subject:"\[ansible\-project\] Re\: Kerberos Delegation Issues"

[ansible-project] Re: Kerberos Delegation Issues

2016-10-31 Thread Surred

Okay. Do you know if it would be possible for paid support from Ansible to 
assist with troubleshooting?

On Monday, October 31, 2016 at 1:04:10 PM UTC-5, Matt Davis wrote:
>
> Don't know what else to say- works for everyone I know that's tried it, so 
> I'm suspecting some sort of local configuration or installation issue that 
> hasn't been covered yet.
>
> On Monday, October 31, 2016 at 8:09:02 AM UTC-7, Surred wrote:
>>
>> Thanks for the response Matt! I did verify we are running ansible version 
>> 2.1.1.0
>>
>> user@ansible:~> ansible --version
>> ansible 2.1.1.0
>>   config file = /etc/ansible/ansible.cfg
>>   configured module search path = Default w/o overrides
>>
>> I ran the klist command on the windows host (DC1) that ansible directly 
>> connects to via winrm and I do not see a cached ticket for the service 
>> account ansible is using. Your thoughts?
>>
>>
>> On Friday, October 28, 2016 at 1:07:11 PM UTC-5, Matt Davis wrote:
>>>
>>> You mentioned you were using ansible 2.1.0 and that you'd switched to 
>>> group_vars- that version has an inventory bug where any ansible_winrm_X 
>>> connection vars are ignored if they live in group_vars. Either upgrade to 
>>> at least 2.1.1, or move them back. Also, try doing a raw: klist on the 
>>> Windows host with delegation enabled- you should see a TGT listed.
>>>
>>> On Friday, October 28, 2016 at 10:10:45 AM UTC-7, Surred wrote:

 Apologies for the delayed response... I've been looking for ways to 
 work around this issue, but I hit a roadblock so I really need to figure 
 this out. Below are the logs from the server hosting the network share. 
 Apparently the login was successful, but it was as an anonymous user using 
 NTLM. I'm still receiving the same Access Denied message in ansible. Any 
 further assistance would be greatly appreciated. Thanks.

 Log Name:  Security
 Source:Microsoft-Windows-Security-Auditing
 Date:  10/28/2016 11:50:35 AM
 Event ID:  4624
 Task Category: Logon
 Level: Information
 Keywords:  Audit Success
 User:  N/A
 Computer:  SCCM01.domain.com
 Description:
 An account was successfully logged on.

 Subject:
 Security ID: NULL SID
 Account Name: -
 Account Domain: -
 Logon ID: 0x0

 Logon Type: 3

 Impersonation Level: Impersonation

 New Logon:
 Security ID: ANONYMOUS LOGON
 Account Name: ANONYMOUS LOGON
 Account Domain: NT AUTHORITY
 Logon ID: 0x614767F6
 Logon GUID: {----}

 Process Information:
 Process ID: 0x0
 Process Name: -

 Network Information:
 Workstation Name: DC1.domain.com
 Source Network Address: x.x.x.x
 Source Port: 59019

 Detailed Authentication Information:
 Logon Process: NtLmSsp 
 Authentication Package: NTLM
 Transited Services: -
 Package Name (NTLM only): NTLM V1
 Key Length: 128

 This event is generated when a logon session is created. It is 
 generated on the computer that was accessed.

 The subject fields indicate the account on the local system which 
 requested the logon. This is most commonly a service such as the Server 
 service, or a local process such as Winlogon.exe or Services.exe.

 The logon type field indicates the kind of logon that occurred. The 
 most common types are 2 (interactive) and 3 (network).

 The New Logon fields indicate the account for whom the new logon was 
 created, i.e. the account that was logged on.

 The network fields indicate where a remote logon request originated. 
 Workstation name is not always available and may be left blank in some 
 cases.

 The impersonation level field indicates the extent to which a process 
 in the logon session can impersonate.

 The authentication information fields provide detailed information 
 about this specific logon request.
 - Logon GUID is a unique identifier that can be used to correlate this 
 event with a KDC event.
 - Transited services indicate which intermediate services have 
 participated in this logon request.
 - Package name indicates which sub-protocol was used among the NTLM 
 protocols.
 - Key length indicates the length of the generated session key. This 
 will be 0 if no session key was requested.
 Event Xml:
 http://schemas.microsoft.com/win/2004/08/events/event";>

 >>> Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
 4624
 1
 0
 12544
 0
 0x8020

 2087408

 Security
 SCCM01.domain.com

 S-1-0-0
 -
 -
 0x0
 S-1-5-7
 ANONYMOUS LOGON
 NT AUTHORITY
 0x614767f6
 3
 NtLm

[ansible-project] Re: Kerberos Delegation Issues

2016-10-31 Thread Matt Davis

Don't know what else to say- works for everyone I know that's tried it, so 
I'm suspecting some sort of local configuration or installation issue that 
hasn't been covered yet.

