Kerberos domain authentication for Windows hosts

Chris Church has domain auth basically functional at this point - stay tuned for some updates, that possibly require some contributions not yet in winrm upstream…

Thanks, this is great news. For what it's worth, using my plugin, I noticed a couple of intermittent failures today when running against more than a few hosts. I assume this is because I haven't implemented any synchronization around the calls to kinit.
So I look forward to Chris’ implementation. Happy to test when something is available.

Jon

Hi,

Has the function of Domain authentication for Windows been implemented?
I need to connect to a Windows host with a domain user; how can I implement it?

Thanks,
Jiuxiang

On Thursday, October 30, 2014 at 7:30:12 PM UTC-4, jhawkesworth wrote:

Hi,

I'm just a user of Ansible. Now I have a requirement of using Domain authentication for Windows, so I want to know how I can use this function.
Please let me know how to use it when you implement it, thanks.
I also pay attention to this topic.

Thanks.

On Saturday, December 27, 2014 at 12:57:57 AM UTC-5, Chris Church wrote:

I set up the build described above using NTLM authentication (DOMAIN\user).

I run "whoami", register the variable, and then run debug on the variable to confirm I am logged in as a domain user using NTLM credentials. When I try to run a long running process such as "setup.com /PrepareSchema" (this is the unattended setup command for installing Microsoft Exchange), the playbook errors out with:

failed to exec cmd D:\setup.com /PrepareSchema

The last line in the callback is:

ReadTimeout: HTTPSConnectionPool (host=‘x.x.x.x’, port =5986): Read timed out. (read timeout=10)

Shorter running processes will complete just fine.

Using a standard Ansible build and running the same command on the host can be completed using psexec and local credentials, but this complicates the playbook and I would prefer to use the correct credentials for the job.

Has anyone seen this or made it work in their environments?

Chris,

Thanks so much for your work on this. I'm working on a project to automate Windows updates for our application, and since domain auth was a must-have requirement, it wasn't looking good for Ansible as the orchestrator, until I found this thread and tried out your branches. Now domain auth over Kerberos is working just fine and we're sticking with Ansible. TGT management with kinit is not a problem at all for me. I just added a local task to my playbook to get kinit to request the TGT using an encrypted keytab file and everything is automated.

-David

If you're using Kerberos, you're probably running into double-hop authentication issues. Kerberos doesn't support double-hops. As your Exchange server tries to execute a schema update against a Domain Controller, I wouldn't be surprised if this is what's causing it.

I’m not using Kerberos, just NTLM if that makes a difference.

-Greg

Hey Chris,

I noticed this mention of Kerberos support in the stable-1.9 branch, but after spot-comparing some of the code there with your winrm_kerberos_support branch, it doesn't look like stable-1.9 has all of the changes you added for Kerberos yet. I've been using your fork for my project (which requires Kerberos domain auth) and it mostly works, but I'm still getting some timeouts on win2008r2, so I was wondering if it would be worthwhile to give stable-1.9 a try yet. Do you have a suggestion?

-David

Please do and report any issues you see; the reason for the release candidate is to catch bugs like this one.

Brian,

I tried using Kerberos on the stable-1.9 branch and it failed immediately with:

fatal: [updateMe1] => Traceback (most recent call last):
  File "/home/ansible/ansible/lib/ansible/runner/__init__.py", line 582, in _executor
    exec_rc = self._executor_internal(host, new_stdin)
  File "/home/ansible/ansible/lib/ansible/runner/__init__.py", line 785, in _executor_internal
    return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
  File "/home/ansible/ansible/lib/ansible/runner/__init__.py", line 960, in _executor_internal_inner
    conn = self.connector.connect(actual_host, actual_port, actual_user, actual_pass, actual_transport, actual_private_key_file, delegate_host)
  File "/home/ansible/ansible/lib/ansible/runner/connection.py", line 52, in connect
    self.active = conn.connect()
  File "/home/ansible/ansible/lib/ansible/runner/connection_plugins/winrm.py", line 147, in connect
    self.protocol = self._winrm_connect()
  File "/home/ansible/ansible/lib/ansible/runner/connection_plugins/winrm.py", line 87, in _winrm_connect
    cache_key = '%s:%s@%s:%d' % (self.user, hashlib.md5(self.password).hexdigest(), self.host, port)
TypeError: must be string or buffer, not None
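Added example, not from the thread and not Ansible's own code, covering two points raised above: a connection-cache key that does not fail when Kerberos auth leaves the password unset (the TypeError in the traceback), and a kinit-from-keytab helper that gives each run its own credential cache so parallel hosts do not race on the shared default cache (the intermittent failures mentioned earlier). Function names, the 'kerberos' transport value and the cache path prefix are assumptions.

```python
import hashlib
import os
import subprocess
import tempfile


def winrm_cache_key(user, password, host, port, transport='plaintext'):
    """Connection-cache key that tolerates the Kerberos case.

    The traceback shows a key built as
    '%s:%s@%s:%d' % (user, md5(password).hexdigest(), host, port),
    which raises TypeError when password is None. Under Kerberos there is
    no password at all: the credential is the TGT in the ticket cache.
    Hypothetical reconstruction, not Ansible's code.
    """
    if password is None:
        if transport != 'kerberos':
            # Fail with a clear message instead of a TypeError deep inside.
            raise ValueError('password required for %s transport' % transport)
        cred = 'krb5'
    else:
        # Digest so a changed password yields a new connection; the key
        # itself must never contain the password.
        cred = hashlib.sha256(password.encode('utf-8')).hexdigest()[:16]
    return '%s:%s@%s:%d/%s' % (user, cred, host, port, transport)


def kinit_from_keytab(principal, keytab, ccache=None):
    """Acquire a TGT non-interactively from a keytab with MIT kinit.

    A dedicated credential cache (-c) is used per run, so concurrent
    playbook runs do not overwrite each other's default cache.
    Returns the cache path to export as KRB5CCNAME for the winrm calls.
    Assumes MIT Kerberos 'kinit' is on PATH.
    """
    if ccache is None:
        fd, ccache = tempfile.mkstemp(prefix='krb5cc_ansible_')
        os.close(fd)  # kinit initialises (truncates) the file itself
    subprocess.run(['kinit', '-k', '-t', keytab, '-c', ccache, principal],
                   check=True)
    return ccache
```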