NTLM Delegation

Does Ansible 2.1 and pywinrm 0.2.p support NTLM delegation or only kerberos delegation ?
If not, when can we expect to implement NTLM delegation functionality ?

Regards
Karol

Hi Karol,

Yes, with pywinrm 0.2 you can use NTLM to connect to your windows hosts. Just as a side note this doesn’t have a lot to do with ansibile itself as it will only use whatever method pywinrm supports. To have NTLM support you should follow the pywinrm docs ( If I’m not wrong the only key package should be requests[Kerberos] ).

I am afraid there is only kerberos delegation support ...

I am definitely using NTLM for my windows hosts. I have the following packages installed:
Requests 2.10.0
Requests-kerberos 0.10.0
Requests-ntlm 0.3.0
Pywinrm 0.2.0

Just make sure you set “ansible_winrm_transport: ntlm” set in your vars.
You should also set your remote_user in the “DOMAIN\USER” form, if you use “user@domain” it should use Kerberos anyway.

Just to clarify, delegation here means the ability to pass logged in credentials along to the remote host so that you can have the same rights and permssions on the remote host. This lets you do things like use remote shares in your playbooks.

You can use NTLM with pywinrm 0.2.0 but I believe the credentials will only allow you ‘single hop’ access to a remote machine. You can’t then use resources on other windows machines from the one you are controlling remotely without delegation, and its my understanding that is only available via kerberos right now.
Jon

I don’t believe NTLM credential delegation is supported by WinRM (I’ve not been able to find anything about it), which means by definition it wouldn’t be supported by Ansible either.

That said, I’ve been experimenting with various mechanisms for become support on Windows (soft target for Ansible 2.3), most of which would get you effectively the same behavior.