20:00:43 #startmeeting Ansible Windows Working Group
20:00:43 Meeting started Tue Aug 17 20:00:43 2021 UTC.
20:00:43 This meeting is logged and archived in a public location.
20:00:43 The chair is nitzmahone. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:00:43 Useful Commands: #action #agreed #halp #info #idea #link #topic.
20:00:43 The meeting name has been set to 'ansible_windows_working_group'
20:00:43 nitzmahone: Error: Can't start another meeting, one is in progress.
20:00:57 what have you done!
20:01:20 * nitzmahone wonders if this has something to do with a Matrix mirror
20:01:27 ah well
20:01:31 #chair jborean93
20:01:31 Current chairs: jborean93 nitzmahone
20:01:43 #info (empty) agenda at https://github.com/ansible/community/issues/581
20:01:50 #topic open floor
20:01:59 nothing new from me
20:02:24 same, I'm banging my head with some Kerberos stuff
20:02:27 will be the death of me
20:02:29 ditto- just coming off a 4 day weekend :D
20:02:53 Is this still python-gssapi related fun, or moved on to actual client code now?
20:02:53 😩 kerberos stuff doesn't sound fun
20:03:31 I've got the bindings and getting the ticket working. It's now getting it working with SPNEGO auth which so far doesn't seem possible
20:03:32 * nitzmahone actually enjoys making the kerb stuff work, but hates debugging other people's messed up setups... "works on my machine!"
20:04:00 usually I'm the same but this exercise has just been 1 thing after another of caveats and workarounds
20:04:40 so essentially this krb API to get the forwardable ticket works if you use pure Kerberos auth but trying to get it to work with GSSAPI's SPNEGO (kerb + ntlm fallback) will not
20:05:46 So is this about getting it to work with the actual `WWW-Authenticate: Negotiate` header that's the default config for Windows, or just getting the actual NTLM fallback to behave?
20:07:26 if I want to use GSSAPI for Negotiate/SPNEGO it's not possible. But luckily my pyspnego has a Python wrapper to generate the SPNEGO tokens that source from GSSAPI/my own NTLM lib so it's not a big deal
20:07:33 just another annoying quirk I need to deal with
20:08:01 oof :(
20:08:09 Currently I can use GSSAPI to generate the SPNEGO tokens and it handles all that stuff internally. Now it's just another scenario where I would need to use my own SPNEGO logic
20:09:09 Is it just because of the OID differences, or is it actually a structural problem or something that GSSAPI won't pass through properly?
20:09:40 PS: "extensible" APIs, ha! ;)
20:09:41 there's no way to get a GSSAPI credential handle with the SPNEGO OID with your own source
20:10:11 and only on Heimdal, or MIT as well?
20:10:28 (I thought SPNEGO + NTLM were built into MIT)
20:10:40 SPNEGO is, NTLM is provided by another library for MIT
20:10:47 SPNEGO... man... haven't heard anyone talk about that in a long while
20:11:04 Heimdal does have NTLM builtin but it's pretty much broken so that's what I use the pyspnego's SPNEGO wrapper for
20:11:26 which is basically use GSSAPI for Kerberos and my own code for NTLM and wrap it in the SPNEGO tokens accordingly
20:11:40 I played with that so long ago, but you still needed another credential, back like when NDS was a thing
20:11:41 It just means that now I essentially have to do the same for MIT when requesting a forwardable ticket
20:11:55 bleh
20:13:30 yea ugly but hey it's one of the reasons why I wrote the Python SPNEGO logic
20:13:30 Well, if nothing new to discuss today, will close in 2min...
20:14:45 I'm all good
20:14:51 same
20:17:07 Cool, til next week then!
20:17:10 Thanks all!
20:17:13 #endmeeting