More interesting would be to use restricted endpoints, which let you execute stuff as a different user than the one you're logging in with. That way you'd have one credential that would actually do all the things, and another credential to connect with. Unsure whether pywinrm supports it - maybe Matt would know?

On Monday, March 27, 2017 at 1:02:49 AM UTC+2, Jordan Borean wrote:
>
> You definitely can allow a non admin account to run through WinRM but it
> is definitely not something that is enabled by default and would require
> some fiddling with the SDDL and endpoint ACLs. This issue has most of the
> information that is required to add a non admin
> https://github.com/ansible/ansible/issues/16478. Trond is right though
> usually you require admin privileges to do anything in Windows like
> install applications or change config so I don't see there being a large
> case for this in Ansible. Happy to be proven otherwise though.
>
> On Monday, March 27, 2017 at 7:17:59 AM UTC+10, Trond Hindenes wrote:
>>
>> I think it's possible to tweak the winrm service to allow non-admin
>> logins but still - lots of the operations you perform against the server
>> require administrator privileges anyways so I don't see the point in
>> spending time on it.
>>
>> On Tuesday, February 28, 2017 at 3:02:41 PM UTC+1, J Hawkesworth wrote:
>>>
>>> Winrm is intended for system administration, so using with a regular,
>>> non administrator user might not have sufficient grants/permissions.
>>>
>>> Can you make your local user a local administrator perhaps?
>>>
>>> On Thursday, February 16, 2017 at 10:12:20 AM UTC, Hmdi Bz wrote:
>>>>
>>>> no I'm not using a domain login, just a normal user (not an admin),
>>>> the User Account Control is disabled.
>>>>
>>>> update:
>>>> I've tried to win_ping to the admin account and it works, the thing is I
>>>> need it to work with just a normal account
>>>>
>>>> On Wednesday, February 15, 2017 at 12:56:52 PM UTC+1, J Hawkesworth
>>>> wrote:
>>>>>
>>>>> "the specified credentials were rejected by the server" can often mean
>>>>> the password doesn't match what's expected for the user name.
>>>>>
>>>>> Are you using a domain login? If so you'll need to set up the
>>>>> kerberos support. If not, check the windows event log to see which user
>>>>> it reckons you are logging in as.
>>>>>
>>>>> Hope this helps,
>>>>>
>>>>> Jon
>>>>>
>>>>> On Tuesday, February 14, 2017 at 6:20:28 PM UTC, Hmdi Bz wrote:
>>>>>>
>>>>>> Hi,
>>>>>> I'm using ansible on centos 7 guest on virtualBox using a bridged
>>>>>> network with a windows host
>>>>>> they can both ping each other. (windows address: 192.168.1.2, centos7
>>>>>> address: 192.168.1.3)
>>>>>> I'm using a basic winrm connection and I've already executed
>>>>>> configureRemotingForAnsible.ps1 successfully on the host along with
>>>>>> these two commands:
>>>>>>
>>>>>> winrm set winrm/config/service/auth '@{Basic="true"}'
>>>>>> winrm set winrm/config/service '@{AllowUnencrypted="true"}'
>>>>>>
>>>>>> I've also disabled firewall on both sides.
>>>>>> My windows account is not part of any Domain.
>>>>>>
>>>>>>
>>>>>> ansible version is 2.2.1.0
>>>>>> the inventory file: inv.ini
>>>>>>
>>>>>> [windowsTest]
>>>>>> 192.168.1.2
>>>>>> [windowsTest:vars]
>>>>>> ansible_username=myUsername
>>>>>> ansible_password=myPassword
>>>>>> ansible_port=5985
>>>>>> ansible_connection=winrm
>>>>>> ansible_winrm_scheme=http
>>>>>> ansible_winrm_server_cert_validation=ignore
>>>>>> ansible_winrm_transport=basic
>>>>>>
>>>>>>
>>>>>> when I execute:
>>>>>>
>>>>>> $ ansible windowsTest -i inv.ini -m win_ping
>>>>>>
>>>>>> I get this error:
>>>>>>
>>>>>> 192.168.1.2 |Unreachable! => {
>>>>>>     "changed": false,
>>>>>>     "msg": "basic: the specified credentials were rejected by the server",
>>>>>>     "unreachable": true
>>>>>> }
>>>>>>
>>>>>> any Help?
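
An added example, not part of the thread and not Ansible's own code: the inventory quoted in the original question uses Basic auth over plain HTTP with certificate validation ignored and a literal password, and a small check like this flags those settings before a playbook runs. The finding names, the hardened sample (NTLM over an HTTPS listener on 5986) and the `vault_win_password` variable are assumptions made for illustration.

```python
import re
# Constructed sample: the WinRM settings from the inventory quoted in the thread.
WEAK = """\
[windowsTest]
192.168.1.2
[windowsTest:vars]
ansible_password=myPassword
ansible_port=5985
ansible_connection=winrm
ansible_winrm_scheme=http
ansible_winrm_server_cert_validation=ignore
ansible_winrm_transport=basic
"""
# Constructed hardened counterpart (assumed: HTTPS listener, NTLM, vaulted password).
HARDENED = """\
[windowsTest:vars]
ansible_password={{ vault_win_password }}
ansible_port=5986
ansible_connection=winrm
ansible_winrm_scheme=https
ansible_winrm_transport=ntlm
"""

def group_vars(text):
    """Collect key=value pairs from every [group:vars] section; host lines are skipped."""
    groups, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[([^\]:]+)(?::(\w+))?\]", line)
        if header:
            current = groups.setdefault(header.group(1), {}) if header.group(2) == "vars" else None
        elif current is not None and "=" in line and not line.startswith(("#", ";")):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return groups

def audit(text):
    """Return sorted (group, finding) pairs for WinRM settings that expose credentials."""
    findings = []
    for group, v in group_vars(text).items():
        if v.get("ansible_connection") != "winrm":
            continue
        http = v.get("ansible_winrm_scheme") == "http" or v.get("ansible_port") == "5985"
        checks = {
            "basic-over-http": http and v.get("ansible_winrm_transport") == "basic",  # base64 only
            "cert-validation-off": v.get("ansible_winrm_server_cert_validation") == "ignore",
            "cleartext-password": not v.get("ansible_password", "{{").startswith("{{"),
        }
        findings += [(group, name) for name, hit in checks.items() if hit]
    return sorted(findings)
```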
