Windows host management via WinRM (Kerberos) from Mac clients

Huskers79 · September 18, 2024, 5:34pm

Good day,

We are having issues managing Windows hosts from Mac clients when the Ansible user is not the user logged into the Mac client. It appears the Kerberos ticket of the logged in user is always utilized. This is for both manual and managed ansible_winrm_kinit_mode. Setting KRB5CCNAME to point to the cache of the Ansible user works for klist, kinit, etc, but it does not appear to be honored when calling ansible.

As a workaround we can kdestroy the logged in user’s cache, but this negatively impacts other activities on the client. When only the Ansible user’s cache exists Ansible works as expected.

Is there anyway to direct ansible to a specific Kerberos cache?

Thank you for any assistance you can provide.

Huskers79 · October 10, 2024, 1:11pm

Do you have any recommendations here @jborean ?

Thank you.

jborean · October 10, 2024, 9:29pm

macOS uses the API ccache which is managed by some system service and is tied to the user. You can set the krb5.conf to change the default ccache to something else like FILE that is accessible by both the normal user and whatever is running Ansible. Keep in mind macOS can be difficult with GSSAPI due to the fork/exec problem present with how Ansible runs each worker. Some things work but others can fail.

Topic		Replies	Views
Ansible.builtin.wait_for issue weird behaviour with kerberos Get Help awx , collections , windows	7	188	February 10, 2024
Ansible - Bad HTTP Response Get Help ansible-core , windows	1	87	November 13, 2024
WinRM on APT Ansible installation Get Help ubuntu , windows , ssh , winrm	9	600	October 15, 2023
Ansible Uses Random Hostname despite having DNS setup Get Help windows , aap	4	32	September 23, 2024
Winrm commands through a jumphost Get Help collections , windows , aws , winrm	0	305	December 22, 2023

Windows host management via WinRM (Kerberos) from Mac clients

Related topics