Thanks, I have tried NTLM and basic, and they both work fine. However, I am evaluating this for a 20000+ node enterprise solution, and Kerberos is a must-have requirement.
On Tuesday, April 4, 2017 at 7:37:03 PM UTC-5, Jarryd Took wrote:
> @william:
>
> With the latest requests-ntlm in combination with Ansible 2.2.0 you can use NTLM
> against Windows machines, if this floats your boat as an alternative to
> Kerberos tickets.
>
> ansible_connection: winrm
> ansible_winrm_transport: ntlm
>
> On Tuesday, April 4, 2017 at 12:27:21 AM UTC+10, William McKenzie wrote:
>>
>> Here's my setup:
>>
>> Ansible Tower 3.1.1, Basic License, using the vagrant box, with some post
>> provisioning steps to set up krb5 and join the box to my domain.
>>
>> Kerberos configuration is good. I can kinit, klist, etc. etc. from
>> command line.
>>
>> python winrm is good:
>>
>> vagrant@ansible-tower ~]$ sudo su - awx
>> Last login: Sat Apr 1 23:12:18 JST 2017 on pts/1
>>
>> *Welcome to Ansible Tower!*
>>
>> Log into the web interface here: etc...
>>
>> -bash-4.2$ cat test.py
>> import sys
>> from winrm.protocol import Protocol
>>
>> HYPERV_SERVER = 'https://louis.home.cartewright.com:5986/wsman'
>>
>> class RM():
>>
>>     def __init__(self):
>>         self.win_connect = Protocol(endpoint=HYPERV_SERVER, transport='kerberos', server_cert_validation='ignore')
>>
>>     def test(self):
>>         shell_id = self.win_connect.open_shell()
>>         cmd = "dir"
>>         command_id = self.win_connect.run_command(shell_id, cmd)
>>         output,error_value,exit_status = self.win_connect.get_command_output(shell_id, command_id)
>>         self.win_connect.cleanup_command(shell_id, command_id)
>>         self.win_connect.close_shell(shell_id)
>>         print output
>>
>> def main():
>>     rm = RM()
>>     rm.test()
>>
>> if __name__ == '__main__':
>>     main()
>>     sys.exit()
>>
>> -bash-4.2$ python test.py
>>  Volume in drive C is SAMSUNG 512GB SSD
>>  Volume Serial Number is 2C8F-7BFA
>>
>>  Directory of C:\Users\ansible
>>
>> 03/31/2017 11:04 AM <DIR> .
>> 03/31/2017 11:04 AM <DIR> ..
>> 07/16/2016 06:47 AM <DIR> Desktop
>> 03/31/2017 11:04 AM <DIR> Documents
>> 07/16/2016 06:47 AM <DIR> Downloads
>> 07/16/2016 06:47 AM <DIR> Favorites
>> 07/16/2016 06:47 AM <DIR> Links
>> 07/16/2016 06:47 AM <DIR> Music
>> 07/16/2016 06:47 AM <DIR> Pictures
>> 07/16/2016 06:47 AM <DIR> Saved Games
>> 07/16/2016 06:47 AM <DIR> Videos
>> 0 File(s) 0 bytes
>> 11 Dir(s) 291,787,771,904 bytes free
>>
>> -bash-4.2$
>>
>> So now, I manually create some inventory in the default directories/files
>> for ansible (not Tower). Works perfectly:
>>
>> -bash-4.2$ cat /etc/ansible/group_vars/windows.yml
>> ansible_connection: winrm
>> ansible_user: [email protected]
>> ansible_password: R1pflash
>> ansible_winrm_server_cert_validation: ignore
>>
>> -bash-4.2$
>> -bash-4.2$ ansible windows -m win_ping -v
>> Using /etc/ansible/ansible.cfg as config file
>> louis.home.cartewright.com | SUCCESS => {
>>     "changed": false,
>>     "ping": "pong"
>> }
>>
>> Now, I create the exact same inventory in tower, exact same credentials
>> ([email protected]) and no matter how I tweak it, always the
>> same thing:
>>
>> Using /etc/ansible/ansible.cfg as config file
>> SSH password:
>> Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/windows/win_ping.ps1
>> <louis.home.cartewright.com> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO louis.home.cartewright.com
>> <louis.home.cartewright.com> WINRM CONNECT: transport=kerberos endpoint=https://louis.home.cartewright.com:5986/wsman
>> <louis.home.cartewright.com> WINRM CONNECTION ERROR: authGSSClientInit() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ("Can't find client principal [email protected] in cache collection", -1765328243))
>> Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 154, in _winrm_connect
>>     self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
>>     res = self.send_message(xmltodict.unparse(req))
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
>>     return self.transport.send_message(message)
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/transport.py", line 181, in send_message
>>     prepared_request = self.session.prepare_request(request)
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/sessions.py", line 394, in prepare_request
>>     hooks=merge_hooks(request.hooks, self.hooks),
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/models.py", line 298, in prepare
>>     self.prepare_auth(auth, url)
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/models.py", line 500, in prepare_auth
>>     r = auth(self)
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 308, in __call__
>>     auth_header = self.generate_request_header(None, host, is_preemptive=True)
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 148, in generate_request_header
>>     raise KerberosExchangeError("%s failed: %s" % (kerb_stage, str(error.args)))
>> KerberosExchangeError: authGSSClientInit() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ("Can't find client principal [email protected] in cache collection", -1765328243))
>> <louis.home.cartewright.com> WINRM CONNECT: transport=ssl endpoint=https://louis.home.cartewright.com:5986/wsman
>> <louis.home.cartewright.com> WINRM CONNECTION ERROR: the specified credentials were rejected by the server
>> Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 154, in _winrm_connect
>>     self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
>>     res = self.send_message(xmltodict.unparse(req))
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
>>     return self.transport.send_message(message)
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/transport.py", line 190, in send_message
>>     raise InvalidCredentialsError("the specified credentials were rejected by the server")
>> InvalidCredentialsError: the specified credentials were rejected by the server
>> louis.home.cartewright.com | UNREACHABLE! => {
>>     "changed": false,
>>     "msg": "kerberos: authGSSClientInit() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), (\"Can't find client principal [email protected] in cache collection\", -1765328243)), ssl: the specified credentials were rejected by the server",
>>     "unreachable": true
>> }
>>
>> Just completely unable to find the credentials in the cache, no matter
>> how I do it. I've put the password in the tower credentials, in the
>> inventory, using ASK, no matter what I do, it cannot find credentials.
>>
>> What am I missing?
>>
>> ~Bill
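An added example, not part of the original thread and not Ansible or pywinrm code: it splits the per-transport failure message from the quoted job output and decodes the GSS-API major status and krb5 minor code it contains. The function names are hypothetical, the sample message is constructed from the quoted error with a placeholder principal, and the code tables are taken from RFC 2744 and the MIT krb5 error table.

```python
import re

# Routine errors live in bits 16-23 of a GSS-API major status (RFC 2744).
GSS_ROUTINE = {7: "GSS_S_NO_CRED", 11: "GSS_S_CREDENTIALS_EXPIRED",
               13: "GSS_S_FAILURE"}
# MIT krb5 minor codes are offsets from the krb5 com_err table base.
KRB5_BASE = -1765328384
KRB5_MINOR = {37: "KRB5KRB_AP_ERR_SKEW", 141: "KRB5_CC_NOTFOUND",
              195: "KRB5_FCC_NOFILE"}

# Matches (('major text', MAJOR), ("minor text", MINOR)) as it appears in
# the authGSSClientInit() failure message.
PAIR = re.compile(r"""\(\((['"])(.*?)\1, (-?\d+)\), \((['"])(.*?)\4, (-?\d+)\)\)""")

# Constructed sample: the "msg" value from the quoted job output, with a
# placeholder principal (the real one is redacted on the page).
SAMPLE_MSG = (
    "kerberos: authGSSClientInit() failed: "
    "(('Unspecified GSS failure. Minor code may provide more information', 851968), "
    "(\"Can't find client principal user@EXAMPLE.COM in cache collection\", -1765328243)), "
    "ssl: the specified credentials were rejected by the server"
)

def split_transports(msg):
    """Map each attempted WinRM transport to its own failure text."""
    parts = re.split(r"(?:^|, )(kerberos|ssl|ntlm): ", msg)
    return dict(zip(parts[1::2], parts[2::2]))

def decode_gss_failure(text):
    """Decode the GSS major/minor pair in text; None if there is none."""
    m = PAIR.search(text)
    if m is None:
        return None
    major, minor = int(m.group(3)), int(m.group(6))
    routine = (major >> 16) & 0xFF
    offset = minor - KRB5_BASE
    return {
        "calling_error": (major >> 24) & 0xFF,
        "routine_error": GSS_ROUTINE.get(routine, "routine error %d" % routine),
        "supplementary": major & 0xFFFF,
        "krb5_offset": offset,
        "krb5_error": KRB5_MINOR.get(offset, "unknown krb5 code"),
        "minor_text": m.group(5),
    }

if __name__ == "__main__":
    for transport, detail in split_transports(SAMPLE_MSG).items():
        print(transport, decode_gss_failure(detail) or detail)
```

GSS_S_FAILURE only says the mechanism failed; the krb5 minor code carries the cause, and KRB5_CC_NOTFOUND means the credential cache seen by the failing process holds no ticket for that client principal.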
