Only try kerberos auth when username contains `@` and pass realm to pywinrm. Alternative to #10644, fixes #10577.

10 years ago · 5675982b0f
parent 7f034a74d1
commit 5675982b0f
1 changed files with 7 additions and 2 deletions
--- a/lib/ansible/runner/connection_plugins/winrm.py
+++ b/lib/ansible/runner/connection_plugins/winrm.py
@ -90,13 +90,18 @@ class Connection(object):
            return _winrm_cache[cache_key]
        exc = None
        for transport, scheme in self.transport_schemes['http' if port == 5985 else 'https']:
-            if transport == 'kerberos' and not HAVE_KERBEROS:
+            if transport == 'kerberos' and (not HAVE_KERBEROS or not '@' in self.user):
                continue
+            if transport == 'kerberos':
+                realm = self.user.split('@', 1)[1].strip() or None
+            else:
+                realm = None
            endpoint = urlparse.urlunsplit((scheme, netloc, '/wsman', '', ''))
            vvvv('WINRM CONNECT: transport=%s endpoint=%s' % (transport, endpoint),
                 host=self.host)
            protocol = Protocol(endpoint, transport=transport,
-                                username=self.user, password=self.password)
+                                username=self.user, password=self.password,
+                                realm=realm)
            try:
                protocol.send_message('')
                _winrm_cache[cache_key] = protocol