Hello,

I've been attempting to write playbooks that need to interact with Active 
Directory. I see now that a few official playbooks will be released in 2.4 
that can manage AD groups and users, which is sweet. My issue is that the 
only way I can run our current playbooks is by using a Domain Admin account 
to run them. To be more secure I don't want my Ansible account to be a DA. 
WinRM works fine for DAs from Ansible, however when I use an account that 
isn't a DA I get this error in response.

Loading callback plugin minimal of type stdout, v2.0 from 
/usr/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc
META: ran handlers
<DChostname> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on 
PORT 5986 TO <DChostname>
creating Kerberos CC at /tmp/tmpb3JbPz
calling kinit for principal [email protected]
kinit succeeded for principal [email protected]
<DChostname> WINRM CONNECT: transport=kerberos 
endpoint=https://DChostname:5986/wsman
<DChostname> WINRM CONNECTION ERROR: (u'http', u'Bad HTTP response returned 
from server. Code 500')
Traceback (most recent call last):
  File 
"/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", 
line 214, in _winrm_connect
    self.shell_id = protocol.open_shell(codepage=65001)  # UTF-8
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in 
open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in 
send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 191, in 
send_message
    raise WinRMTransportError('http', error_message)
WinRMTransportError: (u'http', u'Bad HTTP response returned from server. 
Code 500')

<DChostname> WINRM CONNECT: transport=ssl 
endpoint=https://DChostname:5986/wsman
<DChostname> WINRM CONNECTION ERROR: the specified credentials were 
rejected by the server
Traceback (most recent call last):
  File 
"/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", 
line 214, in _winrm_connect
    self.shell_id = protocol.open_shell(codepage=65001)  # UTF-8
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in 
open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in 
send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 179, in 
send_message
    raise InvalidCredentialsError("the specified credentials were rejected 
by the server")
InvalidCredentialsError: the specified credentials were rejected by the 
server

DChostname | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: (u'http', u'Bad HTTP response returned from server. 
Code 500'), ssl: the specified credentials were rejected by the server",
    "unreachable": true
}

The analytic logs on the DC show this event after the nonDAacct gets 
authenticated via kerberos: 
An error was encountered while processing an operation.
Error Code: 5
Error String:<f:WSManFault 
xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault"; Code="5" 
Machine="windows-host"><f:Message>Access is denied. 
</f:Message></f:WSManFault>


Ansible Inventory is set up like this:
[Windows:vars]
#[email protected]
[email protected]
ansible_port=5986
ansible_connection=winrm
# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation=ignore
ansible_winrm_kerberos_delegation=true

When I connect to a DC from my desktop using the PowerShell command 
"enter-pssession <DC name> -credentials <nonDAacct>"  I can access the DC 
and manipulate AD objects just fine.  It is only using Ansible that I 
cannot connect properly.

WinRM on the DCs has been configured and can use SSL. The user in 
question has been placed into the "Remote Management Users" group in the 
domain and the permissions on the Root WMI object have been altered to 
include that group as remote enabled, execute methods, and enable account 
as per this page: https://www.sevecek.com/Lists/Posts/Post.aspx?ID=280. 
That seems to enable the ability for my account to run the previously 
mentioned connection command.

Does anyone else run commands that need to interact with AD objects as an 
account that is not a DA? Any other suggestions for things to try and/or 
change? If anything isn't clear or I need to add some more detail please 
let me know and I'll be happy to share.

Thanks
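The log above shows kinit succeeding and the DC then returning "Access is denied" (Code 5), so the account authenticates but is not authorized for the resource Ansible asks for. The following diagnostic is an added example, not code from the original post or from Ansible: it lists which principals are granted access on the two WinRM entry points involved, the Microsoft.PowerShell session configuration that Enter-PSSession uses and the WinRM service RootSDDL, which (assumption, based on how WinRM authorizes plain WinRS shells) governs the cmd shell that pywinrm's open_shell() creates. It assumes an elevated PowerShell on the DC and uses placeholder principal names.

```powershell
# Added diagnostic, not part of the original post or of Ansible.
# Assumptions: run elevated on the DC; replace the placeholder account name.
param(
    [string[]]$Principals = @('BUILTIN\Remote Management Users', 'DOMAIN\nonDAacct')
)

# Return the SIDs of every access-allowed ACE in an SDDL string.
function Get-AllowedSids {
    param([string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
            $ace.SecurityIdentifier.Value
        }
    }
}

$checks = @{
    # Entry point used by Enter-PSSession (PowerShell session configuration).
    'Microsoft.PowerShell session config' =
        (Get-PSSessionConfiguration -Name Microsoft.PowerShell).SecurityDescriptorSddl
    # Entry point used by plain WinRS shells, which pywinrm's open_shell() requests (assumption).
    'WinRM service RootSDDL' =
        (Get-Item WSMan:\localhost\Service\RootSDDL).Value
}

foreach ($p in $Principals) {
    # Resolve the name to a SID so group and user entries compare reliably.
    $sid = (New-Object System.Security.Principal.NTAccount($p)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    foreach ($name in $checks.Keys) {
        $allowed = @(Get-AllowedSids -Sddl $checks[$name])
        $status = if ($allowed -contains $sid) { 'ALLOWED' } else { 'not listed' }
        '{0,-38} {1,-36} {2}' -f $name, $p, $status
    }
}
```

A principal that shows ALLOWED on the session configuration but "not listed" on RootSDDL would match the observed split between Enter-PSSession working and the Ansible connection being refused; the ACEs only show direct grants, so nested group membership still needs to be checked separately.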
