Thanks, I have tried NTLM and basic, and they both work fine. However, I am 
evaluating this for a 20000+ node enterprise solution, and Kerberos is a 
must-have requirement.

On Tuesday, April 4, 2017 at 7:37:03 PM UTC-5, Jarryd Took wrote:
>
> @william: 
>
> With the latest requests-ntlm in combination with Ansible 2.2.0, you can use NTLM 
> against Windows machines, if this floats your boat as an alternative to 
> Kerberos tickets.
>
> ansible_connection: winrm
> ansible_winrm_transport: ntlm 
>
>
>
> On Tuesday, April 4, 2017 at 12:27:21 AM UTC+10, William McKenzie wrote:
>>
>> Here's my setup:
>>
>> Ansible Tower 3.1.1, Basic License, using the vagrant box, with some post 
>> provisioning steps to setup krb5 and join the box to my domain.
>>
>> Kerberos configuration is good. I can kinit, klist, etc. etc. from 
>> command line.
>>
>> python winrm is good:
>>
>> [vagrant@ansible-tower ~]$ sudo su - awx
>>
>> Last login: Sat Apr  1 23:12:18 JST 2017 on pts/1
>>
>>
>> *Welcome to Ansible Tower!*
>>
>> Log into the web interface here: etc...
>>
>> -bash-4.2$ cat test.py
>>
>> import sys
>>
>> from winrm.protocol import Protocol
>>
>> HYPERV_SERVER = 'https://louis.home.cartewright.com:5986/wsman'
>>
>>
>> class RM():
>>
>>     def __init__(self):
>>         # Kerberos transport: relies on the ticket already in the caller's credential cache
>>         self.win_connect = Protocol(endpoint=HYPERV_SERVER, transport='kerberos',
>>                                     server_cert_validation='ignore')
>>
>>     def test(self):
>>         shell_id = self.win_connect.open_shell()
>>         cmd = "dir"
>>         command_id = self.win_connect.run_command(shell_id, cmd)
>>         output, error_value, exit_status = self.win_connect.get_command_output(shell_id, command_id)
>>         self.win_connect.cleanup_command(shell_id, command_id)
>>         self.win_connect.close_shell(shell_id)
>>         print(output)
>>
>>
>> def main():
>>     rm = RM()
>>     rm.test()
>>
>>
>> if __name__ == '__main__':
>>     main()
>>     sys.exit()
>>
>> -bash-4.2$ python test.py
>>
>> Volume in drive C is SAMSUNG 512GB SSD
>>
>> Volume Serial Number is 2C8F-7BFA
>>
>>
>> Directory of C:\Users\ansible
>>
>>
>> 03/31/2017  11:04 AM    <DIR>          .
>>
>> 03/31/2017  11:04 AM    <DIR>          ..
>>
>> 07/16/2016  06:47 AM    <DIR>          Desktop
>>
>> 03/31/2017  11:04 AM    <DIR>          Documents
>>
>> 07/16/2016  06:47 AM    <DIR>          Downloads
>>
>> 07/16/2016  06:47 AM    <DIR>          Favorites
>>
>> 07/16/2016  06:47 AM    <DIR>          Links
>>
>> 07/16/2016  06:47 AM    <DIR>          Music
>>
>> 07/16/2016  06:47 AM    <DIR>          Pictures
>>
>> 07/16/2016  06:47 AM    <DIR>          Saved Games
>>
>> 07/16/2016  06:47 AM    <DIR>          Videos
>>
>>               0 File(s)              0 bytes
>>
>>              11 Dir(s)  291,787,771,904 bytes free
>>
>>
>> -bash-4.2$ 
>>
>> So now, I manually create some inventory in the default directories/files 
>> for ansible (not Tower). Works perfectly:
>>
>> -bash-4.2$ cat /etc/ansible/group_vars/windows.yml 
>>
>> ansible_connection: winrm
>>
>> ansible_user: ans...@home.cartewright.com
>>
>> ansible_password: R1pflash
>>
>> ansible_winrm_server_cert_validation: ignore
>>
>>
>> -bash-4.2$ 
>>
>> -bash-4.2$ ansible windows -m win_ping -v
>>
>> Using /etc/ansible/ansible.cfg as config file
>>
>> louis.home.cartewright.com | SUCCESS => {
>>
>>     "changed": false, 
>>
>>     "ping": "pong"
>>
>> }
>>
>>
>> Now, I create the exact same inventory in tower, exact same credentials (
>> ans...@home.cartewright.com) and no matter how I tweak it, always the 
>> same thing:
>>
>> Using /etc/ansible/ansible.cfg as config file
>> SSH password:
>> Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/windows/win_ping.ps1
>> <louis.home.cartewright.com> ESTABLISH WINRM CONNECTION FOR USER: ans...@home.cartewright.com on PORT 5986 TO louis.home.cartewright.com
>> <louis.home.cartewright.com> WINRM CONNECT: transport=kerberos endpoint=https://louis.home.cartewright.com:5986/wsman
>> <louis.home.cartewright.com> WINRM CONNECTION ERROR: authGSSClientInit() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ("Can't find client principal ans...@home.cartewright.com in cache collection", -1765328243))
>> Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 154, in _winrm_connect
>>     self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
>>     res = self.send_message(xmltodict.unparse(req))
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
>>     return self.transport.send_message(message)
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/transport.py", line 181, in send_message
>>     prepared_request = self.session.prepare_request(request)
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/sessions.py", line 394, in prepare_request
>>     hooks=merge_hooks(request.hooks, self.hooks),
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/models.py", line 298, in prepare
>>     self.prepare_auth(auth, url)
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/models.py", line 500, in prepare_auth
>>     r = auth(self)
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 308, in __call__
>>     auth_header = self.generate_request_header(None, host, is_preemptive=True)
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 148, in generate_request_header
>>     raise KerberosExchangeError("%s failed: %s" % (kerb_stage, str(error.args)))
>> KerberosExchangeError: authGSSClientInit() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ("Can't find client principal ans...@home.cartewright.com in cache collection", -1765328243))
>> <louis.home.cartewright.com> WINRM CONNECT: transport=ssl endpoint=https://louis.home.cartewright.com:5986/wsman
>> <louis.home.cartewright.com> WINRM CONNECTION ERROR: the specified credentials were rejected by the server
>> Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 154, in _winrm_connect
>>     self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
>>     res = self.send_message(xmltodict.unparse(req))
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
>>     return self.transport.send_message(message)
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/transport.py", line 190, in send_message
>>     raise InvalidCredentialsError("the specified credentials were rejected by the server")
>> InvalidCredentialsError: the specified credentials were rejected by the server
>> louis.home.cartewright.com | UNREACHABLE! => {
>>     "changed": false,
>>     "msg": "kerberos: authGSSClientInit() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), (\"Can't find client principal ans...@home.cartewright.com in cache collection\", -1765328243)), ssl: the specified credentials were rejected by the server",
>>     "unreachable": true
>> }
>>
>>
>> Just completely unable to find the credentials in the cache, no matter 
>> how I do it. I've put the password in the tower credentials, in the 
>> inventory, using ASK, no matter what I do, it cannot find credentials.
>>
>> What am I missing?
>>
>> ~Bill 
>>
>
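
Added example (not part of the thread, and not Ansible or pywinrm code): the GSSAPI error quoted above is raised when no cache in the credential cache collection has the requested name as its default principal, and that comparison is case-sensitive. The script below parses `klist -A` output and reports whether a principal is present exactly, present only with different letter case, or absent; the sample listing and the `svc_ansible` / `EXAMPLE.COM` names are constructed placeholders.

```python
import re
import sys

# Constructed sample of `klist -A` output (MIT Kerberos layout); all names are placeholders.
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:1001:1001
Default principal: svc_ansible@EXAMPLE.COM

Valid starting       Expires              Service principal
04/04/2017 09:00:00  04/04/2017 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Ticket cache: KEYRING:persistent:1001:krb_ccache_Ab12Cd
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
04/04/2017 08:00:00  04/04/2017 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

def cached_principals(klist_text):
    """Return {cache name: default principal} for every cache in the listing."""
    caches, current = {}, None
    for line in klist_text.splitlines():
        m = re.match(r"Ticket cache:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"Default principal:\s*(\S+)", line)
        if m and current:
            caches[current] = m.group(1)
    return caches

def match_principal(klist_text, wanted):
    """Return 'exact', 'case-only' (same name, different case) or 'missing'."""
    principals = list(cached_principals(klist_text).values())
    if wanted in principals:
        return "exact"
    if any(wanted.lower() == p.lower() for p in principals):
        return "case-only"
    return "missing"

if __name__ == "__main__":
    # Pipe real `klist -A` output on stdin, or run with no pipe to use the sample.
    text = SAMPLE_KLIST if sys.stdin.isatty() else sys.stdin.read()
    wanted = sys.argv[1] if len(sys.argv) > 1 else "svc_ansible@example.com"
    print(wanted, "->", match_principal(text, wanted))
```

The listing has to be captured as the same OS account and in the same environment as the failing job, since each account sees its own cache collection.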