On Monday, October 31, 2016 at 8:09:02 AM UTC-7, Surred wrote:
>
> Thanks for the response Matt! I did verify we are running ansible version 
> 2.1.1.0
>
> user@ansible:~> ansible --version
> ansible 2.1.1.0
>   config file = /etc/ansible/ansible.cfg
>   configured module search path = Default w/o overrides
>
> I ran the klist command on the windows host (DC1) that ansible directly 
> connects to via winrm and I do not see a cached ticket for the service 
> account ansible is using. Your thoughts?
>
>
> On Friday, October 28, 2016 at 1:07:11 PM UTC-5, Matt Davis wrote:
>>
>> You mentioned you were using ansible 2.1.0 and that you'd switched to 
>> group_vars- that version has an inventory bug where any ansible_winrm_X 
>> connection vars are ignored if they live in group_vars. Either upgrade to 
>> at least 2.1.1, or move them back. Also, try doing a raw: klist on the 
>> Windows host with delegation enabled- you should see a TGT listed.
>>
>> On Friday, October 28, 2016 at 10:10:45 AM UTC-7, Surred wrote:
>>>
>>> Apologies for the delayed response... I've been looking for ways to work 
>>> around this issue, but I hit a roadblock so I really need to figure this 
>>> out. Below are the logs from the server hosting the network share. 
>>> Apparently the login was successful, but it was as an anonymous user using 
>>> NTLM. I'm still receiving the same Access Denied message in ansible. Any 
>>> further assistance would be greatly appreciated. Thanks.
>>>
>>> Log Name:  Security
>>> Source:Microsoft-Windows-Security-Auditing
>>> Date:  10/28/2016 11:50:35 AM
>>> Event ID:  4624
>>> Task Category: Logon
>>> Level: Information
>>> Keywords:  Audit Success
>>> User:  N/A
>>> Computer:  SCCM01.domain.com
>>> Description:
>>> An account was successfully logged on.
>>>
>>> Subject:
>>> Security ID: NULL SID
>>> Account Name: -
>>> Account Domain: -
>>> Logon ID: 0x0
>>>
>>> Logon Type: 3
>>>
>>> Impersonation Level: Impersonation
>>>
>>> New Logon:
>>> Security ID: ANONYMOUS LOGON
>>> Account Name: ANONYMOUS LOGON
>>> Account Domain: NT AUTHORITY
>>> Logon ID: 0x614767F6
>>> Logon GUID: {----}
>>>
>>> Process Information:
>>> Process ID: 0x0
>>> Process Name: -
>>>
>>> Network Information:
>>> Workstation Name: DC1.domain.com
>>> Source Network Address: x.x.x.x
>>> Source Port: 59019
>>>
>>> Detailed Authentication Information:
>>> Logon Process: NtLmSsp 
>>> Authentication Package: NTLM
>>> Transited Services: -
>>> Package Name (NTLM only): NTLM V1
>>> Key Length: 128
>>>
>>> This event is generated when a logon session is created. It is generated 
>>> on the computer that was accessed.
>>>
>>> The subject fields indicate the account on the local system which 
>>> requested the logon. This is most commonly a service such as the Server 
>>> service, or a local process such as Winlogon.exe or Services.exe.
>>>
>>> The logon type field indicates the kind of logon that occurred. The most 
>>> common types are 2 (interactive) and 3 (network).
>>>
>>> The New Logon fields indicate the account for whom the new logon was 
>>> created, i.e. the account that was logged on.
>>>
>>> The network fields indicate where a remote logon request originated. 
>>> Workstation name is not always available and may be left blank in some 
>>> cases.
>>>
>>> The impersonation level field indicates the extent to which a process in 
>>> the logon session can impersonate.
>>>
>>> The authentication information fields provide detailed information about 
>>> this specific logon request.
>>> - Logon GUID is a unique identifier that can be used to correlate this 
>>> event with a KDC event.
>>> - Transited services indicate which intermediate services have 
>>> participated in this logon request.
>>> - Package name indicates which sub-protocol was used among the NTLM 
>>> protocols.
>>> - Key length indicates the length of the generated session key. This 
>>> will be 0 if no session key was requested.
>>> Event Xml:
>>> http://schemas.microsoft.com/win/2004/08/events/event";>
>>>   
>>> >> Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
>>> 4624
>>> 1
>>> 0
>>> 12544
>>> 0
>>> 0x8020
>>> 
>>> 2087408
>>> 
>>> 
>>> Security
>>> SCCM01.domain.com
>>> 
>>>   
>>>   
>>> S-1-0-0
>>> -
>>> -
>>> 0x0
>>> S-1-5-7
>>> ANONYMOUS LOGON
>>> NT AUTHORITY
>>> 0x614767f6
>>> 3
>>> NtLmSsp 
>>> NTLM
>>> DC1.domain.com
>>> {----}
>>> -
>>> NTLM V1
>>> 128
>>> 0x0
>>> -
>>> x.x.x.x
>>> 59019
>>> %%1833
>>>   
>>> 
>>>
>>>
>>>
>>>
>>> Log Name:  Security
>>> Source:Microsoft-Windows-Security-Auditing
>>> Date:

[ansible-project] Re: Kerberos Delegation Issues

2016-10-31 Thread Surred

Thanks for the response Matt! I did verify we are running ansible version 
2.1.1.0

user@ansible:~> ansible --version
ansible 2.1.1.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides

I ran the klist command on the windows host (DC1) that ansible directly 
connects to via winrm and I do not see a cached ticket for the service 
account ansible is using. Your thoughts?


