The new pywinrm stuff I've been working on (0.2.0rc3) supports on-the-fly kerberos principal switching across N domains if you have valid tickets for them all on a system that defaults to collection-typed credential caching (I've only tested on OSX so far; not sure what the default ccache type is on Cent7). Unfortunately, there's a one-line bug in pykerberos that prevents it from working "out of the box", but if you uncomment https://github.com/02strich/pykerberos/blob/master/src/kerberosgss.c#L234 and rebuild pykerberos, it should work if your system is configured for collection-typed kerberos ccaches.
Once all the relevant bits are shipped, I'm planning to do a full doc writeup on if/how this works for various OSs. Meantime, jhawkesworth has another way to do this that you might be interested in: https://github.com/ansible/ansible/pull/14972/files

On Wednesday, May 18, 2016 at 1:59:48 PM UTC-7, Mike Fennemore wrote:
> Ansible: 2.0.0.2
> OS: CentOS 7.2
>
> Is it possible to use a single Ansible controller for multiple Windows domains? The scenario requires the use of domain accounts for authentication on 3 separate domains.
> I have configured the krb5.conf accordingly but as yet cannot get the Ansible controller to authenticate with all Windows servers (Server 2012 R2). I receive the following error messages:
>
> "msg": "ERROR! kerberos: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377)), ssl: 401 Unauthorized. basic auth failed"
>
> "msg": "ERROR! kerberos: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377)), ssl: 500 WinRMTransport. [Errno 113] No route to host"
>
> I have run the ConfigureRemotingForAnsible.ps1 and can successfully get Kerberos tickets using kinit [email protected] across all the domains.
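
Added example, not part of the thread and not pywinrm or Ansible code: a pre-flight check of a krb5.conf for the multi-domain setup discussed above. It reports whether the configured default ccache type can hold a collection of tickets and which realm each WinRM host resolves to under the documented [domain_realm] rule. It assumes MIT krb5.conf syntax; every realm, host and path in it is a constructed sample value.

```python
# Added example. Realm names, hosts and paths are constructed sample values.
COLLECTION_TYPES = {"DIR", "KEYRING", "KCM", "API"}  # MIT krb5 collection-capable types

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}
[realms]
    CORP.EXAMPLE = {
        kdc = dc1.corp.example
    }
[domain_realm]
    .corp.example = CORP.EXAMPLE
    .dev.example = DEV.EXAMPLE
    jump.lab.example = LAB.EXAMPLE
"""

def parse_sections(text):
    """Return {section: {key: value}} for the flat 'key = value' lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.endswith("{"):
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def ccache_supports_collection(conf):
    # Assumption: unset means FILE: (build default may differ; KRB5CCNAME overrides).
    name = conf.get("libdefaults", {}).get("default_ccache_name", "FILE:")
    return name.split(":", 1)[0].upper() in COLLECTION_TYPES

def realm_for_host(conf, host):
    """Documented rule: exact host entry, then '.domain' suffixes, longest first."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    labels = host.lower().rstrip(".").split(".")
    candidates = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((mapping[c] for c in candidates if c in mapping), None)

def preflight(conf_text, hosts):
    conf = parse_sections(conf_text)
    realms = {h: realm_for_host(conf, h) for h in hosts}
    return {"collection_ccache": ccache_supports_collection(conf), "realms": realms}

if __name__ == "__main__":
    print(preflight(SAMPLE_KRB5_CONF, ["web1.corp.example", "app1.lab.example"]))
```

A host that comes back as None has no explicit [domain_realm] entry, so realm selection for it is left to the library's fallback behaviour.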
