Thanks for the response, JH. I've moved the winrm connection details to group_vars as you suggested, but am still not able to list the files of a network share. You said you are using "2.0.0.2 / 2.1.1". Can you please clarify those version numbers and what they are associated with?

host file:
user@ansible:~/ansible> cat inventories/domain
[test]
dc1.domain.com

group_vars:
user@ansible:~/ansible> cat inventories/group_vars/test.yml
---
ansible_ssh_port: 5986
ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_winrm_kerberos_delegation: yes
ansible_ssh_user: [email protected]
ansible_winrm_server_cert_validation: ignore

output of playbook (I've added a debug task to dump the variables):
user@ansible:~/ansible> ansible-playbook test.yml -i inventories/domain -vvvvv
Using /home/user/ansible/ansible.cfg as config file
Loaded callback default of type stdout, v2.0

PLAYBOOK: test.yml *************************************************************
1 plays in test.yml

PLAY [list unc] ****************************************************************

TASK [display variables] *******************************************************
task path: /home/user/ansible/test.yml:6
ok: [dc1.domain.com] => {
    "hostvars[inventory_hostname]": {
        "ansible_check_mode": false,
        "ansible_connection": "winrm",
        "ansible_ssh_port": 5986,
        "ansible_ssh_user": "[email protected]",
        "ansible_version": {
            "full": "2.1.0.0",
            "major": 2,
            "minor": 1,
            "revision": 0,
            "string": "2.1.0.0"
        },
        "ansible_winrm_kerberos_delegation": true,
        "ansible_winrm_server_cert_validation": "ignore",
        "ansible_winrm_transport": "kerberos",
        "group_names": [
            "test"
        ],
        "groups": {
            "all": [
                "dc1.domain.com"
            ],
            "test": [
                "dc1.domain.com"
            ],
            "ungrouped": []
        },
        "inventory_dir": "/home/user/ansible/inventories",
        "inventory_file": "inventories/domain",
        "inventory_hostname": "dc1.domain.com",
        "inventory_hostname_short": "dc1",
        "omit": "__omit_place_holder__aefe246ae370864260078b474e205946a8274802",
        "playbook_dir": "/home/user/ansible"
    }
}

TASK [list unc] ****************************************************************
task path: /home/user/ansible/test.yml:9
<dc1.domain.com> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO dc1.domain.com
<dc1.domain.com> WINRM CONNECT: transport=kerberos endpoint=https://dc1.domain.com:5986/wsman
<dc1.domain.com> WINRM OPEN SHELL: 33ADC923-1FA6-4D0D-B5AF-7A474202BD2E
<dc1.domain.com> EXEC Set-StrictMode -Version Latest
(New-Item -Type Directory -Path $env:temp -Name "ansible-tmp-1473950183.23-4669660185733").FullName | Write-Host -Separator '';
<dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', u'-EncodedCommand', u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOQA1ADAAMQA4ADMALgAyADMALQA0ADYANgA5ADYANgAwADEAOAA1ADcAMwAzACIAKQAuAEYAdQBsAGwATgBhAG0AZQAgAHwAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAALQBTAGUAcABhAHIAYQB0AG8AcgAgACcAJwA7AA==']
<dc1.domain.com> WINRM RESULT u'<Response code 0, out "C:\\Users\\ansible_svc", err "">'
<dc1.domain.com> PUT "/home/user/ansible/test.ps1" TO "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1"
<dc1.domain.com> WINRM PUT "/home/user/ansible/test.ps1" to "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1" (offset=46 size=46)
<dc1.domain.com> EXEC & 'C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1'
<dc1.domain.com> WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', 'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABhAG4AcwBpAGIAbABlAF8AcwB2AGMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOQA1ADAAMQA4ADMALgAyADMALQA0ADYANgA5ADYANgAwADEAOAA1ADcAMwAzAFwAdABlAHMAdAAuAHAAcwAxACcA']
<dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "#< CLIXML\r\n<Objs Ver">'
<dc1.domain.com> EXEC Set-StrictMode -Version Latest
Remove-Item "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733" -Force -Recurse;
<dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', u'-EncodedCommand', u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGEAbgBzAGkAYgBsAGUAXwBzAHYAYwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADcAMwA5ADUAMAAxADgAMwAuADIAMwAtADQANgA2ADkANgA2ADAAMQA4ADUANwAzADMAIgAgAC0ARgBvAHIAYwBlACAALQBSAGUAYwB1AHIAcwBlADsA']
<dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "">'
<dc1.domain.com> WINRM CLOSE SHELL: 33ADC923-1FA6-4D0D-B5AF-7A474202BD2E
changed: [dc1.domain.com] => {"changed": true, "invocation": {"module_args": {"_raw_params": "/home/user/ansible/test.ps1"}, "module_name": "script"}, "rc": 0, "stderr": "Get-ChildItem : Access is denied\r\nAt C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473950183.23-4669660185\r\n733\\test.ps1:1 char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo : PermissionDenied: (\\\\sccm01\\SMS_ABC\\Client \r\n:String) [Get-ChildItem], UnauthorizedAccessException\r\n+ FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.Powe \r\nrShell.Commands.GetChildItemCommand\r\n\r\nGet-ChildItem : Cannot find path '\\\\sccm01\\SMS_ABC\\Client' because it \r\ndoes not exist.\r\nAt C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473950183.23-4669660185\r\n733\\test.ps1:1 char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo : ObjectNotFound: (\\\\sccm01\\SMS_ABC\\Client:S \r\ntring) [Get-ChildItem], ItemNotFoundException\r\n+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetCh \r\nildItemCommand\r\n", "stdout": "", "stdout_lines": []}