On Friday, October 28, 2016 at 1:07:11 PM UTC-5, Matt Davis wrote:
>
> You mentioned you were using ansible 2.1.0 and that you'd switched to 
> group_vars- that version has an inventory bug where any ansible_winrm_X 
> connection vars are ignored if they live in group_vars. Either upgrade to 
> at least 2.1.1, or move them back. Also, try doing a raw: klist on the 
> Windows host with delegation enabled- you should see a TGT listed.
>
> On Friday, October 28, 2016 at 10:10:45 AM UTC-7, Surred wrote:
>>
>> Apologies for the delayed response... I've been looking for ways to work 
>> around this issue, but I hit a roadblock so I really need to figure this 
>> out. Below are the logs from the server hosting the network share. 
>> Apparently the login was successful, but it was as an anonymous user using 
>> NTLM. I'm still receiving the same Access Denied message in ansible. Any 
>> further assistance would be greatly appreciated. Thanks.
>>
>> Log Name:  Security
>> Source:Microsoft-Windows-Security-Auditing
>> Date:  10/28/2016 11:50:35 AM
>> Event ID:  4624
>> Task Category: Logon
>> Level: Information
>> Keywords:  Audit Success
>> User:  N/A
>> Computer:  SCCM01.domain.com
>> Description:
>> An account was successfully logged on.
>>
>> Subject:
>> Security ID: NULL SID
>> Account Name: -
>> Account Domain: -
>> Logon ID: 0x0
>>
>> Logon Type: 3
>>
>> Impersonation Level: Impersonation
>>
>> New Logon:
>> Security ID: ANONYMOUS LOGON
>> Account Name: ANONYMOUS LOGON
>> Account Domain: NT AUTHORITY
>> Logon ID: 0x614767F6
>> Logon GUID: {----}
>>
>> Process Information:
>> Process ID: 0x0
>> Process Name: -
>>
>> Network Information:
>> Workstation Name: DC1.domain.com
>> Source Network Address: x.x.x.x
>> Source Port: 59019
>>
>> Detailed Authentication Information:
>> Logon Process: NtLmSsp 
>> Authentication Package: NTLM
>> Transited Services: -
>> Package Name (NTLM only): NTLM V1
>> Key Length: 128
>>
>> This event is generated when a logon session is created. It is generated 
>> on the computer that was accessed.
>>
>> The subject fields indicate the account on the local system which 
>> requested the logon. This is most commonly a service such as the Server 
>> service, or a local process such as Winlogon.exe or Services.exe.
>>
>> The logon type field indicates the kind of logon that occurred. The most 
>> common types are 2 (interactive) and 3 (network).
>>
>> The New Logon fields indicate the account for whom the new logon was 
>> created, i.e. the account that was logged on.
>>
>> The network fields indicate where a remote logon request originated. 
>> Workstation name is not always available and may be left blank in some 
>> cases.
>>
>> The impersonation level field indicates the extent to which a process in 
>> the logon session can impersonate.
>>
>> The authentication information fields provide detailed information about 
>> this specific logon request.
>> - Logon GUID is a unique identifier that can be used to correlate this 
>> event with a KDC event.
>> - Transited services indicate which intermediate services have 
>> participated in this logon request.
>> - Package name indicates which sub-protocol was used among the NTLM 
>> protocols.
>> - Key length indicates the length of the generated session key. This will 
>> be 0 if no session key was requested.
>> Event Xml:
>> http://schemas.microsoft.com/win/2004/08/events/event";>
>>   
>> > Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
>> 4624
>> 1
>> 0
>> 12544
>> 0
>> 0x8020
>> 
>> 2087408
>> 
>> 
>> Security
>> SCCM01.domain.com
>> 
>>   
>>   
>> S-1-0-0
>> -
>> -
>> 0x0
>> S-1-5-7
>> ANONYMOUS LOGON
>> NT AUTHORITY
>> 0x614767f6
>> 3
>> NtLmSsp 
>> NTLM
>> DC1.domain.com
>> {----}
>> -
>> NTLM V1
>> 128
>> 0x0
>> -
>> x.x.x.x
>> 59019
>> %%1833
>>   
>> 
>>
>>
>>
>>
>> Log Name:  Security
>> Source:Microsoft-Windows-Security-Auditing
>> Date:  10/28/2016 11:50:35 AM
>> Event ID:  5140
>> Task Category: File Share
>> Level: Information
>> Keywords:  Audit Success
>> User:  N/A
>> Computer:  SCCM01.domain.com
>> Description:
>> A network share object was accessed.
>> Subject:
>> Security ID: ANONYMOUS LOGON
>> Account Name: ANONYMOUS LOGON
>> Account Domain: NT AUTHORITY
>> Logon ID: 0x614767F6
>>
>> Network Informa

[ansible-project] Re: Kerberos Delegation Issues

2016-10-28 Thread Matt Davis

You mentioned you were using ansible 2.1.0 and that you'd switched to 
group_vars- that version has an inventory bug where any ansible_winrm_X 
connection vars are ignored if they live in group_vars. Either upgrade to 
at least 2.1.1, or move them back. Also, try doing a raw: klist on the 
Windows host with delegation enabled- you should see a TGT listed.

On Friday, October 28, 2016 at 10:10:45 AM UTC-7, Surred wrote:
>
> Apologies for the delayed response... I've been looking for ways to work 
> around this issue, but I hit a roadblock so I really need to figure this 
> out. Below are the logs from the server hosting the network share. 
> Apparently the login was successful, but it was as an anonymous user using 
> NTLM. I'm still receiving the same Access Denied message in ansible. Any 
> further assistance would be greatly appreciated. Thanks.
>
> Log Name:  Security
> Source:Microsoft-Windows-Security-Auditing
> Date:  10/28/2016 11:50:35 AM
> Event ID:  4624
> Task Category: Logon
> Level: Information
> Keywords:  Audit Success
> User:  N/A
> Computer:  SCCM01.domain.com
> Description:
> An account was successfully logged on.
>
> Subject:
> Security ID: NULL SID
> Account Name: -
> Account Domain: -
> Logon ID: 0x0
>
> Logon Type: 3
>
> Impersonation Level: Impersonation
>
> New Logon:
> Security ID: ANONYMOUS LOGON
> Account Name: ANONYMOUS LOGON
> Account Domain: NT AUTHORITY
> Logon ID: 0x614767F6
> Logon GUID: {----}
>
> Process Information:
> Process ID: 0x0
> Process Name: -
>
> Network Information:
> Workstation Name: DC1.domain.com
> Source Network Address: x.x.x.x
> Source Port: 59019
>
> Detailed Authentication Information:
> Logon Process: NtLmSsp 
> Authentication Package: NTLM
> Transited Services: -
> Package Name (NTLM only): NTLM V1
> Key Length: 128
>
> This event is generated when a logon session is created. It is generated 
> on the computer that was accessed.
>
> The subject fields indicate the account on the local system which 
> requested the logon. This is most commonly a service such as the Server 
> service, or a local process such as Winlogon.exe or Services.exe.
>
> The logon type field indicates the kind of logon that occurred. The most 
> common types are 2 (interactive) and 3 (network).
>
> The New Logon fields indicate the account for whom the new logon was 
> created, i.e. the account that was logged on.
>
> The network fields indicate where a remote logon request originated. 
> Workstation name is not always available and may be left blank in some 
> cases.
>
> The impersonation level field indicates the extent to which a process in 
> the logon session can impersonate.
>
> The authentication information fields provide detailed information about 
> this specific logon request.
> - Logon GUID is a unique identifier that can be used to correlate this 
> event with a KDC event.
> - Transited services indicate which intermediate services have 
> participated in this logon request.
> - Package name indicates which sub-protocol was used among the NTLM 
> protocols.
> - Key length indicates the length of the generated session key. This will 
> be 0 if no session key was requested.
> Event Xml:
> http://schemas.microsoft.com/win/2004/08/events/event";>
>   
>  Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
> 4624
> 1
> 0
> 12544
> 0
> 0x8020
> 
> 2087408
> 
> 
> Security
> SCCM01.domain.com
> 
>   
>   
> S-1-0-0
> -
> -
> 0x0
> S-1-5-7
> ANONYMOUS LOGON
> NT AUTHORITY
> 0x614767f6
> 3
> NtLmSsp 
> NTLM
> DC1.domain.com
> {----}
> -
> NTLM V1
> 128
> 0x0
> -
> x.x.x.x
> 59019
> %%1833
>   
> 
>
>
>
>
> Log Name:  Security
> Source:Microsoft-Windows-Security-Auditing
> Date:  10/28/2016 11:50:35 AM
> Event ID:  5140
> Task Category: File Share
> Level: Information
> Keywords:  Audit Success
> User:  N/A
> Computer:  SCCM01.domain.com
> Description:
> A network share object was accessed.
> Subject:
> Security ID: ANONYMOUS LOGON
> Account Name: ANONYMOUS LOGON
> Account Domain: NT AUTHORITY
> Logon ID: 0x614767F6
>
> Network Information: 
> Object Type: File
> Source Address: x.x.x.x
> Source Port: 59019
> Share Information:
> Share Name: \\*\IPC$
> Share Path: 
>
> Access Request Information:
> Access Mask: 0x1
> Accesses: ReadData (or ListDirectory)
>
> Event Xml:
> http://schemas.microsoft.com/win/2004/08/events/event";>
>   
>  Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
> 5140
> 1
> 0
> 12808
> 0
> 0x8020
> 
> 2087409
> 
> 
> Security
> SCCM01.domain.com
> 
>   
>   
> S-1-5-7
> ANONYMOUS LOGON
> NT AUTHORITY
> 0x614767f6
> File
> x.x.x.x
> 59019
> \\*\IPC$
>

