Add workaround for non-standard kerberos environments #41465

Merged
merged 2 commits into from
Sep 18, 2018

@MrOwen MrOwen commented Jun 12, 2018

SUMMARY

Add general information and small workaround for environments not using the standard MIT kerberos tooling.

ISSUE TYPE
  • Docs Pull Request
COMPONENT NAME

Windows Remote Management

ANSIBLE VERSION
ansible 2.5.2
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/var/lib/awx/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /var/lib/awx/venv/ansible/lib/python2.7/site-packages/ansible
  executable location = /var/lib/awx/venv/ansible/bin/ansible
  python version = 2.7.5 (default, May  3 2017, 07:55:04) [GCC 4.8.5 20150623 (Red Hat 4.8.5-14)]
ADDITIONAL INFORMATION

No additional info.

@ansibot ansibot added affects_2.7 This issue/PR affects Ansible v2.7 docs This issue/PR relates to or includes documentation. needs_triage Needs a first human triage before being processed. support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Jun 13, 2018
@@ -426,6 +426,8 @@ work. To troubleshoot Kerberos issues, ensure that:
an alias is being used. The ``krb5.conf`` file needs to be updated so that
the fully qualified domain name is used and not an alias.

* If the default kerberos tooling has been replaced or modified (some IdM solutions may do this), it may cause issues when installing or upgrading the ``pykerberos`` python library from ``pip``. To resolve this issue, temporarily install the ``krb5-workstation`` and ``krb5-libs`` packages (for RHEL/Fedora), remove any custom kerberos tooling paths from the PATH environment variable, and retry the installation of ``pykerberos``.
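Review bot: The added bullet lists only the RHEL/Fedora packages (``krb5-workstation``, ``krb5-libs``) and tells the reader to install them "temporarily" and to remove custom paths from PATH, without saying when the packages can be removed again or that the PATH change should be limited to the shell that runs the install. Suggest stating that the PATH edit applies only to the installation command and is not a permanent change, and either naming the equivalent packages for other platforms or pointing to wherever the document already lists the Kerberos system dependencies. Style: the bullet is one unwrapped line while the context lines above it wrap, and it writes "kerberos" and "python" in lowercase where the hunk header context uses "Kerberos".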
Contributor

A few points:

  • I feel this is still too RHEL specific, we should be referencing the packages we listed in Installing the Kerberos Library rather than repeat it here
  • I would also not mention pykerberos explicitly but say the Python Kerberos library as this can change in the future to something else
  • MIT is not the only library we know works, some BSD based hosts like MacOS use Heimdal

Because this is a bit of a minefield I'm wondering whether to just have a blanket statement that says this has been tested on MIT krb5 and Heimdal, other solutions may cause issues with authentication and encryption and should be present when running pip install pywinrm[kerberos]. Then again, I'm not the best wordsmith so others could have better ideas.

Contributor Author

@MrOwen MrOwen Jun 14, 2018

Good points, let's see if this sounds a little better:

If the default kerberos tooling has been replaced or modified (some IdM solutions may do this), it may cause issues when installing or upgrading the Python Kerberos library. As of the time of this writing, this library is called pykerberos and is known to work with both MIT and Heimdal Kerberos libraries. To resolve pykerberos installation issues, ensure the system dependencies for Kerberos have been met (this will link to the prereqs section of the doc), remove any custom Kerberos tooling paths from the PATH environment variable, and retry the installation of pykerberos.

I think this addresses all of your points and lets people know what we've "generally" tested with and a general approach for solving the issue.

I'd also like to see if we can target 2.6 if it's not too late. This issue affects pretty much any version of Ansible so I don't see a reason why we should target starting in 2.7.
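The PATH workaround discussed in this thread, as an added example that is not part of the pull request or the Ansible documentation: it lists which directories on a PATH value provide a `krb5-config`, and builds a cleaned PATH for a single install command instead of changing the environment permanently. It assumes the replacement Kerberos tooling ships its own `krb5-config`; `/opt/custom-idm/bin` is a hypothetical directory.

```shell
#!/bin/sh
# Added example. Directory names are constructed; /opt/custom-idm/bin is hypothetical.

# krb5_config_dirs PATH_VALUE
# Print, in search order, every directory in PATH_VALUE that holds an
# executable krb5-config. The first line is the one a build would resolve.
# The function body is a subshell, so IFS and "set -f" do not leak out.
krb5_config_dirs() (
    set -f          # no globbing while the value is split
    IFS=:
    for entry in $1; do
        if [ -n "$entry" ] && [ -x "$entry/krb5-config" ]; then
            printf '%s\n' "$entry"
        fi
    done
)

# strip_path_dirs PATH_VALUE DIR...
# Print PATH_VALUE without the listed directories (a trailing slash is
# ignored when comparing). Empty entries, which mean "current directory",
# are dropped as well.
strip_path_dirs() (
    path_value=$1
    shift
    result=
    set -f
    IFS=:
    for entry in $path_value; do
        keep=1
        for drop in "$@"; do
            if [ "${entry%/}" = "${drop%/}" ]; then
                keep=0
            fi
        done
        if [ -n "$entry" ] && [ "$keep" -eq 1 ]; then
            result=${result:+$result:}$entry
        fi
    done
    printf '%s\n' "$result"
)

# Usage (not executed here): the cleaned PATH applies to this one command only.
#   krb5_config_dirs "$PATH"
#   PATH=$(strip_path_dirs "$PATH" /opt/custom-idm/bin) pip install 'pywinrm[kerberos]'
```
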

@jborean93 jborean93 removed the needs_triage Needs a first human triage before being processed. label Jun 14, 2018
@MrOwen MrOwen changed the title Add workaround for non-standard MIT kerberos environments Add workaround for non-standard kerberos environments Jun 14, 2018
@ansibot ansibot added small_patch stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. labels Jun 23, 2018
ansibot commented Aug 2, 2018

@jborean93

@acozine all good for you to merge/edit as needed.

@acozine acozine merged commit 4e532e0 into ansible:devel Sep 18, 2018
acozine commented Sep 18, 2018

Thanks @MrOwen for enriching the documentation.

acozine pushed a commit to samccann/ansible that referenced this pull request Sep 19, 2018
* Add workaround for non-standard MIT kerberos environments

* Generalize platform specific troubleshooting steps for Kerberos

(cherry picked from commit 4e532e0)
acozine pushed a commit that referenced this pull request Sep 20, 2018
Batch of docs backports:

* docs: Clarify include_task v import_tasks with conditionals (#43856)
(cherry picked from commit 6be42a2)

* Add single quotes around package name (#45152)
(cherry picked from commit 0d81386)

* prefer ansible_facts namespace and dict notation (#44980)
(cherry picked from commit 4451044)

* fix cherrypick conflict - scenario_guides

* Update implicit_localhost.rst (#45455)
(cherry picked from commit f68cd1a)

* updated fbsd install instructions (#45309)
(cherry picked from commit e9c2695)

* Change "Defaulting Undefined Variables" (#41379)
(cherry picked from commit e35c4be)

* adds license details to dev guide pages (#45574)
(cherry picked from commit 6e68d77)

* FAQ: fix a typo, add link to 'vars' lookup (#42412)
(cherry picked from commit 95649dc)

* Fix link and toctree (#45595)
(cherry picked from commit 6999bf3)

* Improve the local toctree (and title) (#45590)
(cherry picked from commit afea00f)

* Add undocumented configuration parameter and explain in porting guide (#36059)
(cherry picked from commit a892a6e)

* Simplify PPA installation for Ubuntu (#45690)
(cherry picked from commit 78e9f45)

* adding git+ssh uri scheme (#36025)
(cherry picked from commit 84a4257)

* Add workaround for non-standard kerberos environments (#41465)
(cherry picked from commit 4e532e0)

* Restore license agreement (#45809)
(cherry picked from commit f430f60)

* partial cherry-pick - lenovo doc update PR 45483
@ansible ansible locked and limited conversation to collaborators Jul 22, 2019