Very timely!

Folks, if you could comment on the ticket with any thoughts/comments, that
would be welcome.

I'm not sure if the user change above would require any changes in Ansible,
seems like no?




On Wed, Jul 30, 2014 at 1:22 PM, benno joy <[email protected]> wrote:

> Hi Ian,
>
> I just submitted a PR for this functionality:
> https://github.com/ansible/ansible/pull/8345 . Maybe you can have a look
> and provide some feedback, or maybe you have a better way of
> implementing it; if so, please feel free to replace it.
>
> Thanks,
> Benno
>
>
>
>
>
> On Wed, Jul 30, 2014 at 10:30 PM, Ian Clegg <[email protected]>
> wrote:
>
>> Michael,
>>
>> We have tested Kerberos authentication over SSL with pywinrm. The domain
>> controllers (acting as KDCs) in the test configuration were 2008r2 and 2012r2,
>> at 2003 functional level. Clients were 2008r2 and 2012r2. All worked fine
>> with the latest MIT krb5 and python kerberos and pywinrm modules.
>>
>> It's something we are starting to spike at the moment, but wanted to see
>> if the feature is already being worked on/planned - don't want to mess with
>> the product strategy.
>>
>> At the moment the user passes in a Windows username through
>> 'ansible_ssh_user'. It would be possible to determine whether to use basic
>> or Kerberos by checking if this value is a UPN. This approach is used by
>> the Win32 APIs; see LogonUser (
>> http://msdn.microsoft.com/en-gb/library/windows/desktop/aa378184(v=vs.85).aspx
>> )
>>
>> As an example:
>>
>> ansible_ssh_user: iclegg  << implicitly uses basic auth since no Kerberos
>> realm is specified
>> ansible_ssh_pass: password123
>> ansible_ssh_port: 5986
>> ansible_connection: winrm
>>
>> ansible_ssh_user: iclegg@realm << implicitly uses Kerberos since this is not
>> a valid Windows username, but is a valid UPN ('@' is reserved)
>> ansible_ssh_pass: password123
>> ansible_ssh_port: 5986
>> ansible_connection: winrm
>>
>> I have not looked into how Kerberos is done with SSH, so this suggestion may
>> not be consistent with it.
>>
>> Ian
>>
>>
>> On Wednesday, 30 July 2014 17:21:11 UTC+1, Michael DeHaan wrote:
>>
>>> Hi Ian,
>>>
>>> Yeah, it was recently mentioned, I think, that domain auth wasn't
>>> functional - and maybe pywinrm needed tweaks to enable Kerberos (not
>>> true?).
>>>
>>> I'm VERY interested.
>>>
>>> Is this something you might be interested in working on?
>>>
>>>
>>>
>>> On Wed, Jul 30, 2014 at 11:53 AM, Ian Clegg <[email protected]>
>>> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I think it's great Ansible is leveraging PowerShell and avoids
>>>> unnecessary agents, but using basic authentication, which forces local admin
>>>> accounts on Windows, won't cut it. Local admin accounts are generally viewed
>>>> as a security risk and a nightmare to manage. We've got 50K+ hosts
>>>> deployed. As we know, Microsoft's WS-Man implementation, WinRM, only
>>>> supports domain credentials when using Negotiate, CredSSP and Kerberos.
>>>> CredSSP enables 'double hop', but it will probably be the most work -
>>>> pywinrm (already used by Ansible) has working support for Kerberos (we've
>>>> tested it).
>>>>
>>>> Is anyone looking into plugging kerberos support into ansible for
>>>> authenticating to Windows hosts?
>>>>
>>>> Ian
>>>>
>>>>  --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Ansible Project" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To post to this group, send email to [email protected].
>>>>
>>>> To view this discussion on the web visit https://groups.google.com/d/
>>>> msgid/ansible-project/df22cd58-359c-4342-8e21-
>>>> fc278a65b954%40googlegroups.com
>>>> <https://groups.google.com/d/msgid/ansible-project/df22cd58-359c-4342-8e21-fc278a65b954%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>> .
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>

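The username-shape heuristic Ian proposes above (a bare logon name means basic auth, a UPN of the form user@realm means Kerberos), as an added example that is not part of the thread, of Ansible, of pywinrm or of the linked PR. The function and class names (choose_winrm_auth, WinRMTarget), the port-to-scheme mapping (5986 is treated as HTTPS, anything else as HTTP) and the refusal to send basic credentials over plain HTTP are assumptions made for this example; the host vars are the ones used in the thread.

```python
"""Added example (not Ansible's, pywinrm's or the linked PR's code) of picking
basic vs Kerberos auth for a WinRM target from the shape of ansible_ssh_user.

Assumptions made here: port 5986 means HTTPS and any other port HTTP, basic
auth is refused over plain HTTP (credentials would travel base64-encoded only),
and a Kerberos target may omit ansible_ssh_pass because an existing ticket
cache can be used.
"""
from dataclasses import dataclass
from typing import Optional
import re

# A Windows logon name (sAMAccountName) may not contain '@' (it is reserved),
# so anything matching user@realm with exactly one '@' is treated as a UPN.
_UPN_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


@dataclass
class WinRMTarget:
    endpoint: str            # full WS-Man URL for the host
    transport: str           # 'basic' or 'kerberos'
    username: str            # logon name (realm stripped for kerberos)
    realm: Optional[str]     # upper-cased Kerberos realm, None for basic
    password: Optional[str]  # None when Kerberos relies on a ticket cache


def choose_winrm_auth(host: str, host_vars: dict) -> WinRMTarget:
    """Map the thread's inventory variables to a transport choice."""
    user = host_vars.get("ansible_ssh_user")
    if not user:
        raise ValueError("ansible_ssh_user is required for the winrm connection")

    port = int(host_vars.get("ansible_ssh_port", 5986))
    scheme = "https" if port == 5986 else "http"   # assumption, see docstring
    endpoint = f"{scheme}://{host}:{port}/wsman"
    password = host_vars.get("ansible_ssh_pass")

    upn = _UPN_RE.match(user)
    if upn:
        principal, realm = upn.group(1), upn.group(2).upper()
        # Kerberos: password may be None if a ticket cache already exists.
        return WinRMTarget(endpoint, "kerberos", principal, realm, password)

    if "@" in user:
        # More than one '@' or an empty half: neither a logon name nor a UPN.
        raise ValueError(f"{user!r} is neither a Windows logon name nor a valid UPN")

    if password is None:
        raise ValueError("basic auth requires ansible_ssh_pass")
    if scheme != "https":
        raise ValueError("refusing basic auth over plain HTTP; use port 5986/HTTPS")
    return WinRMTarget(endpoint, "basic", user, None, password)


if __name__ == "__main__":
    # Constructed sample inventory vars, mirroring the two cases in the thread.
    for vars_ in (
        {"ansible_ssh_user": "iclegg", "ansible_ssh_pass": "password123",
         "ansible_ssh_port": 5986},
        {"ansible_ssh_user": "iclegg@realm", "ansible_ssh_pass": "password123",
         "ansible_ssh_port": 5986},
    ):
        print(choose_winrm_auth("win01.example.test", vars_))
```

The realm is upper-cased because Kerberos realms are case-sensitive and conventionally written in upper case, whereas the user typing `iclegg@realm` into an inventory rarely is; the logon name itself is left untouched.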
