Hi,

Nope, that's work in progress afaik.

On Tuesday, June 7, 2016 at 2:27:06 PM UTC+2, Willem Bos wrote:
>
> Hi Trond,
>
> Thanks for the confirmation. So, as it is already planned I take it
> there's no need to file a feature request?
>
> Regards,
> Willem.
>
> On Tuesday, June 7, 2016 at 2:02:58 PM UTC+2, Trond Hindenes wrote:
>>
>> Hi Willem, this is (for now) by design.
>>
>> Matt is working on (or at least planning to work on) automatically
>> invoking kinit behind the scenes to automatically get a Kerberos ticket if
>> needed, but for now, that has to be present. You could probably use a
>> local_action to make sure one exists on the control node before executing
>> the windows part of your playbook.
>>
>> On Tuesday, June 7, 2016 at 1:51:25 PM UTC+2, Willem Bos wrote:
>>>
>>> Hi all,
>>>
>>> I'm trying to use winrm to execute tasks on a windows server (after
>>> following the steps in
>>> http://docs.ansible.com/ansible/intro_windows.html). As a test I use
>>> the win_ping module. This works only when a Kerberos ticket is present
>>> beforehand.
>>>
>>> Is it a requirement to have the Linux server be a member of the AD
>>> infrastructure? If so, then the only way to make this work from a control
>>> machine - without joining the domain - would be to run a kinit from my
>>> playbook first, right? I found several similar cases but none mention if AD
>>> membership is a 'hard' requirement.
>>>
>>>
>>> *** INFO ***
>>> rpm -qa | grep -E
>>> "ansible|python-devel|krb5-devel|krb5-libs|krb5-workstation|python-kerberos"
>>>
>>> | sort
>>> ansible-2.0.2.0-1.el7.noarch
>>> krb5-devel-1.13.2-12.el7_2.x86_64
>>> krb5-libs-1.13.2-12.el7_2.x86_64
>>> krb5-workstation-1.13.2-12.el7_2.x86_64
>>> python-devel-2.7.5-34.el7.x86_64
>>> python-kerberos-1.1-15.el7.x86_64
>>>
>>> pip list | grep winrm
>>> pywinrm (0.1.1)
>>>
>>>
>>> *** WORKS ***
>>> kinit domain-user@AD-DOMAIN
>>> ...
>>>
>>> klist
>>> Ticket cache: KEYRING:persistent:0:0
>>> Default principal: domain-user@AD-DOMAIN
>>>
>>> Valid starting Expires Service principal
>>> 06/07/2016 11:26:20 06/07/2016 21:26:20 krbtgt/AD-DOMAIN@AD-DOMAIN
>>> renew until 06/14/2016 11:26:20
>>>
>>> ansible -m win_ping windows-server.ad-domain
>>> windows-server.ad-domain | SUCCESS => {
>>>     "changed": false,
>>>     "ping": "pong"
>>> }
>>>
>>>
>>> *** DOESN'T WORK ***
>>> kdestroy -A
>>>
>>> ansible -m win_ping windows-server.ad-domain -vvvvv
>>> Using /etc/ansible/ansible.cfg as config file
>>> Loaded callback minimal of type stdout, v2.0
>>> <windows-server.ad-domain> ESTABLISH WINRM CONNECTION FOR USER:
>>> domain-user@AD-DOMAIN on PORT 5986 TO windows-server.ad-domain
>>> <windows-server.ad-domain> WINRM CONNECT: transport=kerberos endpoint=
>>> https://windows-server.ad-domain:5986/wsman
>>> <windows-server.ad-domain> WINRM CONNECTION ERROR: (('Unspecified GSS
>>> failure. Minor code may provide more information', 851968), ('No Kerberos
>>> credentials available', -1765328243))
>>> Traceback (most recent call last):
>>>   File
>>> "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py",
>>> line 134, in _winrm_connect
>>>     protocol.send_message('')
>>>   File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 193,
>>> in send_message
>>>     return self.transport.send_message(message)
>>>   File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 269,
>>> in send_message
>>>     krb_ticket = KerberosTicket(self.krb_service)
>>>   File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 205,
>>> in __init__
>>>     kerberos.authGSSClientStep(krb_context, '')
>>> GSSError: (('Unspecified GSS failure. Minor code may provide more
>>> information', 851968), ('No Kerberos credentials available', -1765328243))
>>>
>>> windows-server.ad-domain | FAILED! => {
>>>     "failed": true,
>>>     "msg": "kerberos: (('Unspecified GSS failure. Minor code may
>>> provide more information', 851968), ('No Kerberos credentials available',
>>> -1765328243))"
>>> }
>>>
>>> Regards,
>>> Willem
>>>
>>
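Added example (not part of the thread and not Ansible's own code): a shell helper for the control node that does what the reply above suggests, checking for a valid ticket with `klist -s` and obtaining one with `kinit` before the WinRM play runs. The function name, its return codes and the use of a keytab instead of an interactive password are assumptions of this example.

```shell
#!/bin/sh
# Added example: make sure the control node holds a usable Kerberos TGT
# before Ansible opens a WinRM connection with transport=kerberos.
# Assumptions: a keytab for the principal exists; the function name,
# argument order and return codes are this example's own.

# ensure_krb_ticket PRINCIPAL KEYTAB
# returns 0 = ticket available, 2 = bad arguments or unsafe keytab,
#         3 = kinit failed or no ticket afterwards
ensure_krb_ticket() {
    principal=$1
    keytab=$2
    [ -n "$principal" ] && [ -n "$keytab" ] || return 2

    # Reuse the cache only if it is still valid (klist -s exits 0) AND it
    # belongs to the principal Ansible will authenticate as.
    if klist -s 2>/dev/null; then
        cached=$(klist 2>/dev/null | sed -n 's/^Default principal: //p')
        if [ "$cached" = "$principal" ]; then
            return 0
        fi
    fi

    # A keytab is a long-term credential: refuse one that is missing or
    # accessible to group or others (mode must be 0600 or stricter).
    [ -f "$keytab" ] || return 2
    perms=$(ls -ld -- "$keytab" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing $keytab: accessible to group/others" >&2
        return 2
    fi

    # -k: authenticate from a keytab instead of prompting; -t: keytab file.
    kinit -k -t "$keytab" "$principal" || return 3

    # Confirm a valid ticket is now in the cache.
    klist -s 2>/dev/null || return 3
    return 0
}

# Usage (the keytab path is a placeholder):
#   ensure_krb_ticket domain-user@AD-DOMAIN /path/to/domain-user.keytab \
#     && ansible -m win_ping windows-server.ad-domain
```

The same two commands can be run from a playbook through `local_action`, as the reply suggests; the wrapper form keeps the keytab permission check outside the play.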
