Ansible V2.7 - kerberos: authGSSClientStep() failed:


Sushena Parthasarathy

Jul 30, 2019, 11:54:03 AM
to Ansible Project
Hi Team,
               We're using Ansible v2.7 with the Python modules below for Kerberos. We have switched from basic to Kerberos auth, and all playbooks are failing with the error below.

Python (Kerberos) modules:
        kerberos                         1.3.0
        requests-kerberos                0.12.0

Ansible host file:
         ansible_user= Ansible...@NORTHIND.INTERNAL
         ansible_password= '2*S<5q$Vn#]M'
         ansible_connection= winrm
         ansible_winrm_transport= kerberos
        #ansible_winrm_realm= NORTHIND.INTERNAL
        ansible_winrm_scheme= http
        ansible_winrm_server_cert_validation= ignore
        ansible_port= 5985
        ansible_winrm_kerberos_delegation= yes

The kinit command succeeds and we are able to run klist as well. But when we execute the win_ping module against the Windows (2012) node, which is part of the domain (NORTHIND.INTERNAL), it fails with the error below. Can anyone assist in fixing this error?

Command: ansible -i /home/ansible/hosts win -m win_ping -e="ansible_ssh_port=5985, ansible_connection=winrm"


Error:

gcp-bashost.NORTHIND.INTERNAL | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
    "unreachable": true
}



Jordan Borean

Jul 30, 2019, 7:03:02 PM
to Ansible Project
Part of the Kerberos authentication process is to look up the remote server in the KDC database (AD database). If it cannot find that server then you will get this error. In this case it will look up the host using the SPN 'HTTP/gcp-bashost.NORTHIND.INTERNAL'. If you have defined ansible_host for that host then it will be using that hostname as the 2nd part of the SPN.

The fact that you can use kinit to get the credentials shows that your Ansible controller is talking to the domain correctly; this issue is around not being able to look up your remote host. Make sure:
  • You are connecting to the host using the FQDN and not an IP address
  • The remote host is part of the domain
  • If you need to connect with an IP, you can use 'ansible_winrm_kerberos_hostname_override' to set the host's FQDN so the SPN lookup works

Also you should change your password right now and never share it in a public setting again.

Thanks

Jordan
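The checklist above can be turned into a small pre-flight check run on the controller. The script below is an added example written for this thread, not code from Ansible or pywinrm: it derives the SPN a Kerberos WinRM connection will request from a host's inventory variables (the override, then ansible_host, then the inventory name, as Jordan describes) and flags the two cases that commonly end in "Server not found in Kerberos database": the host part is an IP address, or it is a short name rather than an FQDN. The function names and the sample inventory are constructed for the example; the variable names are the real Ansible winrm inventory keys.

```python
import ipaddress

# Hypothetical helper names (kerberos_spn, diagnose, check_inventory) and the
# sample inventory below are constructed for this example.

def kerberos_spn(inventory_hostname, hostvars):
    """Return the SPN the KDC will be asked for, 'HTTP/<host>'.

    The host part follows the precedence used by the winrm connection plugin:
    ansible_winrm_kerberos_hostname_override, else ansible_host, else the
    inventory hostname itself.
    """
    host = (hostvars.get("ansible_winrm_kerberos_hostname_override")
            or hostvars.get("ansible_host")
            or inventory_hostname)
    return f"HTTP/{host}"


def diagnose(inventory_hostname, hostvars):
    """Return a list of likely causes of 'Server not found in Kerberos database'.

    An empty list means the SPN at least has a shape the KDC can match;
    it does not prove the computer object exists in the domain.
    """
    problems = []
    if hostvars.get("ansible_winrm_transport") != "kerberos":
        return problems  # not a Kerberos connection, no SPN lookup happens

    spn = kerberos_spn(inventory_hostname, hostvars)
    host = spn.split("/", 1)[1]

    try:
        ipaddress.ip_address(host)
    except ValueError:
        # Not an IP: a bare short name is the remaining common mistake.
        if "." not in host:
            problems.append(
                f"{spn}: short hostname; use the FQDN so the SPN matches the "
                "computer object in AD")
    else:
        problems.append(
            f"{spn}: host part is an IP address; set "
            "ansible_winrm_kerberos_hostname_override to the host's FQDN")
    return problems


def check_inventory(inventory):
    """Run diagnose() over a {hostname: hostvars} mapping; return only hosts with findings."""
    return {name: found
            for name, hv in inventory.items()
            if (found := diagnose(name, hv))}


# Constructed sample inventory covering the three shapes discussed in the thread.
SAMPLE_INVENTORY = {
    "gcp-bashost.NORTHIND.INTERNAL": {          # FQDN as inventory name: fine
        "ansible_winrm_transport": "kerberos",
    },
    "web01": {                                   # IP in ansible_host: SPN becomes HTTP/10.0.0.5
        "ansible_winrm_transport": "kerberos",
        "ansible_host": "10.0.0.5",
    },
    "web02": {                                   # IP plus override: SPN uses the FQDN
        "ansible_winrm_transport": "kerberos",
        "ansible_host": "10.0.0.6",
        "ansible_winrm_kerberos_hostname_override": "web02.northind.internal",
    },
    "db01": {                                    # short name, no domain suffix
        "ansible_winrm_transport": "kerberos",
    },
}

if __name__ == "__main__":
    for name, findings in check_inventory(SAMPLE_INVENTORY).items():
        for line in findings:
            print(f"{name}: {line}")
```

Running it prints one line each for web01 and db01 and nothing for the two well-formed hosts. The check only inspects inventory shape; if it passes and the error persists, the remaining causes in the thread (host not joined to the domain, DNS, clock skew) still need to be checked on the domain side.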

Sushena Parthasarathy

Oct 11, 2019, 5:08:40 AM
to Ansible Project
Hi Jordan,
         I have tried all the possibilities and your suggestions as well; still the same error, for Windows alone. Is there any workaround for this?

N.B: I have modified the password before posting it. 

--
Sushena P

Piyush Bansal

Oct 15, 2019, 3:49:21 AM
to ansible...@googlegroups.com
Hello Sushena,

Hope you are doing well!
I have faced the exact same situation and it got resolved.

Could you please give me the following:

- nslookup of the member server FQDN you are pinging from the Ansible server
- Output of the command setspn -l <hostname>
- Ansible hosts file section which shows the server names on which you are running this module
- How many network interfaces you have on your Ansible server
- Are these network interfaces on the Ansible server in the same subnet range or mask?

Thanks,
Piyush
9650865898



Amal Antony

Oct 17, 2019, 8:46:36 AM
to Ansible Project
Hi Piyush Bansal,


                     Thanks for your response. I work along with Sushena. Below are the technical details:
  • nslookup is working correctly and the hosts resolve each other.
  • Only one network interface.
  • Hosts file entry: testhost.NORTHIND.INTERNAL

Thanks,

Amal Antony


Amal Antony

Oct 17, 2019, 8:53:26 AM
to Ansible Project
Hi Piyush,

Please find below a snippet from the ansible command output for further understanding.

###############################################################################################################

creating Kerberos CC at /tmp/tmpEO9VQo
calling kinit with subprocess for principal Amal...@NORTHIND.INTERNAL
kinit succeeded for principal Amal...@NORTHIND.INTERNAL
<GCP-Bast.northind.internal> WINRM CONNECT: transport=kerberos endpoint=https://GCP-Bast.northhind.internal:5986/wsman
<GCP-Bast.northind.internal> WINRM CONNECTION ERROR: authGSSClientStep() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))

####################################################################################################################

Please share your thoughts.

Thanks,
Amal


J Hawkesworth

Oct 22, 2019, 7:47:16 AM
to Ansible Project
"Server not found in Kerberos database" means that the domain controller is unaware of the server. You mention using a hosts file, which suggests to me that the machine you want to connect to has not been joined to the domain. You almost certainly wouldn't need to use a hosts file, as typically joining a machine to a domain also adds it to your local DNS servers.

Hope this helps,

Jon

Sushena Parthasarathy

Nov 18, 2019, 1:03:16 AM
to Ansible Project
Thanks, Jon.

We have SOLVED the issue. The problem was with the NTP service: the Ansible controller and the domain controller weren't in sync. After setting up ntpd on the controller and changing the NTP time to UTC, the service account and playbooks were working as expected.

Thanks to everyone for assisting us.