Ansible to Windows using Kerberos does not work

I am trying to use Ansible 1.9.0.1 to set up Windows servers using a domain username. I successfully installed the Linux Ansible control box and was able to use basic auth to run plays/playbooks. However, it does not work with a domain user. Kerberos is enabled on the Windows hosts:

winrm get winrm/config/client/auth
Auth
    Basic = true
    Digest = true
    Kerberos = true
    Negotiate = true
    Certificate = true
    CredSSP = true

The playbook I'm trying to run just calls the win_ping module, and the output is the following:

PLAY [Manage SMI] *************************************************************

TASK: [Ping] ******************************************************************
<host1> ESTABLISH WINRM CONNECTION FOR USER:  on PORT 5985 TO host1
<host1> ESTABLISH WINRM CONNECTION FOR USER:  on PORT 5985 TO host2
<host1> REMOTE_MODULE win_ping
<host1> EXEC (New-Item -Type Directory -Path $env:temp -Name "ansible-tmp-1429639247.03-231225138744234").FullName | Write-Host -Separator '';
<host2> REMOTE_MODULE win_ping
<host2> EXEC (New-Item -Type Directory -Path $env:temp -Name "ansible-tmp-1429639247.03-8060403929807").FullName | Write-Host -Separator '';

FATAL: all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
           to retry, use: --limit @/home/deck/test.retry

host1            : ok=0    changed=0    unreachable=1    failed=0
host2            : ok=0    changed=0    unreachable=1    failed=0

      

In the system event log, the user is authenticated correctly, so it looks like transferring a file to the tmp directory is not working.

Any help is appreciated.

+3

1 answer


A coworker found a workaround for this problem. Apparently there is a problem in pywinrm when using Kerberos which causes the module to die when trying to call KerberosTicket inside transport.py. If you installed a transport.py file with the following:

import kerberos  # GSSAPI bindings used by pywinrm's transport.py

class KerberosTicket:
    """
    Implementation based on http://ncoghlan_devs-python-notes.readthedocs.org/en/latest/python_kerberos.html
    """
    def __init__(self, service):
        # added line below
        self.test = 1
        ignored_code, krb_context = kerberos.authGSSClientInit(service)
        kerberos.authGSSClientStep(krb_context, '')
        # TODO authGSSClientStep may raise following error:
        # GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968),
        # ("Credentials cache file '/tmp/krb5cc_1000' not found", -1765328189))
        self._krb_context = krb_context
        gss_response = kerberos.authGSSClientResponse(krb_context)
        self.auth_header = 'Negotiate {0}'.format(gss_response)

We're not 100% sure why this works, but for now this is our workaround.

+2
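
The TODO in the class above notes that authGSSClientStep can raise a GSSError when the control box has no credentials cache. The following is an added example, not code from the answer or from pywinrm: it makes the same three GSSAPI calls and turns that error into a message naming the missing cache. `explain_gss_error`, `negotiate_header`, the stand-in `GSSError` and `FakeKerberosNoCache` are hypothetical names, and the sample error is constructed from the values quoted in the TODO.

```python
import re

# Minor status quoted in the TODO; in MIT krb5 this value is KRB5_FCC_NOFILE.
KRB5_FCC_NOFILE = -1765328189


class GSSError(Exception):
    """Stand-in for kerberos.GSSError with the args layout shown in the TODO."""


def explain_gss_error(exc):
    """Split a GSSError into (major_msg, minor_msg, minor_code, hint)."""
    try:
        (major_msg, _major_code), (minor_msg, minor_code) = exc.args
    except (TypeError, ValueError):
        return str(exc), "", None, "unrecognised GSSError layout"
    if minor_code == KRB5_FCC_NOFILE:
        m = re.search(r"'([^']+)'", minor_msg)
        cache = m.group(1) if m else "the default credentials cache"
        hint = "no ticket in {0}: run kinit as the user that runs Ansible".format(cache)
    else:
        hint = "see minor status {0}".format(minor_code)
    return major_msg, minor_msg, minor_code, hint


def negotiate_header(service, krb, error_type=GSSError):
    """Same three calls as KerberosTicket.__init__, with the failure explained."""
    try:
        _code, ctx = krb.authGSSClientInit(service)
        krb.authGSSClientStep(ctx, "")
        return "Negotiate {0}".format(krb.authGSSClientResponse(ctx))
    except error_type as exc:
        _major, minor_msg, _minor_code, hint = explain_gss_error(exc)
        raise RuntimeError("Kerberos auth for {0} failed: {1} ({2})".format(
            service, minor_msg, hint))


class FakeKerberosNoCache:
    """Constructed test double: fails the way the TODO describes."""
    def authGSSClientInit(self, service):
        return 1, object()

    def authGSSClientStep(self, ctx, challenge):
        raise GSSError(
            ("Unspecified GSS failure.  Minor code may provide more information", 851968),
            ("Credentials cache file '/tmp/krb5cc_1000' not found", KRB5_FCC_NOFILE))

    def authGSSClientResponse(self, ctx):
        return "unused"
```

With the real bindings installed, pass the `kerberos` module as `krb` and `kerberos.GSSError` as `error_type`.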