[ansible-project] Re: Kerberos Delegation Issues

2016-10-28 Thread Surred

Apologies for the delayed response... I've been looking for ways to work 
around this issue, but I hit a roadblock so I really need to figure this 
out. Below are the logs from the server hosting the network share. 
Apparently the login was successful, but it was as an anonymous user using 
NTLM. I'm still receiving the same Access Denied message in ansible. Any 
further assistance would be greatly appreciated. Thanks.

Log Name:  Security
Source:Microsoft-Windows-Security-Auditing
Date:  10/28/2016 11:50:35 AM
Event ID:  4624
Task Category: Logon
Level: Information
Keywords:  Audit Success
User:  N/A
Computer:  SCCM01.domain.com
Description:
An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Impersonation Level: Impersonation

New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x614767F6
Logon GUID: {----}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name: DC1.domain.com
Source Network Address: x.x.x.x
Source Port: 59019

Detailed Authentication Information:
Logon Process: NtLmSsp 
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 128

This event is generated when a logon session is created. It is generated on 
the computer that was accessed.

The subject fields indicate the account on the local system which requested 
the logon. This is most commonly a service such as the Server service, or a 
local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most 
common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was 
created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some 
cases.

The impersonation level field indicates the extent to which a process in 
the logon session can impersonate.

The authentication information fields provide detailed information about 
this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this 
event with a KDC event.
- Transited services indicate which intermediate services have participated 
in this logon request.
- Package name indicates which sub-protocol was used among the NTLM 
protocols.
- Key length indicates the length of the generated session key. This will 
be 0 if no session key was requested.
Event Xml:
http://schemas.microsoft.com/win/2004/08/events/event";>

4624
1
0
12544
0
0x8020

2087408

Security
SCCM01.domain.com

S-1-0-0
-
-
0x0
S-1-5-7
ANONYMOUS LOGON
NT AUTHORITY
0x614767f6
3
NtLmSsp 
NTLM
DC1.domain.com
{----}
-
NTLM V1
128
0x0
-
x.x.x.x
59019
%%1833

Log Name:  Security
Source:Microsoft-Windows-Security-Auditing
Date:  10/28/2016 11:50:35 AM
Event ID:  5140
Task Category: File Share
Level: Information
Keywords:  Audit Success
User:  N/A
Computer:  SCCM01.domain.com
Description:
A network share object was accessed.
Subject:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x614767F6

Network Information: 
Object Type: File
Source Address: x.x.x.x
Source Port: 59019
Share Information:
Share Name: \\*\IPC$
Share Path: 

Access Request Information:
Access Mask: 0x1
Accesses: ReadData (or ListDirectory)

Event Xml:
http://schemas.microsoft.com/win/2004/08/events/event";>

5140
1
0
12808
0
0x8020

2087409

Security
SCCM01.domain.com

S-1-5-7
ANONYMOUS LOGON
NT AUTHORITY
0x614767f6
File
x.x.x.x
59019
\\*\IPC$

0x1
%%4416

On Thursday, September 22, 2016 at 2:15:09 AM UTC-5, J Hawkesworth wrote:
>
> Have a look in the event logs.  I suspect all you will see is 'Access is 
> denied'.  Worth looking on the network share machine (if it is an actual 
> windows box).  If it isn't a windows box I guess there will be some kind of 
> samba share logging that you could examine too.
>
> Make sure that you are using the same user when logged in via remote 
> desktop as the user that ansible is using.
>
> You could check for logon events in the event viewer and see what 
> privileges are assigned to your ansible user and see how these differ 
> when you login via RDP.
>
> My understanding is that the auth delegation changes the kerberos ticket 
> in some some way so you could try examining the kerberos ticket using klist 
> - unfortunately I can't try

[ansible-project] Re: Kerberos Delegation Issues

2016-09-22 Thread 'J Hawkesworth' via Ansible Project

Have a look in the event logs.  I suspect all you will see is 'Access is 
denied'.  Worth looking on the network share machine (if it is an actual 
windows box).  If it isn't a windows box I guess there will be some kind of 
samba share logging that you could examine too.

Make sure that you are using the same user when logged in via remote 
desktop as the user that ansible is using.

You could check for logon events in the event viewer and see what 
privileges are assigned to your ansible user and see how these differ 
when you login via RDP.

My understanding is that the auth delegation changes the kerberos ticket in 
some some way so you could try examining the kerberos ticket using klist - 
unfortunately I can't try this myself at the moment.

