[ansible-project] Re: Kerberos in Ansible Tower, pulling my hair out.

2017-04-05 Thread William McKenzie
Thanks, I have tried NTLM and basic, and they both work fine. However, I am evaluating this for a 2+ node enterprise solution, and Kerberos is a must-have requirement. On Tuesday, April 4, 2017 at 7:37:03 PM UTC-5, Jarryd Took wrote: > > @william: > > The latest requests-ntlm in

[ansible-project] Re: Kerberos in Ansible Tower, pulling my hair out.

2017-04-04 Thread Jarryd Took
@william: The latest requests-ntlm in combination of Ansible 2.2.0 you can use NTLM against Windows machines. If this floats your boat as an alternative to kerberos tickets. ansible_connection: winrm ansible_winrm_transport: ntlm On Tuesday, April 4, 2017 at 12:27:21 AM UTC+10, William

Re: [ansible-project] Re: Kerberos in Ansible Tower, pulling my hair out.

2017-04-04 Thread William McKenzie
Bingo. I was suspecting some kind of isolation thing, because it was so clear that the environment was different when running a playbook than at the command line, even when sudo'd as awx. Many thanks. I'll never get that week back, but I love a mystery solved. ~Bill On Tue, Apr 4, 2017 at 3:59

Re: [ansible-project] Re: Kerberos in Ansible Tower, pulling my hair out.

2017-04-04 Thread Matt Davis
Tower uses an isolation tech called proot that will often break shared ticket caches. If you can't wait for Ansible 2.3 (should be released within the next couple weeks), I'd suggest disabling proot (IIRC it's in settings.py, but my Tower-fu is getting rusty). On Tuesday, April 4, 2017 at

Re: [ansible-project] Re: Kerberos in Ansible Tower, pulling my hair out.

2017-04-04 Thread William McKenzie
time is definitely good. i run ntpdate in my vagrant provisioning script just to be sure. On Tue, Apr 4, 2017 at 2:20 PM, cupcake wrote: > sanity check; is time in sync? windows AD/kerb wont auth if the skew is > more than 5 or 10 minutes off. I also saw some weirdness

[ansible-project] Re: Kerberos in Ansible Tower, pulling my hair out.

2017-04-04 Thread cupcake
sanity check; is time in sync? windows AD/kerb wont auth if the skew is more than 5 or 10 minutes off. I also saw some weirdness like this recently and a reboot and then kinit again made it work but i think due to another config reason on my part. On Tuesday, April 4, 2017 at 9:09:27 AM UTC-4,

[ansible-project] Re: Kerberos in Ansible Tower, pulling my hair out.

2017-04-04 Thread William McKenzie
I think that's what I'm doing. I've tried doing the kinit from the console, doing the kinit in a cron job, doing the kinit manually in a playbook before running the winrm play book, and doing it as a local_action in the winrm playbook itself. In all cases (except the last one), the kinit

[ansible-project] Re: Kerberos in Ansible Tower, pulling my hair out.

2017-04-03 Thread Matt Davis
Ansible doesn't manage the tickets for you until Ansible Core 2.3 (still in release candidate). Anything earlier, you'll have to do the kinit on the controller yourself (either via a cron job or as part of your playbook with a local action). On Monday, April 3, 2017 at 7:27:21 AM UTC-7,