and then I am running this with ansible -i inventories/my_inventory.ini target_host copy_test.yml -u ansible_user_name -k -K
and get an error indicating that the file does not exist. I have verified that the files do exist, and that the user has permissions to them.
I’ve been working through both the double hop and WinRM setup guides, specifically around Kerberos and delegation.
Additionally, this “used to work” (as reported by the playbook authors).
The only thing I’ve found that might be relevant is CVE-2025-26647 indicating a change in Kerberos from Microsoft. My initial read of the provided documentation doesn’t seem like it would specifically impact this authentication flow, but the timing is too suspicious to ignore.
Has anyone seen similar issues since that patch was deployed? Does anyone know of any workarounds (either in Ansible directly, or domain changes)?
> The only thing I’ve found that might be relevant is CVE-2025-26647 indicating a change in Kerberos from Microsoft
That CVE is for Kerberos certificates and not something relevant to your playbook. Also, just to be clear, the become work used in Ansible is not related to Kerberos delegation; it is something done outside of the authentication mechanism that Kerberos sits at.
One thing I highly recommend you do is try it out with a hardcoded ansible_become_user and ansible_become_pass variable. That way you can completely rule out whether an incorrect variable or some other reference is not passing through properly.
```yaml
- name: "Copy File From Network Share"
  ansible.windows.win_copy:
    src: \\path\to\file.txt
    dest: C:\Temp\Test\
    remote_src: True
  become: True
  become_method: runas
  become_flags: logon_type=new_credentials logon_flags=netcredentials_only
  vars:
    ansible_become_user: hard code username
    ansible_become_pass: hard code password
```
This is just for a test to run with and verify whether become is working or not. I wouldn’t recommend using this method in a real environment.
If you were wanting to try out Kerberos delegation without become then using klist.exe on the remote side is your friend. It’ll show the Kerberos TGT information for the current session. Kerberos Authentication — Ansible Community Documentation goes into a lot more detail around Kerberos delegation and how to debug things there.
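The two checks suggested in the reply above can be combined into one diagnostic playbook. This is an added example, not code from the thread or from the Ansible project; the host pattern, the `test_become_*` and `share_file` names and the UNC path are placeholders, and the credentials are prompted for at run time so they are never written to a file while still bypassing inventory or vault lookups.

```yaml
# Added diagnostic playbook (not from the thread).
# Replace the host pattern and the UNC path with your own values.
- name: Separate become/credential problems from win_copy problems
  hosts: target_host
  gather_facts: false
  vars_prompt:
    - name: test_become_user          # hypothetical variable name
      prompt: "Become user (user@REALM or DOMAIN\\user)"
      private: false
    - name: test_become_pass          # hypothetical variable name
      prompt: "Become password"
      private: true                   # input is not echoed
  vars:
    share_file: \\path\to\file.txt    # placeholder path, as in the thread
  tasks:
    # Without become: shows which Kerberos tickets the WinRM logon session holds.
    - name: List Kerberos tickets in the connection's logon session
      ansible.windows.win_command: klist.exe
      register: klist_out
      changed_when: false

    - name: Show the ticket list
      ansible.builtin.debug:
        var: klist_out.stdout_lines

    # With become: the task runs locally as the connection user, but outbound
    # network authentication uses the prompted credentials.
    - name: Stat the share file using network-only credentials
      ansible.windows.win_stat:
        path: "{{ share_file }}"
      become: true
      become_method: runas
      become_flags: logon_type=new_credentials logon_flags=netcredentials_only
      vars:
        ansible_become_user: "{{ test_become_user }}"
        ansible_become_pass: "{{ test_become_pass }}"
      register: share_stat

    - name: Fail clearly if the become identity cannot see the file
      ansible.builtin.assert:
        that:
          - share_stat.stat.exists
        fail_msg: "{{ share_file }} is not visible with the supplied network credentials"
        success_msg: "become works for the share; look at win_copy arguments or variable lookups next"
```

If the assert passes here but the original task still fails, the credentials and become flags are fine and the difference lies in how the original playbook resolves its become variables.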