SPNEGO authentication with uri module

Question

Using curl I can access HTTP resource on a Web service with Kerberos / SPNEGO this way, after I did a kinit

curl -x POST --negotiate -u : http://host.mydomain.net:14000/my/web/resource

You can see I just pass -u : without actually passing any user / password and it works because of --negotiate

With ansible I can access the resource but I need to put my credentials

 - uri:
     url: "http://host.mydomain.net:14000/my/web/resource"
     return_content: true
     method: POST
     headers:
       Content-Type: "application/x-www-form-urlencoded"
     user: "{{ myuser }}"
     password: "{{ mypass }}"
   register: login

 - debug:
     msg: "{{ login.content }}"

Now I like to access the resource only using Kerberos authentication so the executor will use it's credentials, I tried to define user and password parameters empty but this fails.

So I'd like to know if uri module support SPNEGO and how I should do?

Thanks

did you figure out an alternate solution? – ali haider Jun 16 '19 at 17:20 — ali haider, Jun 16 '19 at 17:20

score 1 · Accepted Answer · answered Aug 05 '18 at 20:31

Curl comitter here...

This will not work. Curl cannot authenticate for you. The authentication has to happen at logon time to the machine/server. Since you want to automate that, create a service account, export the keytab and provide the keytab file with the env var KRB5_CLIENT_KTNAME to Ansible. This will work, but you need MIT Kerberos.

Please read my canonical answer to this. If you are in a Active Directory environment, you can easily use msktutil(1) which will do all the magic for you.

SPNEGO authentication with uri module

1 Answers1