Hello,

I'm having issues getting the double hop scenario working. To test Kerberos 
delegation I have a simple PowerShell script that does a Get-ChildItem on a 
UNC path. When running the command manually on the host it works, but when 
executing it as a playbook with Ansible I get "Access Denied." Below is my 
configuration and the verbose output I receive. Any help or suggestions 
would be greatly appreciated.


Environment:
user@ansible:~/ansible> pip list 2>/dev/null | grep -i pywinrm
pywinrm (0.2.0)

user@ansible:~/ansible> ansible --version
ansible 2.1.0.0
  config file = /home/user/ansible/ansible.cfg
  configured module search path = Default w/o overrides

user@ansible:~/ansible> cat /etc/*-release
NAME="SLES"
VERSION="11.4"
VERSION_ID="11.4"
PRETTY_NAME="SUSE Linux Enterprise Server 11 SP4"
ID="sles"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:11:4"
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 4


Inventory excerpt:
[all:vars]
ansible_ssh_port=5986
ansible_connection=winrm
ansible_winrm_transport=kerberos
ansible_winrm_kerberos_delegation=yes
[email protected]
ansible_winrm_server_cert_validation=ignore

Playbook output:
user@ansible:~/ansible> ansible-playbook test.yml -i inventories/domain -vvvvv
Using /home/user/ansible/ansible.cfg as config file
Loaded callback default of type stdout, v2.0

PLAYBOOK: test.yml *************************************************************
1 plays in test.yml

PLAY [list unc] ****************************************************************

TASK [list unc] ****************************************************************
task path: /home/user/ansible/test.yml:6
<dc1.domain.com> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO dc1.domain.com
<dc1.domain.com> WINRM CONNECT: transport=kerberos endpoint=https://dc1.domain.com:5986/wsman
<dc1.domain.com> WINRM OPEN SHELL: 33CC652E-0DED-4C66-B898-2860580A29A8
<dc1.domain.com> EXEC Set-StrictMode -Version Latest
(New-Item -Type Directory -Path $env:temp -Name 
"ansible-tmp-1473809521.62-137672088908702").FullName | Write-Host 
-Separator '';
<dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', 
u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
u'-EncodedCommand', 
u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOAAwADkANQAyADEALgA2ADIALQAxADMANwA2ADcAMgAwADgAOAA5ADAAOAA3ADAAMgAiACkALgBGAHUAbABsAE4AYQBtAGUAIAB8ACAAVwByAGkAdABlAC0ASABvAHMAdAAgAC0AUwBlAHAAYQByAGEAdABvAHIAIAAnACcAOwA=']
<dc1.domain.com> WINRM RESULT u'<Response code 0, out 
"C:\\Users\\ansible_svc", err "">'
<dc1.domain.com> PUT "/home/user/ansible/test.ps1" TO "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1"
<dc1.domain.com> WINRM PUT "/home/user/ansible/test.ps1" to "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1" (offset=46 size=46)
<dc1.domain.com> EXEC &  'C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1'
<dc1.domain.com> WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', 
'-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', 
'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABhAG4AcwBpAGIAbABlAF8AcwB2AGMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOAAwADkANQAyADEALgA2ADIALQAxADMANwA2ADcAMgAwADgAOAA5ADAAOAA3ADAAMgBcAHQAZQBzAHQALgBwAHMAMQAnAA==']
<dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "#< 
CLIXML\r\n<Objs Ver">'
<dc1.domain.com> EXEC Set-StrictMode -Version Latest
Remove-Item "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702" -Force -Recurse;
<dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', 
u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
u'-EncodedCommand', 
u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGEAbgBzAGkAYgBsAGUAXwBzAHYAYwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADcAMwA4ADAAOQA1ADIAMQAuADYAMgAtADEAMwA3ADYANwAyADAAOAA4ADkAMAA4ADcAMAAyACIAIAAtAEYAbwByAGMAZQAgAC0AUgBlAGMAdQByAHMAZQA7AA==']
<dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "">'
<dc1.domain.com> WINRM CLOSE SHELL: 33CC652E-0DED-4C66-B898-2860580A29A8
changed: [dc1.domain.com] => {"changed": true, "invocation": 
{"module_args": {"_raw_params": "/home/user/ansible/test.ps1"}, 
"module_name": "script"}, "rc": 0, "stderr": "Get-ChildItem : Access is 
denied\r\nAt 
C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473809521.62-1376720889\r\n08702\\test.ps1:1
 
char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+ 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo          : 
PermissionDenied: (\\\\sccm01\\SMS_ABC\\Client \r\n:String) 
[Get-ChildItem], UnauthorizedAccessException\r\n+ FullyQualifiedErrorId : 
ItemExistsUnauthorizedAccessError,Microsoft.Powe 
\r\nrShell.Commands.GetChildItemCommand\r\n\r\nGet-ChildItem : Cannot find 
path '\\\\sccm01\\SMS_ABC\\Client' because it \r\ndoes not exist.\r\nAt 
C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473809521.62-1376720889\r\n08702\\test.ps1:1
 
char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+ 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo          : 
ObjectNotFound: (\\\\sccm01\\SMS_ABC\\Client:S \r\ntring) [Get-ChildItem], 
ItemNotFoundException\r\n+ FullyQualifiedErrorId : 
PathNotFound,Microsoft.PowerShell.Commands.GetCh \r\nildItemCommand\r\n", 
"stdout": "", "stdout_lines": []}

PLAY RECAP *********************************************************************
dc1.domain.com : ok=1    changed=1    unreachable=0    failed=0

user@ansible:~/ansible>
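
Added example, not part of the original post: each WINRM EXEC line in the verbose output above carries its command as a PowerShell -EncodedCommand argument, which is Base64 over UTF-16LE text, so decoding those arguments shows exactly what ran on the remote host. The log lines in SAMPLE_LOG are constructed in the same format, and the host name win1.example.test is hypothetical.

```python
import base64
import re

# Matches "<host> WINRM EXEC ... '-EncodedCommand', '<base64>'" as printed by
# ansible -vvvvv; tolerates the Python 2 u'' prefix and mail line wrapping.
EXEC_RE = re.compile(
    r"<(?P<host>[^>]+)>\s+WINRM EXEC\b.*?"
    r"u?'-EncodedCommand',\s*u?'(?P<b64>[A-Za-z0-9+/=\s]+)'",
    re.S,
)

# Constructed sample log (hypothetical host). The second entry is wrapped the
# way a mail client would wrap it; the third holds a deliberately invalid blob.
SAMPLE_LOG = (
    "<win1.example.test> WINRM EXEC 'PowerShell' ['-NoProfile', "
    "'-NonInteractive', '-ExecutionPolicy', 'Unrestricted', "
    "'-EncodedCommand', "
    "'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQA']\n"
    "<win1.example.test> WINRM EXEC u'PowerShell' [u'-NoProfile', \n"
    "u'-EncodedCommand', \nu'"
    + base64.b64encode("Get-ChildItem C:\\".encode("utf-16-le")).decode("ascii")
    + "']\n"
    "<win1.example.test> WINRM EXEC 'PowerShell' ['-EncodedCommand', 'QUJD']\n"
)


def decode_encoded_command(b64):
    """Decode one -EncodedCommand value (Base64 over UTF-16LE)."""
    raw = base64.b64decode("".join(b64.split()), validate=True)
    return raw.decode("utf-16-le")


def extract_commands(log_text):
    """Return (host, decoded command) for every WINRM EXEC entry."""
    results = []
    for m in EXEC_RE.finditer(log_text):
        try:
            cmd = decode_encoded_command(m.group("b64"))
        except ValueError as exc:  # bad Base64 or truncated UTF-16
            cmd = "<undecodable: %s>" % exc
        results.append((m.group("host"), cmd))
    return results


if __name__ == "__main__":
    for host, cmd in extract_commands(SAMPLE_LOG):
        print("%s: %r" % (host, cmd))
```
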
