[ansible-project] WINRM issue with domain user - some works and some dont

[Eyal Zarchi]

Hi.

we have a few windows server 2008 R2 that we would like to use the winrm 
module.
we have similar machines that some work and some dont. i compared the build 
of the machine, the build of the powershell and even local security policy. 
the result is still the same.
we use kerberos and winbind on the controller machine and since the winrm 
module work for windows 2012 and some of the 2008 R2 machines with the 
domain username, i am guessing the issue is not on the controller.

i though it was because it uses the ticket with the ldap user i logged into 
the controller machine but i am a member of the administrator group on the 
target machine and it still doesnt work.
if i create a local username and put it in the administrator group, the 
winrm work.

here is a machine that works:

<rnpl-qa1-bes01> WINRM RESULT <Response code 0, out "C:\Users\deploy_rn\A", 
err "">
<rnpl-qa1-bes01> PUT /tmp/tmpe8SQvn TO 
C:\Users\deploy_rn\AppData\Local\Temp\ansible-tmp-1441020926.8-178247757458762\\win_ping
<rnpl-qa1-bes01> WINRM PUT /tmp/tmpe8SQvn to 
C:\Users\deploy_rn\AppData\Local\Temp\ansible-tmp-1441020926.8-178247757458762\\win_ping.ps1
 
(offset=0 size=2035)
<rnpl-qa1-bes01> WINRM PUT /tmp/tmpe8SQvn to 
C:\Users\deploy_rn\AppData\Local\Temp\ansible-tmp-1441020926.8-178247757458762\\win_ping.ps1
 
(offset=2035 size=2035)
<rnpl-qa1-bes01> WINRM PUT /tmp/tmpe8SQvn to 
C:\Users\deploy_rn\AppData\Local\Temp\ansible-tmp-1441020926.8-178247757458762\\win_ping.ps1
 
(offset=4070 size=2035)
<rnpl-qa1-bes01> WINRM PUT /tmp/tmpe8SQvn to 
C:\Users\deploy_rn\AppData\Local\Temp\ansible-tmp-1441020926.8-178247757458762\\win_ping.ps1
 
(offset=6105 size=602)
<rnpl-qa1-bes01> PUT /tmp/tmpsiY4YG TO 
C:\Users\deploy_rn\AppData\Local\Temp\ansible-tmp-1441020926.8-178247757458762\\arguments
<rnpl-qa1-bes01> WINRM PUT /tmp/tmpsiY4YG to 
C:\Users\deploy_rn\AppData\Local\Temp\ansible-tmp-1441020926.8-178247757458762\\arguments
 
(offset=0 size=2)
<rnpl-qa1-bes01> EXEC PowerShell -NoProfile -NonInteractive 
-ExecutionPolicy Unrestricted -File 
C:\Users\deploy_rn\AppData\Local\Temp\ansible-tmp-1441020926.8-178247757458762\\win_ping.ps1
 
C:\Users\deploy_rn\AppData\Local\Temp\ansible-tmp-1441020926.8-178247757458762\\arguments;
 
Remove-Item 
"C:\Users\deploy_rn\AppData\Local\Temp\ansible-tmp-1441020926.8-178247757458762\"
 
-Force -Recurse;
<rnpl-qa1-bes01> WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', 
'-EncodedCommand', 
'UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARgBpAGwAZQAgAEMAOgBcAFUAcwBlAHIAcwBcAGQAZQBwAGwAbwB5AF8AcgBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABhAG4AcwBpAGIAbABlAC0AdABtAHAALQAxADQANAAxADAAMgAwADkAMgA2AC4AOAAtADEANwA4ADIANAA3ADcANQA3ADQANQA4ADcANgAyAFwAXAB3AGkAbgBfAHAAaQBuAGcALgBwAHMAMQAgAEMAOgBcAFUAcwBlAHIAcwBcAGQAZQBwAGwAbwB5AF8AcgBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABhAG4AcwBpAGIAbABlAC0AdABtAHAALQAxADQANAAxADAAMgAwADkAMgA2AC4AOAAtADEANwA4ADIANAA3ADcANQA3ADQANQA4ADcANgAyAFwAXABhAHIAZwB1AG0AZQBuAHQAcwA7ACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAIgBDADoAXABVAHMAZQByAHMAXABkAGUAcABsAG8AeQBfAHIAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADQAMQAwADIAMAA5ADIANgAuADgALQAxADcAOAAyADQANwA3ADUANwA0ADUAOAA3ADYAMgBcACIAIAAtAEYAbwByAGMAZQAgAC0AUgBlAGMAdQByAHMAZQA7AA==']
<rnpl-qa1-bes01> WINRM RESULT <Response code 0, out "{ "changed": f", err 
"">
rnpl-qa1-bes01 | success >> {
    "changed": false,
    "ping": "pong"
}


here is one that doesnt work:

<rnpl-qa1-sts01> ESTABLISH WINRM CONNECTION FOR USER:  on PORT 5986 TO 
rnpl-qa1-sts01
<rnpl-qa1-sts02> ESTABLISH WINRM CONNECTION FOR USER:  on PORT 5986 TO 
rnpl-qa1-sts02
<rnpl-qa1-sts01> WINRM CONNECT: transport=kerberos endpoint=
https://rnpl-qa1-sts01:5986/wsman
<rnpl-qa1-sts02> WINRM CONNECT: transport=kerberos endpoint=
https://rnpl-qa1-sts02:5986/wsman
rnpl-qa1-sts01 | FAILED => the username/password specified for this server 
was incorrect
rnpl-qa1-sts02 | FAILED => the username/password specified for this server 
was incorrect


as soon as i remove the @DOMAIN from the host file, and use a local 
username, the winrm works.
i am probably missing a silly thing but i cant find it.
thanks

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/5b1ed1a5-613e-4ee2-8223-3bde9a1d0535%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.