I wonder if it is possible for the domain controller to disallow granting 
the necessary kerberos ticket for auth delegation.  Perhaps ask Active 
Directory administrators if they can do anything like this and whether it 
it is in place.

I still think that you are 'almost there' with solving this problem.

Hope the above helps,

Jon


On Tuesday, September 20, 2016 at 3:35:27 PM UTC+1, Surred wrote:
>
> JH,
>
> Do you know of any other tests/logging I could try/review to determine why 
> the kerberos delegation is not working in my environment?
>
> On Friday, September 16, 2016 at 2:22:05 AM UTC-5, J Hawkesworth wrote:
>>
>> Sorry, I should have been clearer.  2.0.0.2 and 2.1.1 are ansible 
>> versions.
>>
>>
>>
>> On Thursday, September 15, 2016 at 4:11:02 PM UTC+1, Surred wrote:
>>>
>>> Thanks for the response JH. I've moved the winrm connection details to 
>>> group_vars as you suggested, but am still not able to list the files of a 
>>> network share. You said you are using "2.0.0.2  / 2.1.1" Can you please 
>>> clarify those version numbers and what they are associated with?
>>>
>>> host file:
>>> user@ansible:~/ansible> cat inventories/domain
>>> [test]
>>> dc1.domain.com
>>>
>>>
>>> group_vars:
>>> user@ansible:~/ansible> cat inventories/group_vars/test.yml
>>> ---
>>>
>>> ansible_ssh_port: 5986
>>> ansible_connection: winrm
>>> ansible_winrm_transport: kerberos
>>> ansible_winrm_kerberos_delegation: yes
>>> ansible_ssh_user: ansib...@domain.com
>>> ansible_winrm_server_cert_validation: ignore
>>>
>>>
>>> output of playbook (i've added a debug task to dump the variables):
>>> user@ansible:~/ansible> ansible-playbook test.yml -i inventories/domain 
>>> -v
>>> Using /home/user/ansible/ansible.cfg as config file
>>> Loaded callback default of type stdout, v2.0
>>>
>>> PLAYBOOK: test.yml 
>>> *
>>> 1 plays in test.yml
>>>
>>> PLAY [list unc] 
>>> 
>>>
>>> TASK [display variables] 
>>> ***
>>> task path: /home/user/ansible/test.yml:6
>>> ok: [dc1.domain.com] => {
>>> "hostvars[inventory_hostname]": {
>>> "ansible_check_mode": false,
>>> "ansible_connection": "winrm",
>>> "ansible_ssh_port": 5986,
>>> "ansible_ssh_user": "ansib...@domain.com",
>>> "ansible_version": {
>>> "full": "2.1.0.0",
>>> "major": 2,
>>> "minor": 1,
>>> "revision": 0,
>>> "string": "2.1.0.0"
>>> },
>>> "ansible_winrm_kerberos_delegation": true,
>>> "ansible_winrm_server_cert_validation": "ignore",
>>> "ansible_winrm_transport": "kerberos",
>>> "group_names": [
>>> "test"
>>> ],
>>> "groups": {
>>> "all": [
>>> "dc1.domain.com"
>>> ],
>>> "test": [
>>> "dc1.domain.com"
>>> ],
>>> "ungrouped": []
>>> },
>>> "inventory_dir": "/home/user/ansible/inventories",
>>> "inventory_file": "inventories/domain",
>>> "inventory_hostname": "dc1.domain.com",
>>> "inventory_hostname_short": "dc1",
>>> "omit": 
>>> "__omit_place_holder__aefe246ae370864260078b474e205946a8274802",
>>> "playbook_dir": "/home/user/ansible"
>>> }
>>> }
>>>
>>> TASK [list unc] 
>>> 
>>> task path: /home/user/ansible/test.yml:9
>>>  ESTABLISH WINRM CONNECTION FOR USER: 
>>> ansib...@domain.com on PORT 5986 TO dc1.domain.com
>>>  WINRM CONNECT: transport=kerberos endpoint=
>>> https://dc1.domain.com:5986/wsman
>>>  WINRM OPEN SHELL: 33ADC923-1FA6-4D0D-B5AF-7A474202BD2E
>>>  EXEC Set-StrictMode -Version Latest
>>> (New-Item -Type Directory -Path $env:temp -Name 
>>> "ansible-tmp-1473950183.23-4669660185733").FullName | Write-Host -Separator 
>>> '';
>>>  WINRM EXEC u'PowerShell' [u'-NoProfile', 
>>> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
>>> u'-EncodedCommand', 
>>> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoA

[ansible-project] Re: Kerberos Delegation Issues

2016-09-20 Thread Surred

JH,

Do you know of any other tests/logging I could try/review to determine why 
the kerberos delegation is not working in my environment?

