Ansible windows kerberos issue


Mayur Barge

Jan 15, 2016, 1:54:39 PM
to Ansible Project
Hi, I'm facing the below issue while connecting to a Windows machine using AD accounts:


File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 586, in _executor
    exec_rc = self._executor_internal(host, new_stdin)
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 789, in _executor_internal
    return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 968, in _executor_internal_inner
    conn = self.connector.connect(actual_host, actual_port, actual_user, actual_pass, actual_transport, actual_private_key_file, delegate_host)
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection.py", line 52, in connect
    self.active = conn.connect()
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 140, in connect
    self.protocol = self._winrm_connect()
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 96, in _winrm_connect
    protocol.send_message('')
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 193, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 269, in send_message
    krb_ticket = KerberosTicket(self.krb_service)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 205, in __init__
    kerberos.authGSSClientStep(krb_context, '')
GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))


Please help

Thanks,
Mayur

J Hawkesworth

Jan 18, 2016, 9:09:14 AM
to Ansible Project
Hi Mayur,

You usually get that message when Kerberos is not configured properly on your Ansible controller.

Please ensure you have followed the setup instructions here:


Without this, the Ansible controller cannot connect to your Windows domain, because it is unaware of the network location of your Windows domain controllers.

Hope this helps,

Jon

Mayur Barge

Jan 22, 2016, 7:30:09 AM
to Ansible Project
Hi Jon,

Thanks for your inputs.

If I manage the Windows machine using a local administrator account, then it works. But for an AD account, the following is the error. I can successfully do kinit with a domain user, and klist displays the appropriate ticket.

<win2k8r2-client> ESTABLISH WINRM CONNECTION FOR USER: on PORT 5986 TO win2k8r2-client

<win2k8r2-client> WINRM CONNECT: transport=kerberos endpoint=https://win2k8r2-client:5986/wsman

win2k8r2-client | FAILED => Traceback (most recent call last):

Joe Levis

Jan 22, 2016, 1:21:37 PM
to Ansible Project
Mayur,

Make sure your Linux Control Machine is bound to the same domain as your target Windows VM. After much reading and debugging, I realized my Ubuntu server where I was running Ansible was not bound to the Domain.

Another thing...
I had to run the kinit command with the below flags on the Control Machine to get past the auth failures (according to https://github.com/diyan/pywinrm/issues/36#issuecomment-60175388):
kinit -l 7d -r 7d -pAf us...@MY.DOMAIN.COM

NOTE: I had run the kinit command before, but not with the flags. The forwarding flags of kinit are what got me over the hump.

Mayur Barge

Jan 23, 2016, 11:19:38 AM
to Ansible Project
I will give it a try and let you know.
Thanks in advance for your help!
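
Added example, not part of any post in this thread and not Ansible or pywinrm code: a small Python triage helper that decodes the GSSError minor code from the first post and reads the host out of the WINRM CONNECT line in the later post. The function name `diagnose`, the error-name subset, and the `HTTP/<host>` service principal form are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# MIT krb5 error table base: a GSS minor code from krb5 is base + error number.
KRB5_ERROR_TABLE_BASE = -1765328384

# Subset of RFC 4120 error numbers commonly seen when requesting a ticket.
KDC_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",   # client not found in Kerberos database
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",   # server not found in Kerberos database
    23: "KDC_ERR_KEY_EXPIRED",          # password has expired
    24: "KDC_ERR_PREAUTH_FAILED",       # pre-authentication failed
    37: "KRB_AP_ERR_SKEW",              # clock skew too great
}

# Sample input: the two relevant lines as they appear in the thread above.
SAMPLE = """\
<win2k8r2-client> WINRM CONNECT: transport=kerberos endpoint=https://win2k8r2-client:5986/wsman
GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))
"""

def diagnose(log_text):
    """Return the decoded krb5 error and the service the client asked for."""
    result = {}
    # A GSSError prints two (message, code) pairs: major status, then minor.
    pairs = re.findall(r"\('([^']*)',\s*(-?\d+)\)", log_text)
    if len(pairs) >= 2:
        minor = int(pairs[1][1])
        number = minor - KRB5_ERROR_TABLE_BASE
        result["minor"] = minor
        result["kdc_error"] = KDC_ERRORS.get(number, "unmapped (%d)" % number)
    endpoint = re.search(r"endpoint=(\S+)", log_text)
    if endpoint:
        host = urlparse(endpoint.group(1)).hostname
        # Assumption: the WinRM client requests a ticket for HTTP/<host>.
        result["requested_service"] = "HTTP/" + host
        # An unqualified name is worth comparing against the SPNs in AD.
        result["host_is_fqdn"] = "." in host
    return result

if __name__ == "__main__":
    for key, value in sorted(diagnose(SAMPLE).items()):
        print("%s: %s" % (key, value))
```

The decoded error says the KDC has no entry for the service principal that was requested, so the host name in the endpoint is the first value to compare against what is registered in the domain.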