NTLM Delegation


Karol Olczak

Jul 18, 2016, 5:19:35 AM
to Ansible Project
Do Ansible 2.1 and pywinrm 0.2.p support NTLM delegation, or only Kerberos delegation?
If not, when can we expect NTLM delegation functionality to be implemented?

Regards
Karol

Andrea Tartaglia

Jul 18, 2016, 5:23:04 AM
to ansible...@googlegroups.com
Hi Karol,

Yes, with pywinrm 0.2 you can use NTLM to connect to your Windows hosts. Just as a side note, this doesn’t have a lot to do with Ansible itself, as it will only use whatever method pywinrm supports. To have NTLM support you should follow the pywinrm docs (if I’m not wrong, the only key package should be requests[Kerberos]).


--
A.
>--
>You received this message because you are subscribed to the Google Groups "Ansible Project" group.
>To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
>To post to this group, send email to ansible...@googlegroups.com.
>To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/f86ada9d-3773-423d-833a-0fd5595459d9%40googlegroups.com.
>For more options, visit https://groups.google.com/d/optout.


Karol Olczak

Jul 18, 2016, 5:49:52 AM
to Ansible Project
I am afraid there is only Kerberos delegation support ...

Andrea Tartaglia

Jul 18, 2016, 6:00:41 AM
to ansible...@googlegroups.com
I am definitely using NTLM for my Windows hosts. I have the following packages installed:
Requests 2.10.0
Requests-kerberos 0.10.0
Requests-ntlm 0.3.0
Pywinrm 0.2.0

Just make sure you have “ansible_winrm_transport: ntlm” set in your vars.
You should also set your remote_user in the “DOMAIN\USER” form; if you use “user@domain” it should use Kerberos anyway.
--
A.

On 18/07/2016, 10:49, "Karol Olczak" <ansible...@googlegroups.com on behalf of karol....@gmail.com> wrote:

>I am afraid there is only kerberos delegation support ...

J Hawkesworth

Jul 19, 2016, 5:01:22 AM
to Ansible Project, m...@andreatartaglia.com
Just to clarify, delegation here means the ability to pass logged-in credentials along to the remote host so that you can have the same rights and permissions on the remote host. This lets you do things like use remote shares in your playbooks.

You can use NTLM with pywinrm 0.2.0, but I believe the credentials will only allow you 'single hop' access to a remote machine. You can't then use resources on other Windows machines from the one you are controlling remotely without delegation, and it's my understanding that is only available via Kerberos right now.
Jon

Matt Davis

Jul 21, 2016, 2:48:00 PM
to Ansible Project, m...@andreatartaglia.com
I don't believe NTLM credential delegation is supported by WinRM (I've not been able to find anything about it), which means by definition it wouldn't be supported by Ansible either.

That said, I've been experimenting with various mechanisms for become support on Windows (soft target for Ansible 2.3), most of which would get you effectively the same behavior.