Unspecified GSS failure
660 views
Skip to first unread message
Trond Hindenes
Oct 7, 2015, 10:27:51 AM10/7/15
to Ansible Project
Hi all,
I'm getting a new error I've never seen before. Control node is Centos7. When trying to use a domain account I'm getting this error when running ansible:
MSC10051.domain.local | FAILED => Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 582, in _executor
exec_rc = self._executor_internal(host, new_stdin)
File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 785, in _executor_internal
return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 964, in _executor_internal_inner
conn = self.connector.connect(actual_host, actual_port, actual_user, actual_pass, actual_transport, actual_private_key_file, delegate_host)
File "/usr/lib/python2.7/site-packages/ansible/runner/connection.py", line 52, in connect
self.active = conn.connect()
File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 140, in connect
self.protocol = self._winrm_connect()
File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 96, in _winrm_connect
protocol.send_message('')
File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 190, in send_message
return self.transport.send_message(message)
File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 219, in send_message
krb_ticket = KerberosTicket(self.krb_service)
File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 166, in __init__
kerberos.authGSSClientStep(krb_context, '')
GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('KDC reply did not match expectations', -1765328237))
I've setup kerberos with Ansible lots of times before, but only on Ubuntu. kinit/klist looks fine, so I'm struggling with how to figure this one out. Any pointers appreciated! Installed Ansible using yum, version 1.9.2
Bill Nottingham
Oct 7, 2015, 10:46:50 AM10/7/15
to ansible...@googlegroups.com
Some googling suggests it could mean a case mismatch in the kerberos principal name, if using an AD server, or disagreements about the renewable lifetime of the ticket.
Bill--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/07a6f1c9-62ab-47a6-b162-2dd54e1a2d3b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
J Hawkesworth
Oct 7, 2015, 4:15:26 PM10/7/15
to Ansible Project
Hi,
I think I've had this before where the name I had for the domain turned out to be an alias.
If you run kinit -C us...@SOME.DOMAIN
and then do a klist
if the ticket you get back is not for SOME.DOMAIN then that's the issue.
I just changed my config so I was requesting a ticket for the actual domain, but it might be possible to tweak your /etc/krb5.conf to get round this.
Hope this helps,
Jon
I think I've had this before where the name I had for the domain turned out to be an alias.
If you run kinit -C us...@SOME.DOMAIN
and then do a klist
if the ticket you get back is not for SOME.DOMAIN then that's the issue.
I just changed my config so I was requesting a ticket for the actual domain, but it might be possible to tweak your /etc/krb5.conf to get round this.
Hope this helps,
Jon
Reply all
Reply to author
Forward
0 new messages