我正在配置 ansible(CentOS 6.7)以使用 http、winRM 和 kerberos 连接到 Windows 机器
来自/etc/ansible/host文件
[training]
machinename:5985
我已经设置了主机特定的 yaml 文件
ansible_winrm_scheme: http
ansible_port: 5985
ansible_connection: winrm
然后,按照命令
ansible machinename -m win_ping -vvvv
出现以下错误
<machinename > ESTABLISH WINRM CONNECTION FOR USER: jnambood on PORT 5985 TO machinename
<machinename > WINRM CONNECT: transport=plaintext endpoint=http://machinename :5985/wsman
<machinename > WINRM CONNECTION ERROR: 401 Unauthorized.
<machinename > WINRM CONNECT: transport=plaintext endpoint=https://machinename :5985/wsman
<machinename > WINRM CONNECTION ERROR: 500 WinRMTransport. [Errno 1] _ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
machinename | FAILED => 500 WinRMTransport. [Errno 1] _ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Ansible 尝试 http,出现 401 错误。我该如何修复?
答案1
如果您安装了 kerberos 模块并且 ansible_user 包含 @(例如 username@realm),Ansible 将首先尝试 Kerberos 身份验证。此方法使用您在控制计算机上通过 Kerberos 身份验证的主体,而不是
ansible_user。如果失败(因为您未在控制计算机上登录 Kerberos,或者因为远程主机上的相应域帐户不可用),则 Ansible 将回退到“普通”用户名/密码身份验证。~Ansible Windows 简介
$ cat ansible/group_vars/os-windows.yml
# <user>@<realm> means use principal in krb5cc, name here doesn't matter
ansible_ssh_user: use@KERBEROS
ansible_ssh_port: 5985
ansible_connection: winrm
$ ansible host.ad.example.com -m win_ping -o
host.ad.example.com | success >> {"changed": false, "ping": "pong"}