Have a look in the event logs.  I suspect all you will see is 'Access is 
denied'.  Worth looking on the network share machine (if it is an actual 
windows box).  If it isn't a windows box I guess there will be some kind of 
samba share logging that you could examine too.

Make sure that you are using the same user when logged in via remote 
desktop as the user that ansible is using.

You could check for logon events in the event viewer and see what 
privileges are assigned to your ansible.... user and see how these differ 
when you log in via RDP.

My understanding is that the auth delegation changes the kerberos ticket in 
some way so you could try examining the kerberos ticket using klist - 
unfortunately I can't try this myself at the moment.

I wonder if it is possible for the domain controller to disallow granting 
the necessary kerberos ticket for auth delegation.  Perhaps ask Active 
Directory administrators if they can do anything like this and whether it 
is in place.

I still think that you are 'almost there' with solving this problem.

Hope the above helps,

Jon

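As an added illustration of the checks above (not code from the thread, from Ansible or from the poster): a PowerShell diagnostic to run on the first hop (dc1 in the thread), once through Ansible's `script` module and once from an interactive PowerShell session logged in as the same account. It prints who the process thinks it is, whether the logon session holds a TGT (klist), tries the second hop, and, where the RSAT ActiveDirectory module is installed, reports the directory flags that stop a forwardable ticket from being issued. The UNC path and account name are the ones from the thread; the parameter names are an assumption of this example.

```powershell
# Added diagnostic example, not from the thread. Run it twice on the first hop:
# via Ansible (script/win_shell) and from an interactive PowerShell session as the
# same account, then diff the two outputs.
# Assumed/placeholder values: $UncPath and the account come from the thread.
param(
    [string]$UncPath = '\\sccm01\SMS_ABC\Client'
)

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"User:                $($id.Name)"
"AuthenticationType:  $($id.AuthenticationType)"   # expect Kerberos, not NTLM
"ImpersonationLevel:  $($id.ImpersonationLevel)"   # Delegation is what a second hop needs

# A delegated logon carries the caller's forwarded TGT (krbtgt/DOMAIN entry).
# A WinRM logon without working delegation typically lists no cached tickets.
"--- klist ---"
klist 2>&1
"--- klist tgt ---"
klist tgt 2>&1

# Second hop: 'Access is denied' here, together with no TGT above, is the
# classic double-hop symptom. -ErrorAction Stop makes the first error terminating
# so the catch block reports it.
try {
    $items = Get-ChildItem -LiteralPath $UncPath -ErrorAction Stop
    "UNC OK: $(@($items).Count) item(s) under $UncPath"
} catch {
    "UNC FAILED: $($_.Exception.GetType().Name): $($_.Exception.Message)"
}

# Directory-side checks (need the RSAT ActiveDirectory module on this host).
# 'Account is sensitive and cannot be delegated' (AccountNotDelegated) on the
# user makes the KDC refuse to issue a forwardable TGT for it. The computer's
# delegation flags are reported as well, because that is what AD admins will ask about.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $sam = $id.Name.Split('\')[-1]
    Get-ADUser -Identity $sam -Properties AccountNotDelegated |
        Select-Object SamAccountName, AccountNotDelegated
    Get-ADComputer -Identity $env:COMPUTERNAME -Properties TrustedForDelegation, TrustedToAuthForDelegation |
        Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation
} else {
    "ActiveDirectory module not available; check AccountNotDelegated on the user from a box that has RSAT."
}
```

Expect the two runs to differ in the klist section: the interactive session shows a krbtgt/DOMAIN ticket, while a WinRM logon whose delegation did not take effect shows no cached tickets and the UNC listing fails with the same "Access is denied" as in the playbook output. One control-node check is worth doing before any of this: `klist -f` on the SLES box must show the krbtgt entry with the `F` (forwardable) flag. If it does not, obtain the ticket with `kinit -f` (or set `forwardable = true` under `[libdefaults]` in krb5.conf), because pywinrm can only forward a ticket the KDC marked forwardable.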

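For the first suggestion above, the share server's own log, here is a second added example (again not from the thread or from Ansible): a PowerShell query for the service account's recent logon events on the file server (sccm01 in the thread). It decodes each event's EventData so the logon type and authentication package can be read side by side. The account name and the 15-minute window are placeholders.

```powershell
# Added example, not from the thread. Run this ON THE SHARE SERVER (sccm01 in
# the thread) from an elevated PowerShell, right after the failing playbook run.
# Assumed/placeholder values: $Account and $Minutes.
param(
    [string]$Account = 'ansible_svc',
    [int]$Minutes = 15
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625                        # logon succeeded / logon failed
    StartTime = (Get-Date).AddMinutes(-$Minutes)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the <EventData><Data Name=...> elements into a hashtable.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Id        = $_.Id
        User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType = $d.LogonType                   # 3 = network logon, what SMB produces
        AuthPkg   = $d.AuthenticationPackageName   # Kerberos vs NTLM
        Source    = $d.IpAddress                   # should be the first hop's address
        Status    = $d.Status                      # 4625 only; NTSTATUS of the failure
    }
} |
    Where-Object { $_.User -like "*\$Account" -or $_.User -like '*\ANONYMOUS LOGON' } |
    Sort-Object Time |
    Format-Table -AutoSize
```

A working second hop shows a 4624 with LogonType 3 and AuthPkg Kerberos for DOMAIN\ansible_svc, sourced from the first hop's address. When delegation is not in effect the first hop has no credential of the user to present, so the entry at that timestamp is typically an ANONYMOUS LOGON over NTLM, or a 4625 for the account, which the share then reports back as "Access is denied". Comparing that row with the one produced by the same Get-ChildItem typed into an RDP session is the quickest way to confirm the problem is the ticket rather than the share's ACL.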
On Tuesday, September 20, 2016 at 3:35:27 PM UTC+1, Surred wrote:
>
> JH,
>
> Do you know of any other tests/logging I could try/review to determine why 
> the kerberos delegation is not working in my environment?
>
> On Friday, September 16, 2016 at 2:22:05 AM UTC-5, J Hawkesworth wrote:
>>
>> Sorry, I should have been clearer.  2.0.0.2 and 2.1.1 are ansible 
>> versions.
>>
>>
>>
>> On Thursday, September 15, 2016 at 4:11:02 PM UTC+1, Surred wrote:
>>>
>>> Thanks for the response JH. I've moved the winrm connection details to 
>>> group_vars as you suggested, but am still not able to list the files of a 
>>> network share. You said you are using "2.0.0.2  / 2.1.1" Can you please 
>>> clarify those version numbers and what they are associated with?
>>>
>>> host file:
>>> user@ansible:~/ansible> cat inventories/domain
>>> [test]
>>> dc1.domain.com
>>>
>>>
>>> group_vars:
>>> user@ansible:~/ansible> cat inventories/group_vars/test.yml
>>> ---
>>>
>>> ansible_ssh_port: 5986
>>> ansible_connection: winrm
>>> ansible_winrm_transport: kerberos
>>> ansible_winrm_kerberos_delegation: yes
>>> ansible_ssh_user: ansib...@domain.com
>>> ansible_winrm_server_cert_validation: ignore
>>>
>>>
>>> output of playbook (I've added a debug task to dump the variables):
>>> user@ansible:~/ansible> ansible-playbook test.yml -i inventories/domain 
>>> -vvvvv
>>> Using /home/user/ansible/ansible.cfg as config file
>>> Loaded callback default of type stdout, v2.0
>>>
>>> PLAYBOOK: test.yml 
>>> *************************************************************
>>> 1 plays in test.yml
>>>
>>> PLAY [list unc] 
>>> ****************************************************************
>>>
>>> TASK [display variables] 
>>> *******************************************************
>>> task path: /home/user/ansible/test.yml:6
>>> ok: [dc1.domain.com] => {
>>>     "hostvars[inventory_hostname]": {
>>>         "ansible_check_mode": false,
>>>         "ansible_connection": "winrm",
>>>         "ansible_ssh_port": 5986,
>>>         "ansible_ssh_user": "ansib...@domain.com",
>>>         "ansible_version": {
>>>             "full": "2.1.0.0",
>>>             "major": 2,
>>>             "minor": 1,
>>>             "revision": 0,
>>>             "string": "2.1.0.0"
>>>         },
>>>         "ansible_winrm_kerberos_delegation": true,
>>>         "ansible_winrm_server_cert_validation": "ignore",
>>>         "ansible_winrm_transport": "kerberos",
>>>         "group_names": [
>>>             "test"
>>>         ],
>>>         "groups": {
>>>             "all": [
>>>                 "dc1.domain.com"
>>>             ],
>>>             "test": [
>>>                 "dc1.domain.com"
>>>             ],
>>>             "ungrouped": []
>>>         },
>>>         "inventory_dir": "/home/user/ansible/inventories",
>>>         "inventory_file": "inventories/domain",
>>>         "inventory_hostname": "dc1.domain.com",
>>>         "inventory_hostname_short": "dc1",
>>>         "omit": 
>>> "__omit_place_holder__aefe246ae370864260078b474e205946a8274802",
>>>         "playbook_dir": "/home/user/ansible"
>>>     }
>>> }
>>>
>>> TASK [list unc] 
>>> ****************************************************************
>>> task path: /home/user/ansible/test.yml:9
>>> <dc1.domain.com> ESTABLISH WINRM CONNECTION FOR USER: 
>>> ansib...@domain.com on PORT 5986 TO dc1.domain.com
>>> <dc1.domain.com> WINRM CONNECT: transport=kerberos endpoint=
>>> https://dc1.domain.com:5986/wsman
>>> <dc1.domain.com> WINRM OPEN SHELL: 33ADC923-1FA6-4D0D-B5AF-7A474202BD2E
>>> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
>>> (New-Item -Type Directory -Path $env:temp -Name 
>>> "ansible-tmp-1473950183.23-4669660185733").FullName | Write-Host -Separator 
>>> '';
>>> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', 
>>> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
>>> u'-EncodedCommand', 
>>> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOQA1ADAAMQA4ADMALgAyADMALQA0ADYANgA5ADYANgAwADEAOAA1ADcAMwAzACIAKQAuAEYAdQBsAGwATgBhAG0AZQAgAHwAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAALQBTAGUAcABhAHIAYQB0AG8AcgAgACcAJwA7AA==']
>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out 
>>> "C:\\Users\\ansible_svc", err "">'
>>> <dc1.domain.com> PUT "/home/user/ansible/test.ps1" TO 
>>> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1"
>>> <dc1.domain.com> WINRM PUT "/home/user/ansible/test.ps1" to 
>>> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1"
>>>  
>>> (offset=46 size=46)
>>> <dc1.domain.com> EXEC & 
>>>  
>>> 'C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1'
>>> <dc1.domain.com> WINRM EXEC 'PowerShell' ['-NoProfile', 
>>> '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', 
>>> 'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABhAG4AcwBpAGIAbABlAF8AcwB2AGMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOQA1ADAAMQA4ADMALgAyADMALQA0ADYANgA5ADYANgAwADEAOAA1ADcAMwAzAFwAdABlAHMAdAAuAHAAcwAxACcA']
>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "#< 
>>> CLIXML\r\n<Objs Ver">'
>>> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
>>> Remove-Item 
>>> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733"
>>>  
>>> -Force -Recurse;
>>> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', 
>>> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
>>> u'-EncodedCommand', 
>>> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGEAbgBzAGkAYgBsAGUAXwBzAHYAYwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADcAMwA5ADUAMAAxADgAMwAuADIAMwAtADQANgA2ADkANgA2ADAAMQA4ADUANwAzADMAIgAgAC0ARgBvAHIAYwBlACAALQBSAGUAYwB1AHIAcwBlADsA']
>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "">'
>>> <dc1.domain.com> WINRM CLOSE SHELL: 33ADC923-1FA6-4D0D-B5AF-7A474202BD2E
>>> changed: [dc1.domain.com] => {"changed": true, "invocation": 
>>> {"module_args": {"_raw_params": "/home/user/ansible/test.ps1"}, 
>>> "module_name": "script"}, "rc": 0, "stderr": "Get-ChildItem : Access is 
>>> denied\r\nAt 
>>> C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473950183.23-4669660185\r\n733\\test.ps1:1
>>>  
>>> char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+ 
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo          : 
>>> PermissionDenied: (\\\\sccm01\\SMS_ABC\\Client \r\n:String) 
>>> [Get-ChildItem], UnauthorizedAccessException\r\n+ FullyQualifiedErrorId : 
>>> ItemExistsUnauthorizedAccessError,Microsoft.Powe 
>>> \r\nrShell.Commands.GetChildItemCommand\r\n\r\nGet-ChildItem : Cannot find 
>>> path '\\\\sccm01\\SMS_ABC\\Client' because it \r\ndoes not exist.\r\nAt 
>>> C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473950183.23-4669660185\r\n733\\test.ps1:1
>>>  
>>> char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+ 
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo          : 
>>> ObjectNotFound: (\\\\sccm01\\SMS_ABC\\Client:S \r\ntring) [Get-ChildItem], 
>>> ItemNotFoundException\r\n+ FullyQualifiedErrorId : 
>>> PathNotFound,Microsoft.PowerShell.Commands.GetCh \r\nildItemCommand\r\n", 
>>> "stdout": "", "stdout_lines": []}
>>>
>>> PLAY RECAP 
>>> *********************************************************************
>>> dc1.domain.com : ok=2    changed=1    unreachable=0    failed=0
>>>
>>> user@ansible:~/ansible>
>>>
>>>
>>>
>>> On Wednesday, September 14, 2016 at 12:52:13 PM UTC-5, Surred wrote:
>>>>
>>>> Hello,
>>>>
>>>> I'm having issues getting the double hop scenario working. To test 
>>>> kerberos delegation I have a simple PowerShell script that does a 
>>>> Get-ChildItem on a UNC path. When running the command manually on the host 
>>>> it works, but when executing as playbook with Ansible I get "Access 
>>>> Denied." Below is my configuration and the verbose output I receive. Any 
>>>> help or suggestions would be greatly appreciated.
>>>>
>>>>
>>>> Environment:
>>>> user@ansible:~/ansible> pip list 2>/dev/null | grep -i pywinrm
>>>> pywinrm (0.2.0)
>>>>
>>>> user@ansible:~/ansible> ansible --version
>>>> ansible 2.1.0.0
>>>>   config file = /home/user/ansible/ansible.cfg
>>>>   configured module search path = Default w/o overrides
>>>>
>>>> user@ansible:~/ansible> cat /etc/*-release
>>>> NAME="SLES"
>>>> VERSION="11.4"
>>>> VERSION_ID="11.4"
>>>> PRETTY_NAME="SUSE Linux Enterprise Server 11 SP4"
>>>> ID="sles"
>>>> ANSI_COLOR="0;32"
>>>> CPE_NAME="cpe:/o:suse:sles:11:4"
>>>> SUSE Linux Enterprise Server 11 (x86_64)
>>>> VERSION = 11
>>>> PATCHLEVEL = 4
>>>>
>>>>
>>>> Inventory excerpt:
>>>> [all:vars]
>>>> ansible_ssh_port=5986
>>>> ansible_connection=winrm
>>>> ansible_winrm_transport=kerberos
>>>> ansible_winrm_kerberos_delegation=yes
>>>> ansible_ssh_user=ansib...@domain.com
>>>> ansible_winrm_server_cert_validation=ignore
>>>>
>>>> Playbook output:
>>>> user@ansible:~/ansible> ansible-playbook test.yml -i inventories/domain 
>>>> -vvvvv
>>>> Using /home/user/ansible/ansible.cfg as config file
>>>> Loaded callback default of type stdout, v2.0
>>>>
>>>> PLAYBOOK: test.yml 
>>>> *************************************************************
>>>> 1 plays in test.yml
>>>>
>>>> PLAY [list unc] 
>>>> ****************************************************************
>>>>
>>>> TASK [list unc] 
>>>> ****************************************************************
>>>> task path: /home/user/ansible/test.yml:6
>>>> <dc1.domain.com> ESTABLISH WINRM CONNECTION FOR USER: 
>>>> ansib...@domain.com on PORT 5986 TO dc1.domain.com
>>>> <dc1.domain.com> WINRM CONNECT: transport=kerberos endpoint=
>>>> https://dc1.domain.com:5986/wsman
>>>> <dc1.domain.com> WINRM OPEN SHELL: 33CC652E-0DED-4C66-B898-2860580A29A8
>>>> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
>>>> (New-Item -Type Directory -Path $env:temp -Name 
>>>> "ansible-tmp-1473809521.62-137672088908702").FullName | Write-Host 
>>>> -Separator '';
>>>> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', 
>>>> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
>>>> u'-EncodedCommand', 
>>>> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOAAwADkANQAyADEALgA2ADIALQAxADMANwA2ADcAMgAwADgAOAA5ADAAOAA3ADAAMgAiACkALgBGAHUAbABsAE4AYQBtAGUAIAB8ACAAVwByAGkAdABlAC0ASABvAHMAdAAgAC0AUwBlAHAAYQByAGEAdABvAHIAIAAnACcAOwA=']
>>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out 
>>>> "C:\\Users\\ansible_svc", err "">'
>>>> <dc1.domain.com> PUT "/home/user/ansible/test.ps1" TO 
>>>> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1"
>>>> <dc1.domain.com> WINRM PUT "/home/user/ansible/test.ps1" to 
>>>> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1"
>>>>  
>>>> (offset=46 size=46)
>>>> <dc1.domain.com> EXEC & 
>>>>  
>>>> 'C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1'
>>>> <dc1.domain.com> WINRM EXEC 'PowerShell' ['-NoProfile', 
>>>> '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', 
>>>> 'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABhAG4AcwBpAGIAbABlAF8AcwB2AGMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOAAwADkANQAyADEALgA2ADIALQAxADMANwA2ADcAMgAwADgAOAA5ADAAOAA3ADAAMgBcAHQAZQBzAHQALgBwAHMAMQAnAA==']
>>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "#< 
>>>> CLIXML\r\n<Objs Ver">'
>>>> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
>>>> Remove-Item 
>>>> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702"
>>>>  
>>>> -Force -Recurse;
>>>> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', 
>>>> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
>>>> u'-EncodedCommand', 
>>>> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGEAbgBzAGkAYgBsAGUAXwBzAHYAYwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADcAMwA4ADAAOQA1ADIAMQAuADYAMgAtADEAMwA3ADYANwAyADAAOAA4ADkAMAA4ADcAMAAyACIAIAAtAEYAbwByAGMAZQAgAC0AUgBlAGMAdQByAHMAZQA7AA==']
>>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "">'
>>>> <dc1.domain.com> WINRM CLOSE SHELL: 
>>>> 33CC652E-0DED-4C66-B898-2860580A29A8
>>>> changed: [dc1.domain.com] => {"changed": true, "invocation": 
>>>> {"module_args": {"_raw_params": "/home/user/ansible/test.ps1"}, 
>>>> "module_name": "script"}, "rc": 0, "stderr": "Get-ChildItem : Access is 
>>>> denied\r\nAt 
>>>> C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473809521.62-1376720889\r\n08702\\test.ps1:1
>>>>  
>>>> char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+ 
>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo          : 
>>>> PermissionDenied: (\\\\sccm01\\SMS_ABC\\Client \r\n:String) 
>>>> [Get-ChildItem], UnauthorizedAccessException\r\n+ FullyQualifiedErrorId : 
>>>> ItemExistsUnauthorizedAccessError,Microsoft.Powe 
>>>> \r\nrShell.Commands.GetChildItemCommand\r\n\r\nGet-ChildItem : Cannot find 
>>>> path '\\\\sccm01\\SMS_ABC\\Client' because it \r\ndoes not exist.\r\nAt 
>>>> C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473809521.62-1376720889\r\n08702\\test.ps1:1
>>>>  
>>>> char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+ 
>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo          : 
>>>> ObjectNotFound: (\\\\sccm01\\SMS_ABC\\Client:S \r\ntring) [Get-ChildItem], 
>>>> ItemNotFoundException\r\n+ FullyQualifiedErrorId : 
>>>> PathNotFound,Microsoft.PowerShell.Commands.GetCh \r\nildItemCommand\r\n", 
>>>> "stdout": "", "stdout_lines": []}
>>>>
>>>> PLAY RECAP 
>>>> *********************************************************************
>>>> dc1.domain.com : ok=1    changed=1    unreachable=0    failed=0
>>>>
>>>> user@ansible:~/ansible>
>>>>
>>>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/ff039621-3b7e-458c-b249-4435b947f3a9%40googlegroups.com.