Depending on what you're doing, NTLM might be a better fit for you (install
pywinrm>=0.2.0, set ansible_winrm_transport=ntlm and specify
ansible_user/ansible_password).
Automatic ticket management in pywinrm/our connection plugin is definitely
on my list of "things I wish we could do", but it's tentatively slated for
2.3 (2 releases out).
Docs are forthcoming for all that stuff; I wanted to wait until the new
pywinrm bits were actually released before publishing doc updates on NTLM.
They were released a couple of days ago.
On Tuesday, June 7, 2016 at 8:59:49 AM UTC-7, Willem Bos wrote:
>
> For people running into the same problem, this is (more or less) the
> playbook I use :
>
> - hosts: all
>   tasks:
>     - name: Install prerequisite software (using yum)
>       yum:
>         enablerepo: epel
>         update_cache: yes
>         name: "{{ item }}"
>         state: present
>       with_items:
>         - python-pip
>         - python-ptyprocess
>       delegate_to: localhost
>
>     - name: Uninstall old pexpect package (using yum)
>       yum:
>         name: pexpect
>         state: absent
>       delegate_to: localhost
>
>     - name: Install prerequisite software (using pip)
>       pip:
>         name: pexpect
>         version: 3.3
>         state: present
>       delegate_to: localhost
>
>     - name: Check for presence of Kerberos ticket
>       command: /usr/bin/klist
>       register: klist_result
>       changed_when: no
>       ignore_errors: yes
>       delegate_to: localhost
>
>     - name: Request Kerberos ticket if none present
>       expect:
>         command: /usr/bin/kinit domain-user@AD-DOMAIN
>         responses:
>           '(?i)password': domain-user-password
>       changed_when: no
>       when: klist_result.rc != 0
>       delegate_to: localhost
>
>
> The first task installs prerequisite software for the expect module using
> RPMs from EPEL <https://fedoraproject.org/wiki/EPEL>. The version of
> pexpect (another prerequisite) that the Red Hat and CentOS RPMs provide is
> too old for Ansible, so we uninstall this in the second task. The third
> task installs the required version of pexpect using pip. The third and
> fourth tasks actually deal with requesting a Kerberos ticket-granting
> ticket when it is not present.
>
> Regards,
> Willem.
>
>
>
> On Tuesday, June 7, 2016 at 1:51:25 PM UTC+2, Willem Bos wrote:
>>
>> Hi all,
>>
>> I'm trying to use winrm to execute tasks on a Windows server (after
>> following the steps in http://docs.ansible.com/ansible/intro_windows.html).
>> As a test I use the win_ping module. This works only when a Kerberos ticket
>> is present beforehand.
>>
>> Is it a requirement for the Linux server to be a member of the AD
>> infrastructure? If so, then the only way to make this work from a control
>> machine - without joining the domain - would be to run a kinit from my
>> playbook first, right? I found several similar cases but none mention if AD
>> membership is a 'hard' requirement.
>>
>>
>> *** INFO ***
>> rpm -qa | grep -E "ansible|python-devel|krb5-devel|krb5-libs|krb5-workstation|python-kerberos" | sort
>> ansible-2.0.2.0-1.el7.noarch
>> krb5-devel-1.13.2-12.el7_2.x86_64
>> krb5-libs-1.13.2-12.el7_2.x86_64
>> krb5-workstation-1.13.2-12.el7_2.x86_64
>> python-devel-2.7.5-34.el7.x86_64
>> python-kerberos-1.1-15.el7.x86_64
>>
>> pip list | grep winrm
>> pywinrm (0.1.1)
>>
>>
>> *** WORKS ***
>> kinit domain-user@AD-DOMAIN
>> ...
>>
>> klist
>> Ticket cache: KEYRING:persistent:0:0
>> Default principal: domain-user@AD-DOMAIN
>>
>> Valid starting       Expires              Service principal
>> 06/07/2016 11:26:20  06/07/2016 21:26:20  krbtgt/AD-DOMAIN@AD-DOMAIN
>>         renew until 06/14/2016 11:26:20
>>
>> ansible -m win_ping windows-server.ad-domain
>> windows-server.ad-domain | SUCCESS => {
>>     "changed": false,
>>     "ping": "pong"
>> }
>>
>>
>> *** DOESN'T WORK ***
>> kdestroy -A
>>
>> ansible -m win_ping windows-server.ad-domain -vvvvv
>> Using /etc/ansible/ansible.cfg as config file
>> Loaded callback minimal of type stdout, v2.0
>> <windows-server.ad-domain> ESTABLISH WINRM CONNECTION FOR USER: domain-user@AD-DOMAIN on PORT 5986 TO windows-server.ad-domain
>> <windows-server.ad-domain> WINRM CONNECT: transport=kerberos endpoint=https://windows-server.ad-domain:5986/wsman
>> <windows-server.ad-domain> WINRM CONNECTION ERROR: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('No Kerberos credentials available', -1765328243))
>> Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 134, in _winrm_connect
>>     protocol.send_message('')
>>   File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 193, in send_message
>>     return self.transport.send_message(message)
>>   File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 269, in send_message
>>     krb_ticket = KerberosTicket(self.krb_service)
>>   File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 205, in __init__
>>     kerberos.authGSSClientStep(krb_context, '')
>> GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('No Kerberos credentials available', -1765328243))
>>
>> windows-server.ad-domain | FAILED! => {
>>     "failed": true,
>>     "msg": "kerberos: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('No Kerberos credentials available', -1765328243))"
>> }
>>
>> Regards,
>> Willem
>>
>
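An added example, not code from the thread, from Ansible or from pywinrm. The quoted playbook decides whether to run kinit from the exit status of a bare `klist`, which only tells you that a credential cache exists, and it embeds the domain password in a plaintext `expect` response. The script below does the pre-flight check a control machine can run before `ansible` with the kerberos transport: it parses `klist` output in the format shown in the thread (the embedded sample is constructed after that output) and confirms there is an unexpired `krbtgt/REALM@REALM` for the realm of `ansible_user`, which is exactly what pywinrm's GSSAPI step needs. `ensure_tgt` is a hypothetical helper that relies on MIT krb5's `klist -s` (exit status 1 when the cache is missing or expired) and acquires a ticket from a keytab so no password has to live in the playbook; the keytab path is an assumption, and it is only called, not tested, here.

```python
"""Pre-flight check for Ansible's WinRM kerberos transport: is a usable TGT cached?"""
import re
import subprocess
from datetime import datetime

# Constructed sample, shaped after the `klist` output quoted in the thread above.
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:0:0
Default principal: domain-user@AD-DOMAIN

Valid starting       Expires              Service principal
06/07/2016 11:26:20  06/07/2016 21:26:20  krbtgt/AD-DOMAIN@AD-DOMAIN
\trenew until 06/14/2016 11:26:20
"""

# MIT klist prints "MM/DD/YYYY HH:MM:SS" by default; some builds use a 2-digit year.
_TS = r"(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})"
_TICKET_RE = re.compile(rf"^\s*{_TS}\s+{_TS}\s+(\S+)\s*$")


def parse_ts(text):
    """Parse a klist timestamp, accepting both 4-digit and 2-digit years."""
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised klist timestamp: {text!r}")


def parse_klist(output):
    """Return (default_principal, [(valid_from, expires, service_principal), ...])."""
    principal = None
    tickets = []
    for line in output.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = _TICKET_RE.match(line)
        if m:  # header and "renew until ..." continuation lines never match
            tickets.append((parse_ts(m.group(1)), parse_ts(m.group(2)), m.group(3)))
    return principal, tickets


def realm_of(principal):
    """'domain-user@AD-DOMAIN' -> 'AD-DOMAIN' (the form ansible_user takes in the thread)."""
    if "@" not in principal:
        raise ValueError("kerberos transport needs ansible_user as user@REALM")
    return principal.rsplit("@", 1)[1]


def has_valid_tgt(output, realm, now):
    """True if the cache holds a krbtgt/REALM@REALM that is valid at `now`.

    Checks the Expires column explicitly, so an expired cache (which a bare
    `klist` still reports with exit status 0) is correctly rejected.
    """
    _, tickets = parse_klist(output)
    wanted = f"krbtgt/{realm}@{realm}"
    return any(svc == wanted and start <= now < expires
               for start, expires, svc in tickets)


def ensure_tgt(principal, keytab):
    """Hypothetical helper: acquire a TGT from a keytab only when none is usable.

    `klist -s` is silent and exits 0 only if an unexpired credential cache
    exists; `kinit -kt` reads the key from the keytab, so no password is
    needed in the playbook or in expect responses. Requires krb5-workstation.
    Returns True if a new ticket was requested.
    """
    if subprocess.run(["klist", "-s"]).returncode == 0:
        return False
    subprocess.run(["kinit", "-kt", keytab, principal], check=True)
    return True


if __name__ == "__main__":
    user = "domain-user@AD-DOMAIN"          # what ansible_user would be set to
    ok = has_valid_tgt(SAMPLE_KLIST, realm_of(user), parse_ts("06/07/2016 12:00:00"))
    print("usable TGT for", realm_of(user), ":", ok)
    # Live use on a control machine (path is an assumption):
    # ensure_tgt(user, "/etc/ansible/domain-user.keytab")
```

Run it once with `klist` output captured from the control machine instead of the sample, or wire `ensure_tgt` into a `local_action` before the Windows play; with NTLM (`ansible_winrm_transport=ntlm` and pywinrm>=0.2.0) none of this is needed, but the password then belongs in Ansible Vault, not in a plaintext variable.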
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/8c43944b-5b94-4043-937c-e2e2fd946185%40googlegroups.com.