PLAY RECAP *********************************************************************
dc1.domain.com : ok=2 changed=1 unreachable=0 failed=0

user@ansible:~/ansible>

On Wednesday, September 14, 2016 at 12:52:13 PM UTC-5, Surred wrote:
>
> Hello,
>
> I'm having issues getting the double hop scenario working. To test
> kerberos delegation I have a simple PowerShell script that does a
> Get-ChildItem on a UNC path. When running the command manually on the host
> it works, but when executing as playbook with Ansible I get "Access
> Denied." Below is my configuration and the verbose output I receive. Any
> help or suggestions would be greatly appreciated.
>
>
> Environment:
> user@ansible:~/ansible> pip list 2>/dev/null | grep -i pywinrm
> pywinrm (0.2.0)
>
> user@ansible:~/ansible> ansible --version
> ansible 2.1.0.0
> config file = /home/user/ansible/ansible.cfg
> configured module search path = Default w/o overrides
>
> user@ansible:~/ansible> cat /etc/*-release
> NAME="SLES"
> VERSION="11.4"
> VERSION_ID="11.4"
> PRETTY_NAME="SUSE Linux Enterprise Server 11 SP4"
> ID="sles"
> ANSI_COLOR="0;32"
> CPE_NAME="cpe:/o:suse:sles:11:4"
> SUSE Linux Enterprise Server 11 (x86_64)
> VERSION = 11
> PATCHLEVEL = 4
>
>
> Inventory excerpt:
> [all:vars]
> ansible_ssh_port=5986
> ansible_connection=winrm
> ansible_winrm_transport=kerberos
> ansible_winrm_kerberos_delegation=yes
> [email protected]
> ansible_winrm_server_cert_validation=ignore
>
> Playbook output:
> user@ansible:~/ansible> ansible-playbook test.yml -i inventories/domain
> -vvvvv
> Using /home/user/ansible/ansible.cfg as config file
> Loaded callback default of type stdout, v2.0
>
> PLAYBOOK: test.yml
> *************************************************************
> 1 plays in test.yml
>
> PLAY [list unc]
> ****************************************************************
>
> TASK [list unc]
> ****************************************************************
> task path: /home/user/ansible/test.yml:6
> <dc1.domain.com> ESTABLISH WINRM CONNECTION FOR USER:
> [email protected] on PORT 5986 TO dc1.domain.com
> <dc1.domain.com> WINRM CONNECT: transport=kerberos endpoint=
> https://dc1.domain.com:5986/wsman
> <dc1.domain.com> WINRM OPEN SHELL: 33CC652E-0DED-4C66-B898-2860580A29A8
> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
> (New-Item -Type Directory -Path $env:temp -Name
> "ansible-tmp-1473809521.62-137672088908702").FullName | Write-Host
> -Separator '';
> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile',
> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted',
> u'-EncodedCommand',
> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOAAwADkANQAyADEALgA2ADIALQAxADMANwA2ADcAMgAwADgAOAA5ADAAOAA3ADAAMgAiACkALgBGAHUAbABsAE4AYQBtAGUAIAB8ACAAVwByAGkAdABlAC0ASABvAHMAdAAgAC0AUwBlAHAAYQByAGEAdABvAHIAIAAnACcAOwA=']
