I just got this working a couple of days ago. The only differences I can see between your set up and mine are
I set up win connection vars in group vars, rather than host vars (mixed environment - not all my hosts are windows). Might be worth trying to switch to group_vars as at some point I think there was some difference in how host vars and group vars were loaded, although I think that has been resolved now. I am using 2.0.0.2 / 2.1.1 my ansible controllers are Centos So I suggest trying to configure with group_vars instead of host vars. I tested a very similar one line powershell script to do the same as you (access files on a network share), so I'm sure this can be made to work. Hope this helps, Jon On Wednesday, September 14, 2016 at 6:52:13 PM UTC+1, Surred wrote: > > Hello, > > I'm having issues getting the double hop scenario working. To test > kerberos delegation I have a simple PowerShell script that does a > Get-ChildItem on a UNC path. When running the command manually on the host > it works, but when executing as playbook with Ansible I get "Access > Denied." Below is my configuration and the verbose output I receive. Any > help or suggestions would be greatly appreciated. > > > Environment: > user@ansible:~/ansible> pip list 2>/dev/null | grep -i pywinrm > pywinrm (0.2.0) > > user@ansible:~/ansible> ansible --version > ansible 2.1.0.0 > config file = /home/user/ansible/ansible.cfg > configured module search path = Default w/o overrides > > user@ansible:~/ansible> cat /etc/*-release > NAME="SLES" > VERSION="11.4" > VERSION_ID="11.4" > PRETTY_NAME="SUSE Linux Enterprise Server 11 SP4" > ID="sles" > ANSI_COLOR="0;32" > CPE_NAME="cpe:/o:suse:sles:11:4" > SUSE Linux Enterprise Server 11 (x86_64) > VERSION = 11 > PATCHLEVEL = 4 > > > Inventory excerpt: > [all:vars] > ansible_ssh_port=5986 > ansible_connection=winrm > ansible_winrm_transport=kerberos > ansible_winrm_kerberos_delegation=yes > [email protected] <javascript:> > ansible_winrm_server_cert_validation=ignore > > Playbook output: > user@ansible:~/ansible> ansible-playbook test.yml -i inventories/domain > -vvvvv > Using /home/user/ansible/ansible.cfg as config file > Loaded callback default of type stdout, v2.0 > > PLAYBOOK: test.yml > ************************************************************* > 1 plays in test.yml > > PLAY [list unc] > **************************************************************** > > TASK [list unc] > **************************************************************** > task path: /home/user/ansible/test.yml:6 > <dc1.domain.com> ESTABLISH WINRM CONNECTION FOR USER: [email protected] > <javascript:> on PORT 5986 TO dc1.domain.com > <dc1.domain.com> WINRM CONNECT: transport=kerberos endpoint= > https://dc1.domain.com:5986/wsman > <dc1.domain.com> WINRM OPEN SHELL: 33CC652E-0DED-4C66-B898-2860580A29A8 > <dc1.domain.com> EXEC Set-StrictMode -Version Latest > (New-Item -Type Directory -Path $env:temp -Name > "ansible-tmp-1473809521.62-137672088908702").FullName | Write-Host > -Separator ''; > <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', > u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', > u'-EncodedCommand', > u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOAAwADkANQAyADEALgA2ADIALQAxADMANwA2ADcAMgAwADgAOAA5ADAAOAA3ADAAMgAiACkALgBGAHUAbABsAE4AYQBtAGUAIAB8ACAAVwByAGkAdABlAC0ASABvAHMAdAAgAC0AUwBlAHAAYQByAGEAdABvAHIAIAAnACcAOwA='] > <dc1.domain.com> WINRM RESULT u'<Response code 0, out > "C:\\Users\\ansible_svc", err "">' > <dc1.domain.com> PUT "/home/user/ansible/test.ps1" TO > "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1" > <dc1.domain.com> WINRM PUT "/home/user/ansible/test.ps1" to > "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1" > > (offset=46 size=46) > <dc1.domain.com> EXEC & > > 'C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1' > <dc1.domain.com> WINRM EXEC 'PowerShell' ['-NoProfile', > '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', > 'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABhAG4AcwBpAGIAbABlAF8AcwB2AGMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOAAwADkANQAyADEALgA2ADIALQAxADMANwA2ADcAMgAwADgAOAA5ADAAOAA3ADAAMgBcAHQAZQBzAHQALgBwAHMAMQAnAA=='] > <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "#< > CLIXML\r\n<Objs Ver">' > <dc1.domain.com> EXEC Set-StrictMode -Version Latest > Remove-Item > "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702" > > -Force -Recurse; > <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', > u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', > u'-EncodedCommand', > u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGEAbgBzAGkAYgBsAGUAXwBzAHYAYwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADcAMwA4ADAAOQA1ADIAMQAuADYAMgAtADEAMwA3ADYANwAyADAAOAA4ADkAMAA4ADcAMAAyACIAIAAtAEYAbwByAGMAZQAgAC0AUgBlAGMAdQByAHMAZQA7AA=='] > <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "">' > <dc1.domain.com> WINRM CLOSE SHELL: 33CC652E-0DED-4C66-B898-2860580A29A8 > changed: [dc1.domain.com] => {"changed": true, "invocation": > {"module_args": {"_raw_params": "/home/user/ansible/test.ps1"}, > "module_name": "script"}, "rc": 0, "stderr": "Get-ChildItem : Access is > denied\r\nAt > C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473809521.62-1376720889\r\n08702\\test.ps1:1 > > char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+ > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo : > PermissionDenied: (\\\\sccm01\\SMS_ABC\\Client \r\n:String) > [Get-ChildItem], UnauthorizedAccessException\r\n+ FullyQualifiedErrorId : > ItemExistsUnauthorizedAccessError,Microsoft.Powe > \r\nrShell.Commands.GetChildItemCommand\r\n\r\nGet-ChildItem : Cannot find > path '\\\\sccm01\\SMS_ABC\\Client' because it \r\ndoes not exist.\r\nAt > C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473809521.62-1376720889\r\n08702\\test.ps1:1 > > char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+ > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo : > ObjectNotFound: (\\\\sccm01\\SMS_ABC\\Client:S \r\ntring) [Get-ChildItem], > ItemNotFoundException\r\n+ FullyQualifiedErrorId : > PathNotFound,Microsoft.PowerShell.Commands.GetCh \r\nildItemCommand\r\n", > "stdout": "", "stdout_lines": []} > > PLAY RECAP > ********************************************************************* > dc1.domain.com : ok=1 changed=1 unreachable=0 failed=0 > > user@ansible:~/ansible> > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/dd3defb3-edbf-451b-ae59-241a35cc7603%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
