Windows host management via WinRM (Kerberos) from Mac clients

Good day,

We are having issues managing Windows hosts from Mac clients when the Ansible user is not the user logged into the Mac client. It appears the Kerberos ticket of the logged-in user is always utilized. This is for both manual and managed ansible_winrm_kinit_mode. Setting KRB5CCNAME to point to the cache of the Ansible user works for klist, kinit, etc., but it does not appear to be honored when calling ansible.

As a workaround we can kdestroy the logged-in user’s cache, but this negatively impacts other activities on the client. When only the Ansible user’s cache exists, Ansible works as expected.

Is there any way to direct Ansible to a specific Kerberos cache?

Thank you for any assistance you can provide.

Do you have any recommendations here @jborean?

Thank you.

macOS uses the API ccache which is managed by some system service and is tied to the user. You can set the krb5.conf to change the default ccache to something else like FILE that is accessible by both the normal user and whatever is running Ansible. Keep in mind macOS can be difficult with GSSAPI due to the fork/exec problem present with how Ansible runs each worker. Some things work but others can fail.
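One way to apply the krb5.conf change described above and confirm which cache type a config selects, as an added shell example that is not from the thread or from Ansible itself; the realm, the /tmp cache directory, the %{uid} file naming and the use of KRB5_CONFIG to point at the file are assumptions:

```shell
#!/bin/sh
# Added example, not code from the thread. Renders a krb5.conf that moves the
# default credential cache from macOS's per-user API: cache to a FILE: cache,
# and reports the cache type a given krb5.conf selects.
# Realm, cache directory and the %{uid} template are assumptions.

# Print a minimal krb5.conf for REALM using a FILE ccache under CACHE_DIR.
# Each Unix user gets its own file via %{uid}, so the Ansible user's ticket
# no longer competes with the logged-in user's API ccache.
render_krb5_conf() {
  realm="$1"; cache_dir="$2"
  cat <<EOF
[libdefaults]
    default_realm = $realm
    default_ccache_name = FILE:$cache_dir/krb5cc_%{uid}
    dns_lookup_kdc = true
EOF
}

# Print the scheme (FILE, API, KCM, ...) of default_ccache_name in CONF,
# or "unset" when the directive is absent (macOS then falls back to API).
ccache_type_from_conf() {
  conf="$1"
  scheme=$(sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*\([A-Za-z]*\):.*/\1/p' "$conf" | head -n 1)
  if [ -z "$scheme" ]; then echo unset; else echo "$scheme"; fi
}

# Usage: write the config, check the cache type, then run kinit and Ansible
# with KRB5_CONFIG pointing at it (assumed; env var supported by Heimdal and MIT).
tmpconf=$(mktemp)
render_krb5_conf EXAMPLE.COM /tmp > "$tmpconf"
echo "ccache type: $(ccache_type_from_conf "$tmpconf")"
# KRB5_CONFIG="$tmpconf" kinit ansible@EXAMPLE.COM
# KRB5_CONFIG="$tmpconf" ansible -i hosts windows -m win_ping
rm -f "$tmpconf"
```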