how to force ansible to use http + kerberos (error WINRM CONNECTION ERROR: 401 Unauthorized.)

1

I am setting up ansible (CentOS 6.7) to connect to a Windows machine using http, winRM and kerberos

From the file /etc/ansible/host

[training]
machinename:5985

I configured the host-specific yaml file

ansible_winrm_scheme: http
ansible_port: 5985
ansible_connection: winrm

Then the following command

 ansible machinename -m win_ping -vvvv

errors out with the following

<machinename > ESTABLISH WINRM CONNECTION FOR USER: jnambood on PORT 5985 TO machinename 
<machinename > WINRM CONNECT: transport=plaintext endpoint=http://machinename :5985/wsman
<machinename > WINRM CONNECTION ERROR: 401 Unauthorized.


<machinename > WINRM CONNECT: transport=plaintext endpoint=https://machinename :5985/wsman
<machinename > WINRM CONNECTION ERROR: 500 WinRMTransport. [Errno 1] _ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
machinename  | FAILED => 500 WinRMTransport. [Errno 1] _ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Ansible tried http and got a 401 error. How can I fix this?

    
by Jayan 10.10.2015 / 06:12

1 answer

2

If you have installed the kerberos module and ansible_user contains @ (e.g. username@realm), Ansible will first attempt Kerberos authentication. This method uses the principal you are authenticated to Kerberos with on the control machine and not ansible_user. If that fails, either because you are not signed into Kerberos on the control machine or because the corresponding domain account on the remote host is not available, then Ansible will fall back to “plain” username/password authentication. ~Ansible Windows Introduction

$ cat ansible/group_vars/os-windows.yml
# <user>@<realm> means use principal in krb5cc, name here doesn't matter
ansible_ssh_user: use@KERBEROS
ansible_ssh_port: 5985
ansible_connection: winrm

$ ansible host.ad.example.com -m win_ping -o
host.ad.example.com | success >> {"changed": false, "ping": "pong"}
    
by 10.10.2015 / 08:05
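An added example, not part of the original question or answer and not Ansible's own code: a small parser that reads the -vvvv lines shown in the question and maps each connection attempt onto the rule quoted in the answer. The function names and finding labels are hypothetical, the sample log is constructed from the question's output, and it assumes a Kerberos attempt would be logged as transport=kerberos.

```python
import re

# Constructed sample: the -vvvv lines from the question above.
SAMPLE_LOG = """\
<machinename > ESTABLISH WINRM CONNECTION FOR USER: jnambood on PORT 5985 TO machinename
<machinename > WINRM CONNECT: transport=plaintext endpoint=http://machinename :5985/wsman
<machinename > WINRM CONNECTION ERROR: 401 Unauthorized.
<machinename > WINRM CONNECT: transport=plaintext endpoint=https://machinename :5985/wsman
<machinename > WINRM CONNECTION ERROR: 500 WinRMTransport. [Errno 1] _ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
"""

USER_RE = re.compile(r"FOR USER: (\S+) on PORT (\d+)")
CONNECT_RE = re.compile(r"WINRM CONNECT: transport=(\S+) endpoint=(https?)://")
ERROR_RE = re.compile(r"WINRM CONNECTION ERROR: (\d{3})")


def parse_attempts(log_text):
    """Return (user, [(transport, scheme, status), ...]) from -vvvv output."""
    user, attempts = None, []
    for line in log_text.splitlines():
        if m := USER_RE.search(line):
            user = m.group(1)
        elif m := CONNECT_RE.search(line):
            attempts.append([m.group(1), m.group(2), None])
        elif (m := ERROR_RE.search(line)) and attempts:
            attempts[-1][2] = int(m.group(1))  # status of the latest attempt
    return user, [tuple(a) for a in attempts]


def diagnose(log_text):
    """Explain the attempts in terms of the '@realm' rule from the answer."""
    user, attempts = parse_attempts(log_text)
    findings = []
    if user and "@" not in user:
        findings.append("no-realm: user %r has no @realm, Kerberos is not tried" % user)
    if attempts and all(t != "kerberos" for t, _, _ in attempts):
        findings.append("no-kerberos: every attempt used a non-Kerberos transport")
    for transport, scheme, status in attempts:
        if transport == "plaintext" and scheme == "http":
            findings.append("cleartext: plaintext transport over http, no TLS (status %s)" % status)
        if scheme == "https" and status == 500:
            findings.append("tls-mismatch: https attempt failed at the transport level")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```
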
