20:00:43 <nitzmahone> #startmeeting Ansible Windows Working Group
20:00:43 <zodbot> Meeting started Tue Aug 17 20:00:43 2021 UTC.
20:00:43 <zodbot> This meeting is logged and archived in a public location.
20:00:43 <zodbot> The chair is nitzmahone. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:00:43 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
20:00:43 <zodbot> The meeting name has been set to 'ansible_windows_working_group'
20:00:43 <zodbot_> nitzmahone: Error: Can't start another meeting, one is in progress.
20:00:57 <jborean93> what have you done!
20:01:20 * nitzmahone wonders if this has something to do with a Matrix mirror
20:01:27 <nitzmahone> ah well
20:01:31 <nitzmahone> #chair jborean93
20:01:31 <zodbot> Current chairs: jborean93 nitzmahone
20:01:31 <zodbot_> Current chairs: jborean93 nitzmahone
20:01:43 <nitzmahone> #info (empty) agenda at https://github.com/ansible/community/issues/581
20:01:50 <nitzmahone> #topic open floor
20:01:59 <briantist> nothing new from me
20:02:24 <jborean93> same, I'm banging my head with some Kerberos stuff
20:02:27 <jborean93> will be the death of me
20:02:29 <nitzmahone> ditto- just coming off a 4 day weekend :D
20:02:53 <nitzmahone> Is this still python-gssapi related fun, or moved on to actual client code now?
20:02:53 <briantist> 😩 Kerberos stuff doesn't sound fun
20:03:31 <jborean93> I've got the bindings and getting the ticket working. It's now getting it working with SPNEGO auth which so far doesn't seem possible
20:03:32 * nitzmahone actually enjoys making the kerb stuff work, but hates debugging other people's messed up setups... "works on my machine!"
20:04:00 <jborean93> usually I'm the same but this exercise has just been 1 thing after another of caveats and workarounds
20:04:40 <jborean93> so essentially this krb API to get the forwardable ticket works if you use pure Kerberos auth but trying to get it to work with GSSAPI's SPNEGO (kerb + ntlm fallback) will not
20:05:46 <nitzmahone> So is this about getting it to work with the actual `WWW-Authenticate: Negotiate` header that's the default config for Windows, or just getting the actual NTLM fallback to behave?
20:07:26 <jborean93> if I want to use GSSAPI for Negotiate/SPNEGO it's not possible. But luckily my pyspnego has a Python wrapper to generate the SPNEGO tokens that source from GSSAPI/my own NTLM lib so it's not a big deal
20:07:33 <jborean93> just another annoying quirk I need to deal with
20:08:01 <briantist> oof :(
20:08:09 <jborean93> Currently I can use GSSAPI to generate the SPNEGO tokens and it handles all that stuff internally. Now it's just another scenario where I would need to use my own SPNEGO logic
20:09:09 <nitzmahone> Is it just because of the OID differences, or is it actually a structural problem or something that GSSAPI won't pass through properly?
20:09:40 <nitzmahone> PS: "extensible" APIs, ha! ;)
20:09:41 <jborean93> there's no way to get a GSSAPI credential handle with the SPNEGO OID with your own source
20:10:11 <nitzmahone> and only on Heimdal, or MIT as well?
20:10:28 <nitzmahone> (I thought SPNEGO + NTLM were built into MIT)
20:10:40 <jborean93> SPNEGO is, NTLM is provided by another library for MIT
20:10:47 <Dus10> SPNEGO... man... haven't heard anyone talk about that in a long while
20:11:04 <jborean93> Heimdal does have NTLM builtin but it's pretty much broken so that's what I use the pyspnego's SPNEGO wrapper for
20:11:26 <jborean93> which is basically use GSSAPI for Kerberos and my own code for NTLM and wrap it in the SPNEGO tokens accordingly
20:11:40 <Dus10> I played with that so long ago, but you still needed another credential, back like when NDS was a thing
20:11:41 <jborean93> It just means that now I essentially have to do the same for MIT when requesting a forwardable ticket
20:11:55 <nitzmahone> bleh
20:13:30 <jborean93> yea ugly but hey it's one of the reasons why I wrote the Python SPNEGO logic
20:13:30 <nitzmahone> Well, if nothing new to discuss today, will close in 2min...
20:14:45 <jborean93> I'm all good
20:14:51 <briantist> same
20:17:07 <nitzmahone> Cool, til next week then!
20:17:10 <nitzmahone> Thanks all!
20:17:13 <nitzmahone> #endmeeting