From 5675982b0f64cbc3bf01eff63951d1302132c6d2 Mon Sep 17 00:00:00 2001
From: Chris Church
Date: Thu, 9 Apr 2015 13:36:58 -0400
Subject: [PATCH] Only try kerberos auth when username contains `@` and pass realm to pywinrm. Alternative to #10644, fixes #10577.
---
 lib/ansible/runner/connection_plugins/winrm.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/lib/ansible/runner/connection_plugins/winrm.py b/lib/ansible/runner/connection_plugins/winrm.py
index 7a2d6d3318..eb02d74307 100644
--- a/lib/ansible/runner/connection_plugins/winrm.py
+++ b/lib/ansible/runner/connection_plugins/winrm.py
@@ -90,13 +90,18 @@ class Connection(object):
 return _winrm_cache[cache_key]
 exc = None
 for transport, scheme in self.transport_schemes['http' if port == 5985 else 'https']:
- if transport == 'kerberos' and not HAVE_KERBEROS:
+ if transport == 'kerberos' and (not HAVE_KERBEROS or not '@' in self.user):
 continue
+ if transport == 'kerberos':
+ realm = self.user.split('@', 1)[1].strip() or None
+ else:
+ realm = None
 endpoint = urlparse.urlunsplit((scheme, netloc, '/wsman', '', ''))
 vvvv('WINRM CONNECT: transport=%s endpoint=%s' % (transport, endpoint), host=self.host)
 protocol = Protocol(endpoint, transport=transport,
- username=self.user, password=self.password)
+ username=self.user, password=self.password,
+ realm=realm)
 try:
 protocol.send_message('')
 _winrm_cache[cache_key] = protocol
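Review bot: The widened `continue` on the kerberos branch skips that transport silently when the username has no `@`, so the loop moves on to whatever comes next in `transport_schemes` (defined outside this hunk, presumably a password-based transport) and nothing in the output says why Kerberos was not tried. A line such as `vvvv('WINRM SKIP: kerberos requires user@REALM', host=self.host)` before the `continue` would make that change of authentication method visible to the operator. A username ending in `@` passes the check but yields `realm=None` via `.strip() or None`, so kerberos is still attempted without a realm; if that is not intended, the empty-realm case should take the same skip. The membership test is more idiomatic as `'@' not in self.user`. The loop body and the `try:` continue past the end of the hunk.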