JH, do you know of any other tests/logging I could try/review to determine why the Kerberos delegation is not working in my environment?
On Friday, September 16, 2016 at 2:22:05 AM UTC-5, J Hawkesworth wrote:
>
> Sorry, I should have been clearer. 2.0.0.2 and 2.1.1 are ansible versions.
>
>
> On Thursday, September 15, 2016 at 4:11:02 PM UTC+1, Surred wrote:
>>
>> Thanks for the response JH. I've moved the winrm connection details to
>> group_vars as you suggested, but am still not able to list the files of a
>> network share. You said you are using "2.0.0.2 / 2.1.1". Can you please
>> clarify those version numbers and what they are associated with?
>>
>> host file:
>> user@ansible:~/ansible> cat inventories/domain
>> [test]
>> dc1.domain.com
>>
>>
>> group_vars:
>> user@ansible:~/ansible> cat inventories/group_vars/test.yml
>> ---
>>
>> ansible_ssh_port: 5986
>> ansible_connection: winrm
>> ansible_winrm_transport: kerberos
>> ansible_winrm_kerberos_delegation: yes
>> ansible_ssh_user: [email protected]
>> ansible_winrm_server_cert_validation: ignore
>>
>>
>> output of playbook (I've added a debug task to dump the variables):
>> user@ansible:~/ansible> ansible-playbook test.yml -i inventories/domain -vvvvv
>> Using /home/user/ansible/ansible.cfg as config file
>> Loaded callback default of type stdout, v2.0
>>
>> PLAYBOOK: test.yml *************************************************************
>> 1 plays in test.yml
>>
>> PLAY [list unc] ****************************************************************
>>
>> TASK [display variables] *******************************************************
>> task path: /home/user/ansible/test.yml:6
>> ok: [dc1.domain.com] => {
>>     "hostvars[inventory_hostname]": {
>>         "ansible_check_mode": false,
>>         "ansible_connection": "winrm",
>>         "ansible_ssh_port": 5986,
>>         "ansible_ssh_user": "[email protected]",
>>         "ansible_version": {
>>             "full": "2.1.0.0",
>>             "major": 2,
>>             "minor": 1,
>>             "revision": 0,
>>             "string": "2.1.0.0"
>>         },
>>         "ansible_winrm_kerberos_delegation": true,
>>         "ansible_winrm_server_cert_validation": "ignore",
>>         "ansible_winrm_transport": "kerberos",
>>         "group_names": [
>>             "test"
>>         ],
>>         "groups": {
>>             "all": [
>>                 "dc1.domain.com"
>>             ],
>>             "test": [
>>                 "dc1.domain.com"
>>             ],
>>             "ungrouped": []
>>         },
>>         "inventory_dir": "/home/user/ansible/inventories",
>>         "inventory_file": "inventories/domain",
>>         "inventory_hostname": "dc1.domain.com",
>>         "inventory_hostname_short": "dc1",
>>         "omit": "__omit_place_holder__aefe246ae370864260078b474e205946a8274802",
>>         "playbook_dir": "/home/user/ansible"
>>     }
>> }
>>
>> TASK [list unc] ****************************************************************
>> task path: /home/user/ansible/test.yml:9
>> <dc1.domain.com> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO dc1.domain.com
>> <dc1.domain.com> WINRM CONNECT: transport=kerberos endpoint=https://dc1.domain.com:5986/wsman
>> <dc1.domain.com> WINRM OPEN SHELL: 33ADC923-1FA6-4D0D-B5AF-7A474202BD2E
>> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
>> (New-Item -Type Directory -Path $env:temp -Name "ansible-tmp-1473950183.23-4669660185733").FullName | Write-Host -Separator '';
>> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', u'-EncodedCommand', u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOQA1ADAAMQA4ADMALgAyADMALQA0ADYANgA5ADYANgAwADEAOAA1ADcAMwAzACIAKQAuAEYAdQBsAGwATgBhAG0AZQAgAHwAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAALQBTAGUAcABhAHIAYQB0AG8AcgAgACcAJwA7AA==']
>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "C:\\Users\\ansible_svc", err "">'
>> <dc1.domain.com> PUT "/home/user/ansible/test.ps1" TO "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1"
>> <dc1.domain.com> WINRM PUT "/home/user/ansible/test.ps1" to "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1" (offset=46 size=46)
>> <dc1.domain.com> EXEC & 'C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1'
>> <dc1.domain.com> WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', 'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABhAG4AcwBpAGIAbABlAF8AcwB2AGMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOQA1ADAAMQA4ADMALgAyADMALQA0ADYANgA5ADYANgAwADEAOAA1ADcAMwAzAFwAdABlAHMAdAAuAHAAcwAxACcA']
>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "#< CLIXML\r\n<Objs Ver">'
>> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
>> Remove-Item "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733" -Force -Recurse;
>> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', u'-EncodedCommand', u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGEAbgBzAGkAYgBsAGUAXwBzAHYAYwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADcAMwA5ADUAMAAxADgAMwAuADIAMwAtADQANgA2ADkANgA2ADAAMQA4ADUANwAzADMAIgAgAC0ARgBvAHIAYwBlACAALQBSAGUAYwB1AHIAcwBlADsA']
>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "">'
>> <dc1.domain.com> WINRM CLOSE SHELL: 33ADC923-1FA6-4D0D-B5AF-7A474202BD2E
>> changed: [dc1.domain.com] => {"changed": true, "invocation": {"module_args": {"_raw_params": "/home/user/ansible/test.ps1"}, "module_name": "script"}, "rc": 0, "stderr": "Get-ChildItem : Access is denied\r\nAt C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473950183.23-4669660185\r\n733\\test.ps1:1 char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo : PermissionDenied: (\\\\sccm01\\SMS_ABC\\Client \r\n:String) [Get-ChildItem], UnauthorizedAccessException\r\n+ FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.Powe \r\nrShell.Commands.GetChildItemCommand\r\n\r\nGet-ChildItem : Cannot find path '\\\\sccm01\\SMS_ABC\\Client' because it \r\ndoes not exist.\r\nAt C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473950183.23-4669660185\r\n733\\test.ps1:1 char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo : ObjectNotFound: (\\\\sccm01\\SMS_ABC\\Client:S \r\ntring) [Get-ChildItem], ItemNotFoundException\r\n+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetCh \r\nildItemCommand\r\n", "stdout": "", "stdout_lines": []}
>>
>> PLAY RECAP *********************************************************************
>> dc1.domain.com : ok=2 changed=1 unreachable=0 failed=0
>>
>> user@ansible:~/ansible>
>>
>>
>> On Wednesday, September 14, 2016 at 12:52:13 PM UTC-5, Surred wrote:
>>>
>>> Hello,
>>>
>>> I'm having issues getting the double hop scenario working. To test
>>> Kerberos delegation I have a simple PowerShell script that does a
>>> Get-ChildItem on a UNC path. When running the command manually on the host
>>> it works, but when executing as a playbook with Ansible I get "Access
>>> Denied." Below is my configuration and the verbose output I receive. Any
>>> help or suggestions would be greatly appreciated.
>>>
>>>
>>> Environment:
>>> user@ansible:~/ansible> pip list 2>/dev/null | grep -i pywinrm
>>> pywinrm (0.2.0)
>>>
>>> user@ansible:~/ansible> ansible --version
>>> ansible 2.1.0.0
>>>   config file = /home/user/ansible/ansible.cfg
>>>   configured module search path = Default w/o overrides
>>>
>>> user@ansible:~/ansible> cat /etc/*-release
>>> NAME="SLES"
>>> VERSION="11.4"
>>> VERSION_ID="11.4"
>>> PRETTY_NAME="SUSE Linux Enterprise Server 11 SP4"
>>> ID="sles"
>>> ANSI_COLOR="0;32"
>>> CPE_NAME="cpe:/o:suse:sles:11:4"
>>> SUSE Linux Enterprise Server 11 (x86_64)
>>> VERSION = 11
>>> PATCHLEVEL = 4
>>>
>>>
>>> Inventory excerpt:
>>> [all:vars]
>>> ansible_ssh_port=5986
>>> ansible_connection=winrm
>>> ansible_winrm_transport=kerberos
>>> ansible_winrm_kerberos_delegation=yes
>>> [email protected]
>>> ansible_winrm_server_cert_validation=ignore
>>>
>>> Playbook output:
>>> user@ansible:~/ansible> ansible-playbook test.yml -i inventories/domain -vvvvv
>>> Using /home/user/ansible/ansible.cfg as config file
>>> Loaded callback default of type stdout, v2.0
>>>
>>> PLAYBOOK: test.yml *************************************************************
>>> 1 plays in test.yml
>>>
>>> PLAY [list unc] ****************************************************************
>>>
>>> TASK [list unc] ****************************************************************
>>> task path: /home/user/ansible/test.yml:6
>>> <dc1.domain.com> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO dc1.domain.com
>>> <dc1.domain.com> WINRM CONNECT: transport=kerberos endpoint=https://dc1.domain.com:5986/wsman
>>> <dc1.domain.com> WINRM OPEN SHELL: 33CC652E-0DED-4C66-B898-2860580A29A8
>>> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
>>> (New-Item -Type Directory -Path $env:temp -Name "ansible-tmp-1473809521.62-137672088908702").FullName | Write-Host -Separator '';
>>> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', u'-EncodedCommand', u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOAAwADkANQAyADEALgA2ADIALQAxADMANwA2ADcAMgAwADgAOAA5ADAAOAA3ADAAMgAiACkALgBGAHUAbABsAE4AYQBtAGUAIAB8ACAAVwByAGkAdABlAC0ASABvAHMAdAAgAC0AUwBlAHAAYQByAGEAdABvAHIAIAAnACcAOwA=']
>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "C:\\Users\\ansible_svc", err "">'
>>> <dc1.domain.com> PUT "/home/user/ansible/test.ps1" TO "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1"
>>> <dc1.domain.com> WINRM PUT "/home/user/ansible/test.ps1" to "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1" (offset=46 size=46)
>>> <dc1.domain.com> EXEC & 'C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1'
>>> <dc1.domain.com> WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', 'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABhAG4AcwBpAGIAbABlAF8AcwB2AGMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOAAwADkANQAyADEALgA2ADIALQAxADMANwA2ADcAMgAwADgAOAA5ADAAOAA3ADAAMgBcAHQAZQBzAHQALgBwAHMAMQAnAA==']
>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "#< CLIXML\r\n<Objs Ver">'
>>> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
>>> Remove-Item "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702" -Force -Recurse;
>>> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', u'-EncodedCommand', u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGEAbgBzAGkAYgBsAGUAXwBzAHYAYwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADcAMwA4ADAAOQA1ADIAMQAuADYAMgAtADEAMwA3ADYANwAyADAAOAA4ADkAMAA4ADcAMAAyACIAIAAtAEYAbwByAGMAZQAgAC0AUgBlAGMAdQByAHMAZQA7AA==']
>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "">'
>>> <dc1.domain.com> WINRM CLOSE SHELL: 33CC652E-0DED-4C66-B898-2860580A29A8
>>> changed: [dc1.domain.com] => {"changed": true, "invocation": {"module_args": {"_raw_params": "/home/user/ansible/test.ps1"}, "module_name": "script"}, "rc": 0, "stderr": "Get-ChildItem : Access is denied\r\nAt C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473809521.62-1376720889\r\n08702\\test.ps1:1 char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo : PermissionDenied: (\\\\sccm01\\SMS_ABC\\Client \r\n:String) [Get-ChildItem], UnauthorizedAccessException\r\n+ FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.Powe \r\nrShell.Commands.GetChildItemCommand\r\n\r\nGet-ChildItem : Cannot find path '\\\\sccm01\\SMS_ABC\\Client' because it \r\ndoes not exist.\r\nAt C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473809521.62-1376720889\r\n08702\\test.ps1:1 char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo : ObjectNotFound: (\\\\sccm01\\SMS_ABC\\Client:S \r\ntring) [Get-ChildItem], ItemNotFoundException\r\n+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetCh \r\nildItemCommand\r\n", "stdout": "", "stdout_lines": []}
>>>
>>> PLAY RECAP *********************************************************************
>>> dc1.domain.com : ok=1 changed=1 unreachable=0 failed=0
>>>
>>> user@ansible:~/ansible>
>>>
>>

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/48e80efd-c22e-43da-ba27-94659640e37b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
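A diagnostic to run in place of test.ps1 through the same Ansible script task, added here as an example that is not part of the thread: it reports whether the WinRM logon session actually holds a forwarded TGT (the prerequisite for the second hop to the share) and which exception the share access raises. The UNC path and the sccm01 server name are taken from the posts; the output-formatting choices are my own.

```powershell
# Added diagnostic (not from the thread): run it through the same Ansible script task
# in place of test.ps1. It reports what the WinRM logon session holds before the
# second hop to the share is attempted. $Share is the UNC path from the posts.
$Share = '\\sccm01\SMS_ABC\Client'

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host ("Identity:           {0}" -f $id.Name)
Write-Host ("AuthenticationType: {0}" -f $id.AuthenticationType)   # expect Kerberos, not NTLM

# Ticket cache of this logon session. With delegation working, the controller's TGT
# was forwarded to dc1, so a krbtgt/<REALM> entry exists and its Ticket Flags line
# includes 'forwarded'. Without a forwarded TGT, dc1 cannot obtain a cifs/sccm01
# ticket as this user, and the SMB connection is made without the user's credentials.
$before    = klist.exe | Out-String
$hasTgt    = $before -match 'krbtgt/'
$forwarded = $before -match 'forwarded'
Write-Host ("TGT in cache:       {0}" -f $hasTgt)
Write-Host ("TGT forwarded:      {0}" -f $forwarded)
Write-Host "---- klist before share access ----"
Write-Host $before

# Touch the share once and capture the exception type. The posts show both
# UnauthorizedAccessException and ItemNotFoundException for the same path; the
# first is the double-hop symptom, the second is PowerShell's follow-up error.
try {
    $items = Get-ChildItem -LiteralPath $Share -ErrorAction Stop
    Write-Host ("Share reachable: {0} entries" -f @($items).Count)
} catch {
    Write-Host ("Share access failed: {0}: {1}" -f $_.Exception.GetType().FullName, $_.Exception.Message)
}

# A cifs/sccm01 service ticket appears here only if a usable TGT was available
# when the SMB connection was made.
$after = klist.exe | Out-String
Write-Host ("cifs/sccm01 ticket: {0}" -f ($after -match 'cifs/sccm01'))
```

If the TGT is missing or lacks the forwarded flag, the problem is upstream of the share: the controller's ticket must be forwardable (kinit -f, or forwardable = true under [libdefaults] in krb5.conf), the computer account behind HTTP/dc1 must be trusted for delegation, and the user account must not be marked "Account is sensitive and cannot be delegated".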
