16, 2023 · 2 comments

@jordanjthomas

Summary

When I try and use the 'win_update' module to install MS updates on Windows Servers I receive a kerberos.GSSError message.

When I 'search' or 'download' updates with the win_update module it behaves as expected. This behaviour seems to be limited to installing updates. The behaviour is present across multiple updates and multiple devices.

It should be noted that after running the win_update install against a server, running 'Get-Hotfix' on the server itself shows the expected updates are actually installed. Control panel on the server shows that the updates are 'pending install', yet rebooting the server does nothing to change the status.

TLDR: Win_update seems to actually be installing the updates, but still poses the error.

Issue Type

Bug Report

Component Name

win_updates

Ansible Version

ansible [core 2.15.1rc1]
  config file = None
  configured module search path = ['/runner/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
  ansible collection location = /runner/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.9.16 (main, Mar  7 2023, 00:00:00) [GCC 11.3.1 20221121 (Red Hat 11.3.1-4)] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True

Configuration

ANSIBLE_FORCE_COLOR(env: ANSIBLE_FORCE_COLOR) = True
CONFIG_FILE() = None
DEFAULT_CALLBACK_PLUGIN_PATH(env: ANSIBLE_CALLBACK_PLUGINS) = ['/usr/local/lib/python3.9/site-packages/ansible_runner/display_callback/callback']
DEFAULT_LOAD_CALLBACK_PLUGINS(env: ANSIBLE_LOAD_CALLBACK_PLUGINS) = True
DEFAULT_STDOUT_CALLBACK(env: ANSIBLE_STDOUT_CALLBACK) = awx_display
HOST_KEY_CHECKING(env: ANSIBLE_HOST_KEY_CHECKING) = False
INVENTORY_UNPARSED_IS_FAILED(env: ANSIBLE_INVENTORY_UNPARSED_FAILED) = True
RETRY_FILES_ENABLED(env: ANSIBLE_RETRY_FILES_ENABLED) = False
CONNECTION:
==========
paramiko_ssh:
____________
host_key_checking(env: ANSIBLE_HOST_KEY_CHECKING) = False
record_host_keys(env: ANSIBLE_PARAMIKO_RECORD_HOST_KEYS) = False…

OS / Environment

RHEL 8 (EC2 Instance)

Steps to Reproduce

- name: Install available updates
  ansible.windows.win_updates:
    category_names: "{{ win_update_category_names }}"
    reject_list: "{{ win_update_blacklist | default(omit) }}"
    accept_list: "{{ win_update_whitelist | default(omit) }}"
    reboot: true
    reboot_timeout: 2400
    state: installed
  register: installed_updates
  when: available_updates.found_update_count|int >= 1

Expected Results

I expected the playbook to install the available updates on the Windows Server successfully and report as such.

Actual Results

{
  "msg": "Unexpected failure during module execution: (('No context has been established', 524288), ('Attempt to use incomplete security context', 39756039))",
  "exception": "Traceback (most recent call last):\n  File \"/usr/local/lib/python3.9/site-packages/ansible/executor/task_executor.py\", line 165, in run\n    res = self._execute()\n  File \"/usr/local/lib/python3.9/site-packages/ansible/executor/task_executor.py\", line 673, in _execute\n    self._handler.cleanup()\n  File \"/usr/local/lib/python3.9/site-packages/ansible/plugins/action/__init__.py\", line 195, in cleanup\n    self._remove_tmp_path(self._connection._shell.tmpdir)\n  File \"/usr/local/lib/python3.9/site-packages/ansible/plugins/action/__init__.py\", line 533, in _remove_tmp_path\n    tmp_rm_res = self._low_level_execute_command(cmd, sudoable=False)\n  File \"/usr/local/lib/python3.9/site-packages/ansible/plugins/action/__init__.py\", line 1344, in _low_level_execute_command\n    rc, stdout, stderr = self._connection.exec_command(cmd, in_data=in_data, sudoable=sudoable)\n  File \"/usr/local/lib/python3.9/site-packages/ansible/plugins/connection/winrm.py\", line 609, in exec_command\n    result = self._winrm_exec(cmd_parts[0], cmd_parts[1:], from_exec=True, stdin_iterator=stdin_iterator)\n  File \"/usr/local/lib/python3.9/site-packages/ansible/plugins/connection/winrm.py\", line 519, in _winrm_exec\n    command_id = self.protocol.run_command(self.shell_id, to_bytes(command), map(to_bytes, args), console_mode_stdin=(stdin_iterator is None))\n  File \"/usr/local/lib/python3.9/site-packages/winrm/protocol.py\", line 359, in run_command\n    res = self.send_message(xmltodict.unparse(req))\n  File \"/usr/local/lib/python3.9/site-packages/winrm/protocol.py\", line 243, in send_message\n    resp = self.transport.send_message(message)\n  File \"/usr/local/lib/python3.9/site-packages/winrm/transport.py\", line 317, in send_message\n    prepared_request = self.encryption.prepare_encrypted_request(self.session, self.endpoint, message)\n  File \"/usr/local/lib/python3.9/site-packages/winrm/encryption.py\", line 80, in prepare_encrypted_request\n    encrypted_message = self._encrypt_message(message, host)\n  File \"/usr/local/lib/python3.9/site-packages/winrm/encryption.py\", line 109, in _encrypt_message\n    encrypted_stream = self._build_message(message, host)\n  File \"/usr/local/lib/python3.9/site-packages/winrm/encryption.py\", line 192, in _build_kerberos_message\n    sealed_message, signature = self.session.auth.wrap_winrm(host, message)\n  File \"/usr/local/lib/python3.9/site-packages/winrm/vendor/requests_kerberos/kerberos_.py\", line 439, in wrap_winrm\n    return kerberos.authGSSWinRMEncryptMessage(self.context[host], message)\nkerberos.GSSError: (('No context has been established', 524288), ('Attempt to use incomplete security context', 39756039))\n",
  "stdout": "",
  "_ansible_no_log": false
}

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
@jborean93
Collaborator

The raw traceback formatted in an easier way shows

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/ansible/executor/task_executor.py", line 165, in run
    res = self._execute()
  File "/usr/local/lib/python3.9/site-packages/ansible/executor/task_executor.py", line 673, in _execute
    self._handler.cleanup()
  File "/usr/local/lib/python3.9/site-packages/ansible/plugins/action/__init__.py", line 195, in cleanup
    self._remove_tmp_path(self._connection._shell.tmpdir)
  File "/usr/local/lib/python3.9/site-packages/ansible/plugins/action/__init__.py", line 533, in _remove_tmp_path
    tmp_rm_res = self._low_level_execute_command(cmd, sudoable=False)
  File "/usr/local/lib/python3.9/site-packages/ansible/plugins/action/__init__.py", line 1344, in _low_level_execute_command
    rc, stdout, stderr = self._connection.exec_command(cmd, in_data=in_data, sudoable=sudoable)
  File "/usr/local/lib/python3.9/site-packages/ansible/plugins/connection/winrm.py", line 609, in exec_command
    result = self._winrm_exec(cmd_parts[0], cmd_parts[1:], from_exec=True, stdin_iterator=stdin_iterator)
  File "/usr/local/lib/python3.9/site-packages/ansible/plugins/connection/winrm.py", line 519, in _winrm_exec
    command_id = self.protocol.run_command(self.shell_id, to_bytes(command), map(to_bytes, args), console_mode_stdin=(stdin_iterator is None))
  File "/usr/local/lib/python3.9/site-packages/winrm/protocol.py", line 359, in run_command
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/local/lib/python3.9/site-packages/winrm/protocol.py", line 243, in send_message
    resp = self.transport.send_message(message)
  File "/usr/local/lib/python3.9/site-packages/winrm/transport.py", line 317, in send_message
    prepared_request = self.encryption.prepare_encrypted_request(self.session, self.endpoint, message)
  File "/usr/local/lib/python3.9/site-packages/winrm/encryption.py", line 80, in prepare_encrypted_request
    encrypted_message = self._encrypt_message(message, host)
  File "/usr/local/lib/python3.9/site-packages/winrm/encryption.py", line 109, in _encrypt_message
    encrypted_stream = self._build_message(message, host)
  File "/usr/local/lib/python3.9/site-packages/winrm/encryption.py", line 192, in _build_kerberos_message
    sealed_message, signature = self.session.auth.wrap_winrm(host, message)
  File "/usr/local/lib/python3.9/site-packages/winrm/vendor/requests_kerberos/kerberos_.py", line 439, in wrap_winrm
    return kerberos.authGSSWinRMEncryptMessage(self.context[host], message)
kerberos.GSSError: (('No context has been established', 524288), ('Attempt to use incomplete security context', 39756039))

This would indicate that the failure happens during the cleanup phase. It sounds like the host went down during a step which caused a failure in the action code and when Ansible went to clean itself up it tried to use the now stale security context.

There's a few outstanding issues with win_updates which all seem somewhat related to this problem. I'll have to spend some more time trying to clean some of these cases up and fix these problems. Thanks for the bug report.
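
The triage described in the comment above, as an added example that is not part of the original thread or the project's code: it parses a failure record shaped like the reporter's and flags when the exception came from the cleanup path while encrypting a WinRM message with a dead Kerberos context, which suggests an earlier failure is being masked. The sample record is constructed (shortened from the traceback on this page), and the names `parse_frames` and `triage` are hypothetical.

```python
import json
import re

# Constructed sample: shortened from the traceback in this issue (paths as reported).
_SP = "/usr/local/lib/python3.9/site-packages"
_GSS = ("kerberos.GSSError: (('No context has been established', 524288), "
        "('Attempt to use incomplete security context', 39756039))")
SAMPLE_RESULT = json.dumps({
    "msg": "Unexpected failure during module execution: " + _GSS.split(": ", 1)[1],
    "exception": "\n".join([
        "Traceback (most recent call last):",
        f'  File "{_SP}/ansible/executor/task_executor.py", line 673, in _execute',
        "    self._handler.cleanup()",
        f'  File "{_SP}/ansible/plugins/action/__init__.py", line 195, in cleanup',
        "    self._remove_tmp_path(self._connection._shell.tmpdir)",
        f'  File "{_SP}/ansible/plugins/action/__init__.py", line 533, in _remove_tmp_path',
        "    tmp_rm_res = self._low_level_execute_command(cmd, sudoable=False)",
        f'  File "{_SP}/winrm/vendor/requests_kerberos/kerberos_.py", line 439, in wrap_winrm',
        "    return kerberos.authGSSWinRMEncryptMessage(self.context[host], message)",
        _GSS, ""]),
})

FRAME_RE = re.compile(r'^\s*File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)$', re.M)

def parse_frames(tb):
    """Return (path, line, func) for every frame in a Python traceback string."""
    return [(m["path"], int(m["line"]), m["func"]) for m in FRAME_RE.finditer(tb)]

def triage(result_json):
    """Classify a failed-task record by where the exception was raised."""
    tb = json.loads(result_json).get("exception", "")
    funcs = [func for _, _, func in parse_frames(tb)]
    lines = tb.strip().splitlines()
    exc_type = lines[-1].split(":", 1)[0] if lines else ""
    # Frames from the action plugin's cleanup path mean the task body had already
    # ended (or failed) and Ansible was removing its remote temp directory.
    in_cleanup = "cleanup" in funcs or "_remove_tmp_path" in funcs
    # wrap_winrm is where the Kerberos context is used to encrypt the WinRM message.
    stale_ctx = exc_type == "kerberos.GSSError" and "wrap_winrm" in funcs
    return {
        "exception_type": exc_type,
        "raised_in_cleanup": in_cleanup,
        "stale_gss_context": stale_ctx,
        "likely_masks_earlier_failure": in_cleanup and stale_ctx,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_RESULT))
```

When `likely_masks_earlier_failure` is true, the GSSError is a symptom of the connection having dropped; the host's own update and reboot logs are where the original failure would be recorded.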

@jborean93
Collaborator

I missed this issue when doing #536. That PR removes the temp path handling that would be run during a failed connection causing this error. While the underlying problem might still exist, the PR will ensure it is actually shown and not hidden by this problem.

amitosw15 pushed a commit to amitosw15/ansible.windows that referenced this issue Jan 15, 2025
jborean93 added a commit that referenced this issue Jan 19, 2025
* Initial commit

* Fix tests - ci_complete ci_coverage

* Fix up docs after migration (#95)

* Fix up docs after migration

* Fix up sanity errors

* Rebalance the test targets (#128)

* Rebalance the test targets

* Make sure IIS test removes the service so our httptester works

* Fix devel sanity checks - ci_complete (#331)

* Change tests to use include or import_tasks (#517)

* module migration

* change docs example to ansible

Signed-off-by: Amit Weinstock <[email protected]>

* Apply suggestions from code review

Co-authored-by: Jordan Borean <[email protected]>

* add 'version added' to docs

---------

Signed-off-by: Amit Weinstock <[email protected]>
Co-authored-by: Jordan Borean <[email protected]>
Yaish25491 pushed a commit to Yaish25491/ansible.windows that referenced this issue Jan 20, 2025