Chocolatey is unable to access Windows share on a Synology Diskstation if invoked from Ansible

Question

This problem is quite puzzling me and I have a hard time to formulate the right questions. So below my best effort. I'm are glad if you can help me improve this question.

Background: I manage the software installed on Windows 10 clients through Chocolatey which in turn is invoked remotely by Ansible. The repository of the Chocolatey Packages resides on a Windows share on a NAS. I first faced a second hop issue which was successfully solved by using kerberos tickets (see https://github.com/ansible/ansible/issues/15682). The clients and the Synology are joined to a AD Domain.

The issue I face now is, that if the repository is a Windows share on a Synology Diskstation, Chocolatey does not see the Packages if invoked remotely through Ansible. The command actually successfully runs but returns an empty list. If the same command (choco list) is invoked locally everything is fine. If the repository is on a share hosted on a OpenMediaVault (OMV) NAS it works with Ansible but only if the Samba option allow guest is enabled. I have tried to find similar settings on the Synology. I enabled Guest access which also seems to work as clients can connect to the share without providing username/password.

By using Wireshark I found that when running choco list locally the username/domain is provided (which is expected). If the command is invoked remotely through Ansible no username/domain is provided (value NULL) (which is not really expected). This explains why it works on the OMV only if allow guest access is enabled.

Currently I see two possible solution paths:

1. Get the remotely executed choco command to send user credentials when accessing the share (prefered solution as more secure)

   • How to configure remotely executed PowerShell Scripts (such as Chocolatey uses) to use user-/domainname from the user actually executing the script when connecting to a share?

2. Get the Synology Diskstation to accept the login with no username also from remotely executed scripts

   • This is actually puzzling me most. Guest access in principle works, as I can connect to shares where the user Guest is allowed from Linux and Windows boxes without being prompted for password/username.
   • Does anyone have an idea why it does not work if the choco command is invoked remotely and how to fix it?

I'll happily provide additional information...

Answer 1

WinRM sessions run as "batch" logins, which means the credential cache is not seeded with your username/password, and Microsoft makes it difficult to do so. We're planning on adding Windows become support in Ansible to partially address that issue (creates a new interactive logon session inside the WinRM session before running Ansible modules so things will behave more intuitively). If the Synology understands Kerberos, you might be able to get there by enabling kerberos delegation on pywinrm (set ansible_winrm_kerberos_delegation=true in your inventory on pywinrm 0.2.0 and Ansible 2.1+). Otherwise, you're kinda up the creek- some modules have solved this by adding in their own authentication (see win_package), but that's not sustainable- we want to solve it Ansible-wide, not module-by-module.