Ansible AD Domain Authentication


Mark Matthews

Apr 7, 2016, 8:27:23 AM
to Ansible Project

Hi

Currently I have been connecting to servers using local server accounts, and therefore my ‘group_vars/winservers.yml’ file has looked like the following:

ansible_ssh_user: Administrator
ansible_ssh_pass: PASSWORD
ansible_ssh_port: 5986
ansible_connection: winrm

But now I need to authenticate to servers that are joined to the domain. How would I change this file? Is it as simple as…

ansible_ssh_user: my.domain\mark.matthews
ansible_ssh_pass: PASSWORD
ansible_ssh_port: 5986
ansible_connection: winrm

Cheers

Zacharias Thompson

Apr 7, 2016, 8:10:11 PM
to Ansible Project
You have to set up a kerberos ticket for the user you want to connect with. After which, if you specify the ansible_ssh_user in the format of us...@MY.DOMAIN.COM, Ansible will attempt to use a kerberos ticket before falling back to basic authentication.

See the support site for more details:

Mark Matthews

Apr 8, 2016, 7:27:16 AM
to Ansible Project
Hi Zacharias

I have set up a kerberos ticket and all seems to be working fine. I am able to do a "kinit username" and create a ticket.

I then add the following entry into the /etc/ansible/hosts file:
[win]
servername.COMPANY.COM

I have created the following /etc/ansible/group_vars/win.yml file with the following information:

ansible_ssh_user: user...@COMPANY.COM
ansible_ssh_port: 5986
ansible_connection: winrm

But when I try to run a playbook against the server in 'win' I get the following error:

fatal: [uk-ansible-test02.WINTECH.LOCAL]: FAILED! => {"failed": true, "msg": "ssl: 401 Unauthorized. basic auth failed"}

Any ideas as to what could be causing this?

Cheers
Mark

Mauricio Tavares

Apr 8, 2016, 8:17:51 AM
to ansible...@googlegroups.com


On Apr 8, 2016 7:27 AM, "Mark Matthews" <mdmat...@gmail.com> wrote:
>
> Hi Zacharias
>
> I have set up a kerberos ticket and all seems to be working fine. I am able to do a "kinit username" and create a ticket.
>
> I then add the following entry into the /etc/ansible/hosts file:
> [win]
> servername.COMPANY.COM
>
> I have created the following /etc/ansible/group_vars/win.yml file with the following information:
>
> ansible_ssh_user: user...@COMPANY.COM
> ansible_ssh_port: 5986
> ansible_connection: winrm
>
> But when I try to run a playbook against the server in 'win' I get the following error:
>
> fatal: [uk-ansible-test02.WINTECH.LOCAL]: FAILED! => {"failed": true, "msg": "ssl: 401 Unauthorized. basic auth failed"}
>
> Any ideas as to what could be causing this?
>

Dumb question: how are you running the playbook? And, what do you get if you crank up the debug? You should see it trying the different auths.

> Cheers
> Mark

Mark Matthews

Apr 8, 2016, 8:54:29 AM
to Ansible Project
Hi

I'm just running the playbook as follows:  ansible-playbook test_ping.yml

The playbook looks like this:

- name: Ping Servers
  hosts: win

  tasks:
  - name: ping
    win_ping:

I ran the playbook with -vvvvv and got the following output:

TASK [setup] *******************************************************************
<uk-ansible-test02.COMPANY.COM> ESTABLISH WINRM CONNECTION FOR USER: markm...@COMPANY.COM on PORT 5986 TO uk-ansible-test02.COMPANY.COM
<uk-ansible-test02.COMPANY.COM> WINRM CONNECTION ERROR: 401 Unauthorized. basic auth failed
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 138, in _winrm_connect
    protocol.send_message('')
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 193, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 125, in send_message
    raise UnauthorizedError(transport='plaintext', message=ex.msg)
UnauthorizedError: 401 Unauthorized. basic auth failed

It's like it's making the connection to the server but is not authorized to do anything??

If I run the 'klist' command to view the token, this is the output:

[root@uk-ansible01 windows]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: us...@COMPANY.COM

Valid starting     Expires            Service principal
08/04/16 13:52:21  08/04/16 23:52:21  krbtgt/COMPA...@COMPANY.COM
        renew until 08/04/16 23:52:21


Mark Matthews

Apr 8, 2016, 11:13:42 AM
to Ansible Project
Hi guys

Was doing some digging around and noticed that there were security errors on the test server I was trying to access.

Could it be possible that this could be causing the issue: https://www.winhelp.info/windows/resolve-kerberos-error-0xc000006d-in-windows/

As nothing is defined there on my server....so there is nothing checked.

Cheers
Mark


Zacharias Thompson

Apr 8, 2016, 1:52:12 PM
to ansible...@googlegroups.com
Are you running the kinit under the same user you're running ansible as?

What version of Ansible are you running?


Mauricio Tavares

Apr 8, 2016, 2:25:46 PM
to ansible...@googlegroups.com
I would expect his logs to show ssh trying to do kerberos auth and
then failing back to whatever. The fact it is going straight to plain
auth is odd.

Maybe play around with ansible_ssh_common_args or ansible.cfg to get
ssh more verbose?

J Hawkesworth

Apr 9, 2016, 3:49:21 PM
to Ansible Project
Hi,

My guess would be you haven't got pykerberos installed on your ansible controller.

If you see

transport=ssl

in the connection information it isn't going via kerberos.

Since you have a ticket set up I think it's just that you don't have the pykerberos package installed.

Hope this helps,

Jon

Anjana Raghavendra P

Apr 11, 2016, 9:51:04 AM
to Ansible Project
I am having a similar problem and afterwards used kerberos for the host variable ansible_winrm_transport.
I am using ansible version 2.0.1.0.

The working configuration:
[Win]
<hostname>.XXXX.XXXX.LOCAL

[Win:vars]
ansible_user='xxx...@XXXX.XXXXX.LOCAL'
ansible_password=......
ansible_port=5986
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
#ansible_winrm_transport=ssl
ansible_winrm_transport=kerberos

but the problem with this is that subsequent runs on this host first throw the following error and then give a successful result.
/usr/local/lib/python2.7/dist-packages/winrm/transport.py:283: RuntimeError: kerberos.authGSSClientClean is deprecated.
  krb_ticket.verify_response(response.headers['WWW-Authenticate'])
<hostname>.XXXX.XXXX.LOCAL | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

If anyone can help that would be better.

J Hawkesworth

Apr 12, 2016, 9:28:44 AM
to Ansible Project
Anjana,

I have not seen this error before but please advise the following:

version of whichever python-kerberos libraries you are using on your ansible controller (see http://docs.ansible.com/ansible/intro_windows.html#installing-python-kerberos-dependencies)
version of the python kerberos wrapper you are using.
version of pywinrm you are using
which OS you are running ansible controller on.

Many thanks,

Jon


Mark Matthews

Apr 12, 2016, 12:41:38 PM
to Ansible Project
Hi Anjana

Where exactly are you putting those [Win:vars] variables? Are you putting those variables in the /etc/ansible/hosts file?

I'm still getting the following error: fatal: [server.COMPANY.COM]: FAILED! => {"failed": true, "msg": "ssl: 401 Unauthorized."}

I have changed my group_vars file (/etc/ansible/group_vars/win.yml) to the following:

ansible_user: us...@COMPANY.COM
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore


And the entry on the host file is:
[win]

I have double checked that I have a token logged in when I run 'klist'.

No idea what could still be causing this error??
Any ideas would be appreciated.

Cheers
Mark



J Hawkesworth

Apr 12, 2016, 6:16:52 PM
to Ansible Project
Hi Mark,

If you run a

(sudo) pip list

on your ansible controller

what version is reported for the 'kerberos' library?

For some reason, ansible is still falling back to using basic auth in your case.  When I've seen that, it's either that the connection variables aren't getting set up, or there is something up with the python kerberos wrapper (such as it being missing).

Jon
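
A controller-side pre-flight check for the three things Jon and Zacharias point at: ansible_user is in user@REALM form with an upper-case realm, klist shows a TGT for that realm, and both pywinrm (`winrm`) and the pykerberos wrapper (`kerberos`) are importable. This is an added example, not code from the thread or from Ansible; it assumes Python 3 and uses a constructed klist sample, and the `find_spec` parameter exists only so the module check can be exercised without the packages installed.

```python
import importlib.util
import re
import subprocess

# Constructed sample of `klist` output (modelled on the thread's, not copied from it).
SAMPLE_KLIST = """Ticket cache: KEYRING:persistent:0:0
Default principal: mark@COMPANY.COM

Valid starting     Expires            Service principal
08/04/16 13:52:21  08/04/16 23:52:21  krbtgt/COMPANY.COM@COMPANY.COM
        renew until 08/04/16 23:52:21
"""
# A TGT line reads krbtgt/REALM@REALM: capture REALM once and require it to repeat.
TGT_RE = re.compile(r"krbtgt/(?P<realm>[^@\s]+)@(?P=realm)")

def split_principal(user):
    """'mark@COMPANY.COM' -> ('mark', 'COMPANY.COM'); DOMAIN\\user is rejected because Ansible 2.0 only tries Kerberos when ansible_user contains '@'."""
    if "@" not in user:
        raise ValueError("ansible_user must be user@REALM (got %r)" % user)
    return tuple(user.rsplit("@", 1))

def ticket_realms(klist_output):
    """Realms for which klist shows a cached TGT."""
    return {m.group("realm") for m in TGT_RE.finditer(klist_output)}

def preflight(user, klist_output, find_spec=importlib.util.find_spec):
    """Return the list of problems found; an empty list means the prerequisites are met."""
    try:
        _, realm = split_principal(user)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if realm != realm.upper():
        problems.append("realm %r is not upper-case; Kerberos realms are case-sensitive" % realm)
    if realm not in ticket_realms(klist_output):
        problems.append("no TGT for %s in the ticket cache (run kinit as the ansible user)" % realm)
    # Without the 'kerberos' module Ansible 2.0 quietly falls back to basic auth: the thread's 401.
    for module in ("winrm", "kerberos"):
        if find_spec(module) is None:
            problems.append("python module %r is not importable on the controller" % module)
    return problems

if __name__ == "__main__":
    try:
        out = subprocess.check_output(["klist"]).decode()
    except (OSError, subprocess.CalledProcessError):
        out = ""  # no klist binary or no credential cache: reported as a missing TGT
    for problem in preflight("mark@COMPANY.COM", out) or ["all checks passed"]:
        print(problem)
```

Run it as the same user that runs ansible-playbook, since the ticket cache is per user.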

Mark Matthews

Apr 13, 2016, 4:42:27 AM
to Ansible Project
Hi Jon

If I do a pip list I get the following:

ansible (2.0.1.0)
ansible-tower (2.4.4)
Babel (0.9.6)
backports.ssl-match-hostname (3.4.0.2)
chardet (2.2.1)
configobj (4.7.2)
decorator (3.4.0)
ecdsa (0.13)
httplib2 (0.9.2)
iniparse (0.4)
IPy (0.75)
isodate (0.5.4)
Jinja2 (2.8)
kitchen (1.1.1)
langtable (0.0.31)
MarkupSafe (0.23)
meld3 (0.6.10)
mercurial (2.6.2)
paramiko (1.16.0)
perf (0.1)
pip (8.1.1)
policycoreutils-default-encoding (0.1)
psycopg2 (2.6.1)
pyasn1 (0.1.6)
pycrypto (2.6.1)
pycurl (7.19.0)
pygobject (3.14.0)
pygpgme (0.3)
pyliblzma (0.5.3)
python-augeas (0.5.0)
python-dmidecode (3.10.13)
python-keyczar (0.71rc0)
pyudev (0.15)
pywinrm (0.1.1)
pyxattr (0.5.1)
PyYAML (3.11)
seobject (0.1)
sepolicy (1.1)
setuptools (20.6.7)
six (1.9.0)
slip (0.4.0)
slip.dbus (0.4.0)
supervisor (3.1.3)
urlgrabber (3.10)
xmltodict (0.10.1)
yum-langpacks (0.4.2)
yum-metadata-parser (1.1.4)


yum install krb5-workstation
yum install krb5-devel
yum install krb5-libs
All three of those said that they were already installed and up to date. But when I ran the following:
pip install kerberos
I get the following error:

[root@ie-ansible01 group_vars]# sudo pip install kerberos
Collecting kerberos
  Using cached kerberos-1.2.4.tar.gz
Installing collected packages: kerberos
  Running setup.py install for kerberos ... error
    Complete output from command /usr/bin/python -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-bTccYY/kerberos/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-H50rsj-record/install-record.txt --single-version-externally-managed --compile:
    running install
    running build
    running build_ext
    building 'kerberos' extension
    creating build
    creating build/temp.linux-x86_64-2.7
    creating build/temp.linux-x86_64-2.7/src
    gcc -pthread -fno-strict-aliasing -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -I/usr/include/python2.7 -c src/base64.c -o build/temp.linux-x86_64-2.7/src/base64.o
    unable to execute gcc: No such file or directory
    error: command 'gcc' failed with exit status 1

    ----------------------------------------
Command "/usr/bin/python -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-bTccYY/kerberos/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-H50rsj-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-bTccYY/kerberos/


Is this the reason that authentication is not working? Because kerberos has not been installed properly?
Any ideas what could be causing this kerberos not to install?

Cheers
Mark



Mark Matthews

Apr 13, 2016, 4:57:28 AM
to Ansible Project
I got it working!!

I needed to install 'gcc'.
So I ran the following:   sudo yum -y install gcc

I was then able to run:  sudo yum -y install kerberos

After that was all installed successfully I was able to run a playbook using AD credentials.

Jon - thanks for all your help!!!

Cheers
Mark



Anjana Raghavendra P

Apr 18, 2016, 6:23:26 AM
to Ansible Project
Hi,

Sorry it took so long to respond. I actually followed the same document and installed everything as suggested.
As per the AMI, I am using the AWS Ubuntu image and Python version 2.7.6.

My sudo pip list output:
ansible (2.0.1.0)
ansible-tower (2.4.4)
apt-xapian-index (0.45)
argparse (1.2.1)
awscli (1.10.20)
boto (2.39.0)
boto3 (1.3.0)
botocore (1.4.11)
chardet (2.0.1)
Cheetah (2.4.4)
cloud-init (0.7.5)
colorama (0.2.5)
configobj (4.7.2)
docutils (0.12)
futures (3.0.5)
html5lib (0.999)
httplib2 (0.8)
isodate (0.5.4)
Jinja2 (2.7.2)
jmespath (0.9.0)
jsonpatch (1.3)
jsonpointer (1.0)
kerberos (1.2.4)
Landscape-Client (14.12)
MarkupSafe (0.18)
meld3 (0.6.10)
mercurial (2.8.2)
oauth (1.0.1)
PAM (0.4.2)
paramiko (1.10.1)
passlib (1.5.3)
pip (1.5.4)
prettytable (0.7.2)
psycopg2 (2.4.5)
pyasn1 (0.1.9)
pycrypto (2.6.1)
pycurl (7.19.3)
pyOpenSSL (0.13)
pyserial (2.6)
python-apt (0.9.3.5ubuntu2)
python-dateutil (2.5.2)
python-debian (0.1.21-nmu2ubuntu2)
pywinrm (0.1.1)
PyYAML (3.10)
requests (2.2.1)
rsa (3.3)
s3transfer (0.0.1)
setuptools (3.3)
six (1.5.2)
ssh-import-id (3.21)
supervisor (3.0b2)
Twisted-Core (13.2.0)
Twisted-Names (13.2.0)
Twisted-Web (13.2.0)
urllib3 (1.7.1)
wheel (0.24.0)
wsgiref (0.1.2)
xmltodict (0.10.1)
zope.interface (4.0.5)

As this is simply a warning, right now I am not taking it as high priority. We are starting new and exploring ansible as of now.