Error while doing kerbrose connection from Ansible to Windows


manoj kumar

Jul 22, 2016, 8:43:48 AM
to Ansible Project
Hi,

I have ansible version:

ansible 2.1.0.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides

Kerberos is also installed along with requests-kerberos and pywinrm 0.2.0.

I am getting the following error while running the ping module:

    "changed": false,
    "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
    "unreachable": true

The hosts file is like:

[server]

[server:vars]
ansible_user=US...@PAL.COM
ansible_ssh_pass=0987
ansible_connection=winrm
ansible_port=5986
ansible_winrm_transport=kerberos
ansible_winrm_kerberos_delegation=yes

Can you guys please help out with what needs to be done to resolve this?

BR
Manoj

J Hawkesworth

Jul 22, 2016, 10:20:34 AM
to Ansible Project
Not sure what is wrong, but Kerberos needs DNS to work fully (both forward and reverse lookups).

Check that the hostname can be resolved to an IP from your Ansible controller.

Also check that you have configured the correct domain controllers in your /etc/krb5.conf.

Hope this helps,

Jon

manoj kumar

Jul 25, 2016, 4:09:02 PM
to Ansible Project
The host name is resolvable to an IP, but resolving the IP back to a name (to test the reverse DNS mapping) is not working.

In /etc/krb5.conf we have the correct configuration, as below:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = WEBSITE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 WEBSITE.COM = {
  kdc = WIN-SA2TXZOTVMV.website.com
  admin_server = WIN-SA2TXZOTVMV.website.com
 }

[domain_realm]
 .website.com = WEBSITE.COM
 website.com = WEBSITE.COM

Also, I am able to connect to the domain using kinit.

But the servers are not getting recognized, with the error:

    traceroute AMATLTDMSWEB00.RECALL.COM
    AMATLTDMSWEB00.RECALL.COM: Name or service not known
    Cannot handle "host" cmdline arg `AMATLTDMSWEB00.RECALL.COM' on position 1 (argc 1)

While using the server name/IP in the hosts file and trying to get connected, the below-mentioned error comes up.

J Hawkesworth

Jul 26, 2016, 1:44:29 AM
to Ansible Project
Your krb5.conf looks ok, although you might want to add a second kdc machine if you have one. Looks like that side of things is working if you are getting a Kerberos ticket ok.

Pretty certain you are going to need to get reverse DNS lookups functioning properly to get Kerberos connections working, though.
It's worth doing, as less than fully functional DNS just makes life difficult for network users. Unfortunately it's something I have no experience of fixing, so I don't know how to help with that.

If you are just using hostnames in your inventory, check that the search suffixes are set up correctly in your resolv.conf.

Jon
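Added example, not from the thread or from Ansible/pywinrm: a small Python model of how MIT Kerberos maps a target host to a realm through the [domain_realm] section, and therefore which service principal (HTTP/<host>@REALM) the WinRM client ends up requesting from the KDC. It uses a constructed excerpt of the krb5.conf posted above with one extra mapping (.lab.website.com) added to show suffix matching, and it only lowercases the host name instead of canonicalizing it through DNS, which is the step where the reverse lookup discussed above comes in.

```python
# Constructed excerpt of the posted krb5.conf, plus one extra [domain_realm] entry for this example.
KRB5_CONF = """[libdefaults]
 default_realm = WEBSITE.COM
 dns_lookup_realm = false
[realms]
 WEBSITE.COM = {
  kdc = WIN-SA2TXZOTVMV.website.com
 }
[domain_realm]
 .website.com = WEBSITE.COM
 website.com = WEBSITE.COM
 .lab.website.com = LAB.WEBSITE.COM
"""

def parse_krb5_conf(text):
    """Minimal reader: {section: {key: value}}; nested '{ }' blocks (under [realms]) are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and current and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def realm_for_host(host, conf):
    """MIT krb5 [domain_realm] rule: exact host first, then parent domains with a
    leading dot (most specific wins), else default_realm. Simplified: the name is
    only lowercased; the real library also canonicalizes it via forward/reverse DNS."""
    host = host.lower().rstrip(".")
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for cand in ("." + ".".join(labels[i:]) for i in range(1, len(labels))):
        if cand in mapping:
            return mapping[cand]
    return conf["libdefaults"]["default_realm"]

def expected_spn(host, conf, service="HTTP"):
    """Principal the WinRM client asks the KDC for; 'Server not found in Kerberos database' means that realm has no such SPN."""
    return f"{service}/{host.lower().rstrip('.')}@{realm_for_host(host, conf)}"
```

Running expected_spn("AMATLTDMSWEB00.RECALL.COM", conf) against this config shows the request falls through to the default realm, which is a useful thing to compare with the realm that actually holds the target machine's account.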