I am attempting to use Ansible 1.9.0.1 to configure Windows servers using a domain user name. I have successfully setup the Linux Ansible control box and have been able to use basic auth to run ansible/ansible-playbook plays. However running with a domain user fails. Kerberos is enabled on the Windows nodes:
winrm get winrm/config/client/auth
Auth
Basic = true
Digest = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = true
The playbook I am trying to run just references the win_ping module of ansible and the following is the output:
PLAY [Manage SMI] *************************************************************
TASK: [Ping] ******************************************************************
<host1> ESTABLISH WINRM CONNECTION FOR USER: on PORT 5985 TO >host1
<host1> ESTABLISH WINRM CONNECTION FOR USER: on PORT 5985 TO >host2
<host1> REMOTE_MODULE win_ping
<host1> EXEC (New-Item -Type Directory -Path $env:temp -Name >"ansible-tmp-1429639247.03-231225138744234").FullName | Write-Host -Separator >'';
<host2> REMOTE_MODULE win_ping
<host2> EXEC (New-Item -Type Directory -Path $env:temp -Name >"ansible-tmp-1429639247.03-8060403929807").FullName | Write-Host -Separator '';
FATAL: all hosts have already failed -- aborting
PLAY RECAP ********************************************************************
to retry, use: --limit @/home/deck/test.retry
host1 : ok=0 changed=0 unreachable=1 failed=0
host2 : ok=0 changed=0 unreachable=1 failed=0
Per the System eventlog the user is being authenticated correctly so it looks like the file transfer to the tmp directory is failing.
Any help is greatly appreciated.
A co-worker found a workaround for this issue. It appears there is an issue in the pywinrm when using kerberos that causes the module to die when attempting to call KerbosTicket inside the Transport.py. If you patch transport.py with the following:
class KerberosTicket:
"""
Implementation based on http://ncoghlan_devs-python-notes.readthedocs.org/en/latest/python_kerberos.html
"""
def __init__(self, service):
# added line below
self.test=1
ignored_code, krb_context = kerberos.authGSSClientInit(service)
kerberos.authGSSClientStep(krb_context, '')
# TODO authGSSClientStep may raise following error:
#GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968),
# ("Credentials cache file '/tmp/krb5cc_1000' not found", -1765328189))
self._krb_context = krb_context
gss_response = kerberos.authGSSClientResponse(krb_context)
self.auth_header = 'Negotiate {0}'.format(gss_response)
We are not 100% sure why this works but for now it is our workaround.
来源:https://stackoverflow.com/questions/29780048/ansible-to-windows-using-kerberos-not-working