On Friday, September 16, 2016 at 2:22:05 AM UTC-5, J Hawkesworth wrote:
>
> Sorry, I should have been clearer.  2.0.0.2 and 2.1.1 are ansible versions.
>
>
>
> On Thursday, September 15, 2016 at 4:11:02 PM UTC+1, Surred wrote:
>>
>> Thanks for the response JH. I've moved the winrm connection details to 
>> group_vars as you suggested, but am still not able to list the files of a 
>> network share. You said you are using "2.0.0.2  / 2.1.1" Can you please 
>> clarify those version numbers and what they are associated with?
>>
>> host file:
>> user@ansible:~/ansible> cat inventories/domain
>> [test]
>> dc1.domain.com
>>
>>
>> group_vars:
>> user@ansible:~/ansible> cat inventories/group_vars/test.yml
>> ---
>>
>> ansible_ssh_port: 5986
>> ansible_connection: winrm
>> ansible_winrm_transport: kerberos
>> ansible_winrm_kerberos_delegation: yes
>> ansible_ssh_user: ansib...@domain.com
>> ansible_winrm_server_cert_validation: ignore
>>
>>
>> output of playbook (i've added a debug task to dump the variables):
>> user@ansible:~/ansible> ansible-playbook test.yml -i inventories/domain 
>> -v
>> Using /home/user/ansible/ansible.cfg as config file
>> Loaded callback default of type stdout, v2.0
>>
>> PLAYBOOK: test.yml 
>> *
>> 1 plays in test.yml
>>
>> PLAY [list unc] 
>> 
>>
>> TASK [display variables] 
>> ***
>> task path: /home/user/ansible/test.yml:6
>> ok: [dc1.domain.com] => {
>> "hostvars[inventory_hostname]": {
>> "ansible_check_mode": false,
>> "ansible_connection": "winrm",
>> "ansible_ssh_port": 5986,
>> "ansible_ssh_user": "ansib...@domain.com",
>> "ansible_version": {
>> "full": "2.1.0.0",
>> "major": 2,
>> "minor": 1,
>> "revision": 0,
>> "string": "2.1.0.0"
>> },
>> "ansible_winrm_kerberos_delegation": true,
>> "ansible_winrm_server_cert_validation": "ignore",
>> "ansible_winrm_transport": "kerberos",
>> "group_names": [
>> "test"
>> ],
>> "groups": {
>> "all": [
>> "dc1.domain.com"
>> ],
>> "test": [
>> "dc1.domain.com"
>> ],
>> "ungrouped": []
>> },
>> "inventory_dir": "/home/user/ansible/inventories",
>> "inventory_file": "inventories/domain",
>> "inventory_hostname": "dc1.domain.com",
>> "inventory_hostname_short": "dc1",
>> "omit": 
>> "__omit_place_holder__aefe246ae370864260078b474e205946a8274802",
>> "playbook_dir": "/home/user/ansible"
>> }
>> }
>>
>> TASK [list unc] 
>> 
>> task path: /home/user/ansible/test.yml:9
>>  ESTABLISH WINRM CONNECTION FOR USER: ansib...@domain.com 
>> on PORT 5986 TO dc1.domain.com
>>  WINRM CONNECT: transport=kerberos endpoint=
>> https://dc1.domain.com:5986/wsman
>>  WINRM OPEN SHELL: 33ADC923-1FA6-4D0D-B5AF-7A474202BD2E
>>  EXEC Set-StrictMode -Version Latest
>> (New-Item -Type Directory -Path $env:temp -Name 
>> "ansible-tmp-1473950183.23-4669660185733").FullName | Write-Host -Separator 
>> '';
>>  WINRM EXEC u'PowerShell' [u'-NoProfile', 
>> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
>> u'-EncodedCommand', 
>> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOQA1ADAAMQA4ADMALgAyADMALQA0ADYANgA5ADYANgAwADEAOAA1ADcAMwAzACIAKQAuAEYAdQBsAGwATgBhAG0AZQAgAHwAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAALQBTAGUAcABhAHIAYQB0AG8AcgAgACcAJwA7AA==']
>>  WINRM RESULT u'> "C:\\Users\\ansible_svc", err "">'
>>  PUT "/home/user/ansible/test.ps1" TO 
>> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1"
>>  WINRM PUT "/home/user/ansible/test.ps1" to 
>> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1"
>>  
>> (offset=46 size=46)
>>  EXEC & 
>>  
>> 'C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1'
>>  WINRM EXEC 'PowerShell' ['-NoProfile', 
>> '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', 
>> 'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABhAG4AcwBpAGIAbABlAF8AcwB2AGMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOQA1ADAAMQA4ADMALgAyADMALQA0ADYANgA5ADYANgAwADEAOAA1ADcAMwAzAFwAdABlAHMAdAAuAHAAcwAxACcA']
>>  WINRM RESULT u'> CLIXML\r\n'
>>  EXEC Set-StrictMode -Version Latest
>> Remove-Item 
>

[ansible-project] Re: Kerberos Delegation Issues

2016-09-16 Thread 'J Hawkesworth' via Ansible Project

Sorry, I should have been clearer.  2.0.0.2 and 2.1.1 are ansible versions.



On Thursday, September 15, 2016 at 4:11:02 PM UTC+1, Surred wrote:
>
> Thanks for the response JH. I've moved the winrm connection details to 
> group_vars as you suggested, but am still not able to list the files of a 
> network share. You said you are using "2.0.0.2  / 2.1.1" Can you please 
> clarify those version numbers and what they are associated with?
>
> host file:
> user@ansible:~/ansible> cat inventories/domain
> [test]
> dc1.domain.com
>
>
> group_vars:
> user@ansible:~/ansible> cat inventories/group_vars/test.yml
> ---
>
> ansible_ssh_port: 5986
> ansible_connection: winrm
> ansible_winrm_transport: kerberos
> ansible_winrm_kerberos_delegation: yes
> ansible_ssh_user: ansib...@domain.com 
> ansible_winrm_server_cert_validation: ignore
>
>
> output of playbook (i've added a debug task to dump the variables):
> user@ansible:~/ansible> ansible-playbook test.yml -i inventories/domain 
> -v
> Using /home/user/ansible/ansible.cfg as config file
> Loaded callback default of type stdout, v2.0
>
> PLAYBOOK: test.yml 
> *
> 1 plays in test.yml
>
> PLAY [list unc] 
> 
>
> TASK [display variables] 
> ***
> task path: /home/user/ansible/test.yml:6
> ok: [dc1.domain.com] => {
> "hostvars[inventory_hostname]": {
> "ansible_check_mode": false,
> "ansible_connection": "winrm",
> "ansible_ssh_port": 5986,
> "ansible_ssh_user": "ansib...@domain.com ",
> "ansible_version": {
> "full": "2.1.0.0",
> "major": 2,
> "minor": 1,
> "revision": 0,
> "string": "2.1.0.0"
> },
> "ansible_winrm_kerberos_delegation": true,
> "ansible_winrm_server_cert_validation": "ignore",
> "ansible_winrm_transport": "kerberos",
> "group_names": [
> "test"
> ],
> "groups": {
> "all": [
> "dc1.domain.com"
> ],
> "test": [
> "dc1.domain.com"
> ],
> "ungrouped": []
> },
> "inventory_dir": "/home/user/ansible/inventories",
> "inventory_file": "inventories/domain",
> "inventory_hostname": "dc1.domain.com",
> "inventory_hostname_short": "dc1",
> "omit": 
> "__omit_place_holder__aefe246ae370864260078b474e205946a8274802",
> "playbook_dir": "/home/user/ansible"
> }
> }
>
> TASK [list unc] 
> 
> task path: /home/user/ansible/test.yml:9
>  ESTABLISH WINRM CONNECTION FOR USER: ansib...@domain.com 
>  on PORT 5986 TO dc1.domain.com
>  WINRM CONNECT: transport=kerberos endpoint=
> https://dc1.domain.com:5986/wsman
>  WINRM OPEN SHELL: 33ADC923-1FA6-4D0D-B5AF-7A474202BD2E
>  EXEC Set-StrictMode -Version Latest
> (New-Item -Type Directory -Path $env:temp -Name 
> "ansible-tmp-1473950183.23-4669660185733").FullName | Write-Host -Separator 
> '';
>  WINRM EXEC u'PowerShell' [u'-NoProfile', 
> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
> u'-EncodedCommand', 
> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOQA1ADAAMQA4ADMALgAyADMALQA0ADYANgA5ADYANgAwADEAOAA1ADcAMwAzACIAKQAuAEYAdQBsAGwATgBhAG0AZQAgAHwAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAALQBTAGUAcABhAHIAYQB0AG8AcgAgACcAJwA7AA==']
>  WINRM RESULT u' "C:\\Users\\ansible_svc", err "">'
>  PUT "/home/user/ansible/test.ps1" TO 
> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1"
>  WINRM PUT "/home/user/ansible/test.ps1" to 
> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1"
>  
> (offset=46 size=46)
>  EXEC & 
>  
> 'C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1'
>  WINRM EXEC 'PowerShell' ['-NoProfile', 
> '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', 
> 'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABhAG4AcwBpAGIAbABlAF8AcwB2AGMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOQA1ADAAMQA4ADMALgAyADMALQA0ADYANgA5ADYANgAwADEAOAA1ADcAMwAzAFwAdABlAHMAdAAuAHAAcwAxACcA']
>  WINRM RESULT u' CLIXML\r\n'
>  EXEC Set-StrictMode -Version Latest
> Remove-Item 
> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733"
>  
> -Force -Recurse;
>  WINRM EXEC u'PowerShell' [u'-NoProfile', 
> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
> u'-EncodedCommand', 
> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQB

