@william: With the latest requests-ntlm in combination with Ansible 2.2.0 you can use NTLM against Windows machines, if this floats your boat as an alternative to Kerberos tickets.
ansible_connection: winrm
ansible_winrm_transport: ntlm

On Tuesday, April 4, 2017 at 12:27:21 AM UTC+10, William McKenzie wrote:
>
> Here's my setup:
>
> Ansible Tower 3.1.1, Basic License, using the vagrant box, with some post
> provisioning steps to setup krb5 and join the box to my domain.
>
> Kerberos configuration is good. I can kinit, klist, etc. etc. from command
> line.
>
> python winrm is good:
>
>     vagrant@ansible-tower ~]$ sudo su - awx
>     Last login: Sat Apr 1 23:12:18 JST 2017 on pts/1
>
>     *Welcome to Ansible Tower!*
>
>     Log into the web interface here: etc...
>
>     -bash-4.2$ cat test.py
>     import sys
>     from winrm.protocol import Protocol
>
>     HYPERV_SERVER = 'https://louis.home.cartewright.com:5986/wsman'
>
>     class RM():
>
>         def __init__(self):
>             self.win_connect = Protocol(endpoint=HYPERV_SERVER, transport='kerberos', server_cert_validation='ignore')
>
>         def test(self):
>             shell_id = self.win_connect.open_shell()
>             cmd = "dir"
>             command_id = self.win_connect.run_command(shell_id, cmd)
>             output,error_value,exit_status = self.win_connect.get_command_output(shell_id, command_id)
>             self.win_connect.cleanup_command(shell_id, command_id)
>             self.win_connect.close_shell(shell_id)
>             print output
>
>     def main():
>         rm = RM()
>         rm.test()
>
>     if __name__ == '__main__':
>         main()
>         sys.exit()
>
>     -bash-4.2$ python test.py
>      Volume in drive C is SAMSUNG 512GB SSD
>      Volume Serial Number is 2C8F-7BFA
>
>      Directory of C:\Users\ansible
>
>     03/31/2017 11:04 AM <DIR> .
>     03/31/2017 11:04 AM <DIR> ..
>     07/16/2016 06:47 AM <DIR> Desktop
>     03/31/2017 11:04 AM <DIR> Documents
>     07/16/2016 06:47 AM <DIR> Downloads
>     07/16/2016 06:47 AM <DIR> Favorites
>     07/16/2016 06:47 AM <DIR> Links
>     07/16/2016 06:47 AM <DIR> Music
>     07/16/2016 06:47 AM <DIR> Pictures
>     07/16/2016 06:47 AM <DIR> Saved Games
>     07/16/2016 06:47 AM <DIR> Videos
>     0 File(s) 0 bytes
>     11 Dir(s) 291,787,771,904 bytes free
>
>     -bash-4.2$
>
> So now, I manually create some inventory in the default directories/files
> for ansible (not Tower). Works perfectly:
>
>     -bash-4.2$ cat /etc/ansible/group_vars/windows.yml
>     ansible_connection: winrm
>     ansible_user: [email protected]
>     ansible_password: R1pflash
>     ansible_winrm_server_cert_validation: ignore
>
>     -bash-4.2$
>     -bash-4.2$ ansible windows -m win_ping -v
>     Using /etc/ansible/ansible.cfg as config file
>     louis.home.cartewright.com | SUCCESS => {
>         "changed": false,
>         "ping": "pong"
>     }
>
> Now, I create the exact same inventory in tower, exact same credentials
> ([email protected]) and no matter how I tweak it, always the same thing:
>
>     Using /etc/ansible/ansible.cfg as config file
>     SSH password:
>     Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/windows/win_ping.ps1
>     <louis.home.cartewright.com> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO louis.home.cartewright.com
>     <louis.home.cartewright.com> WINRM CONNECT: transport=kerberos endpoint=https://louis.home.cartewright.com:5986/wsman
>     <louis.home.cartewright.com> WINRM CONNECTION ERROR: authGSSClientInit() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ("Can't find client principal [email protected] in cache collection", -1765328243))
>     Traceback (most recent call last):
>       File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 154, in _winrm_connect
>         self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
>         res = self.send_message(xmltodict.unparse(req))
>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
>         return self.transport.send_message(message)
>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/transport.py", line 181, in send_message
>         prepared_request = self.session.prepare_request(request)
>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/sessions.py", line 394, in prepare_request
>         hooks=merge_hooks(request.hooks, self.hooks),
>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/models.py", line 298, in prepare
>         self.prepare_auth(auth, url)
>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/models.py", line 500, in prepare_auth
>         r = auth(self)
>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 308, in __call__
>         auth_header = self.generate_request_header(None, host, is_preemptive=True)
>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 148, in generate_request_header
>         raise KerberosExchangeError("%s failed: %s" % (kerb_stage, str(error.args)))
>     KerberosExchangeError: authGSSClientInit() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ("Can't find client principal [email protected] in cache collection", -1765328243))
>     <louis.home.cartewright.com> WINRM CONNECT: transport=ssl endpoint=https://louis.home.cartewright.com:5986/wsman
>     <louis.home.cartewright.com> WINRM CONNECTION ERROR: the specified credentials were rejected by the server
>     Traceback (most recent call last):
>       File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 154, in _winrm_connect
>         self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
>         res = self.send_message(xmltodict.unparse(req))
>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
>         return self.transport.send_message(message)
>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/transport.py", line 190, in send_message
>         raise InvalidCredentialsError("the specified credentials were rejected by the server")
>     InvalidCredentialsError: the specified credentials were rejected by the server
>     louis.home.cartewright.com | UNREACHABLE! => {
>         "changed": false,
>         "msg": "kerberos: authGSSClientInit() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), (\"Can't find client principal [email protected] in cache collection\", -1765328243)), ssl: the specified credentials were rejected by the server",
>         "unreachable": true
>     }
>
> Just completely unable to find the credentials in the cache, no matter how
> I do it. I've put the password in the tower credentials, in the inventory,
> using ASK, no matter what I do, it cannot find credentials.
>
> What am I missing?
>
> ~Bill
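The UNREACHABLE message in the quoted output packs one error per attempted transport into a single string. The following added example (not part of the thread and not Ansible's own code) splits that string so each transport's failure can be read separately; the transport list, the diagnosis wording and the sample principal are assumptions made for the example.

```python
import re

# Transport names that prefix each per-transport error (assumed list of pywinrm transports).
TRANSPORTS = ("kerberos", "ntlm", "ssl", "basic", "plaintext", "credssp", "certificate")
_SPLIT = re.compile(r"(?:^|, )(%s): " % "|".join(TRANSPORTS))

# Substring of the error text -> what it says about the failure (wording is ours).
DIAGNOSES = [
    ("in cache collection",
     "no Kerberos ticket for this principal in the credential cache the job process sees"),
    ("credentials were rejected",
     "server refused the username/password offered on this transport"),
]


def split_by_transport(msg):
    """Turn 'kerberos: <err>, ssl: <err>' into {'kerberos': '<err>', 'ssl': '<err>'}."""
    parts = _SPLIT.split(msg)  # ['', 'kerberos', '<err>', 'ssl', '<err>']
    return {parts[i]: parts[i + 1] for i in range(1, len(parts) - 1, 2)}


def diagnose(msg):
    """Map each attempted transport to a one-line reading of its error."""
    result = {}
    for transport, err in split_by_transport(msg).items():
        result[transport] = next(
            (text for needle, text in DIAGNOSES if needle in err), "unclassified")
    return result


# Constructed sample modelled on the "msg" field above; the principal is a placeholder.
SAMPLE = (
    "kerberos: authGSSClientInit() failed: (('Unspecified GSS failure. Minor code "
    "may provide more information', 851968), (\"Can't find client principal "
    "user@EXAMPLE.COM in cache collection\", -1765328243)), "
    "ssl: the specified credentials were rejected by the server"
)

if __name__ == "__main__":
    for transport, reading in diagnose(SAMPLE).items():
        print("%-9s %s" % (transport, reading))
```
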
