Alternate solution needed for winrm connections


sase kumar

Nov 7, 2018, 1:35:38 PM
to Ansible Project
Hi Team,

In our environment, basic, NTLM and CredSSP are disabled by default on the Windows 2012 machines, so I tried the last option, which is Kerberos.

Scenario -

The CentOS machine has the Ansible controller.
A new domain has been created and it has a few servers in it.
I added the domain FQDN to /etc/hosts to make it reachable, because initially only the IP was reachable from Ansible.
I installed all the Kerberos libraries using pip and configured the krb5.conf file accordingly:

includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = OPS68.ISYNTAX.NET
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  default_domain = OPS68.ISYNTAX.NET
 }

[domain_realm]

But still, if I try to run playbooks, it says "Cannot find KDC for realm \"ops68.isyntax.net\" while getting initial credentials".

Any help is appreciated.

S C Rigler

Nov 7, 2018, 2:24:43 PM
to ansible...@googlegroups.com
Try adding a mapping in your domain_realms section to associate
lowercase ops68.isyntax.net to realm OPS68.ISYNTAX.NET.

Jordan Borean

Nov 7, 2018, 2:44:58 PM
to Ansible Project
Your realms don't really make sense; the realm should be the domain part and not a hostname, whereas you are using the same realm for the KDC hostname. The KDC is the FQDN of the domain controller, whereas the realm is the domain part of that controller. When you go to log in with a UPN, do you use user...@OPS68.ISYNTAX.NET or user...@ISYNTAX.NET, with OPS68 being your DC?

Thanks

Jordan

sase kumar

Nov 8, 2018, 11:41:13 PM
to Ansible Project
Hi Jordan,

I have now added the DC FQDN as the KDC and the DC name as the realm name,

but the error still says it is unable to reach the KDC to get the initial credentials.

Initially the FQDN was not reachable from the Ansible controller machine, but now I have mapped the FQDN to the IP in /etc/hosts.

Is that sufficient? And are there any specific ports which need to be checked for this communication from the Ansible host?
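The two replies point at the same defect in the posted krb5.conf: the default realm has no [realms] block (so no kdc is known for it) and nothing in [domain_realm] maps the lowercase DNS domain to the upper-case realm. The following checker is an added example, not code from the thread or from Ansible or MIT Kerberos; it parses a krb5.conf-style file with a small hand-written parser (because the nested `{ }` realm blocks are not standard INI), reports those two problems, and includes a TCP probe of the KDC port for the port question in the last post. Both configs are constructed for illustration; the domain controller name `dc01.ops68.isyntax.net` is a placeholder, not a host from the thread.

```python
"""Added example: a minimal krb5.conf checker for the two problems raised in
the replies (no [realms] block for default_realm, no [domain_realm] mapping).
Constructed configs; the KDC hostname is a placeholder."""
import re
import socket

# Constructed: the poster's layout, a default_realm but no realm block.
BROKEN_CONF = """\
[libdefaults]
 default_realm = OPS68.ISYNTAX.NET
 dns_lookup_realm = true

[realms]
  default_domain = OPS68.ISYNTAX.NET
 }

[domain_realm]
"""

# Constructed: the shape the replies describe. The realm is the domain in
# upper case; the kdc is the domain controller's FQDN (placeholder name).
FIXED_CONF = """\
[libdefaults]
 default_realm = OPS68.ISYNTAX.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 OPS68.ISYNTAX.NET = {
  kdc = dc01.ops68.isyntax.net
  admin_server = dc01.ops68.isyntax.net
 }

[domain_realm]
 .ops68.isyntax.net = OPS68.ISYNTAX.NET
 ops68.isyntax.net = OPS68.ISYNTAX.NET
"""


def parse_krb5(text):
    """Parse the sections this check needs. Returns a dict of
    {"libdefaults": {k: v}, "realms": {REALM: {k: [v, ...]}}, "domain_realm": {k: v}}.
    Keys that appear in [realms] outside a 'REALM = { ... }' block are ignored,
    because libkrb5 does not treat them as a realm definition."""
    conf = {"libdefaults": {}, "realms": {}, "domain_realm": {}}
    section, realm = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("includedir"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                   # new [section]
            section, realm = m.group(1), None
            conf.setdefault(section, {})
            continue
        if line == "}":                         # end of a realm block (a stray one is tolerated)
            realm = None
            continue
        m = re.fullmatch(r"([^=\s]+)\s*=\s*\{", line)
        if m and section == "realms":           # 'REALM = {' opens a block
            realm = m.group(1)
            conf["realms"].setdefault(realm, {})
            continue
        m = re.fullmatch(r"([^=\s]+)\s*=\s*(.*)", line)
        if not m or section is None:
            continue
        key, value = m.group(1), m.group(2).strip()
        if section == "realms":
            if realm:                           # kdc / admin_server may repeat
                conf["realms"][realm].setdefault(key, []).append(value)
        else:
            conf[section][key] = value
    return conf


def check_krb5(conf):
    """Return the problems that lead to 'Cannot find KDC for realm ...'."""
    problems = []
    realm = conf["libdefaults"].get("default_realm")
    if not realm:
        return ["no default_realm in [libdefaults]"]
    block = conf["realms"].get(realm)
    if block is None:
        problems.append("[realms] has no block for " + realm)
    elif not block.get("kdc"):
        problems.append("realm " + realm + " has no kdc = entry")
    if realm != realm.upper():
        problems.append("realm " + realm + " is not upper-case (realm names are case-sensitive)")
    low = realm.lower()
    dr = conf["domain_realm"]
    if dr.get(low) != realm and dr.get("." + low) != realm:
        problems.append("[domain_realm] does not map " + low + " or ." + low + " to " + realm)
    return problems


def kdc_reachable(host, port=88, timeout=3.0):
    """TCP probe of the KDC port. Kerberos uses 88/tcp and 88/udp; WinRM itself
    is 5985 (HTTP) or 5986 (HTTPS). Needs network access, so it is not part of
    the offline checks above."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, check_krb5(parse_krb5(text)) or "OK")
```

Run against the posted config the checker reports both findings; against the corrected one it reports none. With `dns_lookup_realm`/`dns_lookup_kdc` set to false the static entries are authoritative, which matches a controller that reaches the DC only through /etc/hosts.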