How to force ansible to use http + kerberos (error WINRM CONNECTION ERROR: 401 Unauthorized.)

ansible, winrm

I am configuring ansible (CentOS 6.7) to connect to a Windows machine using http, WinRM and Kerberos.

From the /etc/ansible/host file

[training]
machinename:5985

I have set a host-specific yaml file:

ansible_winrm_scheme: http
ansible_port: 5985
ansible_connection: winrm

Then, the following command

 ansible machinename -m win_ping -vvvv

errors with the following:

<machinename > ESTABLISH WINRM CONNECTION FOR USER: jnambood on PORT 5985 TO machinename 
<machinename > WINRM CONNECT: transport=plaintext endpoint=http://machinename :5985/wsman
<machinename > WINRM CONNECTION ERROR: 401 Unauthorized.


<machinename > WINRM CONNECT: transport=plaintext endpoint=https://machinename :5985/wsman
<machinename > WINRM CONNECTION ERROR: 500 WinRMTransport. [Errno 1] _ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
machinename  | FAILED => 500 WinRMTransport. [Errno 1] _ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Ansible tried http and got a 401 error. How can I fix it?

Best Answer

If you have installed the kerberos module and ansible_user contains @ (e.g. username@realm), Ansible will first attempt Kerberos authentication. This method uses the principal you are authenticated to Kerberos with on the control machine and not ansible_user. If that fails, either because you are not signed into Kerberos on the control machine or because the corresponding domain account on the remote host is not available, then Ansible will fall back to “plain” username/password authentication. ~Ansible Windows Introduction

$ cat ansible/group_vars/os-windows.yml
# <user>@<realm> means use principal in krb5cc, name here doesn't matter
ansible_ssh_user: use@KERBEROS
ansible_ssh_port: 5985
ansible_connection: winrm

$ ansible host.ad.example.com -m win_ping -o
host.ad.example.com | success >> {"changed": false, "ping": "pong"}
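The answer above turns on two details that are easy to get wrong: Ansible only tries Kerberos when the user variable contains `@`, and it then uses whatever ticket is in the control machine's credential cache rather than that user name; and the scheme has to match the listener port, which is why the question's log shows the https attempt on 5985 failing with an SSL "unknown protocol" error. The pre-flight script below is an added example and not part of the question, the answer or Ansible itself. It assumes a flat `key: value` vars file (hypothetical path passed as the first argument), that `klist` may or may not be installed on the control machine, and it treats a missing `ansible_winrm_scheme` as something it cannot judge; the two vars files it writes are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original question or answer): pre-flight check of
# WinRM connection vars before running `ansible <host> -m win_ping`.

# Read one flat "key: value" entry from a vars file; prints the value or nothing.
var_get() {
    # $1 = vars file, $2 = key
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Returns 0 when the vars would make Ansible try Kerberos first, 1 otherwise.
# Ansible keys on '@' in the user name (user@REALM); the part before '@' is
# ignored because the principal in the credential cache is what gets used.
uses_kerberos_principal() {
    user=$(var_get "$1" ansible_ssh_user)
    [ -z "$user" ] && user=$(var_get "$1" ansible_user)
    case "$user" in
        *@*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Returns 0 when scheme and port agree (http/5985, https/5986) or no scheme is
# set, 1 on a mismatch such as https on 5985, which the listener (plain HTTP)
# answers with bytes that are not a TLS ServerHello.
scheme_port_consistent() {
    scheme=$(var_get "$1" ansible_winrm_scheme)
    port=$(var_get "$1" ansible_ssh_port)
    [ -z "$port" ] && port=$(var_get "$1" ansible_port)
    [ -z "$scheme" ] && return 0   # assumption: let Ansible pick its default
    case "$scheme:$port" in
        http:5985|https:5986) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when a usable Kerberos ticket is in the credential cache, 1 when not,
# 2 when klist is not installed (cannot tell).
have_krb_ticket() {
    command -v klist >/dev/null 2>&1 || return 2
    klist -s
}

# Prints findings; exit status 1 only for the scheme/port mismatch, since a
# missing ticket just makes Ansible fall back to password authentication.
preflight() {
    rc=0
    if uses_kerberos_principal "$1"; then
        echo "ok: user contains '@', Kerberos will be tried first"
        ticket_rc=0
        have_krb_ticket || ticket_rc=$?
        case $ticket_rc in
            0) echo "ok: valid ticket in credential cache" ;;
            1) echo "warn: no valid ticket; run kinit or Ansible falls back to password auth" ;;
            *) echo "info: klist not installed, cannot check credential cache" ;;
        esac
    else
        echo "info: user has no '@', Kerberos will not be attempted"
    fi
    if scheme_port_consistent "$1"; then
        echo "ok: scheme and port agree"
    else
        echo "error: ansible_winrm_scheme and port disagree (http=5985, https=5986)"
        rc=1
    fi
    return $rc
}

# Constructed sample vars files (not from the page), written to temp files.
good_vars=$(mktemp); bad_vars=$(mktemp)
trap 'rm -f "$good_vars" "$bad_vars"' EXIT
cat > "$good_vars" <<'EOF'
ansible_winrm_scheme: http
ansible_ssh_user: use@KERBEROS
ansible_ssh_port: 5985
ansible_connection: winrm
EOF
cat > "$bad_vars" <<'EOF'
ansible_winrm_scheme: https
ansible_user: jnambood
ansible_port: 5985
ansible_connection: winrm
EOF

echo "== $good_vars =="; preflight "$good_vars"
echo "== $bad_vars ==";  preflight "$bad_vars"
```

Run it on your own host_vars file (`sh preflight.sh host_vars/machinename.yml`) before `ansible machinename -m win_ping -vvvv`; a `warn` line means `kinit` is needed first, and an `error` line means the scheme/port pair will never get past the transport layer regardless of authentication.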