[ansible-project] Re: Kerberos Delegation Issues

2016-09-15 Thread Surred

Thanks for the response JH. I've moved the winrm connection details to 
group_vars as you suggested, but am still not able to list the files of a 
network share. You said you are using "2.0.0.2  / 2.1.1" Can you please 
clarify those version numbers and what they are associated with?

host file:
user@ansible:~/ansible> cat inventories/domain
[test]
dc1.domain.com


group_vars:
user@ansible:~/ansible> cat inventories/group_vars/test.yml
---

ansible_ssh_port: 5986
ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_winrm_kerberos_delegation: yes
ansible_ssh_user: ansible_...@domain.com
ansible_winrm_server_cert_validation: ignore


output of playbook (i've added a debug task to dump the variables):
user@ansible:~/ansible> ansible-playbook test.yml -i inventories/domain 
-v
Using /home/user/ansible/ansible.cfg as config file
Loaded callback default of type stdout, v2.0

PLAYBOOK: test.yml 
*
1 plays in test.yml

PLAY [list unc] 


TASK [display variables] 
***
task path: /home/user/ansible/test.yml:6
ok: [dc1.domain.com] => {
"hostvars[inventory_hostname]": {
"ansible_check_mode": false,
"ansible_connection": "winrm",
"ansible_ssh_port": 5986,
"ansible_ssh_user": "ansible_...@domain.com",
"ansible_version": {
"full": "2.1.0.0",
"major": 2,
"minor": 1,
"revision": 0,
"string": "2.1.0.0"
},
"ansible_winrm_kerberos_delegation": true,
"ansible_winrm_server_cert_validation": "ignore",
"ansible_winrm_transport": "kerberos",
"group_names": [
"test"
],
"groups": {
"all": [
"dc1.domain.com"
],
"test": [
"dc1.domain.com"
],
"ungrouped": []
},
"inventory_dir": "/home/user/ansible/inventories",
"inventory_file": "inventories/domain",
"inventory_hostname": "dc1.domain.com",
"inventory_hostname_short": "dc1",
"omit": 
"__omit_place_holder__aefe246ae370864260078b474e205946a8274802",
"playbook_dir": "/home/user/ansible"
}
}

TASK [list unc] 

task path: /home/user/ansible/test.yml:9
 ESTABLISH WINRM CONNECTION FOR USER: 
ansible_...@domain.com on PORT 5986 TO dc1.domain.com
 WINRM CONNECT: transport=kerberos 
endpoint=https://dc1.domain.com:5986/wsman
 WINRM OPEN SHELL: 33ADC923-1FA6-4D0D-B5AF-7A474202BD2E
 EXEC Set-StrictMode -Version Latest
(New-Item -Type Directory -Path $env:temp -Name 
"ansible-tmp-1473950183.23-4669660185733").FullName | Write-Host -Separator 
'';
 WINRM EXEC u'PowerShell' [u'-NoProfile', 
u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
u'-EncodedCommand', 
u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOQA1ADAAMQA4ADMALgAyADMALQA0ADYANgA5ADYANgAwADEAOAA1ADcAMwAzACIAKQAuAEYAdQBsAGwATgBhAG0AZQAgAHwAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAALQBTAGUAcABhAHIAYQB0AG8AcgAgACcAJwA7AA==']
 WINRM RESULT u''
 PUT "/home/user/ansible/test.ps1" TO 
"C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1"
 WINRM PUT "/home/user/ansible/test.ps1" to 
"C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1"
 
(offset=46 size=46)
 EXEC & 
 
'C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1'
 WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', 
'-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', 
'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABhAG4AcwBpAGIAbABlAF8AcwB2AGMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOQA1ADAAMQA4ADMALgAyADMALQA0ADYANgA5ADYANgAwADEAOAA1ADcAMwAzAFwAdABlAHMAdAAuAHAAcwAxACcA']
 WINRM RESULT u''
 EXEC Set-StrictMode -Version Latest
Remove-Item 
"C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733"
 
