There are two things that come into play here:
1. Kerberos. By default, you're not able to perform double-hop using 
Kerberos. So, if you have set up Ansible using kinit and the Kerberos 
changes that are in a PR, you're basically connecting from the control node 
to the managed Windows node using Kerberos. You will not be able to use 
those same credentials to authenticate against a file server to pick up a 
file (this would be double-hop). There are ways around this: You can set 
the managed node to be trusted for delegation (which is set on the computer 
object in AD).

2. The actual Windows account you've set up Ansible with: If this is a local 
account, that account only has the local Windows computer (managed node) as 
its realm, and is not able to authenticate against a file server. 

If you're using a domain account but *not* Kerberos in Ansible, and that 
account actually has access to the file, then it should work (given that 
win_get_url actually supports file servers, I'm as confused as Michael on 
that).

What we need to build is a module for copying files and folders from file 
servers onto the managed node, and have that module take arguments for 
forming a credential (these could be stored as encrypted variables in 
Ansible).

My "upcoming" win_package has support for file servers, I just haven't 
"activated" the credentials support yet. Maybe I should do that before I PR 
it.

I hope that sheds some light on it. I'll do some testing on this on my own 
and report back.

I wouldn't start mucking with the WinRM group. Administrators already have 
the required WinRM access, and most of what you would do through Ansible 
requires Administrative access anyways, since we're 
deploying/configuring/installing stuff on the systems. The user Ansible 
uses to connect to the managed Windows node needs to be a member of the 
"Administrators" local group on the target computer (either directly or 
indirectly), it's as simple as that.

-Trond

On Friday, August 29, 2014 1:11:17 PM UTC+2, J Hawkesworth wrote:

> Hi,
>
> I think you may have hit this issue: 
> https://github.com/ansible/ansible/issues/8588
>
> The name of the group I mentioned in previous post is WinRMRemoteWMIUsers__
>
> On the Windows host you want to manage, you need to run the following: 
> net localgroup WinRMRemoteWMIUsers__ /add DOMAINNAME\domainusername
> (where DOMAINNAME is the name of your domain and domainusername is the 
> domain user you want to be able to use WinRM)
>
> Hope this helps,
>
> Jon
>
>
> On Monday, August 11, 2014 4:35:06 PM UTC+1, Gopinath Suryadevara wrote:
>>
>> Hi,
>>
>> I was able to connect to a Windows 7 box from a RHEL 5, ping it and also 
>> changed the authentication to Kerberos. Thank you, @Trond for the wonderful 
>> script. Both the machines are on the same domain. When I use the 
>> win_get_url module to copy a file from a network share, it fails. I turned 
>> on the traces, got hold of the scripts on the remote win machine using 
>> ANSIBLE_KEEP_FILES=1. When I execute the script on remote win machine using 
>> the arguments file created by Ansible, it executes successfully and copies 
>> the file from a network share. But the script fails when run via Ansible. 
>> Even when I map the network share and try to use the assigned drive letter, 
>> the script fails when executed from the Ansible Linux controller.
>>
>> Any help on this is appreciated!!
>>
>
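
The credential-taking file copy described in the reply above, sketched as an added PowerShell example; it is not code from this thread or from any Ansible module, and the parameter names, drive name and sample paths are assumptions. It assumes PowerShell 3.0 or later on the managed node, where `New-PSDrive` accepts `-Credential` for the FileSystem provider, so the share is authenticated with an explicit credential instead of the delegated WinRM logon.

```powershell
#requires -Version 3
# Added example, not Ansible module code. Parameter names are hypothetical.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $Source,       # constructed sample: \\fileserver\share\pkg\setup.msi
    [Parameter(Mandatory)] [string] $Destination,  # constructed sample: C:\Temp\setup.msi
    [Parameter(Mandatory)] [string] $UserName,     # constructed sample: DOMAINNAME\domainusername
    [Parameter(Mandatory)] [string] $Password      # supply from an encrypted variable, never inline
)

$ErrorActionPreference = 'Stop'

# Accept only \\server\share\path so the share root can be mounted separately.
if ($Source -notmatch '^\\\\[^\\]+\\[^\\]+\\.+') {
    throw "Source must be a UNC path of the form \\server\share\path"
}

# '\\server\share\dir\file' splits to '', '', 'server', 'share', 'dir', 'file'.
$parts     = $Source -split '\\'
$shareRoot = $parts[0..3] -join '\'
$relative  = $parts[4..($parts.Count - 1)] -join '\'

# Build the credential in memory; the share is authenticated with it directly,
# so nothing depends on the WinRM session's logon being delegated.
$secure = ConvertTo-SecureString $Password -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential($UserName, $secure)

$driveName = 'SrcShare'   # hypothetical, session-scoped drive name
try {
    # Non-persistent drive: it exists only for this PowerShell session.
    New-PSDrive -Name $driveName -PSProvider FileSystem -Root $shareRoot -Credential $cred | Out-Null
    Copy-Item -Path (Join-Path "${driveName}:" $relative) -Destination $Destination -Recurse -Force
}
finally {
    # Always drop the mapping and the in-memory secret, even when the copy fails.
    Remove-PSDrive -Name $driveName -ErrorAction SilentlyContinue
    Remove-Variable -Name Password, secure, cred -ErrorAction SilentlyContinue
}
```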
