You are right Michael, a change to ansible would only be required if we could not address the underlying issue in pywinrm. We will discuss on the PR.

Cheers!

On Wednesday, 30 July 2014 20:55:58 UTC+1, Michael DeHaan wrote:
> Very timely!
>
> Folks, if you could comment on the ticket with any thoughts/comments, that would be welcome.
>
> I'm not sure if the user change above would require any changes in Ansible, seems like no?
>
> On Wed, Jul 30, 2014 at 1:22 PM, benno joy <[email protected]> wrote:
>> Hi Ian,
>>
>> I just submitted a PR for this functionality "https://github.com/ansible/ansible/pull/8345", maybe you can have a look and provide some feedback. Or maybe you have a better way of implementation; if so, please feel free to replace it.
>>
>> Thanks,
>> Benno
>>
>> On Wed, Jul 30, 2014 at 10:30 PM, Ian Clegg <[email protected]> wrote:
>>> Michael,
>>>
>>> We have tested kerberos authentication over SSL with pywinrm. The domain controllers (acting KDCs) in the test configuration were 2008r2 and 2012r2, at 2003 functional level. Clients were 2008r2 and 2012r2. All worked fine with the latest MIT krb5 and python kerberos and pywinrm modules.
>>>
>>> It's something we are starting to spike at the moment, but wanted to see if the feature is already being worked on/planned - don't want to mess with the product strategy.
>>>
>>> At the moment the user passes in a Windows username through 'ansible_ssh_user'. It would be possible to determine whether to use basic or kerberos by checking if this value is a UPN. This approach is used by the Win32 APIs, see LogonUser (http://msdn.microsoft.com/en-gb/library/windows/desktop/aa378184(v=vs.85).aspx)
>>>
>>> As an example:
>>>
>>> ansible_ssh_user: iclegg << implicitly uses basic auth since no kerberos realm is specified
>>> ansible_ssh_pass: password123
>>> ansible_ssh_port: 5986
>>> ansible_connection: winrm
>>>
>>> ansible_ssh_user: iclegg@realm << implicitly uses Kerberos since this is not a valid Windows username, but is a valid UPN ('@' is reserved)
>>> ansible_ssh_pass: password123
>>> ansible_ssh_port: 5986
>>> ansible_connection: winrm
>>>
>>> I have not looked into how kerb is done with SSH, so this suggestion may not be consistent with it.
>>>
>>> Ian
>>>
>>> On Wednesday, 30 July 2014 17:21:11 UTC+1, Michael DeHaan wrote:
>>>> Hi Ian,
>>>>
>>>> Yeah it was recently mentioned I think that Domain auth wasn't functional - and maybe pywinrm maybe needed tweaks to enable Kerb (not true?).
>>>>
>>>> I'm VERY interested.
>>>>
>>>> Is this something you might be interested in working on?
>>>>
>>>> On Wed, Jul 30, 2014 at 11:53 AM, Ian Clegg <[email protected]> wrote:
>>>>> Hi All,
>>>>>
>>>>> I think it's great ansible is leveraging powershell and avoids unnecessary agents, but using basic authentication which forces local admin accounts on Windows won't cut it. Local Admin accounts are generally viewed as a security risk and a nightmare to manage. We've got 50K+ hosts deployed. As we know, Microsoft's WS-Man implementation, WinRM, only supports domain credentials when using Negotiate, CredSSP and Kerberos. CredSSP enables 'double hop', but it will probably be the most work - pywinrm (already used by ansible) has working support for Kerberos (we've tested it).
>>>>>
>>>>> Is anyone looking into plugging kerberos support into ansible for authenticating to Windows hosts?
>>>>>
>>>>> Ian
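The UPN rule Ian proposes in the quoted thread (a bare Windows username means basic auth, a `user@REALM` value means Kerberos), worked through as an added example. This is not code from ansible, pywinrm, or PR 8345; the function names `classify_user` and `winrm_auth_params` and the returned dictionary keys are illustrative assumptions, and the two host-variable blocks are constructed from the examples in the thread.

```python
"""
Select the WinRM auth method from ansible_ssh_user using the UPN rule
from the thread: '@' is reserved in a Windows (SAM) logon name, so a
value containing '@' can only be a UPN, which selects Kerberos; anything
else is treated as a local/basic-auth username.

Added example; not code from ansible, pywinrm, or the PR discussed above.
"""

# Characters Windows disallows in a SAM account name, plus '@' as the
# thread notes it is reserved for the UPN separator (assumed list).
_INVALID_SAM_CHARS = set('"/\\[]:;|=,+*?<>@')


def classify_user(user):
    """Return ('basic', user, None) or ('kerberos', principal, realm)."""
    if not user:
        raise ValueError("ansible_ssh_user must not be empty")
    if "@" not in user:
        bad = sorted(set(user) & _INVALID_SAM_CHARS)
        if bad:
            raise ValueError("invalid characters in Windows username: %s" % "".join(bad))
        return ("basic", user, None)
    # Split on the last '@' so a principal that itself contains '@' still
    # yields the trailing component as the realm.
    principal, _, realm = user.rpartition("@")
    if not principal or not realm:
        raise ValueError("UPN needs both a user part and a realm: %r" % user)
    return ("kerberos", principal, realm)


def winrm_auth_params(host_vars):
    """
    Map Ansible host vars (the 'ansible_ssh_*' keys shown in the thread) to the
    parameters a WinRM transport would need, plus warnings worth surfacing.
    Returns (params, warnings); key names are assumptions of this example.
    """
    if host_vars.get("ansible_connection") != "winrm":
        raise ValueError("not a winrm host")
    transport, principal, realm = classify_user(host_vars.get("ansible_ssh_user", ""))
    port = int(host_vars.get("ansible_ssh_port", 5986))
    params = {
        "transport": transport,
        "user": principal,
        "realm": realm,
        "port": port,
        "password": host_vars.get("ansible_ssh_pass"),
    }
    warnings = []
    if transport == "kerberos" and realm != realm.upper():
        # MIT krb5 realm names are case-sensitive and conventionally upper-case;
        # 'iclegg@realm' from the thread would trip this check.
        warnings.append("Kerberos realm %r is not upper-case" % realm)
    if transport == "basic" and port != 5986:
        # 5986 is the WinRM HTTPS listener; basic auth elsewhere sends the
        # password without TLS protection.
        warnings.append("basic auth on port %d is not the SSL listener" % port)
    return params, warnings


# Constructed host vars, copied from the two examples in the thread.
BASIC_HOST = {
    "ansible_ssh_user": "iclegg",
    "ansible_ssh_pass": "password123",
    "ansible_ssh_port": 5986,
    "ansible_connection": "winrm",
}
KERB_HOST = dict(BASIC_HOST, ansible_ssh_user="iclegg@realm")

if __name__ == "__main__":
    for hv in (BASIC_HOST, KERB_HOST):
        params, warnings = winrm_auth_params(hv)
        print(params["transport"], params["user"], params["realm"], warnings)
```

The realm-case warning is the caveat a practitioner hits first with this rule: the thread's `iclegg@realm` is a syntactically valid UPN, but MIT krb5 will look up the realm exactly as typed, so an inventory convention of upper-case realms (or a normalisation step) is needed before handing the value to the Kerberos transport.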
