Add workaround for non-standard kerberos environments #41465
@@ -426,6 +426,8 @@ work. To troubleshoot Kerberos issues, ensure that: | |||
an alias is being used. The ``krb5.conf`` file needs to be updated so that | |||
the fully qualified domain name is used and not an alias. | |||
|
|||
* If the default kerberos tooling has been replaced or modified (some IdM solutions may do this), it may cause issues when installing or upgrading the ``pykerberos`` python library from ``pip``. To resolve this issue, temporarily install the ``krb5-workstation`` and ``krb5-libs`` packages (for RHEL/Fedora), remove any custom kerberos tooling paths from the PATH environment variable, and retry the installation of ``pykerberos``. |
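Review bot: The added bullet names only the RHEL/Fedora packages (`krb5-workstation`, `krb5-libs`), so readers on any other platform are left without a usable step; refer to the document's own Kerberos prerequisites instead of repeating one distribution's package names here. "Temporarily install" also leaves open whether the packages are meant to be removed afterwards, and "remove any custom kerberos tooling paths from the PATH environment variable" should say that the change applies only to the shell running the installation, so nobody edits a login profile and breaks the replacement tooling the host depends on. Smaller points: capitalise "Kerberos" and "Python", and wrap the bullet like the context lines above it, which are hard-wrapped while this one is a single long line.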
A few points;
- I feel this is still too RHEL specific, we should be referencing the packages we listed in Installing the Kerberos Library rather than repeat it here
- I would also not mention `pykerberos` explicitly but say `the Python Kerberos library` as this can change in the future to something else
- MIT is not the only library we know works, some BSD based hosts like MacOS use Heimdal

Because this is a bit of a minefield I'm wondering whether to just have a blanket statement that says this has been tested on MIT krb5 and Heimdal, other solutions may cause issue with authentication and encryption and should be present when running `pip install pywinrm[kerberos]`. Then again, I'm not the best wordsmith so others could have better ideas.
Good points, let's see if this sounds a little better:
If the default kerberos tooling has been replaced or modified (some IdM solutions may do this), it may cause issues when installing or upgrading the Python Kerberos library. As of the time of this writing, this library is called `pykerberos` and is known to work with both MIT and Heimdal Kerberos libraries. To resolve `pykerberos` installation issues, ensure the system dependencies for Kerberos have been met (this will link to the prereqs section of the doc), remove any custom Kerberos tooling paths from the PATH environment variable, and retry the installation of `pykerberos`.
I think this addresses all of your points and lets people know what we've "generally" tested with and a general approach for solving the issue.
I'd also like to see if we can target 2.6 if it's not too late. This issue affects pretty much any version of Ansible so I don't see a reason why we should target starting in 2.7.
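The PATH step from the wording proposed above, as an added shell example that is not part of this PR or of the Ansible documentation. It assumes the Python Kerberos library's build finds the Kerberos installation through a `krb5-config` executable on PATH; the function name and the trusted directory list are hypothetical.

```shell
#!/bin/sh
# Added example, not project code.
# Assumption: the library build locates Kerberos by running `krb5-config`
# from PATH, so a replacement copy earlier in PATH changes what gets linked.

# path_without_custom_krb5 PATH_STRING TRUSTED_DIRS
#   PATH_STRING   colon-separated search path to filter
#   TRUSTED_DIRS  colon-separated directories whose krb5-config is the
#                 system one (hypothetical list, adjust per host)
# Prints PATH_STRING without the directories that hold an executable
# krb5-config, unless that directory is listed in TRUSTED_DIRS.
# Empty entries (which mean "current directory") are dropped as well.
path_without_custom_krb5() {
    _in=$1
    _trusted=":$2:"
    _out=""
    _old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting on ':'
    for _dir in $_in; do
        [ -n "$_dir" ] || continue
        if [ -x "$_dir/krb5-config" ]; then
            case "$_trusted" in
                *":$_dir:"*) ;;         # system copy: keep this entry
                *) continue ;;          # custom tooling: leave it out
            esac
        fi
        _out="${_out:+$_out:}$_dir"
    done
    set +f
    IFS=$_old_ifs
    printf '%s\n' "$_out"
}

# Usage, scoped to the one installation command so the login PATH and the
# replacement tooling stay untouched for everything else:
#   env PATH="$(path_without_custom_krb5 "$PATH" "/usr/bin")" \
#       pip install 'pywinrm[kerberos]'
```

Comparing the filtered value with the original `$PATH` before installing shows which directories were supplying the replacement tooling.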
@acozine all good for you to merge/edit as needed.

Thanks @MrOwen for enriching the documentation.
* Add workaround for non-standard MIT kerberos environments
* Generalize platform specific troubleshooting steps for Kerberos

(cherry picked from commit 4e532e0)

Batch of docs backports:

* docs: Clarify include_task v import_tasks with conditionals (#43856) (cherry picked from commit 6be42a2)
* Add single quotes around package name (#45152) (cherry picked from commit 0d81386)
* prefer ansible_facts namespace and dict notation (#44980) (cherry picked from commit 4451044)
* fix cherrypick conflict - scenario_guides
* Update implicit_localhost.rst (#45455) (cherry picked from commit f68cd1a)
* updated fbsd install instructions (#45309) (cherry picked from commit e9c2695)
* Change "Defaulting Undefined Variables" (#41379) (cherry picked from commit e35c4be)
* adds license details to dev guide pages (#45574) (cherry picked from commit 6e68d77)
* FAQ: fix a typo, add link to 'vars' lookup (#42412) (cherry picked from commit 95649dc)
* Fix link and toctree (#45595) (cherry picked from commit 6999bf3)
* Improve the local toctree (and title) (#45590) (cherry picked from commit afea00f)
* Add undocumented configuration parameter and explain in porting guide (#36059) (cherry picked from commit a892a6e)
* Simplify PPA installation for Ubuntu (#45690) (cherry picked from commit 78e9f45)
* adding git+ssh uri scheme (#36025) (cherry picked from commit 84a4257)
* Add workaround for non-standard kerberos environments (#41465) (cherry picked from commit 4e532e0)
* Restore license agreement (#45809) (cherry picked from commit f430f60)
* partial cherry-pick - lenovo doc update PR 45483
SUMMARY
Add general information and small workaround for environments not using the standard MIT kerberos tooling.
ISSUE TYPE
COMPONENT NAME
Windows Remote Management
ANSIBLE VERSION
ADDITIONAL INFORMATION
No additional info.