I think this is because when you logged into the machine, as part of the login process a kerberos ticket has been cached for the user you logged in as.
When ansible runs, the winrm connection plugin determines that you want to connect via kerberos (there is a bit of guessing going on here, from memory it is assumed you want to connect using kerberos based on having an @ in the ansible_ssh_user and having the python kerberos library loaded. The actual authorisation is then handled by the kerberos library and since you have a kerberos ticket (as a result of logging in), I suspect it is using that. If you can I suggest you install krb5-workstation and then log in as whichever user, then try running klist to see what tickets are cached for your user. if you want to manually create a ticket for the other user, you can do that like this: kinit [email protected] (note domain name must be in upper case). Does that clarify things at all? On Wednesday, August 19, 2015 at 11:38:26 AM UTC+1, Amir Luzon wrote: > > LDAP user is a user in the active directory. > > "and ansible is then attempting to use your kerberos credentials to talk > to your windows machines." - but we configured the "ansible_ssh_user| to a > specific user and it is not using that user but the user logged in to the > control machine...why is that? > > The control machine is: Linux version 2.6.32-504.16.2.el6.x86_64 ( > [email protected] <javascript:>) (gcc version 4.4.7 > 20120313 (Red Hat 4.4.7-11) (GCC) ) > > On Wednesday, August 19, 2015 at 12:56:53 PM UTC+3, J Hawkesworth wrote: >> >> Not hit this- I'm not sure what you mean by 'LDAP (windows) users' but if >> you are logging in to your ansible controller using a windows domain user, >> and password then chances are you are using kerberos and ansible is then >> attempting to use your kerberos credentials to talk to your windows >> machines. >> >> You don't mention which OS you are running your ansible controller on but >> if you have krb5-workstation (yum package) or apt-get equivalent installed, >> you can run the command >> >> klist >> >> which will show any kerberos credentials you have. I suspect ansible is >> using these. >> >> If I'm right then I think your options are >> >> a/ use a local user on your windows machines (change >> ansible_ssh_user=some_local_user not a user@domain) >> >> b/ log in to your ansible controller as a domain user with suitable >> privileges for whatever it is you need to do on your windows machines and >> change your >> ansible_ssh_user=domain_user_you_logged_in_to_ansible_as@DOMAIN ) >> >> Hope the above helps >> >> Jon >> >> On Wednesday, August 19, 2015 at 9:19:46 AM UTC+1, Amir Luzon wrote: >>> >>> hi guys, >>> >>> our control machine is configured so that we can login to the machine >>> with our LDAP (windows) users. from there we run ansible playbooks. >>> >>> here are some of the configurations we use: >>> >>> [windows:vars] >>> ansible_ssh_user=[DeployUser]@[OurDomain] >>> ansible_ssh_pass=password >>> ansible_connection=winrm >>> >>> the [DeployUser] is not the same as the LDAP user to login to the >>> ansible control machine. >>> >>> yet when running powershell modules on a windows machine we noticed that >>> Ansible will use the LDAP user used to login to control machine and not the >>> user configured in the hosts file on ansible_ssh_user. >>> >>> from what i understand ansible should use the ansible_ssh_user on >>> windows machine to do whatever but for us it uses the LDAP user??? >>> >>> anyone encounter this issue? please help! >>> >>> >>> thanks in advance >>> >> -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/282673ef-5bab-4f0c-9adb-91615ab41570%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
