yes it does, thank you. does this not seem like a bug?
On Wednesday, August 19, 2015 at 2:40:53 PM UTC+3, J Hawkesworth wrote:
>
> I think this is because when you logged into the machine, as part of the login process a kerberos ticket has been cached for the user you logged in as.
>
> When ansible runs, the winrm connection plugin determines that you want to connect via kerberos (there is a bit of guessing going on here, from memory it is assumed you want to connect using kerberos based on having an @ in the ansible_ssh_user and having the python kerberos library loaded).
>
> The actual authorisation is then handled by the kerberos library and since you have a kerberos ticket (as a result of logging in), I suspect it is using that.
>
> If you can I suggest you install krb5-workstation and then log in as whichever user, then try running klist to see what tickets are cached for your user.
>
> If you want to manually create a ticket for the other user, you can do that like this:
>
>     kinit [email protected]
>
> (note domain name must be in upper case).
>
> Does that clarify things at all?
>
> On Wednesday, August 19, 2015 at 11:38:26 AM UTC+1, Amir Luzon wrote:
>>
>> LDAP user is a user in the active directory.
>>
>> "and ansible is then attempting to use your kerberos credentials to talk to your windows machines." - but we configured the "ansible_ssh_user" to a specific user and it is not using that user but the user logged in to the control machine...why is that?
>>
>> The control machine is: Linux version 2.6.32-504.16.2.el6.x86_64 ([email protected]) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC) )
>>
>> On Wednesday, August 19, 2015 at 12:56:53 PM UTC+3, J Hawkesworth wrote:
>>>
>>> Not hit this - I'm not sure what you mean by 'LDAP (windows) users' but if you are logging in to your ansible controller using a windows domain user and password, then chances are you are using kerberos and ansible is then attempting to use your kerberos credentials to talk to your windows machines.
>>>
>>> You don't mention which OS you are running your ansible controller on but if you have krb5-workstation (yum package) or apt-get equivalent installed, you can run the command
>>>
>>>     klist
>>>
>>> which will show any kerberos credentials you have. I suspect ansible is using these.
>>>
>>> If I'm right then I think your options are
>>>
>>> a/ use a local user on your windows machines (change ansible_ssh_user=some_local_user not a user@domain)
>>>
>>> b/ log in to your ansible controller as a domain user with suitable privileges for whatever it is you need to do on your windows machines and change your ansible_ssh_user=domain_user_you_logged_in_to_ansible_as@DOMAIN
>>>
>>> Hope the above helps
>>>
>>> Jon
>>>
>>> On Wednesday, August 19, 2015 at 9:19:46 AM UTC+1, Amir Luzon wrote:
>>>>
>>>> hi guys,
>>>>
>>>> our control machine is configured so that we can login to the machine with our LDAP (windows) users. from there we run ansible playbooks.
>>>>
>>>> here are some of the configurations we use:
>>>>
>>>>     [windows:vars]
>>>>     ansible_ssh_user=[DeployUser]@[OurDomain]
>>>>     ansible_ssh_pass=password
>>>>     ansible_connection=winrm
>>>>
>>>> the [DeployUser] is not the same as the LDAP user to login to the ansible control machine.
>>>>
>>>> yet when running powershell modules on a windows machine we noticed that Ansible will use the LDAP user used to login to control machine and not the user configured in the hosts file on ansible_ssh_user.
>>>>
>>>> from what i understand ansible should use the ansible_ssh_user on windows machine to do whatever but for us it uses the LDAP user???
>>>>
>>>> anyone encounter this issue? please help!
>>>>
>>>> thanks in advance
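An added example, not part of the thread and not Ansible's own code: a pre-flight check for the situation discussed above, comparing the principal of the cached Kerberos ticket with the `ansible_ssh_user` set for an inventory group. The `klist` output, inventory, host names and user names are constructed, and the `Default principal:` line is assumed to follow MIT `klist` output.

```python
import re

# Constructed sample data (not from the thread): MIT-style klist output and an inventory.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
08/19/15 10:00:00  08/19/15 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""
INVENTORY = """\
[windows]
win1.example.com

[windows:vars]
ansible_ssh_user=deploy@EXAMPLE.COM
ansible_ssh_pass=password
ansible_connection=winrm
"""

def cached_principal(klist_text):
    """Return the default principal from klist output, or None if no ticket is cached."""
    m = re.search(r"^Default principal:\s*(\S+)\s*$", klist_text, re.MULTILINE)
    return m.group(1) if m else None

def inventory_user(inventory_text, group):
    """Return ansible_ssh_user from the [group:vars] section, or None if absent."""
    in_section = False
    for raw in inventory_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line == f"[{group}:vars]"
        elif in_section and line.startswith("ansible_ssh_user="):
            return line.split("=", 1)[1].strip()
    return None

def check_identity(user, principal):
    """Classify which identity a Kerberos-authenticated WinRM run would carry."""
    if user is None or "@" not in user:
        return "not-kerberos"      # no @ in the user, so Kerberos is not guessed
    realm = user.rsplit("@", 1)[1]
    if realm != realm.upper():
        return "realm-not-upper"   # thread: the domain name must be in upper case
    if principal is None:
        return "no-ticket"         # nothing cached; kinit as the configured user first
    return "match" if principal == user else "mismatch"

if __name__ == "__main__":
    user = inventory_user(INVENTORY, "windows")
    principal = cached_principal(KLIST_OUTPUT)
    print(user, principal, check_identity(user, principal))
```

A `mismatch` result is the case reported in the thread: the playbook would act on the Windows hosts as the logged-in user's ticket identity instead of the configured deploy account.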
