我正在設定 ansible (CentOS 6.7) 以使用 http、winRM 和 kerberos 連接到 Windows 機器
從/etc/ansible/host文件中
[training]
machinename:5985
我已經設定了主機特定的 yaml 文件
ansible_winrm_scheme: http
ansible_port: 5985
ansible_connection: winrm
然後,執行以下命令
ansible machinename -m win_ping -vvvv
以下錯誤
<machinename > ESTABLISH WINRM CONNECTION FOR USER: jnambood on PORT 5985 TO machinename
<machinename > WINRM CONNECT: transport=plaintext endpoint=http://machinename :5985/wsman
<machinename > WINRM CONNECTION ERROR: 401 Unauthorized.
<machinename > WINRM CONNECT: transport=plaintext endpoint=https://machinename :5985/wsman
<machinename > WINRM CONNECTION ERROR: 500 WinRMTransport. [Errno 1] _ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
machinename | FAILED => 500 WinRMTransport. [Errno 1] _ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Ansible 嘗試 http,收到 401 錯誤。我該如何修復它?
答案1
如果您已經安裝了kerberos模組且ansible_user包含@(例如username@realm),Ansible將首先嘗試Kerberos身份驗證。此方法使用您在控制電腦上透過 Kerberos 進行身份驗證的主體,而不是
ansible_user。如果失敗,要么是因為您沒有在控制電腦上登入 Kerberos,要么是因為遠端主機上相應的網域帳戶不可用,那麼 Ansible 將回退到「純」使用者名稱/密碼驗證。~Ansible Windows 簡介
$ cat ansible/group_vars/os-windows.yml
# <user>@<realm> means use principal in krb5cc, name here doesn't matter
ansible_ssh_user: use@KERBEROS
ansible_ssh_port: 5985
ansible_connection: winrm
$ ansible host.ad.example.com -m win_ping -o
host.ad.example.com | success >> {"changed": false, "ping": "pong"}