Hi Ian,

I just submitted a PR for this functionality:
https://github.com/ansible/ansible/pull/8345. Maybe you can have a look
and provide some feedback, or maybe you have a better way of
implementing it; if so, please feel free to replace it.

Thanks,
Benno

On Wed, Jul 30, 2014 at 10:30 PM, Ian Clegg <[email protected]>
wrote:

> Michael,
>
> We have tested kerberos authentication over SSL with pywinrm. The domain
> controllers (acting KDCs) in the test configuration were 2008r2 and 2012r2,
> at 2003 functional level. Clients were 2008r2 and 2012r2. All worked fine
> with the latest MIT krb5 and python kerberos and pywinrm modules.
>
> It's something we are starting to spike at the moment, but wanted to see
> if the feature is already being worked on/planned - don't want to mess with
> the product strategy.
>
> At the moment the user passes in a Windows username through
> 'ansible_ssh_user'. It would be possible to determine whether to use basic
> or Kerberos by checking if this value is a UPN. This approach is used by
> the Win32 APIs, see LogonUser (
> http://msdn.microsoft.com/en-gb/library/windows/desktop/aa378184(v=vs.85).aspx
> )
>
> As an example:
>
> ansible_ssh_user: iclegg  << implicitly uses basic auth since no kerberos
> realm is specified
> ansible_ssh_pass: password123
> ansible_ssh_port: 5986
> ansible_connection: winrm
>
> ansible_ssh_user: iclegg@realm << implicitly uses Kerberos since this is not
> a valid Windows username, but is a valid UPN ('@' is reserved)
> ansible_ssh_pass: password123
> ansible_ssh_port: 5986
> ansible_connection: winrm
>
> I have not looked into how kerb is done with SSH, so this suggestion may
> not be consistent with it
>
> Ian
>
>
> On Wednesday, 30 July 2014 17:21:11 UTC+1, Michael DeHaan wrote:
>
>> Hi Ian,
>>
>> Yeah, it was recently mentioned, I think, that Domain auth wasn't functional
>> - and maybe pywinrm needed tweaks to enable Kerb (not true?).
>>
>> I'm VERY interested.
>>
>> Is this something you might be interested in working on?
>>
>>
>>
>> On Wed, Jul 30, 2014 at 11:53 AM, Ian Clegg <[email protected]>
>> wrote:
>>
>>> Hi All,
>>>
>>> I think it's great ansible is leveraging PowerShell and avoids
>>> unnecessary agents, but using basic authentication, which forces local admin
>>> accounts on Windows, won't cut it. Local Admin accounts are generally viewed
>>> as a security risk and a nightmare to manage. We've got 50K+ hosts
>>> deployed. As we know, Microsoft's WS-Man implementation, WinRM, only
>>> supports domain credentials when using Negotiate, CredSSP and Kerberos.
>>> CredSSP enables 'double hop', but it will probably be the most work -
>>> pywinrm (already used by ansible) has working support for Kerberos (we've
>>> tested it).
>>>
>>> Is anyone looking into plugging kerberos support into ansible for
>>> authenticating to Windows hosts?
>>>
>>> Ian
>>>
>>>  --
>>> You received this message because you are subscribed to the Google
>>> Groups "Ansible Project" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To post to this group, send email to [email protected].
>>>
>>> To view this discussion on the web visit https://groups.google.com/d/
>>> msgid/ansible-project/df22cd58-359c-4342-8e21-
>>> fc278a65b954%40googlegroups.com
>>> <https://groups.google.com/d/msgid/ansible-project/df22cd58-359c-4342-8e21-fc278a65b954%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>
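The UPN-versus-local-account selection rule Ian proposes above, written out as an added Python example; this is not code from the PR, from Ansible or from pywinrm. The inventory values are constructed from the thread's sample, and `select_winrm_auth`, `is_upn` and `auth_plan` are hypothetical helper names.

```python
import re

# Constructed inventory, following the two host definitions in the thread.
INVENTORY = {
    "local_admin": {"ansible_ssh_user": "iclegg", "ansible_ssh_pass": "password123",
                    "ansible_ssh_port": 5986, "ansible_connection": "winrm"},
    "domain_user": {"ansible_ssh_user": "iclegg@example.com", "ansible_ssh_pass": "password123",
                    "ansible_ssh_port": 5986, "ansible_connection": "winrm"},
}

# A UPN is <user>@<realm>. The characters in the negated class (including '@')
# are reserved in Windows account names, so a well-formed UPN can never be
# mistaken for a local account name.
UPN_RE = re.compile(r'^(?P<user>[^@\\/\[\]:;|=,+*?<>"\s]+)@(?P<realm>[A-Za-z0-9.-]+)$')


def is_upn(ansible_ssh_user):
    """True when the value has the form user@realm."""
    return UPN_RE.match(ansible_ssh_user) is not None


def select_winrm_auth(ansible_ssh_user):
    """Map ansible_ssh_user to (auth, user, realm).

    A UPN selects Kerberos; the realm is upper-cased because Kerberos realms
    are case-sensitive and Active Directory realms are upper-case by
    convention. Anything else without '@' is a local account and selects
    basic auth. A value containing '@' that is not a well-formed UPN is
    rejected rather than silently falling back to basic.
    """
    m = UPN_RE.match(ansible_ssh_user)
    if m:
        return "kerberos", m.group("user"), m.group("realm").upper()
    if "@" in ansible_ssh_user:
        raise ValueError("'@' is reserved in Windows usernames, and %r is not a UPN"
                         % ansible_ssh_user)
    return "basic", ansible_ssh_user, None


def auth_plan(inventory):
    """Return {host: auth} for every winrm host in the inventory."""
    return {host: select_winrm_auth(v["ansible_ssh_user"])[0]
            for host, v in inventory.items() if v.get("ansible_connection") == "winrm"}


if __name__ == "__main__":
    for host, auth in auth_plan(INVENTORY).items():
        print(host, "->", auth)
```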

