yes it does, thank you. does this not seem like a bug?
On Wednesday, August 19, 2015 at 2:40:53 PM UTC+3, J Hawkesworth wrote:
>
> I think this is because when you logged into the machine, as part of the login process a kerberos ticket has been cached for the user you logged in as.
>
> When ansible runs, the winrm connection plugin determines that you want to connect via kerberos (there is a bit of guessing going on here, from memory it is assumed you want to connect using kerberos based on having an @ in the ansible_ssh_user and having the python kerberos library loaded).
>
> The actual authorisation is then handled by the kerberos library and since you have a kerberos ticket (as a result of logging in), I suspect it is using that.
>
> If you can I suggest you install krb5-workstation and then log in as whichever user, then try running klist to see what tickets are cached for your user.
>
> if you want to manually create a ticket for the other user, you can do that like this:
>
> kinit user@FULLY.QUALIFIED.DOMAIN
>
> (note domain name must be in upper case).
>
> Does that clarify things at all?
>
> On Wednesday, August 19, 2015 at 11:38:26 AM UTC+1, Amir Luzon wrote:
>>
>> LDAP user is a user in the active directory.
>>
>> "and ansible is then attempting to use your kerberos credentials to talk to your windows machines." - but we configured the "ansible_ssh_user" to a specific user and it is not using that user but the user logged in to the control machine...why is that?
>>
>> The control machine is: Linux version 2.6.32-504.16.2.el6.x86_64 (mock...@c6b9.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC) )
>>
>> On Wednesday, August 19, 2015 at 12:56:53 PM UTC+3, J Hawkesworth wrote:
>>>
>>> Not hit this - I'm not sure what you mean by 'LDAP (windows) users' but if you are logging in to your ansible controller using a windows domain user, and password then chances are you are using kerberos and ansible is then attempting to use your kerberos credentials to talk to your windows machines.
>>>
>>> You don't mention which OS you are running your ansible controller on but if you have krb5-workstation (yum package) or apt-get equivalent installed, you can run the command
>>>
>>> klist
>>>
>>> which will show any kerberos credentials you have. I suspect ansible is using these.
>>>
>>> If I'm right then I think your options are
>>>
>>> a/ use a local user on your windows machines (change ansible_ssh_user=some_local_user not a user@domain)
>>>
>>> b/ log in to your ansible controller as a domain user with suitable privileges for whatever it is you need to do on your windows machines and change your ansible_ssh_user=domain_user_you_logged_in_to_ansible_as@DOMAIN
>>>
>>> Hope the above helps
>>>
>>> Jon
>>>
>>> On Wednesday, August 19, 2015 at 9:19:46 AM UTC+1, Amir Luzon wrote:
>>>>
>>>> hi guys,
>>>>
>>>> our control machine is configured so that we can login to the machine with our LDAP (windows) users. from there we run ansible playbooks.
>>>>
>>>> here are some of the configurations we use:
>>>>
>>>> [windows:vars]
>>>> ansible_ssh_user=[DeployUser]@[OurDomain]
>>>> ansible_ssh_pass=password
>>>> ansible_connection=winrm
>>>>
>>>> the [DeployUser] is not the same as the LDAP user to login to the ansible control machine.
>>>>
>>>> yet when running powershell modules on a windows machine we noticed that Ansible will use the LDAP user used to login to control machine and not the user configured in the hosts file on ansible_ssh_user.
>>>>
>>>> from what i understand ansible should use the ansible_ssh_user on windows machine to do whatever but for us it uses the LDAP user???
>>>>
>>>> anyone encounter this issue? please help!
>>>>
>>>> thanks in advance
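
The comparison suggested in the thread (the principal shown by `klist` against the configured `ansible_ssh_user`) can be run as a pre-flight check on the control machine. This is an added example, not part of the original thread or of Ansible: the function names are hypothetical, the sample inventory and `klist` text are constructed, and the MIT `klist` "Default principal:" line format is assumed.

```python
import configparser
import re

# Constructed sample of MIT `klist` output (assumed format, not from the thread).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ldapuser@EXAMPLE.COM

Valid starting     Expires            Service principal
08/19/15 09:00:01  08/19/15 19:00:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Constructed inventory in the shape posted in the thread.
SAMPLE_INVENTORY = """\
[windows:vars]
ansible_ssh_user=deployuser@example.com
ansible_ssh_pass=password
ansible_connection=winrm
"""

def cached_principal(klist_output):
    """Return the default principal from `klist` output, or None if no ticket is cached."""
    m = re.search(r"^Default principal:\s*(\S+)\s*$", klist_output, re.MULTILINE)
    return m.group(1) if m else None

def inventory_user(inventory_text, section="windows:vars"):
    """Read ansible_ssh_user from an INI inventory; bare host lines are tolerated."""
    parser = configparser.ConfigParser(
        interpolation=None, allow_no_value=True, delimiters=("=",))
    parser.read_string(inventory_text)
    return parser.get(section, "ansible_ssh_user", fallback=None)

def check_identity(klist_output, inventory_text):
    """Return (code, message) findings; an empty list means the identities agree."""
    user = inventory_user(inventory_text)
    if not user or "@" not in user:
        return [("NO_REALM", "ansible_ssh_user is not in user@DOMAIN form")]
    findings = []
    name, realm = user.rsplit("@", 1)
    if realm != realm.upper():  # the thread notes kinit needs the domain in upper case
        findings.append(("REALM_CASE", f"use {name}@{realm.upper()} with kinit"))
    principal = cached_principal(klist_output)
    if principal is None:
        findings.append(("NO_TICKET", f"no cached ticket; kinit {name}@{realm.upper()}"))
    elif principal.lower() != user.lower():
        findings.append(("MISMATCH", f"cached ticket is for {principal}, inventory says {user}"))
    return findings

if __name__ == "__main__":
    for code, message in check_identity(SAMPLE_KLIST, SAMPLE_INVENTORY):
        print(code, message)
```

In practice, feed it the real output of `klist` captured on the controller; a `MISMATCH` finding corresponds to the situation reported in this thread.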