Okay. Do you know if it would be possible for paid support from Ansible to
assist with troubleshooting?
On Monday, October 31, 2016 at 1:04:10 PM UTC-5, Matt Davis wrote:
>
> Don't know what else to say- works for everyone I know that's tried it, so
> I'm suspecting some sort of local configuration or installation issue that
> hasn't been covered yet.
>
> On Monday, October 31, 2016 at 8:09:02 AM UTC-7, Surred wrote:
>>
>> Thanks for the response Matt! I did verify we are running ansible version
>> 2.1.1.0
>>
>> user@ansible:~> ansible --version
>> ansible 2.1.1.0
>> config file = /etc/ansible/ansible.cfg
>> configured module search path = Default w/o overrides
>>
>> I ran the klist command on the windows host (DC1) that ansible directly
>> connects to via winrm and I do not see a cached ticket for the service
>> account ansible is using. Your thoughts?
>>
>>
>> On Friday, October 28, 2016 at 1:07:11 PM UTC-5, Matt Davis wrote:
>>>
>>> You mentioned you were using ansible 2.1.0 and that you'd switched to
>>> group_vars- that version has an inventory bug where any ansible_winrm_X
>>> connection vars are ignored if they live in group_vars. Either upgrade to
>>> at least 2.1.1, or move them back. Also, try doing a raw: klist on the
>>> Windows host with delegation enabled- you should see a TGT listed.
>>>
>>> On Friday, October 28, 2016 at 10:10:45 AM UTC-7, Surred wrote:
>>>>
>>>> Apologies for the delayed response... I've been looking for ways to
>>>> work around this issue, but I hit a roadblock so I really need to figure
>>>> this out. Below are the logs from the server hosting the network share.
>>>> Apparently the login was successful, but it was as an anonymous user using
>>>> NTLM. I'm still receiving the same Access Denied message in ansible. Any
>>>> further assistance would be greatly appreciated. Thanks.
>>>>
>>>> Log Name: Security
>>>> Source: Microsoft-Windows-Security-Auditing
>>>> Date: 10/28/2016 11:50:35 AM
>>>> Event ID: 4624
>>>> Task Category: Logon
>>>> Level: Information
>>>> Keywords: Audit Success
>>>> User: N/A
>>>> Computer: SCCM01.domain.com
>>>> Description:
>>>> An account was successfully logged on.
>>>>
>>>> Subject:
>>>> Security ID: NULL SID
>>>> Account Name: -
>>>> Account Domain: -
>>>> Logon ID: 0x0
>>>>
>>>> Logon Type: 3
>>>>
>>>> Impersonation Level: Impersonation
>>>>
>>>> New Logon:
>>>> Security ID: ANONYMOUS LOGON
>>>> Account Name: ANONYMOUS LOGON
>>>> Account Domain: NT AUTHORITY
>>>> Logon ID: 0x614767F6
>>>> Logon GUID: {00000000-0000-0000-0000-000000000000}
>>>>
>>>> Process Information:
>>>> Process ID: 0x0
>>>> Process Name: -
>>>>
>>>> Network Information:
>>>> Workstation Name: DC1.domain.com
>>>> Source Network Address: x.x.x.x
>>>> Source Port: 59019
>>>>
>>>> Detailed Authentication Information:
>>>> Logon Process: NtLmSsp
>>>> Authentication Package: NTLM
>>>> Transited Services: -
>>>> Package Name (NTLM only): NTLM V1
>>>> Key Length: 128
>>>>
>>>> This event is generated when a logon session is created. It is
>>>> generated on the computer that was accessed.
>>>>
>>>> The subject fields indicate the account on the local system which
>>>> requested the logon. This is most commonly a service such as the Server
>>>> service, or a local process such as Winlogon.exe or Services.exe.
>>>>
>>>> The logon type field indicates the kind of logon that occurred. The
>>>> most common types are 2 (interactive) and 3 (network).
>>>>
>>>> The New Logon fields indicate the account for whom the new logon was
>>>> created, i.e. the account that was logged on.
>>>>
>>>> The network fields indicate where a remote logon request originated.
>>>> Workstation name is not always available and may be left blank in some
>>>> cases.
>>>>
>>>> The impersonation level field indicates the extent to which a process
>>>> in the logon session can impersonate.
>>>>
>>>> The authentication information fields provide detailed information
>>>> about this specific logon request.
>>>> - Logon GUID is a unique identifier that can be used to correlate this
>>>> event with a KDC event.
>>>> - Transited services indicate which intermediate services have
>>>> participated in this logon request.
>>>> - Package name indicates which sub-protocol was used among the NTLM
>>>> protocols.
>>>> - Key length indicates the length of the generated session key. This
>>>> will be 0 if no session key was requested.
>>>> Event Xml:
>>>> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>>>> <System>
>>>> <Provider Name="Microsoft-Windows-Security-Auditing"
>>>> Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
>>>> <EventID>4624</EventID>
>>>> <Version>1</Version>
>>>> <Level>0</Level>
>>>> <Task>12544</Task>
>>>> <Opcode>0</Opcode>
>>>> <Keywords>0x8020000000000000</Keywords>
>>>> <TimeCreated SystemTime="2016-10-28T16:50:35.912189700Z" />
>>>> <EventRecordID>2087408</EventRecordID>
>>>> <Correlation />
>>>> <Execution ProcessID="492" ThreadID="7628" />
>>>> <Channel>Security</Channel>
>>>> <Computer>SCCM01.domain.com</Computer>
>>>> <Security />
>>>> </System>
>>>> <EventData>
>>>> <Data Name="SubjectUserSid">S-1-0-0</Data>
>>>> <Data Name="SubjectUserName">-</Data>
>>>> <Data Name="SubjectDomainName">-</Data>
>>>> <Data Name="SubjectLogonId">0x0</Data>
>>>> <Data Name="TargetUserSid">S-1-5-7</Data>
>>>> <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
>>>> <Data Name="TargetDomainName">NT AUTHORITY</Data>
>>>> <Data Name="TargetLogonId">0x614767f6</Data>
>>>> <Data Name="LogonType">3</Data>
>>>> <Data Name="LogonProcessName">NtLmSsp </Data>
>>>> <Data Name="AuthenticationPackageName">NTLM</Data>
>>>> <Data Name="WorkstationName">DC1.domain.com</Data>
>>>> <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
>>>> <Data Name="TransmittedServices">-</Data>
>>>> <Data Name="LmPackageName">NTLM V1</Data>
>>>> <Data Name="KeyLength">128</Data>
>>>> <Data Name="ProcessId">0x0</Data>
>>>> <Data Name="ProcessName">-</Data>
>>>> <Data Name="IpAddress">x.x.x.x</Data>
>>>> <Data Name="IpPort">59019</Data>
>>>> <Data Name="ImpersonationLevel">%%1833</Data>
>>>> </EventData>
>>>> </Event>
>>>>
>>>>
>>>>
>>>>
>>>> Log Name: Security
>>>> Source: Microsoft-Windows-Security-Auditing
>>>> Date: 10/28/2016 11:50:35 AM
>>>> Event ID: 5140
>>>> Task Category: File Share
>>>> Level: Information
>>>> Keywords: Audit Success
>>>> User: N/A
>>>> Computer: SCCM01.domain.com
>>>> Description:
>>>> A network share object was accessed.
>>>> Subject:
>>>> Security ID: ANONYMOUS LOGON
>>>> Account Name: ANONYMOUS LOGON
>>>> Account Domain: NT AUTHORITY
>>>> Logon ID: 0x614767F6
>>>>
>>>> Network Information:
>>>> Object Type: File
>>>> Source Address: x.x.x.x
>>>> Source Port: 59019
>>>> Share Information:
>>>> Share Name: \\*\IPC$
>>>> Share Path:
>>>>
>>>> Access Request Information:
>>>> Access Mask: 0x1
>>>> Accesses: ReadData (or ListDirectory)
>>>>
>>>> Event Xml:
>>>> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>>>> <System>
>>>> <Provider Name="Microsoft-Windows-Security-Auditing"
>>>> Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
>>>> <EventID>5140</EventID>
>>>> <Version>1</Version>
>>>> <Level>0</Level>
>>>> <Task>12808</Task>
>>>> <Opcode>0</Opcode>
>>>> <Keywords>0x8020000000000000</Keywords>
>>>> <TimeCreated SystemTime="2016-10-28T16:50:35.912189700Z" />
>>>> <EventRecordID>2087409</EventRecordID>
>>>> <Correlation />
>>>> <Execution ProcessID="4" ThreadID="9240" />
>>>> <Channel>Security</Channel>
>>>> <Computer>SCCM01.domain.com</Computer>
>>>> <Security />
>>>> </System>
>>>> <EventData>
>>>> <Data Name="SubjectUserSid">S-1-5-7</Data>
>>>> <Data Name="SubjectUserName">ANONYMOUS LOGON</Data>
>>>> <Data Name="SubjectDomainName">NT AUTHORITY</Data>
>>>> <Data Name="SubjectLogonId">0x614767f6</Data>
>>>> <Data Name="ObjectType">File</Data>
>>>> <Data Name="IpAddress">x.x.x.x</Data>
>>>> <Data Name="IpPort">59019</Data>
>>>> <Data Name="ShareName">\\*\IPC$</Data>
>>>> <Data Name="ShareLocalPath">
>>>> </Data>
>>>> <Data Name="AccessMask">0x1</Data>
>>>> <Data Name="AccessList">%%4416
>>>> </Data>
>>>> </EventData>
>>>> </Event>
>>>>
>>>>
>>>>
>>>> On Thursday, September 22, 2016 at 2:15:09 AM UTC-5, J Hawkesworth wrote:
>>>>>
>>>>> Have a look in the event logs. I suspect all you will see is 'Access
>>>>> is denied'. Worth looking on the network share machine (if it is an
>>>>> actual windows box). If it isn't a windows box I guess there will be
>>>>> some kind of samba share logging that you could examine too.
>>>>>
>>>>> Make sure that you are using the same user when logged in via remote
>>>>> desktop as the user that ansible is using.
>>>>>
>>>>> You could check for logon events in the event viewer and see what
>>>>> privileges are assigned to your ansible.... user and see how these differ
>>>>> when you login via RDP.
>>>>>
>>>>> My understanding is that the auth delegation changes the kerberos
>>>>> ticket in some way so you could try examining the kerberos ticket
>>>>> using klist - unfortunately I can't try this myself at the moment.
>>>>>
>>>>> I wonder if it is possible for the domain controller to disallow
>>>>> granting the necessary kerberos ticket for auth delegation. Perhaps ask
>>>>> Active Directory administrators if they can do anything like this and
>>>>> whether it is in place.
>>>>>
>>>>> I still think that you are 'almost there' with solving this problem.
>>>>>
>>>>> Hope the above helps,
>>>>>
>>>>> Jon
>>>>>
>>>>>
>>>>> On Tuesday, September 20, 2016 at 3:35:27 PM UTC+1, Surred wrote:
>>>>>>
>>>>>> JH,
>>>>>>
>>>>>> Do you know of any other tests/logging I could try/review to
>>>>>> determine why the kerberos delegation is not working in my environment?
>>>>>>
>>>>>> On Friday, September 16, 2016 at 2:22:05 AM UTC-5, J Hawkesworth wrote:
>>>>>>>
>>>>>>> Sorry, I should have been clearer. 2.0.0.2 and 2.1.1 are ansible
>>>>>>> versions.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thursday, September 15, 2016 at 4:11:02 PM UTC+1, Surred wrote:
>>>>>>>>
>>>>>>>> Thanks for the response JH. I've moved the winrm connection details
>>>>>>>> to group_vars as you suggested, but am still not able to list the
>>>>>>>> files of a network share. You said you are using "2.0.0.2 / 2.1.1" Can
>>>>>>>> you please clarify those version numbers and what they are associated
>>>>>>>> with?
>>>>>>>>
>>>>>>>> host file:
>>>>>>>> user@ansible:~/ansible> cat inventories/domain
>>>>>>>> [test]
>>>>>>>> dc1.domain.com
>>>>>>>>
>>>>>>>>
>>>>>>>> group_vars:
>>>>>>>> user@ansible:~/ansible> cat inventories/group_vars/test.yml
>>>>>>>> ---
>>>>>>>>
>>>>>>>> ansible_ssh_port: 5986
>>>>>>>> ansible_connection: winrm
>>>>>>>> ansible_winrm_transport: kerberos
>>>>>>>> ansible_winrm_kerberos_delegation: yes
>>>>>>>> ansible_ssh_user: [email protected]
>>>>>>>> ansible_winrm_server_cert_validation: ignore
>>>>>>>>
>>>>>>>>
>>>>>>>> output of playbook (I've added a debug task to dump the variables):
>>>>>>>> user@ansible:~/ansible> ansible-playbook test.yml -i
>>>>>>>> inventories/domain -vvvvv
>>>>>>>> Using /home/user/ansible/ansible.cfg as config file
>>>>>>>> Loaded callback default of type stdout, v2.0
>>>>>>>>
>>>>>>>> PLAYBOOK: test.yml
>>>>>>>> *************************************************************
>>>>>>>> 1 plays in test.yml
>>>>>>>>
>>>>>>>> PLAY [list unc]
>>>>>>>> ****************************************************************
>>>>>>>>
>>>>>>>> TASK [display variables]
>>>>>>>> *******************************************************
>>>>>>>> task path: /home/user/ansible/test.yml:6
>>>>>>>> ok: [dc1.domain.com] => {
>>>>>>>> "hostvars[inventory_hostname]": {
>>>>>>>> "ansible_check_mode": false,
>>>>>>>> "ansible_connection": "winrm",
>>>>>>>> "ansible_ssh_port": 5986,
>>>>>>>> "ansible_ssh_user": "[email protected]",
>>>>>>>> "ansible_version": {
>>>>>>>> "full": "2.1.0.0",
>>>>>>>> "major": 2,
>>>>>>>> "minor": 1,
>>>>>>>> "revision": 0,
>>>>>>>> "string": "2.1.0.0"
>>>>>>>> },
>>>>>>>> "ansible_winrm_kerberos_delegation": true,
>>>>>>>> "ansible_winrm_server_cert_validation": "ignore",
>>>>>>>> "ansible_winrm_transport": "kerberos",
>>>>>>>> "group_names": [
>>>>>>>> "test"
>>>>>>>> ],
>>>>>>>> "groups": {
>>>>>>>> "all": [
>>>>>>>> "dc1.domain.com"
>>>>>>>> ],
>>>>>>>> "test": [
>>>>>>>> "dc1.domain.com"
>>>>>>>> ],
>>>>>>>> "ungrouped": []
>>>>>>>> },
>>>>>>>> "inventory_dir": "/home/user/ansible/inventories",
>>>>>>>> "inventory_file": "inventories/domain",
>>>>>>>> "inventory_hostname": "dc1.domain.com",
>>>>>>>> "inventory_hostname_short": "dc1",
>>>>>>>> "omit":
>>>>>>>> "__omit_place_holder__aefe246ae370864260078b474e205946a8274802",
>>>>>>>> "playbook_dir": "/home/user/ansible"
>>>>>>>> }
>>>>>>>> }
>>>>>>>>
>>>>>>>> TASK [list unc]
>>>>>>>> ****************************************************************
>>>>>>>> task path: /home/user/ansible/test.yml:9
>>>>>>>> <dc1.domain.com> ESTABLISH WINRM CONNECTION FOR USER:
>>>>>>>> [email protected] on PORT 5986 TO dc1.domain.com
>>>>>>>> <dc1.domain.com> WINRM CONNECT: transport=kerberos endpoint=
>>>>>>>> https://dc1.domain.com:5986/wsman
>>>>>>>> <dc1.domain.com> WINRM OPEN SHELL:
>>>>>>>> 33ADC923-1FA6-4D0D-B5AF-7A474202BD2E
>>>>>>>> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
>>>>>>>> (New-Item -Type Directory -Path $env:temp -Name
>>>>>>>> "ansible-tmp-1473950183.23-4669660185733").FullName | Write-Host
>>>>>>>> -Separator
>>>>>>>> '';
>>>>>>>> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile',
>>>>>>>> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted',
>>>>>>>> u'-EncodedCommand',
>>>>>>>> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOQA1ADAAMQA4ADMALgAyADMALQA0ADYANgA5ADYANgAwADEAOAA1ADcAMwAzACIAKQAuAEYAdQBsAGwATgBhAG0AZQAgAHwAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAALQBTAGUAcABhAHIAYQB0AG8AcgAgACcAJwA7AA==']
>>>>>>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out
>>>>>>>> "C:\\Users\\ansible_svc", err "">'
>>>>>>>> <dc1.domain.com> PUT "/home/user/ansible/test.ps1" TO
>>>>>>>> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1"
>>>>>>>> <dc1.domain.com> WINRM PUT "/home/user/ansible/test.ps1" to
>>>>>>>> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1"
>>>>>>>>
>>>>>>>> (offset=46 size=46)
>>>>>>>> <dc1.domain.com> EXEC &
>>>>>>>>
>>>>>>>> 'C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1'
>>>>>>>> <dc1.domain.com> WINRM EXEC 'PowerShell' ['-NoProfile',
>>>>>>>> '-NonInteractive', '-ExecutionPolicy', 'Unrestricted',
>>>>>>>> '-EncodedCommand',
>>>>>>>> 'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABhAG4AcwBpAGIAbABlAF8AcwB2AGMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOQA1ADAAMQA4ADMALgAyADMALQA0ADYANgA5ADYANgAwADEAOAA1ADcAMwAzAFwAdABlAHMAdAAuAHAAcwAxACcA']
>>>>>>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "#<
>>>>>>>> CLIXML\r\n<Objs Ver">'
>>>>>>>> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
>>>>>>>> Remove-Item
>>>>>>>> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733"
>>>>>>>>
>>>>>>>> -Force -Recurse;
>>>>>>>> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile',
>>>>>>>> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted',
>>>>>>>> u'-EncodedCommand',
>>>>>>>> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGEAbgBzAGkAYgBsAGUAXwBzAHYAYwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADcAMwA5ADUAMAAxADgAMwAuADIAMwAtADQANgA2ADkANgA2ADAAMQA4ADUANwAzADMAIgAgAC0ARgBvAHIAYwBlACAALQBSAGUAYwB1AHIAcwBlADsA']
>>>>>>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "">'
>>>>>>>> <dc1.domain.com> WINRM CLOSE SHELL:
>>>>>>>> 33ADC923-1FA6-4D0D-B5AF-7A474202BD2E
>>>>>>>> changed: [dc1.domain.com] => {"changed": true, "invocation":
>>>>>>>> {"module_args": {"_raw_params": "/home/user/ansible/test.ps1"},
>>>>>>>> "module_name": "script"}, "rc": 0, "stderr": "Get-ChildItem : Access
>>>>>>>> is
>>>>>>>> denied\r\nAt
>>>>>>>> C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473950183.23-4669660185\r\n733\\test.ps1:1
>>>>>>>>
>>>>>>>> char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+
>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo
>>>>>>>> :
>>>>>>>> PermissionDenied: (\\\\sccm01\\SMS_ABC\\Client \r\n:String)
>>>>>>>> [Get-ChildItem], UnauthorizedAccessException\r\n+
>>>>>>>> FullyQualifiedErrorId :
>>>>>>>> ItemExistsUnauthorizedAccessError,Microsoft.Powe
>>>>>>>> \r\nrShell.Commands.GetChildItemCommand\r\n\r\nGet-ChildItem : Cannot
>>>>>>>> find
>>>>>>>> path '\\\\sccm01\\SMS_ABC\\Client' because it \r\ndoes not
>>>>>>>> exist.\r\nAt
>>>>>>>> C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473950183.23-4669660185\r\n733\\test.ps1:1
>>>>>>>>
>>>>>>>> char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+
>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo
>>>>>>>> :
>>>>>>>> ObjectNotFound: (\\\\sccm01\\SMS_ABC\\Client:S \r\ntring)
>>>>>>>> [Get-ChildItem],
>>>>>>>> ItemNotFoundException\r\n+ FullyQualifiedErrorId :
>>>>>>>> PathNotFound,Microsoft.PowerShell.Commands.GetCh
>>>>>>>> \r\nildItemCommand\r\n",
>>>>>>>> "stdout": "", "stdout_lines": []}
>>>>>>>>
>>>>>>>> PLAY RECAP
>>>>>>>> *********************************************************************
>>>>>>>> dc1.domain.com : ok=2 changed=1 unreachable=0 failed=0
>>>>>>>>
>>>>>>>> user@ansible:~/ansible>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wednesday, September 14, 2016 at 12:52:13 PM UTC-5, Surred wrote:
>>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I'm having issues getting the double hop scenario working. To test
>>>>>>>>> kerberos delegation I have a simple PowerShell script that does a
>>>>>>>>> Get-ChildItem on a UNC path. When running the command manually on the
>>>>>>>>> host it works, but when executing as playbook with Ansible I get "Access
>>>>>>>>> Denied." Below is my configuration and the verbose output I receive.
>>>>>>>>> Any help or suggestions would be greatly appreciated.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Environment:
>>>>>>>>> user@ansible:~/ansible> pip list 2>/dev/null | grep -i pywinrm
>>>>>>>>> pywinrm (0.2.0)
>>>>>>>>>
>>>>>>>>> user@ansible:~/ansible> ansible --version
>>>>>>>>> ansible 2.1.0.0
>>>>>>>>> config file = /home/user/ansible/ansible.cfg
>>>>>>>>> configured module search path = Default w/o overrides
>>>>>>>>>
>>>>>>>>> user@ansible:~/ansible> cat /etc/*-release
>>>>>>>>> NAME="SLES"
>>>>>>>>> VERSION="11.4"
>>>>>>>>> VERSION_ID="11.4"
>>>>>>>>> PRETTY_NAME="SUSE Linux Enterprise Server 11 SP4"
>>>>>>>>> ID="sles"
>>>>>>>>> ANSI_COLOR="0;32"
>>>>>>>>> CPE_NAME="cpe:/o:suse:sles:11:4"
>>>>>>>>> SUSE Linux Enterprise Server 11 (x86_64)
>>>>>>>>> VERSION = 11
>>>>>>>>> PATCHLEVEL = 4
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Inventory excerpt:
>>>>>>>>> [all:vars]
>>>>>>>>> ansible_ssh_port=5986
>>>>>>>>> ansible_connection=winrm
>>>>>>>>> ansible_winrm_transport=kerberos
>>>>>>>>> ansible_winrm_kerberos_delegation=yes
>>>>>>>>> [email protected]
>>>>>>>>> ansible_winrm_server_cert_validation=ignore
>>>>>>>>>
>>>>>>>>> Playbook output:
>>>>>>>>> user@ansible:~/ansible> ansible-playbook test.yml -i
>>>>>>>>> inventories/domain -vvvvv
>>>>>>>>> Using /home/user/ansible/ansible.cfg as config file
>>>>>>>>> Loaded callback default of type stdout, v2.0
>>>>>>>>>
>>>>>>>>> PLAYBOOK: test.yml
>>>>>>>>> *************************************************************
>>>>>>>>> 1 plays in test.yml
>>>>>>>>>
>>>>>>>>> PLAY [list unc]
>>>>>>>>> ****************************************************************
>>>>>>>>>
>>>>>>>>> TASK [list unc]
>>>>>>>>> ****************************************************************
>>>>>>>>> task path: /home/user/ansible/test.yml:6
>>>>>>>>> <dc1.domain.com> ESTABLISH WINRM CONNECTION FOR USER:
>>>>>>>>> [email protected] on PORT 5986 TO dc1.domain.com
>>>>>>>>> <dc1.domain.com> WINRM CONNECT: transport=kerberos endpoint=
>>>>>>>>> https://dc1.domain.com:5986/wsman
>>>>>>>>> <dc1.domain.com> WINRM OPEN SHELL:
>>>>>>>>> 33CC652E-0DED-4C66-B898-2860580A29A8
>>>>>>>>> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
>>>>>>>>> (New-Item -Type Directory -Path $env:temp -Name
>>>>>>>>> "ansible-tmp-1473809521.62-137672088908702").FullName | Write-Host
>>>>>>>>> -Separator '';
>>>>>>>>> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile',
>>>>>>>>> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted',
>>>>>>>>> u'-EncodedCommand',
>>>>>>>>> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOAAwADkANQAyADEALgA2ADIALQAxADMANwA2ADcAMgAwADgAOAA5ADAAOAA3ADAAMgAiACkALgBGAHUAbABsAE4AYQBtAGUAIAB8ACAAVwByAGkAdABlAC0ASABvAHMAdAAgAC0AUwBlAHAAYQByAGEAdABvAHIAIAAnACcAOwA=']
>>>>>>>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out
>>>>>>>>> "C:\\Users\\ansible_svc", err "">'
>>>>>>>>> <dc1.domain.com> PUT "/home/user/ansible/test.ps1" TO
>>>>>>>>> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1"
>>>>>>>>> <dc1.domain.com> WINRM PUT "/home/user/ansible/test.ps1" to
>>>>>>>>> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1"
>>>>>>>>>
>>>>>>>>> (offset=46 size=46)
>>>>>>>>> <dc1.domain.com> EXEC &
>>>>>>>>>
>>>>>>>>> 'C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1'
>>>>>>>>> <dc1.domain.com> WINRM EXEC 'PowerShell' ['-NoProfile',
>>>>>>>>> '-NonInteractive', '-ExecutionPolicy', 'Unrestricted',
>>>>>>>>> '-EncodedCommand',
>>>>>>>>> 'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABhAG4AcwBpAGIAbABlAF8AcwB2AGMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOAAwADkANQAyADEALgA2ADIALQAxADMANwA2ADcAMgAwADgAOAA5ADAAOAA3ADAAMgBcAHQAZQBzAHQALgBwAHMAMQAnAA==']
>>>>>>>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "#<
>>>>>>>>> CLIXML\r\n<Objs Ver">'
>>>>>>>>> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
>>>>>>>>> Remove-Item
>>>>>>>>> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702"
>>>>>>>>>
>>>>>>>>> -Force -Recurse;
>>>>>>>>> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile',
>>>>>>>>> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted',
>>>>>>>>> u'-EncodedCommand',
>>>>>>>>> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGEAbgBzAGkAYgBsAGUAXwBzAHYAYwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADcAMwA4ADAAOQA1ADIAMQAuADYAMgAtADEAMwA3ADYANwAyADAAOAA4ADkAMAA4ADcAMAAyACIAIAAtAEYAbwByAGMAZQAgAC0AUgBlAGMAdQByAHMAZQA7AA==']
>>>>>>>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "">'
>>>>>>>>> <dc1.domain.com> WINRM CLOSE SHELL:
>>>>>>>>> 33CC652E-0DED-4C66-B898-2860580A29A8
>>>>>>>>> changed: [dc1.domain.com] => {"changed": true, "invocation":
>>>>>>>>> {"module_args": {"_raw_params": "/home/user/ansible/test.ps1"},
>>>>>>>>> "module_name": "script"}, "rc": 0, "stderr": "Get-ChildItem : Access
>>>>>>>>> is
>>>>>>>>> denied\r\nAt
>>>>>>>>> C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473809521.62-1376720889\r\n08702\\test.ps1:1
>>>>>>>>>
>>>>>>>>> char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+
>>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo
>>>>>>>>> :
>>>>>>>>> PermissionDenied: (\\\\sccm01\\SMS_ABC\\Client \r\n:String)
>>>>>>>>> [Get-ChildItem], UnauthorizedAccessException\r\n+
>>>>>>>>> FullyQualifiedErrorId :
>>>>>>>>> ItemExistsUnauthorizedAccessError,Microsoft.Powe
>>>>>>>>> \r\nrShell.Commands.GetChildItemCommand\r\n\r\nGet-ChildItem : Cannot
>>>>>>>>> find
>>>>>>>>> path '\\\\sccm01\\SMS_ABC\\Client' because it \r\ndoes not
>>>>>>>>> exist.\r\nAt
>>>>>>>>> C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473809521.62-1376720889\r\n08702\\test.ps1:1
>>>>>>>>>
>>>>>>>>> char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+
>>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo
>>>>>>>>> :
>>>>>>>>> ObjectNotFound: (\\\\sccm01\\SMS_ABC\\Client:S \r\ntring)
>>>>>>>>> [Get-ChildItem],
>>>>>>>>> ItemNotFoundException\r\n+ FullyQualifiedErrorId :
>>>>>>>>> PathNotFound,Microsoft.PowerShell.Commands.GetCh
>>>>>>>>> \r\nildItemCommand\r\n",
>>>>>>>>> "stdout": "", "stdout_lines": []}
>>>>>>>>>
>>>>>>>>> PLAY RECAP
>>>>>>>>> *********************************************************************
>>>>>>>>> dc1.domain.com : ok=1 changed=1 unreachable=0 failed=0
>>>>>>>>>
>>>>>>>>> user@ansible:~/ansible>
>>>>>>>>>
>>>>>>>>
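
Added example, not part of the original thread or of Ansible: a small Python check that reads exported Security-log event XML from the share server and reports network logons that arrived as ANONYMOUS LOGON over NTLM, together with the shares that logon session touched (event 5140 joined on the logon ID), which is the pattern in the 4624/5140 pair quoted above. The function names are hypothetical; the first two sample events are trimmed from the thread's logs and the third (a Kerberos logon for ansible_svc) is constructed for contrast.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ANONYMOUS_SID = "S-1-5-7"  # well-known SID for ANONYMOUS LOGON

# Constructed sample: events 1 and 2 are trimmed from the logs in the thread,
# event 3 is an invented Kerberos logon included only for contrast.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><Computer>SCCM01.domain.com</Computer></System>
 <EventData>
  <Data Name="TargetUserSid">S-1-5-7</Data>
  <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
  <Data Name="TargetLogonId">0x614767f6</Data>
  <Data Name="LogonType">3</Data>
  <Data Name="AuthenticationPackageName">NTLM</Data>
  <Data Name="WorkstationName">DC1.domain.com</Data>
  <Data Name="LmPackageName">NTLM V1</Data>
 </EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>5140</EventID><Computer>SCCM01.domain.com</Computer></System>
 <EventData>
  <Data Name="SubjectUserSid">S-1-5-7</Data>
  <Data Name="SubjectLogonId">0x614767f6</Data>
  <Data Name="ShareName">\\*\IPC$</Data>
 </EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><Computer>SCCM01.domain.com</Computer></System>
 <EventData>
  <Data Name="TargetUserSid">S-1-5-21-1111111111-2222222222-3333333333-1104</Data>
  <Data Name="TargetUserName">ansible_svc</Data>
  <Data Name="TargetLogonId">0x61480000</Data>
  <Data Name="LogonType">3</Data>
  <Data Name="AuthenticationPackageName">Kerberos</Data>
  <Data Name="WorkstationName">-</Data>
  <Data Name="LmPackageName">-</Data>
 </EventData></Event>""",
]


def parse_event(xml_text):
    """Flatten one event's <EventData> into a dict, plus EventID and Computer."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "").strip()
              for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    return fields


def find_anonymous_ntlm_logons(events):
    """Return one finding per anonymous NTLM network logon, with shares accessed."""
    parsed = [parse_event(x) for x in events]
    findings = {}
    for ev in parsed:
        if (ev["EventID"] == 4624
                and ev.get("TargetUserSid") == ANONYMOUS_SID
                and ev.get("LogonType") == "3"          # network logon
                and ev.get("AuthenticationPackageName") == "NTLM"):
            key = (ev["Computer"], int(ev["TargetLogonId"], 16))
            findings[key] = {
                "server": ev["Computer"],
                "source_host": ev.get("WorkstationName"),
                "ntlm_version": ev.get("LmPackageName"),
                "shares": [],
            }
    # Join share-access events to the logon session that produced them.
    for ev in parsed:
        if ev["EventID"] == 5140:
            key = (ev["Computer"], int(ev["SubjectLogonId"], 16))
            if key in findings:
                findings[key]["shares"].append(ev.get("ShareName"))
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_anonymous_ntlm_logons(SAMPLE_EVENTS):
        print(finding)
```
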