Ansible to Windows using Kerberos not working

I am attempting to use Ansible 1.9.0.1 to configure Windows servers using a domain user name. I have successfully setup the Linux Ansible control box and have been able to use basic auth to run ansible/ansible-playbook plays. However running with a domain user fails. Kerberos is enabled on the Windows nodes:

winrm get winrm/config/client/auth Auth Basic = true Digest = true Kerberos = true Negotiate = true Certificate = true CredSSP = true

The playbook I am trying to run just references the win_ping module of ansible and the following is the output:

PLAY [Manage SMI] *************************************************************

TASK: [Ping] ******************************************************************
<host1> ESTABLISH WINRM CONNECTION FOR USER:  on PORT 5985 TO >host1
<host1> ESTABLISH WINRM CONNECTION FOR USER:  on PORT 5985 TO >host2
<host1> REMOTE_MODULE win_ping
<host1> EXEC (New-Item -Type Directory -Path $env:temp -Name >"ansible-tmp-1429639247.03-231225138744234").FullName | Write-Host -Separator >'';
<host2> REMOTE_MODULE win_ping
<host2> EXEC (New-Item -Type Directory -Path $env:temp -Name >"ansible-tmp-1429639247.03-8060403929807").FullName | Write-Host -Separator '';

FATAL: all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
           to retry, use: --limit @/home/deck/test.retry

host1            : ok=0    changed=0    unreachable=1    failed=0
host2            : ok=0    changed=0    unreachable=1    failed=0

Per the System eventlog the user is being authenticated correctly so it looks like the file transfer to the tmp directory is failing.

Any help is greatly appreciated.

A co-worker found a workaround for this issue. It appears there is an issue in the pywinrm when using kerberos that causes the module to die when attempting to call KerbosTicket inside the Transport.py. If you patch transport.py with the following:

class KerberosTicket:
"""
Implementation based on http://ncoghlan_devs-python-notes.readthedocs.org/en/latest/python_kerberos.html
"""
def __init__(self, service):
    # added line below
    self.test=1
    ignored_code, krb_context = kerberos.authGSSClientInit(service)
    kerberos.authGSSClientStep(krb_context, '')
    # TODO authGSSClientStep may raise following error:
    #GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968),
    # ("Credentials cache file '/tmp/krb5cc_1000' not found", -1765328189))
    self._krb_context = krb_context
    gss_response = kerberos.authGSSClientResponse(krb_context)
    self.auth_header = 'Negotiate {0}'.format(gss_response)

We are not 100% sure why this works but for now it is our workaround.