Ansible Kerberos authentication


Nitrous

Aug 16, 2022, 11:13:53 AM
to Ansible Project
Our ansible box isn't domain joined, and we build a lot of VMs from a template that has an account as part of the image, which is local admin.

I was reading more into Kerberos authentication, and set up my var file as this:

[xx:vars]
ansible_connection=winrm
ansible_user=xx
ansible_password=xx
ansible_port=5986
ansible_ssh_port=5986
ansible_winrm_transport=kerberos
ansible_winrm_scheme=https
ansible_winrm_server_cert_validation=ignore
domain_server=test.local
domain_username=cc
domain_password=cc
wsus_server=cc

When I run my playbook, I get:
fatal: [x.x.x.x]: UNREACHABLE! => {
    "changed": false,
    "msg": "Kerberos auth failure when calling kinit cmd 'kinit': The command was not found or was not executable: kinit.",
    "unreachable": true
}

My host file has the server entry as below:

hostname ansible_host=IP address of host

Changing the ansible_winrm_transport to basic works, with no issue.

How can I use my existing config to work with Kerberos?

Please help/suggest.

Walter Rowe

Aug 16, 2022, 11:50:48 AM
to Ansible Project
Your answer is in the error message.

"Kerberos auth failure when calling kinit cmd 'kinit': The command was not found or was not executable: kinit."

--
Walter Rowe, Chief
Infrastructure Services
Office of Information Systems Management
National Institute of Standards and Technology
United States Department of Commerce

Nitrous

Aug 16, 2022, 12:09:23 PM
to Ansible Project
Thanks, I installed the kinit command, but now I'm getting this error:

TASK [windowsupdates : Check If Windows Updates are Available] ******************************************************************************************************************************************************************
task path: /etc/ansible/roles/windowsupdates/tasks/main.yml:1
The full traceback is:
Traceback (most recent call last):
  File "/root/.ansible/collections/ansible_collections/ansible/windows/plugins/action/win_updates.py", line 761, in run
    result = self._run_sync(task_vars, module_options, reboot, reboot_timeout)
  File "/root/.ansible/collections/ansible_collections/ansible/windows/plugins/action/win_updates.py", line 834, in _run_sync
    update_result = self._run_updates(task_vars, module_options, poll_script_path, cancel_script_path)
  File "/root/.ansible/collections/ansible_collections/ansible/windows/plugins/action/win_updates.py", line 907, in _run_updates
    output_path, task_pid, cancel_id = self._start_updates(task_vars, module_options)
  File "/root/.ansible/collections/ansible_collections/ansible/windows/plugins/action/win_updates.py", line 951, in _start_updates
    raise _ReturnResultException(msg, exception=result.get('exception', None))
ansible_collections.ansible.windows.plugins.action.win_updates._ReturnResultException: MODULE FAILURE
See stdout/stderr for the exact error
fatal: [ansible_host=x.x.x.x]: FAILED! => {
    "changed": false,
    "failed_update_count": 0,
    "filtered_updates": {},
    "found_update_count": 0,
    "installed_update_count": 0,
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "updates": {}
}
...ignoring
The full traceback is:
Traceback (most recent call last):
  File "/root/.ansible/collections/ansible_collections/ansible/windows/plugins/action/win_updates.py", line 761, in run
    result = self._run_sync(task_vars, module_options, reboot, reboot_timeout)
  File "/root/.ansible/collections/ansible_collections/ansible/windows/plugins/action/win_updates.py", line 834, in _run_sync
    update_result = self._run_updates(task_vars, module_options, poll_script_path, cancel_script_path)
  File "/root/.ansible/collections/ansible_collections/ansible/windows/plugins/action/win_updates.py", line 907, in _run_updates
    output_path, task_pid, cancel_id = self._start_updates(task_vars, module_options)
  File "/root/.ansible/collections/ansible_collections/ansible/windows/plugins/action/win_updates.py", line 951, in _start_updates
    raise _ReturnResultException(msg, exception=result.get('exception', None))
ansible_collections.ansible.windows.plugins.action.win_updates._ReturnResultException: MODULE FAILURE
See stdout/stderr for the exact error
fatal: [ansible_host=x.x.x.x]: FAILED! => {
    "changed": false,
    "failed_update_count": 0,
    "filtered_updates": {},
    "found_update_count": 0,
    "installed_update_count": 0,
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "updates": {}
}
...ignoring


The same playbook works when using the basic authentication:

TASK [windowsupdates : Check If Windows Updates are Available] ******************************************************************************************************************************************************************
task path: /etc/ansible/roles/windowsupdates/tasks/main.yml:1
ok: [hostname] => {
    "changed": false,
    "failed_update_count": 0,
    "filtered_updates": {},
    "found_update_count": 0,
    "installed_update_count": 0,
    "invocation": {
        "module_args": {
            "accept_list": null,
            "category_names": [
                "Application",
                "Connectors",
                "DefinitionUpdates",
                "FeaturePacks",
                "Guidance",
                "ServicePacks",
                "Tools",
                "UpdateRollups",
                "CriticalUpdates",
                "SecurityUpdates",
                "Drivers",
                "Updates"
            ],
            "log_path": "C:\\ansible_wu.txt",
            "reboot": false,
            "reboot_timeout": 1200,
            "reject_list": null,
            "server_selection": "managed_server",
            "skip_optional": false,
            "state": "searched",
            "use_scheduled_task": false
        }
    },
    "reboot_required": false,
    "updates": {}
}

Игорь Туровский

Aug 16, 2022, 12:12:02 PM
to ansible...@googlegroups.com
It sounds like your ansible host does not have the Krb5 library installed - https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#installing-the-kerberos-library
Also, Kerberos uses FQDNs rather than IP addresses, so you will need to have DNS names set as hostnames in the inventory (or use the ansible_winrm_kerberos_hostname_override variable).

Tue, 16 Aug 2022 at 18:14, Nitrous <wassama...@gmail.com>:

Nitrous

Aug 16, 2022, 12:34:16 PM
to Ansible Project
I changed a few things, and now I see this:

TASK [windowsupdates : Check If Windows Updates are Available] ******************************************************************************************************************************************************************
task path: /etc/ansible/roles/windowsupdates/tasks/main.yml:1
fatal: [ansible_host=x.x.x.x]: UNREACHABLE! => {
    "changed": false,
    "msg": "Kerberos auth failure for principal x...@XX.LOCAL with pexpect: Cannot find KDC for realm \" XX.LOCAL  \" while getting initial credentials",
    "unreachable": true
}
fatal: [ansible_host=x.x.x.x]: UNREACHABLE! => {
    "changed": false,
     "msg": "Kerberos auth failure for principal x...@XX.LOCAL with pexpect: Cannot find KDC for realm \" XX.LOCAL  \" while getting initial credentials",
    "unreachable": true
}

My vars look like this:

ansible_connection=winrm
ansible_user=x...@XX.LOCAL
ansible_password=xx
ansible_winrm_kerberos_hostname_override
ansible_port=5986
ansible_ssh_port=5986
ansible_winrm_transport=kerberos
ansible_connection=local
ansible_winrm_scheme=https
ansible_winrm_server_cert_validation=ignore
domain_server=xx.local
domain_username=xx.local\xx
domain_password=xx

Host file looks like this:

ansible_host=IP address of the server

The ansible box isn't domain joined, and we have multiple domains.

Nitrous

Aug 16, 2022, 12:48:29 PM
to Ansible Project
Even a simple ping playbook fails, but using basic authentication it works:

TASK [ping] *********************************************************************************************************************************************************************************************************************
task path: /etc/ansible/playbooks/multiple.yml:8

fatal: [ansible_host=x.x.x.x]: FAILED! => {
    "changed": false,
    "module_stderr": "/bin/sh: 1: powershell: not found\n",
    "module_stdout": "",
    "msg": "The module failed to execute correctly, you probably need to set the interpreter.\nSee stdout/stderr for the exact error",
    "rc": 127

Nitrous

Aug 16, 2022, 1:11:42 PM
to Ansible Project
Also, I just checked the krb5.conf file:

[libdefaults]
        default_realm = PRIMARYDOMAIN.COM

# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        fcc-mit-ticketflags = true

[realms]
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu
                kdc = kerberos-1.mit.edu
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        CSAIL.MIT.EDU = {
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        ANDREW.CMU.EDU = {
                admin_server = kerberos.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos-1.srv.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                kdc = kerberos-3.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementix.org
                kdc = kerberos2.dementix.org
                admin_server = kerberos.dementix.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                master_kdc = krb5auth1.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }
        UTORONTO.CA = {
                kdc = kerberos1.utoronto.ca
                kdc = kerberos2.utoronto.ca
                kdc = kerberos3.utoronto.ca
                admin_server = kerberos1.utoronto.ca
                default_domain = utoronto.ca
        }

[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA

I don't know where the other stuff in the file comes from, but we have multiple domains, and the domain I am trying to run the playbook against is DOMAINB.COM.

I can ping the machine in domainB via IP from the ansible box, but not by its FQDN.

Rowe, Walter P. (Fed)

Aug 16, 2022, 2:42:09 PM
to ansible...@googlegroups.com
If you join your Linux machine to AD with SSSD, this all gets filled in for you. Might make life easier.

Walter
--
Walter Rowe, Division Chief
Infrastructure Services, OISM
Mobile: 202.355.4123

Nitrous

Aug 17, 2022, 9:51:33 AM
to Ansible Project
Yes, thanks; we don't want to do that due to some restrictions, hence asking for help :)

Luca 'remix_tj' Lorenzetto

Aug 17, 2022, 9:55:59 AM
to ansible...@googlegroups.com
Hello,

Without joining the domain, we added entries to krb5.conf to specify which Kerberos servers to contact for authentication. We then specified credentials via the command line for ansible and we can authenticate to winrm successfully.

Luca



--
"It is absurd to employ men of excellent intelligence to do calculations
that could be entrusted to anyone if machines were used"
Gottfried Wilhelm von Leibnitz, Philosopher and Mathematician (1646-1716)

"The Internet is the largest library in the world.
But the problem is that the books are all scattered on the floor"
John Allen Paulos, Mathematician (1945-living)
 
Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , <lorenze...@gmail.com>

Nitrous

Aug 17, 2022, 10:05:31 AM
to Ansible Project
Thanks, would you mind posting a sample of your krb5.conf file?

We have multiple domains, and some of them don't have a trust relationship, so I'm trying to figure out how to do this in a manner that works for all our domains.
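Luca's approach (adding the target realm's KDCs to krb5.conf on a non-joined control node) and the krb5.conf posted earlier in the thread point at the same gap: the file names a default_realm and a set of unrelated sample realms, but has no [realms] entry for DOMAINB.COM, so kinit reports "Cannot find KDC for realm" unless DNS SRV lookup for the KDC succeeds, and the thread notes that DNS for that domain does not resolve from the ansible box. The script below is an added example, not from the thread or from MIT Kerberos; the krb5.conf text, realm names and KDC hostnames are constructed placeholders. It parses the sections that matter, explains why a given principal cannot find its KDC, and renders the [realms] and [domain_realm] stanza to append for each additional domain, trusted or not, since each realm is configured independently.

```python
"""Check that krb5.conf can locate the KDC for a principal's realm and render
the stanza to add when it cannot.

Added example, not from the thread or from MIT Kerberos. The configuration
text, realm names and KDC hostnames below are constructed placeholders.
"""

# Constructed krb5.conf resembling the posted one: default_realm points at one
# domain and the realm of the target hosts (DOMAINB.COM) is absent.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = PRIMARYDOMAIN.COM
        dns_lookup_kdc = false

[realms]
        PRIMARYDOMAIN.COM = {
                kdc = dc1.primarydomain.com
                admin_server = dc1.primarydomain.com
        }

[domain_realm]
        .primarydomain.com = PRIMARYDOMAIN.COM
        primarydomain.com = PRIMARYDOMAIN.COM
"""


def parse_krb5_conf(text):
    """Minimal parser for the [libdefaults], [realms] and [domain_realm] sections.

    Returns {"libdefaults": {k: v}, "realms": {REALM: {k: [v, ...]}},
    "domain_realm": {pattern: REALM}}; other sections are ignored.
    """
    conf = {"libdefaults": {}, "realms": {}, "domain_realm": {}}
    section, realm = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif section == "realms":
            if line.endswith("{"):
                realm = line[:-1].strip(" =")
                conf["realms"].setdefault(realm, {})
            elif line == "}":
                realm = None
            elif realm and "=" in line:
                key, _, val = line.partition("=")
                conf["realms"][realm].setdefault(key.strip(), []).append(val.strip())
        elif section in conf and "=" in line:
            key, _, val = line.partition("=")
            conf[section][key.strip()] = val.strip()
    return conf


def diagnose_realm(conf, principal, host_fqdn):
    """Return findings explaining why kinit/GSSAPI would fail for this principal and host."""
    findings = []
    defaults = conf["libdefaults"]
    realm = principal.rsplit("@", 1)[1] if "@" in principal else defaults.get("default_realm", "")
    realm_cfg = conf["realms"].get(realm, {})
    dns_lookup_kdc = defaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")
    if not realm_cfg.get("kdc"):
        if dns_lookup_kdc:
            findings.append(f"no kdc for realm {realm} in [realms]; locating it depends on a "
                            f"_kerberos._tcp.{realm.lower()} SRV record resolving from this host")
        else:
            findings.append(f"no kdc for realm {realm} in [realms] and dns_lookup_kdc is off: "
                            "kinit will report 'Cannot find KDC for realm'")
    domain = host_fqdn.partition(".")[2].lower()
    mapped = conf["domain_realm"].get(host_fqdn.lower()) or conf["domain_realm"].get("." + domain)
    if mapped is None:
        findings.append(f"no [domain_realm] mapping for .{domain}; the service principal for "
                        f"{host_fqdn} falls back to default_realm {defaults.get('default_realm')}")
    elif mapped != realm:
        findings.append(f".{domain} maps to realm {mapped}, but the principal is in {realm}")
    return findings


def realm_stanza(realm, kdcs):
    """Render the [realms] and [domain_realm] entries to append for one realm."""
    domain = realm.lower()
    lines = ["[realms]", f"        {realm} = {{"]
    lines += [f"                kdc = {kdc}" for kdc in kdcs]
    lines += [f"                admin_server = {kdcs[0]}", "        }", "",
              "[domain_realm]", f"        .{domain} = {realm}", f"        {domain} = {realm}"]
    return "\n".join(lines)


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for finding in diagnose_realm(conf, "svc_ansible@DOMAINB.COM", "srv01.domainb.com"):
        print(finding)
    print(realm_stanza("DOMAINB.COM", ["dc1.domainb.com", "dc2.domainb.com"]))
```

Appending the rendered stanza to the sample configuration and re-running diagnose_realm yields no findings; on a real control node the KDC hostnames still have to resolve, so a DNS entry or hosts-file record for each KDC is part of the same fix.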