Ansible 2.2.1.0 failing while connecting to Windows using AD credentials.


Siva-Ansile

Apr 20, 2017, 7:13:45 PM
to Ansible Project
Hi Team,

I have a new requirement to install an agent on 1500 Windows machines; all these machines are domain-managed VMs. When I try to connect using a local user, I am able to connect to the Windows box, but when I use AD credentials it's not working. Let me share my current setup here. Please help.

Windows VM settings:-

  1. Enabled WinRM
  2. Ran the script in the remote Windows VM

Ansible Host (Linux RHEL 7.2)
Installed packages:
  1. Ansible 2.2.1.0
  2. Python 2.7.5
  3. krb5-workstation-1.14.1-27.el7_3.x86_64
  4. krb5-devel-1.14.1-27.el7_3.x86_64
  5. krb5-libs-1.14.1-27.el7_3.x86_64
  6. kerberos
krb5.conf entry as below:

 [logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[realms]
 # realm of the ans...@UAT.INTRA.COM principal used with kinit below
 UAT.INTRA.COM = {
  admin_server = winad23987.uat.intra.com
 }

[domain_realm]
==============
Kinit and Klist as below:-


[root@liuatasans01 ~]# kinit ans...@UAT.INTRA.COM
Password for ans...@UAT.INTRA.COM:

[root@liuatasans01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ans...@UAT.INTRA.COM

Valid starting       Expires              Service principal
04/20/2017 18:31:59  04/21/2017 04:31:59  krbtgt/UAT.IN...@UAT.INTRA.COM
        renew until 04/21/2017 18:31:55
[root@liuatasans01 ~]#

============================
Inventory file as below:-

/etc/ansible/hosts

[windows]
172.45.17.182

[windows:vars]

  ansible_ssh_user=ans...@UAT.INTRA.COM
  ansible_password="P@$$wo6d"
  ansible_port=5985
  ansible_connection=winrm

=====================================
Error as below (while trying to connect as the AD user):-

  [root@liuatasans01 ~]# ansible windows -m win_ping
172.45.17.182 | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: __init__() got an unexpected keyword argument 'hostname_override', plaintext: auth method plaintext requires a password",
    "unreachable": true
}

====================================

Working when connecting as windows local user:-

[root@liuatasans01 ~]# ansible windows -m win_ping

172.45.17.182 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

=================================


Please help to fix the issue:

While connecting as the AD user, I get the below error in the Windows audit log:


The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: ans...@UAT.INTRA.COM
Source Workstation: winvmuatiis7202
Error Code: 0xC0000064 
================================

Appreciate your help on this





Jordan Borean

Apr 20, 2017, 9:08:17 PM
to Ansible Project
Looks like you are on the right track where you can get a valid Kerberos ticket using kinit but your Ansible config needs a few more settings so it runs through Kerberos. Looking at the error message it is still trying to authenticate using Basic auth "plaintext" and not Kerberos. Also ansible_ssh_user has been deprecated in favour of ansible_user which is probably why it doesn't detect to use Kerberos.

Try setting the following vars in your inventory

ansible_user=ans...@UAT.INTRA.COM
ansible_password=password here
ansible_port=5985
ansible_connection=winrm
ansible_winrm_transport=kerberos

3 things to say though when looking at your settings:

* If you upgrade to Ansible 2.3 you don't have to manually get a ticket beforehand using kinit, Ansible will do this for you which is a massive plus around automating this all
* You can also use NTLM and CredSSP auth with domain accounts but Kerberos is definitely the most secure out of the 3
* You should be using HTTPS instead of HTTP as your messages and headers are in plaintext with HTTP which is a big no no in security.

The ConfigureRemotingForAnsible.ps1 script will set up an HTTPS listener with a self-signed cert for testing. You should use a proper cert if running this in production; my workplace's environment uses ADCS to set up a host certificate on each Windows box, making it quite easy for us.

Thanks

Jordan

Matt Davis

Apr 20, 2017, 9:15:35 PM
to Ansible Project
Also, I think the EPEL packages for python kerberos and/or pywinrm may be horribly outdated (you'd think that working for Red Hat, I'd know who to bug about that, but alas...). That's the likely cause of the error messages you're seeing. Install via pip (as specified by the docs) to ensure you've got the latest.
Siva-Ansile

Apr 21, 2017, 3:10:48 PM
to Ansible Project
Thank you so much Jordan and Matt. The issue has been resolved now. I really appreciate your help on this; I was struggling to fix this for a long time..!! Happy weekend...!

I just followed both of your steps to fix the issue:-

Changed the hosts file as below:-


ansible_password=password
ansible_port=5986
ansible_connection=winrm
ansible_winrm_transport=kerberos
ansible_winrm_server_cert_validation = ignore


After that, updated pywinrm[kerberos]:-

[root@liuatasans01 windows]# pip install pywinrm[kerberos]
Requirement already satisfied: pywinrm[kerberos] in /usr/lib/python2.7/site-packages
Requirement already satisfied: xmltodict in /usr/lib/python2.7/site-packages (from pywinrm[kerberos])
Requirement already satisfied: requests>=2.9.1 in /usr/lib/python2.7/site-packages (from pywinrm[kerberos])
Requirement already satisfied: requests_ntlm>=0.3.0 in /usr/lib/python2.7/site-packages (from pywinrm[kerberos])
Requirement already satisfied: six in /usr/lib/python2.7/site-packages (from pywinrm[kerberos])
Collecting requests-kerberos>=0.10.0 (from pywinrm[kerberos])
  Downloading requests_kerberos-0.11.0-py2.py3-none-any.whl
Requirement already satisfied: python-ntlm3 in /usr/lib/python2.7/site-packages (from requests_ntlm>=0.3.0->pywinrm[kerberos])
Requirement already satisfied: pykerberos<2.0.0,>=1.1.8; sys_platform != "win32" in /usr/lib64/python2.7/site-packages (from requests-kerberos>=0.10.0->pywinrm[kerberos])
Installing collected packages: requests-kerberos
  Found existing installation: requests-kerberos 0.7.0
    Uninstalling requests-kerberos-0.7.0:
      Successfully uninstalled requests-kerberos-0.7.0
Successfully installed requests-kerberos-0.11.0

[root@liuatasans01 ~]# ansible windows -m win_ping
172.45.17.182 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}


Thanks
Siva Subramaniyan
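The settings the replies above turn on (ansible_user instead of the deprecated ansible_ssh_user, a transport pinned to Kerberos, HTTPS on 5986, and certificate validation left on rather than set to ignore) can be checked mechanically. The following is an added example, not code from the thread or from Ansible: a small parser for the [group:vars] block of an INI inventory plus a lint over the parsed values, run against a constructed copy of the original inventory and a hardened one (host, principal and password are placeholders).

```python
# Added example (not from the thread): checker for the [windows:vars] block of
# an INI inventory. Flags the deprecated ansible_ssh_user, a transport not
# pinned to Kerberos, WinRM over HTTP (5985) and disabled cert validation.
# Constructed inventories (placeholders) mirroring the thread's first and final setups.
ORIGINAL_VARS = """[windows]
172.45.17.182
[windows:vars]
  ansible_ssh_user=ansible@UAT.INTRA.COM
  ansible_password="PLACEHOLDER"
  ansible_port=5985
  ansible_connection=winrm
"""
HARDENED_VARS = """[windows]
172.45.17.182
[windows:vars]
ansible_user=ansible@UAT.INTRA.COM
ansible_connection=winrm
ansible_port=5986
ansible_winrm_transport=kerberos
ansible_winrm_server_cert_validation=validate
"""

def parse_group_vars(inventory, group):
    """Return the key/value pairs in the [group:vars] section of an INI inventory."""
    section, found = None, {}
    for raw in inventory.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == group + ":vars" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            found[key] = value.strip("\"'")  # tolerate quoted values
    return found

def lint_winrm_vars(v):
    """List weak or failure-prone WinRM settings in a parsed vars block."""
    findings = []
    if "ansible_ssh_user" in v and "ansible_user" not in v:
        findings.append("ansible_ssh_user is deprecated; use ansible_user")
    if "kerberos" not in v.get("ansible_winrm_transport", "").split(","):
        findings.append("transport not pinned to kerberos; may fall back to plaintext auth")
    # Ansible defaults the scheme to http only when the port is 5985.
    scheme = v.get("ansible_winrm_scheme", "http" if v.get("ansible_port") == "5985" else "https")
    if scheme == "http":
        findings.append("WinRM over HTTP: headers and messages are not protected by TLS")
    if v.get("ansible_winrm_server_cert_validation", "validate") == "ignore":
        findings.append("server cert validation disabled; use a CA-issued host certificate")
    return findings
```

Running `lint_winrm_vars(parse_group_vars(ORIGINAL_VARS, "windows"))` yields three findings, while the hardened inventory yields none; the final inventory in this thread would still be flagged for `ansible_winrm_server_cert_validation = ignore`.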
Tom Paschenda

Jul 27, 2017, 1:58:22 PM
to Ansible Project
This helped me as well, thanks :-)
Siva Subramaniyan

Jul 27, 2017, 9:50:26 PM
to Ansible Project
Nice to Hear...!! Have a good one...!