Just to say my stuff mentioned above only lets you point at multiple domains from one ansible controller, it doesn't let you hit > 1 windows domain from a single playbook run. It would probably be possible to modify it but right now once it has cached a kerberos ticket for a windows host it returns control to ansible.
So it sounds like your time would be best spent trying out Matt's suggestion.

Jon (jhawkesworth)

On Thursday, May 19, 2016 at 12:06:03 AM UTC+1, Matt Davis wrote:
>
> The new pywinrm stuff I've been working on (0.2.0rc3) supports on-the-fly kerberos principal switching across N domains if you have valid tickets for them all on a system that defaults to collection-typed credential caching (I've only tested on OSX so far- not sure what the default ccache type is on Cent7). Unfortunately, there's a one-line bug in pykerberos that prevents it from working "out of the box", but if you uncomment https://github.com/02strich/pykerberos/blob/master/src/kerberosgss.c#L234 and rebuild pykerberos, it should work if your system is configured for collection-typed kerberos ccaches.
>
> Once all the relevant bits are shipped, I'm planning to do a full doc writeup on if/how this works for various OSs.
>
> Meantime, jhawkesworth has another way to do this that you might be interested in: https://github.com/ansible/ansible/pull/14972/files
>
> On Wednesday, May 18, 2016 at 1:59:48 PM UTC-7, Mike Fennemore wrote:
>>
>> Ansible: 2.0.0.2
>> OS: CentOS 7.2
>>
>> Is it possible to use a single Ansible controller for multiple Windows domains? The scenario requires the use of domain accounts for authentication on 3 separate domains.
>> I have configured the krb5.conf accordingly but as yet cannot get the Ansible controller to authenticate with all Windows servers (Server 2012 R2). I receive the following error messages:
>>
>> "msg": "ERROR! kerberos: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377)), ssl: 401 Unauthorized. basic auth failed"
>>
>> "msg": "ERROR! kerberos: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377)), ssl: 500 WinRMTransport. [Errno 113] No route to host"
>>
>> I have run the ConfigureRemotingForAnsible.ps1 and can successfully get Kerberos tickets using kinit [email protected] across all the domains.
>>

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/3274ce59-1fba-45ba-86cc-403a1e2bb33d%40googlegroups.com.
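
Matt's reply in this thread makes principal switching conditional on a collection-typed credential cache. The following is an added example, not part of the thread and not code from pywinrm, pykerberos or Ansible, showing one way to check which cache type a controller would use. It assumes MIT krb5 semantics (`KRB5CCNAME` overrides `default_ccache_name` in `krb5.conf`; `DIR`, `KEYRING`, `KCM` and `API` are the collection-capable types); the sample config and realm names are constructed.

```python
import re

# MIT krb5 cache types that can hold tickets for several principals at once.
# FILE and MEMORY caches hold a single principal (assumption stated in lead-in).
COLLECTION_TYPES = {"DIR", "KEYRING", "KCM", "API"}

def default_ccache_name(krb5_conf_text):
    """Return default_ccache_name from [libdefaults], or None if unset."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "default_ccache_name":
                return value
    return None

def effective_ccache(env, krb5_conf_text):
    """KRB5CCNAME wins over krb5.conf; with neither set, a FILE cache is used."""
    return (env.get("KRB5CCNAME")
            or default_ccache_name(krb5_conf_text)
            or "FILE:/tmp/krb5cc_%{uid}")

def ccache_type(name):
    """A cache name without a TYPE: prefix is treated as FILE."""
    prefix, sep, _ = name.partition(":")
    return prefix.upper() if sep and prefix.isalpha() else "FILE"

def supports_collection(name):
    return ccache_type(name) in COLLECTION_TYPES

# Constructed sample krb5.conf; the realm and KDC names are placeholders.
SAMPLE_CONF = """
[libdefaults]
  default_realm = DOMAIN-A.EXAMPLE
  default_ccache_name = KEYRING:persistent:%{uid}
[realms]
  DOMAIN-A.EXAMPLE = { kdc = dc1.domain-a.example }
"""

if __name__ == "__main__":
    for env in ({}, {"KRB5CCNAME": "/tmp/krb5cc_1000"}):
        name = effective_ccache(env, SAMPLE_CONF)
        print(name, ccache_type(name), supports_collection(name))
```

An exported `KRB5CCNAME` pointing at a plain file silently overrides a collection-typed default from `krb5.conf`, so check the environment of the user that actually runs the playbook.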
