Failing to connect to Windows clients with 1.9.0 -- No credentials cache file found

[Peter Loron]

Hello. I'm trying to get going with managing some Windows servers using Ansible. I've got Ansible 1.9.0.1 installed on a OS X 10.10 machine. On my Windows client (2012R2), I have run the suggested "ConfigureRemotingForAnsible.ps1" script and I can telnet to 5986 on that machine from my control machine. I have the client defined in a [windows] section in the hosts file, and there is a "group_vars/windows/settings" file that has the following:

ansible_ssh_user: Administrator

ansible_ssh_pass: <password>

ansible_ssh_port: 5986

ansible_connection: winrm

When I try to do a win_ping, I get this error: "No credentials cache file found". I see that it is attempting to use Kerberos to connect, and the control machine is NOT connected to the domain. The client machine is. I'm thinking I need to tell Ansible to not use Kerberos, but I'm not sure how. Full command output below:

> ansible windows -m win_ping -vvvv

<srbos1build02> ESTABLISH WINRM CONNECTION FOR USER: Administrator on PORT 5986 TO srbos1build02

<srbos1build02> WINRM CONNECT: transport=kerberos endpoint=https://srbos1build02:5986/wsman

srbos1build02 | FAILED => Traceback (most recent call last):

  File "/usr/local/Cellar/ansible/1.9.0.1/libexec/lib/python2.7/site-packages/ansible/runner/__init__.py", line 582, in _executor

    exec_rc = self._executor_internal(host, new_stdin)

  File "/usr/local/Cellar/ansible/1.9.0.1/libexec/lib/python2.7/site-packages/ansible/runner/__init__.py", line 785, in _executor_internal

    return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)

  File "/usr/local/Cellar/ansible/1.9.0.1/libexec/lib/python2.7/site-packages/ansible/runner/__init__.py", line 960, in _executor_internal_inner

    conn = self.connector.connect(actual_host, actual_port, actual_user, actual_pass, actual_transport, actual_private_key_file, delegate_host)

  File "/usr/local/Cellar/ansible/1.9.0.1/libexec/lib/python2.7/site-packages/ansible/runner/connection.py", line 52, in connect

    self.active = conn.connect()

  File "/usr/local/Cellar/ansible/1.9.0.1/libexec/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 147, in connect

    self.protocol = self._winrm_connect()

  File "/usr/local/Cellar/ansible/1.9.0.1/libexec/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 101, in _winrm_connect

    protocol.send_message('')

  File "build/bdist.macosx-10.10-intel/egg/winrm/protocol.py", line 190, in send_message

    return self.transport.send_message(message)

  File "build/bdist.macosx-10.10-intel/egg/winrm/transport.py", line 219, in send_message

    krb_ticket = KerberosTicket(self.krb_service)

  File "build/bdist.macosx-10.10-intel/egg/winrm/transport.py", line 166, in __init__

    kerberos.authGSSClientStep(krb_context, '')

GSSError: ((' Miscellaneous failure (see text)', 851968), ('No credentials cache file found', -1765328189))

[J Hawkesworth]

If I recall, if you have pykerberos installed, winrm will attempt kerberos connection.

I guess your options are to remove pykerberos or use knit to acquire a kerberos ticket and connect as a domain user.

Hope that helps.

Jon

[Peter Loron]

As far as I know, I do not have pykerberos installed. If I start the default python and do "import kerberos", it fails.

Regardless, there should be an option to force the connection type.

[Peter Loron]

Well, apparently there's *some* kind of python glue installed. I did kinit to acquire a ticket for the appropriate user, and I was able to get it to work.

There still needs to be a switch. I don't want to muck about with kinit every time I want to run playbooks.

[J Hawkesworth]

I'm not sure there's a one-size fits all solution to this.

Personally I use a callback plugin to call kinit and acquire the necessary kerberos ticket whenever I start running a playbook.  This works for me as I want my ansible controller to be able to work with > 1 domain. Its not ideal as it will only work for ansible-playbook and not ansible commands.  

I've read that others use a local action to call kinit as their first task and I believe others are happy to have an ansible controller per domain and have kinit set up the kerberos ticket when you log in.  

Jon

[Chris Church]

A fix has been merged via https://github.com/ansible/ansible/pull/10664 (similar to Jon's changes in https://github.com/ansible/ansible/pull/10644) and pending docs changes in https://github.com/ansible/ansible/issues/10665.

The winrm connection will only try kerberos if it is installed and the username contains @.  Anything after the @ would be used to specify the kerberos realm (if pywinrm didn't ignore the realm at the moment).

Let me know if it makes sense, gets rid of the error you are experiencing, and/or breaks things horribly.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/cd6a5785-650d-46f5-a0cf-40706787025a%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.