Michael, We have tested kerberos authentication over SSL with pywinrm. The domain controllers (acting KDCs) in the test configuration were 2008r2 and 2012r2, at 2003 functional level. Clients were 2008r2 and 2012r2. All worked fine with the latest MIT krb5 and python kerberos and pywinrm modules.
It's something we are starting to spike at the moment, but wanted to see if the feature is already being worked on/planned - don't want to mess with the product strategy At the moment the user passes in a Windows username through 'ansible_ssh_user'. It would be possible to determine whether to use basic or kerberos by checking if this value is a UPN. This approach is used by the Win32 API's, see LogonUser (http://msdn.microsoft.com/en-gb/library/windows/desktop/aa378184(v=vs.85).aspx) As an example: ansible_ssh_user: iclegg << implicitly uses basic auth since no kerberos realm is specified ansible_ssh_pass: password123 ansible_ssh_port: 5986 ansible_connection: winrm ansible_ssh_user: iclegg@realm << implicity uses Kerberos since this not a valid Windows username, but is a valid UPN ( '@' is reserved) ansible_ssh_pass: password123 ansible_ssh_port: 5986 ansible_connection: winrm I have not looked into how kerb is done with SSH, so this suggestion may not be consistent with it Ian On Wednesday, 30 July 2014 17:21:11 UTC+1, Michael DeHaan wrote: > > Hi Ian, > > Yeah it was recently mentioned I think that Domain auth wasn't functional > - and maybe pywinrm maybe needed tweaks to enable Kerb (not true?). > > I'm VERY interested. > > Is this something you might be interested in working on? > > > > On Wed, Jul 30, 2014 at 11:53 AM, Ian Clegg <[email protected] > <javascript:>> wrote: > >> Hi All, >> >> I think its great ansible is leveraging powershell and avoids unnecessary >> agents, but using basic authentication which forces local admin accounts on >> Windows wont cut it. Local Admin accounts are generally viewed as a >> security risk and a nightmare to manage. We've got 50K+ hosts deployed. As >> we know, Microsoft's WS-Man implementation, WinRM only supports domain >> credentials when using Negotiate, CredSSP and Kerberos. CredSSP enables >> 'double hop', but it will probably be the most work - pywinrm (already used >> by ansible) has working support for Kerberos (we've tested it) >> >> Is anyone looking into plugging kerberos support into ansible for >> authenticating to Windows hosts? >> >> Ian >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Ansible Project" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected] <javascript:>. >> To post to this group, send email to [email protected] >> <javascript:>. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/ansible-project/df22cd58-359c-4342-8e21-fc278a65b954%40googlegroups.com >> >> <https://groups.google.com/d/msgid/ansible-project/df22cd58-359c-4342-8e21-fc278a65b954%40googlegroups.com?utm_medium=email&utm_source=footer> >> . >> For more options, visit https://groups.google.com/d/optout. >> > > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/cd39b936-03a6-499f-a930-5c39d632781e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
