Just tried pywinrm 0.2rc6. Both ansible_winrm_transport=ntlm
and ansible_winrm_transport=kerberos work fine. Thanks!
On Tuesday, June 7, 2016 at 7:31:23 PM UTC+2, Matt Davis wrote:
>
> Depending on what you're doing, NTLM might be a better fit for you
> (install pywinrm>=0.2.0, set ansible_winrm_transport=ntlm and specify
> ansible_user/ansible_password).
>
> Automatic ticket management in pywinrm/our connection plugin is definitely
> on my list of "things I wish we could do", but it's tentatively slated for
> 2.3 (2 releases out).
>
> Docs are forthcoming for all that stuff- I wanted to wait until the new
> pywinrm bits were actually released before publishing doc updates on NTLM;
> they released a couple days ago.
>
> On Tuesday, June 7, 2016 at 8:59:49 AM UTC-7, Willem Bos wrote:
>>
>> For people running into the same problem, this is (more or less) the
>> playbook I use:
>>
>> - hosts: all
>>
>>   tasks:
>>
>>     - name: Install prerequisite software (using yum)
>>       yum:
>>         enablerepo: epel
>>         update_cache: yes
>>         name: "{{ item }}"
>>         state: present
>>       with_items:
>>         - python-pip
>>         - python-ptyprocess
>>       delegate_to: localhost
>>
>>     - name: Uninstall old pexpect package (using yum)
>>       yum:
>>         name: pexpect
>>         state: absent
>>       delegate_to: localhost
>>
>>     - name: Install prerequisite software (using pip)
>>       pip:
>>         name: pexpect
>>         version: 3.3
>>         state: present
>>       delegate_to: localhost
>>
>>     - name: Check for presence of Kerberos ticket
>>       command: /usr/bin/klist
>>       register: klist_result
>>       changed_when: no
>>       ignore_errors: yes
>>       delegate_to: localhost
>>
>>     - name: Request Kerberos ticket if none present
>>       expect:
>>         command: /usr/bin/kinit domain-user@AD-DOMAIN
>>         responses:
>>           '(?i)password': domain-user-password
>>       changed_when: no
>>       when: klist_result.rc != 0
>>       delegate_to: localhost
>>
>>
>> The first task installs prerequisite software for the expect module using
>> RPMs from EPEL <https://fedoraproject.org/wiki/EPEL>. The version of
>> pexpect (another prerequisite) that the Red Hat and CentOS RPMs provide is
>> too old for Ansible, so we uninstall this in the second task. The third
>> task installs the required version of pexpect using pip. The third and
>> fourth tasks actually deal with requesting a Kerberos ticket-granting
>> ticket when it is not present.
>>
>> Regards,
>> Willem.
>>
>>
>>
>> On Tuesday, June 7, 2016 at 1:51:25 PM UTC+2, Willem Bos wrote:
>>>
>>> Hi all,
>>>
>>> I'm trying to use winrm to execute tasks on a Windows server (after
>>> following the steps in
>>> http://docs.ansible.com/ansible/intro_windows.html). As a test I use
>>> the win_ping module. This works only when a Kerberos ticket is present
>>> beforehand.
>>>
>>> Is it a requirement to have the Linux server be a member of the AD
>>> infrastructure? If so, then the only way to make this work from a control
>>> machine - without joining the domain - would be to run a kinit from my
>>> playbook first, right? I found several similar cases but none mention if AD
>>> membership is a 'hard' requirement.
>>>
>>>
>>> *** INFO ***
>>> rpm -qa | grep -E "ansible|python-devel|krb5-devel|krb5-libs|krb5-workstation|python-kerberos" | sort
>>> ansible-2.0.2.0-1.el7.noarch
>>> krb5-devel-1.13.2-12.el7_2.x86_64
>>> krb5-libs-1.13.2-12.el7_2.x86_64
>>> krb5-workstation-1.13.2-12.el7_2.x86_64
>>> python-devel-2.7.5-34.el7.x86_64
>>> python-kerberos-1.1-15.el7.x86_64
>>>
>>> pip list | grep winrm
>>> pywinrm (0.1.1)
>>>
>>>
>>> *** WORKS ***
>>> kinit domain-user@AD-DOMAIN
>>> ...
>>>
>>> klist
>>> Ticket cache: KEYRING:persistent:0:0
>>> Default principal: domain-user@AD-DOMAIN
>>>
>>> Valid starting Expires Service principal
>>> 06/07/2016 11:26:20 06/07/2016 21:26:20 krbtgt/AD-DOMAIN@AD-DOMAIN
>>> renew until 06/14/2016 11:26:20
>>>
>>> ansible -m win_ping windows-server.ad-domain
>>> windows-server.ad-domain | SUCCESS => {
>>> "changed": false,
>>> "ping": "pong"
>>> }
>>>
>>>
>>> *** DOESN'T WORK ***
>>> kdestroy -A
>>>
>>> ansible -m win_ping windows-server.ad-domain -vvvvv
>>> Using /etc/ansible/ansible.cfg as config file
>>> Loaded callback minimal of type stdout, v2.0
>>> <windows-server.ad-domain> ESTABLISH WINRM CONNECTION FOR USER:
>>> domain-user@AD-DOMAIN on PORT 5986 TO windows-server.ad-domain
>>> <windows-server.ad-domain> WINRM CONNECT: transport=kerberos endpoint=
>>> https://windows-server.ad-domain:5986/wsman
>>> <windows-server.ad-domain> WINRM CONNECTION ERROR: (('Unspecified GSS
>>> failure. Minor code may provide more information', 851968), ('No Kerberos
>>> credentials available', -1765328243))
>>> Traceback (most recent call last):
>>> File
>>> "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py",
>>> line 134, in _winrm_connect
>>> protocol.send_message('')
>>> File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 193,
>>> in send_message
>>> return self.transport.send_message(message)
>>> File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 269,
>>> in send_message
>>> krb_ticket = KerberosTicket(self.krb_service)
>>> File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 205,
>>> in __init__
>>> kerberos.authGSSClientStep(krb_context, '')
>>> GSSError: (('Unspecified GSS failure. Minor code may provide more
>>> information', 851968), ('No Kerberos credentials available', -1765328243))
>>>
>>> windows-server.ad-domain | FAILED! => {
>>> "failed": true,
>>> "msg": "kerberos: (('Unspecified GSS failure. Minor code may
>>> provide more information', 851968), ('No Kerberos credentials available',
>>> -1765328243))"
>>> }
>>>
>>> Regards,
>>> Willem
>>>
>>
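
Added example, not part of the thread or of Ansible's own documentation: the two ticket-handling tasks from the quoted playbook in a hardened form. It checks the cache with `klist -s`, which also reports an expired cache, takes the password from a vaulted variable, and sets `no_log` so the password stays out of verbose output. `krb_principal` and `vault_krb_password` are assumed variable names.

```yaml
# Added example; variable names are assumptions, not from the thread.
# vault_krb_password is expected to live in an ansible-vault encrypted
# vars file, so the password is never stored in the playbook itself.
- hosts: all
  # Fact gathering would open the WinRM connection before a ticket exists.
  gather_facts: no
  vars:
    krb_principal: domain-user@AD-DOMAIN   # placeholder principal from the thread

  tasks:
    - name: Check for a valid (unexpired) Kerberos ticket
      # klist -s prints nothing and exits non-zero when the credential
      # cache cannot be read or has expired.
      command: /usr/bin/klist -s
      register: klist_result
      changed_when: no
      failed_when: no        # a missing ticket is an expected state, not an error
      run_once: yes          # the cache is on the control machine: check it once
      delegate_to: localhost

    - name: Request Kerberos ticket if none is valid
      expect:
        command: "/usr/bin/kinit {{ krb_principal }}"
        responses:
          '(?i)password': "{{ vault_krb_password }}"
      no_log: yes            # keep the password out of -v output and logs
      changed_when: no
      run_once: yes
      when: klist_result.rc != 0
      delegate_to: localhost

    - name: Verify WinRM connectivity with the ticket in place
      win_ping:
```

Run it with `--ask-vault-pass` (or a vault password file) so the encrypted variable can be decrypted at run time.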