Pre-2.1, Ansible *only* supported the "default" Kerberos principal, so folks needing more than one Kerberos principal at a time (eg, multiple principals in parallel or the ability to switch principals mid-run) were hosed. With 2.1 and later (and some associated fixes to pykerberos and requests_kerberos), we actually use ansible_user (when specified) to look up the right user. If it's not specified, we revert to the default principal behavior that 2.0 and previous used.
Why are you specifying a nonsensical value for ansible_user instead of just leaving it blank? If you need to set it back to null at the host level for some reason, you can do that in YAML (eg host_vars) with the ~ character as the value, or by using !!null. I don't believe those work in .ini inventory, though. I'd strongly suggest you just not set it to a garbage value, though. -Matt On Monday, November 14, 2016 at 7:42:52 AM UTC-8, mmcgrellis mmcgrellis wrote: > > We have a current setup that works using Ansible v2.0.0 in which we > specify ansible_ssh_user in inventory exactly as follows. > > ansible_ssh_user: user@realm > > When running playbooks we use kinit to get a kerberos ticket using real > credentials ([email protected]) and everything works. > That is ansible uses the kerberos ticket for [email protected] > and we can successfully connect to Windows servers. > > > However, behavior in Ansible 2.1 and 2.2 is different. When using the > newer versions, Ansible tries to connect with the fake user@realm username, > ignoring our kerberos ticket and hence failing to connect. > - changing ansible_ssh_user to ansible_user makes no difference > - specifying the [email protected] with the -u option on the > command line makes no difference > > What does work is setting ansible_user to [email protected] in > the inventory. However, this is problematic as we have several users and > don't want to have to constantly change our inventory depending on which > user is actually running playbooks. > > Am I missing something or did something change in regards to behavior? Is > there some way to get the old behavior? > > Thanks. > > > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/14c56364-10a5-46f5-a199-b5d7b37a77ac%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
