Hi, for some reason I'm really struggling with executing domain-related activities on Windows machines that are domain members. Two specific things that I'm trying to do are Rename-Computer and Remove-Computer. Note that I am using Kerberos for authentication and am not passing through credentials stored in any files.
When I try Rename-Computer I get an access denied error. If I supply the "DomainCredential" switch to include my username, the Ansible task simply sits there forever and I have to cancel the task.
Anyone have similar experiences? Ideas?
Kerberos auth is likely your problem: as soon as you rename the computer, the Kerberos service ticket is no longer valid, as it has the original hostname baked into it.
I see two options that might work: either use NTLM or CredSSP (at least for that task), or do the rename as a "run now-ish" scheduled task (you'd still need to avoid a race where the rename occurs before the Ansible task that schedules it has returned).
This could probably also be fixed by having pywinrm/requests-kerberos only pass the Kerberos auth headers on the initial connection (since it reuses the underlying HTTP connection), but that's not compliant with the HTTP RFC and will likely cause problems for people running through proxies and other things that might cause the underlying connection to be broken. This is the way the Microsoft PS client stack does it, but I'm not sure how much hassle it'd be to implement (it's several layers away from the Ansible code in requests-kerberos); doing it right might require changes to requests/urllib3 directly.
-Matt
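As an added illustration (not code from this thread or from the Ansible project), here is one way to put Matt's two options into an Ansible play: the first task overrides the WinRM transport to CredSSP for the rename only, the second schedules the rename with a short delay so it runs after the Kerberos-authenticated Ansible task has already returned. It assumes the ansible.windows collection, a target with CredSSP enabled as a WSMan server, pywinrm installed with CredSSP support on the controller, and the placeholder variables new_hostname, rename_method, rename_user and rename_password.

```yaml
# Added example: two approaches to renaming a domain-joined host over WinRM
# when the Kerberos service ticket becomes invalid after the rename.
- name: Rename a domain member without losing the WinRM session
  hosts: win_clients
  gather_facts: false
  vars:
    new_hostname: "NEWNAME01"          # constructed placeholder
    rename_method: credssp             # or: scheduled
    rename_user: "EXAMPLE\\svc_rename" # placeholder domain account with rename rights
    rename_password: "{{ vault_rename_password }}"  # keep the secret in Ansible Vault

  tasks:
    # Option 1: use CredSSP for this task only. The per-task 'vars' override the
    # connection variable, so the rest of the play keeps using Kerberos.
    - name: Rename via CredSSP (session is not tied to the old hostname's ticket)
      ansible.windows.win_shell: |
        Rename-Computer -NewName '{{ new_hostname }}' -Force
      vars:
        ansible_winrm_transport: credssp
      when: rename_method == 'credssp'
      notify: reboot after rename

    # Option 2: register a one-off scheduled task. The PT1M delay on the
    # registration trigger is what avoids the race Matt mentions: the rename
    # fires only after this Ansible task has returned over the existing session.
    - name: Schedule the rename to run one minute after registration
      ansible.windows.win_scheduled_task:
        name: AnsibleRenameComputer
        actions:
          - path: powershell.exe
            arguments: >-
              -NoProfile -ExecutionPolicy Bypass -Command
              "Rename-Computer -NewName '{{ new_hostname }}' -Force -Restart"
        triggers:
          - type: registration
            delay: PT1M
        username: "{{ rename_user }}"
        password: "{{ rename_password }}"
        logon_type: password
        run_level: highest
        state: present
      when: rename_method == 'scheduled'

  handlers:
    - name: reboot after rename
      ansible.windows.win_reboot:
      vars:
        ansible_winrm_transport: credssp
```

With the scheduled variant, any later tasks in the same run must not depend on the host's old name, since the reboot happens outside Ansible's control.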