Have a look in the event logs. I suspect all you will see is 'Access is denied'. Worth looking on the network share machine (if it is an actual windows box). If it isn't a windows box I guess there will be some kind of samba share logging that you could examine too.
Make sure that you are using the same user when logged in via remote desktop as the user that ansible is using. You could check for logon events in the event viewer and see what privileges are assigned to your ansible.... user and see how these differ when you login via RDP.

My understanding is that the auth delegation changes the kerberos ticket in some way so you could try examining the kerberos ticket using klist - unfortunately I can't try this myself at the moment.

I wonder if it is possible for the domain controller to disallow granting the necessary kerberos ticket for auth delegation. Perhaps ask Active Directory administrators if they can do anything like this and whether it is in place.

I still think that you are 'almost there' with solving this problem.

Hope the above helps,

Jon

On Tuesday, September 20, 2016 at 3:35:27 PM UTC+1, Surred wrote:
>
> JH,
>
> Do you know of any other tests/logging I could try/review to determine why
> the kerberos delegation is not working in my environment?
>
> On Friday, September 16, 2016 at 2:22:05 AM UTC-5, J Hawkesworth wrote:
>>
>> Sorry, I should have been clearer. 2.0.0.2 and 2.1.1 are ansible
>> versions.
>>
>> On Thursday, September 15, 2016 at 4:11:02 PM UTC+1, Surred wrote:
>>>
>>> Thanks for the response JH. I've moved the winrm connection details to
>>> group_vars as you suggested, but am still not able to list the files of a
>>> network share. You said you are using "2.0.0.2 / 2.1.1" Can you please
>>> clarify those version numbers and what they are associated with?
>>>
>>> host file:
>>> user@ansible:~/ansible> cat inventories/domain
>>> [test]
>>> dc1.domain.com
>>>
>>> group_vars:
>>> user@ansible:~/ansible> cat inventories/group_vars/test.yml
>>> ---
>>>
>>> ansible_ssh_port: 5986
>>> ansible_connection: winrm
>>> ansible_winrm_transport: kerberos
>>> ansible_winrm_kerberos_delegation: yes
>>> ansible_ssh_user: [email protected]
>>> ansible_winrm_server_cert_validation: ignore
>>>
>>> output of playbook (i've added a debug task to dump the variables):
>>> user@ansible:~/ansible> ansible-playbook test.yml -i inventories/domain -vvvvv
>>> Using /home/user/ansible/ansible.cfg as config file
>>> Loaded callback default of type stdout, v2.0
>>>
>>> PLAYBOOK: test.yml *************************************************************
>>> 1 plays in test.yml
>>>
>>> PLAY [list unc] ****************************************************************
>>>
>>> TASK [display variables] *******************************************************
>>> task path: /home/user/ansible/test.yml:6
>>> ok: [dc1.domain.com] => {
>>>     "hostvars[inventory_hostname]": {
>>>         "ansible_check_mode": false,
>>>         "ansible_connection": "winrm",
>>>         "ansible_ssh_port": 5986,
>>>         "ansible_ssh_user": "[email protected]",
>>>         "ansible_version": {
>>>             "full": "2.1.0.0",
>>>             "major": 2,
>>>             "minor": 1,
>>>             "revision": 0,
>>>             "string": "2.1.0.0"
>>>         },
>>>         "ansible_winrm_kerberos_delegation": true,
>>>         "ansible_winrm_server_cert_validation": "ignore",
>>>         "ansible_winrm_transport": "kerberos",
>>>         "group_names": [
>>>             "test"
>>>         ],
>>>         "groups": {
>>>             "all": [
>>>                 "dc1.domain.com"
>>>             ],
>>>             "test": [
>>>                 "dc1.domain.com"
>>>             ],
>>>             "ungrouped": []
>>>         },
>>>         "inventory_dir": "/home/user/ansible/inventories",
>>>         "inventory_file": "inventories/domain",
>>>         "inventory_hostname": "dc1.domain.com",
>>>         "inventory_hostname_short": "dc1",
>>>         "omit": "__omit_place_holder__aefe246ae370864260078b474e205946a8274802",
>>>         "playbook_dir": "/home/user/ansible"
>>>     }
>>> }
>>>
>>> TASK [list unc] ****************************************************************
>>> task path: /home/user/ansible/test.yml:9
>>> <dc1.domain.com> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO dc1.domain.com
>>> <dc1.domain.com> WINRM CONNECT: transport=kerberos endpoint= https://dc1.domain.com:5986/wsman
>>> <dc1.domain.com> WINRM OPEN SHELL: 33ADC923-1FA6-4D0D-B5AF-7A474202BD2E
>>> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
>>> (New-Item -Type Directory -Path $env:temp -Name "ansible-tmp-1473950183.23-4669660185733").FullName | Write-Host -Separator '';
>>> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', u'-EncodedCommand',
>>> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOQA1ADAAMQA4ADMALgAyADMALQA0ADYANgA5ADYANgAwADEAOAA1ADcAMwAzACIAKQAuAEYAdQBsAGwATgBhAG0AZQAgAHwAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAALQBTAGUAcABhAHIAYQB0AG8AcgAgACcAJwA7AA==']
>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "C:\\Users\\ansible_svc", err "">'
>>> <dc1.domain.com> PUT "/home/user/ansible/test.ps1" TO "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1"
>>> <dc1.domain.com> WINRM PUT "/home/user/ansible/test.ps1" to "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1" (offset=46 size=46)
>>> <dc1.domain.com> EXEC & 'C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733\test.ps1'
>>> <dc1.domain.com> WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand',
>>> 'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABhAG4AcwBpAGIAbABlAF8AcwB2AGMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOQA1ADAAMQA4ADMALgAyADMALQA0ADYANgA5ADYANgAwADEAOAA1ADcAMwAzAFwAdABlAHMAdAAuAHAAcwAxACcA']
>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "#< CLIXML\r\n<Objs Ver">'
>>> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
>>> Remove-Item "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473950183.23-4669660185733" -Force -Recurse;
>>> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', u'-EncodedCommand',
>>> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGEAbgBzAGkAYgBsAGUAXwBzAHYAYwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADcAMwA5ADUAMAAxADgAMwAuADIAMwAtADQANgA2ADkANgA2ADAAMQA4ADUANwAzADMAIgAgAC0ARgBvAHIAYwBlACAALQBSAGUAYwB1AHIAcwBlADsA']
>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "">'
>>> <dc1.domain.com> WINRM CLOSE SHELL: 33ADC923-1FA6-4D0D-B5AF-7A474202BD2E
>>> changed: [dc1.domain.com] => {"changed": true, "invocation":
>>> {"module_args": {"_raw_params": "/home/user/ansible/test.ps1"},
>>> "module_name": "script"}, "rc": 0, "stderr": "Get-ChildItem : Access is
>>> denied\r\nAt
>>> C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473950183.23-4669660185\r\n733\\test.ps1:1
>>> char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo :
>>> PermissionDenied: (\\\\sccm01\\SMS_ABC\\Client \r\n:String)
>>> [Get-ChildItem], UnauthorizedAccessException\r\n+ FullyQualifiedErrorId :
>>> ItemExistsUnauthorizedAccessError,Microsoft.Powe
>>> \r\nrShell.Commands.GetChildItemCommand\r\n\r\nGet-ChildItem : Cannot find
>>> path '\\\\sccm01\\SMS_ABC\\Client' because it \r\ndoes not exist.\r\nAt
>>> C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473950183.23-4669660185\r\n733\\test.ps1:1
>>> char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo :
>>> ObjectNotFound: (\\\\sccm01\\SMS_ABC\\Client:S \r\ntring) [Get-ChildItem],
>>> ItemNotFoundException\r\n+ FullyQualifiedErrorId :
>>> PathNotFound,Microsoft.PowerShell.Commands.GetCh \r\nildItemCommand\r\n",
>>> "stdout": "", "stdout_lines": []}
>>>
>>> PLAY RECAP *********************************************************************
>>> dc1.domain.com : ok=2 changed=1 unreachable=0 failed=0
>>>
>>> user@ansible:~/ansible>
>>>
>>> On Wednesday, September 14, 2016 at 12:52:13 PM UTC-5, Surred wrote:
>>>>
>>>> Hello,
>>>>
>>>> I'm having issues getting the double hop scenario working. To test
>>>> kerberos delegation I have a simple PowerShell script that does a
>>>> Get-ChildItem on a UNC path. When running the command manually on the host
>>>> it works, but when executing as playbook with Ansible I get "Access
>>>> Denied." Below is my configuration and the verbose output I receive. Any
>>>> help or suggestions would be greatly appreciated.
>>>>
>>>> Environment:
>>>> user@ansible:~/ansible> pip list 2>/dev/null | grep -i pywinrm
>>>> pywinrm (0.2.0)
>>>>
>>>> user@ansible:~/ansible> ansible --version
>>>> ansible 2.1.0.0
>>>> config file = /home/user/ansible/ansible.cfg
>>>> configured module search path = Default w/o overrides
>>>>
>>>> user@ansible:~/ansible> cat /etc/*-release
>>>> NAME="SLES"
>>>> VERSION="11.4"
>>>> VERSION_ID="11.4"
>>>> PRETTY_NAME="SUSE Linux Enterprise Server 11 SP4"
>>>> ID="sles"
>>>> ANSI_COLOR="0;32"
>>>> CPE_NAME="cpe:/o:suse:sles:11:4"
>>>> SUSE Linux Enterprise Server 11 (x86_64)
>>>> VERSION = 11
>>>> PATCHLEVEL = 4
>>>>
>>>> Inventory excerpt:
>>>> [all:vars]
>>>> ansible_ssh_port=5986
>>>> ansible_connection=winrm
>>>> ansible_winrm_transport=kerberos
>>>> ansible_winrm_kerberos_delegation=yes
>>>> [email protected]
>>>> ansible_winrm_server_cert_validation=ignore
>>>>
>>>> Playbook output:
>>>> user@ansible:~/ansible> ansible-playbook test.yml -i inventories/domain -vvvvv
>>>> Using /home/user/ansible/ansible.cfg as config file
>>>> Loaded callback default of type stdout, v2.0
>>>>
>>>> PLAYBOOK: test.yml *************************************************************
>>>> 1 plays in test.yml
>>>>
>>>> PLAY [list unc] ****************************************************************
>>>>
>>>> TASK [list unc] ****************************************************************
>>>> task path: /home/user/ansible/test.yml:6
>>>> <dc1.domain.com> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO dc1.domain.com
>>>> <dc1.domain.com> WINRM CONNECT: transport=kerberos endpoint= https://dc1.domain.com:5986/wsman
>>>> <dc1.domain.com> WINRM OPEN SHELL: 33CC652E-0DED-4C66-B898-2860580A29A8
>>>> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
>>>> (New-Item -Type Directory -Path $env:temp -Name "ansible-tmp-1473809521.62-137672088908702").FullName | Write-Host -Separator '';
>>>> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', u'-EncodedCommand',
>>>> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOAAwADkANQAyADEALgA2ADIALQAxADMANwA2ADcAMgAwADgAOAA5ADAAOAA3ADAAMgAiACkALgBGAHUAbABsAE4AYQBtAGUAIAB8ACAAVwByAGkAdABlAC0ASABvAHMAdAAgAC0AUwBlAHAAYQByAGEAdABvAHIAIAAnACcAOwA=']
>>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "C:\\Users\\ansible_svc", err "">'
>>>> <dc1.domain.com> PUT "/home/user/ansible/test.ps1" TO "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1"
>>>> <dc1.domain.com> WINRM PUT "/home/user/ansible/test.ps1" to "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1" (offset=46 size=46)
>>>> <dc1.domain.com> EXEC & 'C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702\test.ps1'
>>>> <dc1.domain.com> WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand',
>>>> 'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABhAG4AcwBpAGIAbABlAF8AcwB2AGMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMAOAAwADkANQAyADEALgA2ADIALQAxADMANwA2ADcAMgAwADgAOAA5ADAAOAA3ADAAMgBcAHQAZQBzAHQALgBwAHMAMQAnAA==']
>>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "#< CLIXML\r\n<Objs Ver">'
>>>> <dc1.domain.com> EXEC Set-StrictMode -Version Latest
>>>> Remove-Item "C:\Users\ansible_svc\AppData\Local\Temp\ansible-tmp-1473809521.62-137672088908702" -Force -Recurse;
>>>> <dc1.domain.com> WINRM EXEC u'PowerShell' [u'-NoProfile', u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', u'-EncodedCommand',
>>>> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGEAbgBzAGkAYgBsAGUAXwBzAHYAYwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADcAMwA4ADAAOQA1ADIAMQAuADYAMgAtADEAMwA3ADYANwAyADAAOAA4ADkAMAA4ADcAMAAyACIAIAAtAEYAbwByAGMAZQAgAC0AUgBlAGMAdQByAHMAZQA7AA==']
>>>> <dc1.domain.com> WINRM RESULT u'<Response code 0, out "", err "">'
>>>> <dc1.domain.com> WINRM CLOSE SHELL: 33CC652E-0DED-4C66-B898-2860580A29A8
>>>> changed: [dc1.domain.com] => {"changed": true, "invocation":
>>>> {"module_args": {"_raw_params": "/home/user/ansible/test.ps1"},
>>>> "module_name": "script"}, "rc": 0, "stderr": "Get-ChildItem : Access is
>>>> denied\r\nAt
>>>> C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473809521.62-1376720889\r\n08702\\test.ps1:1
>>>> char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+
>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo :
>>>> PermissionDenied: (\\\\sccm01\\SMS_ABC\\Client \r\n:String)
>>>> [Get-ChildItem], UnauthorizedAccessException\r\n+ FullyQualifiedErrorId :
>>>> ItemExistsUnauthorizedAccessError,Microsoft.Powe
>>>> \r\nrShell.Commands.GetChildItemCommand\r\n\r\nGet-ChildItem : Cannot find
>>>> path '\\\\sccm01\\SMS_ABC\\Client' because it \r\ndoes not exist.\r\nAt
>>>> C:\\Users\\ansible_svc\\AppData\\Local\\Temp\\ansible-tmp-1473809521.62-1376720889\r\n08702\\test.ps1:1
>>>> char:1\r\n+ Get-ChildItem \"\\\\sccm01\\SMS_ABC\\Client\"\r\n+
>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n+ CategoryInfo :
>>>> ObjectNotFound: (\\\\sccm01\\SMS_ABC\\Client:S \r\ntring) [Get-ChildItem],
>>>> ItemNotFoundException\r\n+ FullyQualifiedErrorId :
>>>> PathNotFound,Microsoft.PowerShell.Commands.GetCh \r\nildItemCommand\r\n",
>>>> "stdout": "", "stdout_lines": []}
>>>>
>>>> PLAY RECAP *********************************************************************
>>>> dc1.domain.com : ok=1 changed=1 unreachable=0 failed=0
>>>>
>>>> user@ansible:~/ansible>
>>>>

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/ff039621-3b7e-458c-b249-4435b947f3a9%40googlegroups.com.
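The two checks Jon suggests (klist and the logon events in Event Viewer), written up as an added PowerShell diagnostic that is not part of this thread. It assumes the account name ansible_svc from the quoted temp path and must run on the target host with rights to read the Security log; run it once from an Ansible `script` task and once in an RDP session, then compare.

```powershell
# Added diagnostic, not from the thread: checks the two things Jon suggests
# (klist and the Security-log logon events) on the Windows target.
# Run it once from an Ansible 'script' task and once in an RDP session as
# the same account, then compare. Reading the Security log needs admin rights.
param(
    # Assumed: the account Ansible connects as (taken from the quoted temp path).
    [string]$Account = 'ansible_svc'
)

# 1. Ticket cache. A session that can make the second hop (WinRM host -> file
#    server) holds a TGT whose flags include 'forwarded'; a plain network logon
#    holds no TGT at all, so the SMB hop has nothing to authenticate with and
#    the share answers "Access is denied".
$entries = (klist 2>&1 | Out-String) -split '(?m)^#\d+>'
$tgts    = @($entries | Where-Object { $_ -match 'Server:\s+krbtgt/' })
$fwd     = @($tgts    | Where-Object { $_ -match 'Ticket Flags.*\bforwarded\b' })
[pscustomobject]@{
    Check  = 'TGT present in ticket cache'
    Result = ($tgts.Count -gt 0)
}
[pscustomobject]@{
    Check  = 'TGT carries the forwarded flag (delegation worked)'
    Result = ($fwd.Count -gt 0)
}

# 2. Logon audit. Event 4624 records the impersonation level the host granted:
#    %%1833 (Delegation) allows the onward hop, %%1832 (Impersonation) does not.
$levels = @{ '%%1830' = 'Anonymous'; '%%1831' = 'Identification'
             '%%1832' = 'Impersonation'; '%%1833' = 'Delegation' }
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -ne $Account) { return }   # skip other accounts
    [pscustomobject]@{
        Time          = $_.TimeCreated
        LogonType     = $data['LogonType']            # 3 = network (WinRM), 10 = RDP
        AuthPackage   = $data['AuthenticationPackageName']
        Impersonation = $levels[$data['ImpersonationLevel']]
        SourceAddress = $data['IpAddress']
    }
}
```

If the WinRM run shows LogonType 3 with Impersonation rather than Delegation, or no forwarded TGT, the ticket was never forwarded by the controller side, which is the point at which to involve the AD administrators as Jon recommends.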