> <dc1.domain.com> WINRM RESULT u'<Response code 0, out
> "C:\\Users\\ansible_svc", err "">'
> <dc1.domain.com> PUT "/home/user/ansible/test.ps1" TO
> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1"
> <dc1.domain.com> WINRM PUT "/home/user/ansible/test.ps1" to
> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1"
>
> (offset=46 size=46)
> <dc1.domain.com> EXEC &
>
> 'C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1'
> <dc1.domain.com> WINRM EXEC 'PowerShell' ['-NoProfile',
> '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand',
> 'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABhAG4AcwBpAGIAbABlAF8AcwB2AGMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOAAwADkANQAyADEALgA2ADIALQAxADMANwA2ADcAMgAwADgAOAA5ADAAOAA3ADAAMgBcAHQAZQBzAHQALgBwAHMAMQAnAA==']
> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "#<
> CLIXML\r\n<Objs Ver">'
> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
> Remove-Item
> "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702"
>
> -Force -Recurse;
> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile',
> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted',
> u'-EncodedCommand',
> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGEAbgBzAGkAYgBsAGUAXwBzAHYAYwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADcAMwA4ADAAOQA1ADIAMQAuADYAMgAtADEAMwA3ADYANwAyADAAOAA4ADkAMAA4ADcAMAAyACIAIAAtAEYAbwByAGMAZQAgAC0AUgBlAGMAdQByAHMAZQA7AA==']
> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "">'
> <dc1.domain.com> WINRM CLOSE SHELL: 33CC652E-0DED-4C66-B898-2860580A29A8
> changed: [dc1.domain.com] => {"changed": true, "invocation":
> {"module_args": {"_raw_params": "/home/user/ansible/test.ps1"},
> "module_name": "script"}, "rc": 0, "stderr": "Get-ChildItem : Access is
> denied\r\nAt
> C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473809521.62-1376720889\r\n08702\\test.ps1:1
>
> char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo :
> PermissionDenied: (\\\\sccm01\\SMS_ABC\\Client \r\n:String)
> [Get-ChildItem], UnauthorizedAccessException\r\n+ FullyQualifiedErrorId :
> ItemExistsUnauthorizedAccessError,Microsoft.Powe
> \r\nrShell.Commands.GetChildItemCommand\r\n\r\nGet-ChildItem : Cannot find
> path '\\\\sccm01\\SMS_ABC\\Client' because it \r\ndoes not exist.\r\nAt
> C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473809521.62-1376720889\r\n08702\\test.ps1:1
>
> char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo :
> ObjectNotFound: (\\\\sccm01\\SMS_ABC\\Client:S \r\ntring) [Get-ChildItem],
> ItemNotFoundException\r\n+ FullyQualifiedErrorId :
> PathNotFound,Microsoft.PowerShell.Commands.GetCh \r\nildItemCommand\r\n",
> "stdout": "", "stdout_lines": []}
>
> PLAY RECAP
> *********************************************************************
> dc1.domain.com : ok=1 changed=1 unreachable=0 failed=0
>
> user@ansible:~/ansible>
