I just got this working a couple of days ago.
The only differences I can see between your set up and mine are

I set up win connection vars in group vars, rather than host vars (mixed 
environment - not all my hosts are windows).  Might be worth trying to 
switch to group_vars as at some point I think there was some difference in 
how host vars and group vars were loaded, although I think that has been 
resolved now.
I am using 2.0.0.2  / 2.1.1
my ansible controllers are Centos

So I suggest trying to configure with group_vars instead of host vars.

I tested a very similar one line powershell script to do the same as you 
(access files on a network share), so I'm sure this can be made to work.

Hope this helps,

Jon



On Wednesday, September 14, 2016 at 6:52:13 PM UTC+1, Surred wrote:
>
> Hello,
>
> I'm having issues getting the double hop scenario working. To test 
> kerberos delegation I have a simple PowerShell script that does a 
> Get-ChildItem on a UNC path. When running the command manually on the host 
> it works, but when executing as playbook with Ansible I get "Access 
> Denied." Below is my configuration and the verbose output I receive. Any 
> help or suggestions would be greatly appreciated.
>
>
> Environment:
> user@ansible:~/ansible> pip list 2>/dev/null | grep -i pywinrm
> pywinrm (0.2.0)
>
> user@ansible:~/ansible> ansible --version
> ansible 2.1.0.0
>   config file = /home/user/ansible/ansible.cfg
>   configured module search path = Default w/o overrides
>
> user@ansible:~/ansible> cat /etc/*-release
> NAME="SLES"
> VERSION="11.4"
> VERSION_ID="11.4"
> PRETTY_NAME="SUSE Linux Enterprise Server 11 SP4"
> ID="sles"
> ANSI_COLOR="0;32"
> CPE_NAME="cpe:/o:suse:sles:11:4"
> SUSE Linux Enterprise Server 11 (x86_64)
> VERSION = 11
> PATCHLEVEL = 4
>
>
> Inventory excerpt:
> [all:vars]
> ansible_ssh_port=5986
> ansible_connection=winrm
> ansible_winrm_transport=kerberos
> ansible_winrm_kerberos_delegation=yes
> ansible_ssh_user=ansib...@domain.com <javascript:>
> ansible_winrm_server_cert_validation=ignore
>
> Playbook output:
> user@ansible:~/ansible> ansible-playbook test.yml -i inventories/domain 
> -vvvvv
> Using /home/user/ansible/ansible.cfg as config file
> Loaded callback default of type stdout, v2.0
>
> PLAYBOOK: test.yml 
> *************************************************************
> 1 plays in test.yml
>
> PLAY [list unc] 
> ****************************************************************
>
> TASK [list unc] 
> ****************************************************************
> task path: /home/user/ansible/test.yml:6
> <dc1.domain.com> ESTABLISH WINRM CONNECTION FOR USER: ansib...@domain.com 
> <javascript:> on PORT 5986 TO dc1.domain.com
> <dc1.domain.com> WINRM CONNECT: transport=kerberos endpoint=
> https://dc1.domain.com:5986/wsman
> <dc1.domain.com> WINRM OPEN SHELL: 33CC652E-0DED-4C66-B898-2860580A29A8
> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
> (New-Item -Type Directory -Path $env:temp -Name 
> "ansible-tmp-1473809521.62-137672088908702").FullName | Write-Host 
> -Separator '';
> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', 
> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
> u'-EncodedCommand', 
> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOAAwADkANQAyADEALgA2ADIALQAxADMANwA2ADcAMgAwADgAOAA5ADAAOAA3ADAAMgAiACkALgBGAHUAbABsAE4AYQBtAGUAIAB8ACAAVwByAGkAdABlAC0ASABvAHMAdAAgAC0AUwBlAHAAYQByAGEAdABvAHIAIAAnACcAOwA=']
> <dc1.domain.com> WINRM RESULT u'<Response code 0, out 
> "C:\\Users\\ansible_svc", err "">'
> <dc1.domain.com> PUT "/home/user/ansible/test.ps1" TO 
> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1"
> <dc1.domain.com> WINRM PUT "/home/user/ansible/test.ps1" to 
> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1"
>  
> (offset=46 size=46)
> <dc1.domain.com> EXEC & 
>  
> 'C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1'
> <dc1.domain.com> WINRM EXEC 'PowerShell' ['-NoProfile', 
> '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', 
> 'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABhAG4AcwBpAGIAbABlAF8AcwB2AGMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOAAwADkANQAyADEALgA2ADIALQAxADMANwA2ADcAMgAwADgAOAA5ADAAOAA3ADAAMgBcAHQAZQBzAHQALgBwAHMAMQAnAA==']
> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "#< 
> CLIXML\r\n<Objs Ver">'
> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
> Remove-Item 
> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702"
>  
> -Force -Recurse;
> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', 
> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
> u'-EncodedCommand', 
> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGEAbgBzAGkAYgBsAGUAXwBzAHYAYwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADcAMwA4ADAAOQA1ADIAMQAuADYAMgAtADEAMwA3ADYANwAyADAAOAA4ADkAMAA4ADcAMAAyACIAIAAtAEYAbwByAGMAZQAgAC0AUgBlAGMAdQByAHMAZQA7AA==']
> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "">'
> <dc1.domain.com> WINRM CLOSE SHELL: 33CC652E-0DED-4C66-B898-2860580A29A8
> changed: [dc1.domain.com] => {"changed": true, "invocation": 
> {"module_args": {"_raw_params": "/home/user/ansible/test.ps1"}, 
> "module_name": "script"}, "rc": 0, "stderr": "Get-ChildItem : Access is 
> denied\r\nAt 
> C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473809521.62-1376720889\r\n08702\\test.ps1:1
>  
> char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+ 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo          : 
> PermissionDenied: (\\\\sccm01\\SMS_ABC\\Client \r\n:String) 
> [Get-ChildItem], UnauthorizedAccessException\r\n+ FullyQualifiedErrorId : 
> ItemExistsUnauthorizedAccessError,Microsoft.Powe 
> \r\nrShell.Commands.GetChildItemCommand\r\n\r\nGet-ChildItem : Cannot find 
> path '\\\\sccm01\\SMS_ABC\\Client' because it \r\ndoes not exist.\r\nAt 
> C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473809521.62-1376720889\r\n08702\\test.ps1:1
>  
> char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+ 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo          : 
> ObjectNotFound: (\\\\sccm01\\SMS_ABC\\Client:S \r\ntring) [Get-ChildItem], 
> ItemNotFoundException\r\n+ FullyQualifiedErrorId : 
> PathNotFound,Microsoft.PowerShell.Commands.GetCh \r\nildItemCommand\r\n", 
> "stdout": "", "stdout_lines": []}
>
> PLAY RECAP 
> *********************************************************************
> dc1.domain.com : ok=1    changed=1    unreachable=0    failed=0
>
> user@ansible:~/ansible>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/dd3defb3-edbf-451b-ae59-241a35cc7603%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to