JH,

Do you know of any other tests/logging I could try/review to determine why 
the Kerberos delegation is not working in my environment?

On Friday, September 16, 2016 at 2:22:05 AM UTC-5, J Hawkesworth wrote:
>
> Sorry, I should have been clearer.  2.0.0.2 and 2.1.1 are Ansible versions.
>
>
>
> On Thursday, September 15, 2016 at 4:11:02 PM UTC+1, Surred wrote:
>>
>> Thanks for the response JH. I've moved the winrm connection details to 
>> group_vars as you suggested, but am still not able to list the files of a 
>> network share. You said you are using "2.0.0.2  / 2.1.1". Can you please 
>> clarify those version numbers and what they are associated with?
>>
>> host file:
>> user@ansible:~/ansible> cat inventories/domain
>> [test]
>> dc1.domain.com
>>
>>
>> group_vars:
>> user@ansible:~/ansible> cat inventories/group_vars/test.yml
>> ---
>>
>> ansible_ssh_port: 5986
>> ansible_connection: winrm
>> ansible_winrm_transport: kerberos
>> ansible_winrm_kerberos_delegation: yes
>> ansible_ssh_user: ansib...@domain.com
>> ansible_winrm_server_cert_validation: ignore
>>
>>
>> output of playbook (I've added a debug task to dump the variables):
>> user@ansible:~/ansible> ansible-playbook test.yml -i inventories/domain 
>> -vvvvv
>> Using /home/user/ansible/ansible.cfg as config file
>> Loaded callback default of type stdout, v2.0
>>
>> PLAYBOOK: test.yml 
>> *************************************************************
>> 1 plays in test.yml
>>
>> PLAY [list unc] 
>> ****************************************************************
>>
>> TASK [display variables] 
>> *******************************************************
>> task path: /home/user/ansible/test.yml:6
>> ok: [dc1.domain.com] => {
>>     "hostvars[inventory_hostname]": {
>>         "ansible_check_mode": false,
>>         "ansible_connection": "winrm",
>>         "ansible_ssh_port": 5986,
>>         "ansible_ssh_user": "ansib...@domain.com",
>>         "ansible_version": {
>>             "full": "2.1.0.0",
>>             "major": 2,
>>             "minor": 1,
>>             "revision": 0,
>>             "string": "2.1.0.0"
>>         },
>>         "ansible_winrm_kerberos_delegation": true,
>>         "ansible_winrm_server_cert_validation": "ignore",
>>         "ansible_winrm_transport": "kerberos",
>>         "group_names": [
>>             "test"
>>         ],
>>         "groups": {
>>             "all": [
>>                 "dc1.domain.com"
>>             ],
>>             "test": [
>>                 "dc1.domain.com"
>>             ],
>>             "ungrouped": []
>>         },
>>         "inventory_dir": "/home/user/ansible/inventories",
>>         "inventory_file": "inventories/domain",
>>         "inventory_hostname": "dc1.domain.com",
>>         "inventory_hostname_short": "dc1",
>>         "omit": 
>> "__omit_place_holder__aefe246ae370864260078b474e205946a8274802",
>>         "playbook_dir": "/home/user/ansible"
>>     }
>> }
>>
>> TASK [list unc] 
>> ****************************************************************
>> task path: /home/user/ansible/test.yml:9
>> <dc1.domain.com> ESTABLISH WINRM CONNECTION FOR USER: ansib...@domain.com 
>> on PORT 5986 TO dc1.domain.com
>> <dc1.domain.com> WINRM CONNECT: transport=kerberos endpoint=
>> https://dc1.domain.com:5986/wsman
>> <dc1.domain.com> WINRM OPEN SHELL: 33ADC923-1FA6-4D0D-B5AF-7A474202BD2E
>> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
>> (New-Item -Type Directory -Path $env:temp -Name 
>> "ansible-tmp-1473950183.23-4669660185733").FullName | Write-Host -Separator 
>> '';
>> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', 
>> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
>> u'-EncodedCommand', 
>> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOQA1ADAAMQA4ADMALgAyADMALQA0ADYANgA5ADYANgAwADEAOAA1ADcAMwAzACIAKQAuAEYAdQBsAGwATgBhAG0AZQAgAHwAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAALQBTAGUAcABhAHIAYQB0AG8AcgAgACcAJwA7AA==']
>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out 
>> "C:\\Users\\ansible_svc", err "">'
>> <dc1.domain.com> PUT "/home/user/ansible/test.ps1" TO 
>> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1"
>> <dc1.domain.com> WINRM PUT "/home/user/ansible/test.ps1" to 
>> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1"
>>  
>> (offset=46 size=46)
>> <dc1.domain.com> EXEC & 
>>  
>> 'C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1'
>> <dc1.domain.com> WINRM EXEC 'PowerShell' ['-NoProfile', 
>> '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', 
>> 'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABhAG4AcwBpAGIAbABlAF8AcwB2AGMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOQA1ADAAMQA4ADMALgAyADMALQA0ADYANgA5ADYANgAwADEAOAA1ADcAMwAzAFwAdABlAHMAdAAuAHAAcwAxACcA']
>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "#< 
>> CLIXML\r\n<Objs Ver">'
>> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
>> Remove-Item 
>> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733"
>>  
>> -Force -Recurse;
>> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', 
>> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
>> u'-EncodedCommand', 
>> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGEAbgBzAGkAYgBsAGUAXwBzAHYAYwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADcAMwA5ADUAMAAxADgAMwAuADIAMwAtADQANgA2ADkANgA2ADAAMQA4ADUANwAzADMAIgAgAC0ARgBvAHIAYwBlACAALQBSAGUAYwB1AHIAcwBlADsA']
>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "">'
>> <dc1.domain.com> WINRM CLOSE SHELL: 33ADC923-1FA6-4D0D-B5AF-7A474202BD2E
>> changed: [dc1.domain.com] => {"changed": true, "invocation": 
>> {"module_args": {"_raw_params": "/home/user/ansible/test.ps1"}, 
>> "module_name": "script"}, "rc": 0, "stderr": "Get-ChildItem : Access is 
>> denied\r\nAt 
>> C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473950183.23-4669660185\r\n733\\test.ps1:1
>>  
>> char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+ 
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo          : 
>> PermissionDenied: (\\\\sccm01\\SMS_ABC\\Client \r\n:String) 
>> [Get-ChildItem], UnauthorizedAccessException\r\n+ FullyQualifiedErrorId : 
>> ItemExistsUnauthorizedAccessError,Microsoft.Powe 
>> \r\nrShell.Commands.GetChildItemCommand\r\n\r\nGet-ChildItem : Cannot find 
>> path '\\\\sccm01\\SMS_ABC\\Client' because it \r\ndoes not exist.\r\nAt 
>> C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473950183.23-4669660185\r\n733\\test.ps1:1
>>  
>> char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+ 
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo          : 
>> ObjectNotFound: (\\\\sccm01\\SMS_ABC\\Client:S \r\ntring) [Get-ChildItem], 
>> ItemNotFoundException\r\n+ FullyQualifiedErrorId : 
>> PathNotFound,Microsoft.PowerShell.Commands.GetCh \r\nildItemCommand\r\n", 
>> "stdout": "", "stdout_lines": []}
>>
>> PLAY RECAP 
>> *********************************************************************
>> dc1.domain.com : ok=2    changed=1    unreachable=0    failed=0
>>
>> user@ansible:~/ansible>
>>
>>
>>
>> On Wednesday, September 14, 2016 at 12:52:13 PM UTC-5, Surred wrote:
>>>
>>> Hello,
>>>
>>> I'm having issues getting the double hop scenario working. To test 
>>> Kerberos delegation I have a simple PowerShell script that does a 
>>> Get-ChildItem on a UNC path. When running the command manually on the host 
>>> it works, but when executing as a playbook with Ansible I get "Access 
>>> Denied." Below is my configuration and the verbose output I receive. Any 
>>> help or suggestions would be greatly appreciated.
>>>
>>>
>>> Environment:
>>> user@ansible:~/ansible> pip list 2>/dev/null | grep -i pywinrm
>>> pywinrm (0.2.0)
>>>
>>> user@ansible:~/ansible> ansible --version
>>> ansible 2.1.0.0
>>>   config file = /home/user/ansible/ansible.cfg
>>>   configured module search path = Default w/o overrides
>>>
>>> user@ansible:~/ansible> cat /etc/*-release
>>> NAME="SLES"
>>> VERSION="11.4"
>>> VERSION_ID="11.4"
>>> PRETTY_NAME="SUSE Linux Enterprise Server 11 SP4"
>>> ID="sles"
>>> ANSI_COLOR="0;32"
>>> CPE_NAME="cpe:/o:suse:sles:11:4"
>>> SUSE Linux Enterprise Server 11 (x86_64)
>>> VERSION = 11
>>> PATCHLEVEL = 4
>>>
>>>
>>> Inventory excerpt:
>>> [all:vars]
>>> ansible_ssh_port=5986
>>> ansible_connection=winrm
>>> ansible_winrm_transport=kerberos
>>> ansible_winrm_kerberos_delegation=yes
>>> ansible_ssh_user=ansib...@domain.com
>>> ansible_winrm_server_cert_validation=ignore
>>>
>>> Playbook output:
>>> user@ansible:~/ansible> ansible-playbook test.yml -i inventories/domain 
>>> -vvvvv
>>> Using /home/user/ansible/ansible.cfg as config file
>>> Loaded callback default of type stdout, v2.0
>>>
>>> PLAYBOOK: test.yml 
>>> *************************************************************
>>> 1 plays in test.yml
>>>
>>> PLAY [list unc] 
>>> ****************************************************************
>>>
>>> TASK [list unc] 
>>> ****************************************************************
>>> task path: /home/user/ansible/test.yml:6
>>> <dc1.domain.com> ESTABLISH WINRM CONNECTION FOR USER: 
>>> ansib...@domain.com on PORT 5986 TO dc1.domain.com
>>> <dc1.domain.com> WINRM CONNECT: transport=kerberos endpoint=
>>> https://dc1.domain.com:5986/wsman
>>> <dc1.domain.com> WINRM OPEN SHELL: 33CC652E-0DED-4C66-B898-2860580A29A8
>>> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
>>> (New-Item -Type Directory -Path $env:temp -Name 
>>> "ansible-tmp-1473809521.62-137672088908702").FullName | Write-Host 
>>> -Separator '';
>>> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', 
>>> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
>>> u'-EncodedCommand', 
>>> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOAAwADkANQAyADEALgA2ADIALQAxADMANwA2ADcAMgAwADgAOAA5ADAAOAA3ADAAMgAiACkALgBGAHUAbABsAE4AYQBtAGUAIAB8ACAAVwByAGkAdABlAC0ASABvAHMAdAAgAC0AUwBlAHAAYQByAGEAdABvAHIAIAAnACcAOwA=']
>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out 
>>> "C:\\Users\\ansible_svc", err "">'
>>> <dc1.domain.com> PUT "/home/user/ansible/test.ps1" TO 
>>> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1"
>>> <dc1.domain.com> WINRM PUT "/home/user/ansible/test.ps1" to 
>>> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1"
>>>  
>>> (offset=46 size=46)
>>> <dc1.domain.com> EXEC & 
>>>  
>>> 'C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1'
>>> <dc1.domain.com> WINRM EXEC 'PowerShell' ['-NoProfile', 
>>> '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', 
>>> 'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABhAG4AcwBpAGIAbABlAF8AcwB2AGMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOAAwADkANQAyADEALgA2ADIALQAxADMANwA2ADcAMgAwADgAOAA5ADAAOAA3ADAAMgBcAHQAZQBzAHQALgBwAHMAMQAnAA==']
>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "#< 
>>> CLIXML\r\n<Objs Ver">'
>>> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
>>> Remove-Item 
>>> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702"
>>>  
>>> -Force -Recurse;
>>> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', 
>>> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
>>> u'-EncodedCommand', 
>>> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGEAbgBzAGkAYgBsAGUAXwBzAHYAYwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADcAMwA4ADAAOQA1ADIAMQAuADYAMgAtADEAMwA3ADYANwAyADAAOAA4ADkAMAA4ADcAMAAyACIAIAAtAEYAbwByAGMAZQAgAC0AUgBlAGMAdQByAHMAZQA7AA==']
>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "">'
>>> <dc1.domain.com> WINRM CLOSE SHELL: 33CC652E-0DED-4C66-B898-2860580A29A8
>>> changed: [dc1.domain.com] => {"changed": true, "invocation": 
>>> {"module_args": {"_raw_params": "/home/user/ansible/test.ps1"}, 
>>> "module_name": "script"}, "rc": 0, "stderr": "Get-ChildItem : Access is 
>>> denied\r\nAt 
>>> C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473809521.62-1376720889\r\n08702\\test.ps1:1
>>>  
>>> char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+ 
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo          : 
>>> PermissionDenied: (\\\\sccm01\\SMS_ABC\\Client \r\n:String) 
>>> [Get-ChildItem], UnauthorizedAccessException\r\n+ FullyQualifiedErrorId : 
>>> ItemExistsUnauthorizedAccessError,Microsoft.Powe 
>>> \r\nrShell.Commands.GetChildItemCommand\r\n\r\nGet-ChildItem : Cannot find 
>>> path '\\\\sccm01\\SMS_ABC\\Client' because it \r\ndoes not exist.\r\nAt 
>>> C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473809521.62-1376720889\r\n08702\\test.ps1:1
>>>  
>>> char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+ 
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo          : 
>>> ObjectNotFound: (\\\\sccm01\\SMS_ABC\\Client:S \r\ntring) [Get-ChildItem], 
>>> ItemNotFoundException\r\n+ FullyQualifiedErrorId : 
>>> PathNotFound,Microsoft.PowerShell.Commands.GetCh \r\nildItemCommand\r\n", 
>>> "stdout": "", "stdout_lines": []}
>>>
>>> PLAY RECAP 
>>> *********************************************************************
>>> dc1.domain.com : ok=1    changed=1    unreachable=0    failed=0
>>>
>>> user@ansible:~/ansible>
>>>
>>
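
Added example (not part of the original thread, and not Ansible or pywinrm code): Kerberos delegation works by forwarding the caller's TGT, so one prerequisite that can be checked on the control node is whether the cached TGT carries the forwardable (F) flag in `klist -f` output. The cache text, the principal `user@DOMAIN.COM` and the function names below are constructed for illustration; the layout assumed is MIT Kerberos `klist -f`.

```python
import re

# Constructed `klist -f` output (MIT Kerberos layout); not taken from the thread.
CACHE_OK = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@DOMAIN.COM

Valid starting     Expires            Service principal
09/14/16 12:00:00  09/14/16 22:00:00  krbtgt/DOMAIN.COM@DOMAIN.COM
\trenew until 09/21/16 12:00:00, Flags: FRIA
09/14/16 12:01:10  09/14/16 22:00:00  HTTP/dc1.domain.com@DOMAIN.COM
\tFlags: FRA
"""
# Same cache as it looks when the TGT was requested without the forwardable option.
CACHE_NOT_FORWARDABLE = CACHE_OK.replace("FRIA", "RIA").replace("FRA", "RA")


def parse_klist_flags(text):
    """Map each service principal in `klist -f` output to its flag letters."""
    tickets, current = {}, None
    for line in text.splitlines():
        tokens = line.split()
        flags = re.search(r"Flags:\s*([A-Za-z]+)", line)
        if flags and current:
            tickets[current] = flags.group(1)
        elif tokens and not line[0].isspace() and "/" in tokens[-1] and "@" in tokens[-1]:
            current = tokens[-1]   # ticket line: last column is the service principal
            tickets[current] = ""  # stays empty if no Flags line follows
    return tickets


def delegation_findings(text, realm):
    """Return a list of problems that would stop the TGT being delegated."""
    tgt = "krbtgt/%s@%s" % (realm, realm)
    tickets = parse_klist_flags(text)
    if tgt not in tickets:
        return ["no TGT for %s in the cache; run kinit first" % realm]
    if "F" not in tickets[tgt]:
        # F = forwardable. Without it the client has nothing it may forward.
        return ["TGT is not forwardable; request one with `kinit -f` or set "
                "`forwardable = true` under [libdefaults] in krb5.conf"]
    return []


if __name__ == "__main__":
    for name, cache in [("ok", CACHE_OK), ("bad", CACHE_NOT_FORWARDABLE)]:
        print(name, delegation_findings(cache, "DOMAIN.COM") or "TGT is forwardable")
```

To use it on a real cache, pass the text printed by `klist -f` for the account that runs ansible-playbook, with the realm in upper case.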