-Force -Recurse;
 WINRM EXEC u'PowerShell' [u'-NoProfile', 
u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
u'-EncodedCommand', 
u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGEAbgBzAGkAYgBsAGUAXwBzAHYAYwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADcAMwA5ADUAMAAxADgAMwAuADIAMwAtADQANgA2ADkANgA2ADAAMQA4ADUANwAzADMAIgAgAC0ARgBvAHIAYwBlACAALQBSAGUAYwB1AHIAcwBlADsA']
 WINRM RESULT u''
 WINRM CLOSE SHELL: 33ADC923-1FA6-4D0D-B5AF-7A474202BD2E
changed: [dc1.domain.com] => {"changed": true,

[ansible-project] Re: Kerberos Delegation Issues

2016-09-15 Thread 'J Hawkesworth' via Ansible Project

I just got this working a couple of days ago.
The only differences I can see between your set up and mine are

I set up win connection vars in group vars, rather than host vars (mixed 
environment - not all my hosts are windows).  Might be worth trying to 
switch to group_vars as at some point I think there was some difference in 
how host vars and group vars were loaded, although I think that has been 
resolved now.
I am using 2.0.0.2  / 2.1.1
my ansible controllers are Centos

So I suggest trying to configure with group_vars instead of host vars.

I tested a very similar one line powershell script to do the same as you 
(access files on a network share), so I'm sure this can be made to work.

Hope this helps,

Jon



On Wednesday, September 14, 2016 at 6:52:13 PM UTC+1, Surred wrote:
>
> Hello,
>
> I'm having issues getting the double hop scenario working. To test 
> kerberos delegation I have a simple PowerShell script that does a 
> Get-ChildItem on a UNC path. When running the command manually on the host 
> it works, but when executing as playbook with Ansible I get "Access 
> Denied." Below is my configuration and the verbose output I receive. Any 
> help or suggestions would be greatly appreciated.
>
>
> Environment:
> user@ansible:~/ansible> pip list 2>/dev/null | grep -i pywinrm
> pywinrm (0.2.0)
>
> user@ansible:~/ansible> ansible --version
> ansible 2.1.0.0
>   config file = /home/user/ansible/ansible.cfg
>   configured module search path = Default w/o overrides
>
> user@ansible:~/ansible> cat /etc/*-release
> NAME="SLES"
> VERSION="11.4"
> VERSION_ID="11.4"
> PRETTY_NAME="SUSE Linux Enterprise Server 11 SP4"
> ID="sles"
> ANSI_COLOR="0;32"
> CPE_NAME="cpe:/o:suse:sles:11:4"
> SUSE Linux Enterprise Server 11 (x86_64)
> VERSION = 11
> PATCHLEVEL = 4
>
>
> Inventory excerpt:
> [all:vars]
> ansible_ssh_port=5986
> ansible_connection=winrm
> ansible_winrm_transport=kerberos
> ansible_winrm_kerberos_delegation=yes
> ansible_ssh_user=ansib...@domain.com 
> ansible_winrm_server_cert_validation=ignore
>
> Playbook output:
> user@ansible:~/ansible> ansible-playbook test.yml -i inventories/domain 
> -v
> Using /home/user/ansible/ansible.cfg as config file
> Loaded callback default of type stdout, v2.0
>
> PLAYBOOK: test.yml 
> *
> 1 plays in test.yml
>
> PLAY [list unc] 
> 
>
> TASK [list unc] 
> 
> task path: /home/user/ansible/test.yml:6
>  ESTABLISH WINRM CONNECTION FOR USER: ansib...@domain.com 
>  on PORT 5986 TO dc1.domain.com
>  WINRM CONNECT: transport=kerberos endpoint=
> https://dc1.domain.com:5986/wsman
>  WINRM OPEN SHELL: 33CC652E-0DED-4C66-B898-2860580A29A8
>  EXEC Set-StrictMode -Version Latest
> (New-Item -Type Directory -Path $env:temp -Name 
> "ansible-tmp-1473809521.62-137672088908702").FullName | Write-Host 
> -Separator '';
>  WINRM EXEC u'PowerShell' [u'-NoProfile', 
> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
> u'-EncodedCommand', 
> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOAAwADkANQAyADEALgA2ADIALQAxADMANwA2ADcAMgAwADgAOAA5ADAAOAA3ADAAMgAiACkALgBGAHUAbABsAE4AYQBtAGUAIAB8ACAAVwByAGkAdABlAC0ASABvAHMAdAAgAC0AUwBlAHAAYQByAGEAdABvAHIAIAAnACcAOwA=']
>  WINRM RESULT u' "C:\\Users\\ansible_svc", err "">'
>  PUT "/home/user/ansible/test.ps1" TO 
> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1"
>  WINRM PUT "/home/user/ansible/test.ps1" to 
> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1"
>  
> (offset=46 size=46)
>  EXEC & 
>  
> 'C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1'
>  WINRM EXEC 'PowerShell' ['-NoProfile', 
> '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', 
> 'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABhAG4AcwBpAGIAbABlAF8AcwB2AGMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOAAwADkANQAyADEALgA2ADIALQAxADMANwA2ADcAMgAwADgAOAA5ADAAOAA3ADAAMgBcAHQAZQBzAHQALgBwAHMAMQAnAA==']
>  WINRM RESULT u' CLIXML\r\n'
>  EXEC Set-StrictMode -Version Latest
> Remove-Item 
> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702"
>  
> -Force -Recurse;
>  WINRM EXEC u'PowerShell' [u'-NoProfile', 
> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
> u'-EncodedCommand', 
> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGEAbgBzAGkAYgBsAGUAXwBzAHYAYwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADcAMwA4A

[ansible-project] Re: Kerberos Delegation Issues

[ansible-project] Re: Kerberos Delegation Issues

[ansible-project] Re: Kerberos Delegation Issues

[ansible-project] Re: Kerberos Delegation Issues

[ansible-project] Re: Kerberos Delegation Issues

[ansible-project] Re: Kerberos Delegation Issues

[ansible-project] Re: Kerberos Delegation Issues

[ansible-project] Re: Kerberos Delegation Issues

[ansible-project] Re: Kerberos Delegation Issues

[ansible-project] Re: Kerberos Delegation Issues

10 matches

Site Navigation

Mail list logo

Footer information