Server not found in Kerberos Database


skinnedknuckles

Jun 1, 2016, 6:40:48 PM
to Ansible Project
Control Node:
  • CentOS 7
  • Ansible 2.1
  • pywinrm version from May 19th, 2016
Remote Node:
  • Windows 7
  • Powershell 3

I'm having trouble connecting to my remote node with Kerberos.  I have carefully followed all the instructions from the Ansible Docs website.  When I run "klist" it shows a Kerberos ticket-granting ticket, so I know it is working that far.  But then when I run win_ping, I get the error message below.  Can I assume all AD accounts are in the Kerberos database or do they need to be added somehow?  Otherwise how can I fix this?


$ cat windows.yml
---
ansible_user: ads-6999
ansible_password: ******
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_realm: ACME.COM
ansible_winrm_transport: kerberos
ansible_winrm_kerberos_delegation: yes


$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: ads-...@AD.ACME.COM

Valid starting       Expires              Service principal
06/01/2016 17:00:46  06/02/2016 03:00:46  krbtgt/AD.AC...@AD.ACME.COM
    renew until 06/08/2016 17:00:19
$ ansible windows -m win_ping
No config file found; using defaults
Loaded callback minimal of type stdout, v2.0
<ADS-6999> ESTABLISH WINRM CONNECTION FOR USER: ads-6999 on PORT 5985 TO ADS-6999
<ADS-6999> WINRM CONNECT: transport=kerberos endpoint=http://ADS-6999:5985/wsman
<ADS-6999> WINRM CONNECTION ERROR: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))
Traceback (most recent call last):
  File "/etc/ansible/lib/ansible/plugins/connection/winrm.py", line 134, in _winrm_connect
    protocol.send_message('')
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 193, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 269, in send_message
    krb_ticket = KerberosTicket(self.krb_service)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 205, in __init__
    kerberos.authGSSClientStep(krb_context, '')
GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))

ADS-6999 | FAILED! => {
    "failed": true,
    "msg": "kerberos: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))"
}

Trond Hindenes

Jun 2, 2016, 2:37:24 PM
to Ansible Project
Is both your user and your computer named "ADS-6999"?

skinnedknuckles

Jun 2, 2016, 2:56:54 PM
to Ansible Project
Yes, they are the same.  Is that a problem?  I could make a new account local or domain.

Trond Hindenes

Jun 7, 2016, 6:57:59 AM
to Ansible Project
Probably not. First, make sure you specify ansible_user: ads-6999 including the realm, so ansible_user: ads-...@acme.com. Not sure if that has any effect, but still. If that fails, I'd create a new user with a different name from the node to see if that helps.

Alf Normann Klausen

Oct 20, 2016, 1:00:45 PM
to Ansible Project
Hi,

I think I have the exact same problem.
Running ansible 2.1.1.0-1.el7 on CentOS 7.2.1511

Here is an example of ansible command output:


[alfkla@webdmz.no@tvm-alfkla ~]$ ansible -i hosts TVM-ALF2012R2 -m win_ping -vvvvv
Using /etc/ansible/ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<192.168.4.225> ESTABLISH WINRM CONNECTION FOR USER: alfkla@WEBDMZ.NO on PORT 5985 TO 192.168.4.225
<192.168.4.225> WINRM CONNECT: transport=kerberos endpoint=http://192.168.4.225:5985/wsman
<192.168.4.225> WINRM CONNECTION ERROR: authGSSClientStep() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 151, in _winrm_connect
    self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 170, in send_message
    prepared_request = self.session.prepare_request(request)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 394, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 298, in prepare
    self.prepare_auth(auth, url)
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 500, in prepare_auth
    r = auth(self)
  File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 318, in __call__
    auth_header = self.generate_request_header(None, host, is_preemptive=True)
  File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 158, in generate_request_header
    raise KerberosExchangeError("%s failed: %s" % (kerb_stage, str(error.args)))
KerberosExchangeError: authGSSClientStep() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))

TVM-ALF2012R2 | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
    "unreachable": true
}

The kerberos ticket is ok:
[alfkla@webdmz.no@tvm-alfkla ~]$ klist
Ticket cache: KEYRING:persistent:1015602603:1015602603
Default principal: alfkla@WEBDMZ.NO

Valid starting       Expires              Service principal
20. okt. 2016 13:06  20. okt. 2016 23:06  krbtgt/WEBDMZ.NO@WEBDMZ.NO
    renew until 27. okt. 2016 13:06

The inventory is like this:

[alfkla@webdmz.no@tvm-alfkla ~]$ grep ^TVM-ALF2012R2 hosts
TVM-ALF2012R2 ansible_host=192.168.4.225 ansible_user=alfkla@WEBDMZ.NO ansible_password=xXxXxXxXx ansible_port=5985 ansible_connection=winrm ansible_winrm_transport=kerberos ansible_winrm_kerberos_delegation=yes

Any clue why this happens?

All help will be highly appreciated!  :o)


Kind regards,

Alf Normann Klausen


Matt Davis

Oct 20, 2016, 1:13:17 PM
to Ansible Project
Kerberos is highly dependent on DNS and name->realm mapping; you need to use the host's FQDN, not its IP, unless you've hacked up your krb5.conf and DNS infra significantly to support that.
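An added example (not Ansible's or pywinrm's own code) that turns the point above into a check: it parses inventory lines like the ones in this thread, flags an ansible_host that is an IP literal or a short name with no realm mapping (the two shapes that failed here), and shows the HTTP/<fqdn>@REALM principal the KDC must hold for the FQDN form. The [domain_realm]-style mapping, host names and inventory values are constructed for the example.

```python
"""Added example, not Ansible's or pywinrm's own code: lint inventory lines
for WinRM-over-Kerberos hosts and predict the service principal the KDC
must hold. All host names, realms and inventory values are constructed."""
import ipaddress
import shlex

# Stand-in for a krb5.conf [domain_realm] section (constructed mapping).
DOMAIN_REALM = {".webdmz.no": "WEBDMZ.NO"}


def parse_inventory_line(line):
    """Split an INI-style line 'NAME key=value ...' into (name, hostvars)."""
    parts = shlex.split(line)
    return parts[0], dict(kv.split("=", 1) for kv in parts[1:])


def host_realm(hostname, domain_realm=DOMAIN_REALM):
    """Map a host name to a realm the way [domain_realm] does: the longest
    matching domain suffix wins; None means no realm follows from the name."""
    name = hostname.lower()
    for suffix in sorted(domain_realm, key=len, reverse=True):
        if name.endswith(suffix):
            return domain_realm[suffix]
    return None


def check_kerberos_host(hostvars, inventory_name=""):
    """Return (expected_principal, problem) for one host's variables.
    The client asks GSSAPI for the host-based name HTTP@<ansible_host>, which
    the KDC can only satisfy with a ticket for HTTP/<fqdn>@REALM. An IP
    literal or a short name gives it nothing to look up: that is the
    'Server not found in Kerberos database' failure from this thread."""
    if (hostvars.get("ansible_connection") != "winrm"
            or hostvars.get("ansible_winrm_transport") != "kerberos"):
        return None, None  # not a Kerberos/WinRM host, nothing to check
    # Like Ansible, fall back to the inventory name when ansible_host is unset.
    host = hostvars.get("ansible_host", inventory_name)
    try:
        ipaddress.ip_address(host)
        return None, "ansible_host %s is an IP literal; use the FQDN" % host
    except ValueError:
        pass  # not an IP literal, go on to the name checks
    realm = host_realm(host)
    if realm is None:
        return None, "no realm maps to %r (short name?); use the FQDN" % host
    return "HTTP/%s@%s" % (host.lower(), realm), None


if __name__ == "__main__":  # constructed sample: the IP form and the FQDN form
    for line in ("TVM-ALF2012R2 ansible_host=192.168.4.225 ansible_connection=winrm ansible_winrm_transport=kerberos",
                 "TVM-ALF2012R2 ansible_host=TVM-ALF2012R2.WEBDMZ.NO ansible_connection=winrm ansible_winrm_transport=kerberos"):
        name, hostvars = parse_inventory_line(line)
        print(name, check_kerberos_host(hostvars, name))
```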

Alf Normann Klausen

Oct 20, 2016, 1:32:32 PM
to Ansible Project
>> Kerberos is highly dependent on DNS and name->realm mapping; you need to use the host's FQDN, not its IP, unless you've hacked up your krb5.conf and DNS infra significantly to support that.

Wow, I replaced the IP address in the variable ansible_host= with the FQDN:

[alfkla@webdmz.no@tvm-alfkla ~]$ grep ^TVM-ALF2012R2 hosts
TVM-ALF2012R2 ansible_host=TVM-ALF2012R2.WEBDMZ.NO ansible_user=alfkla@WEBDMZ.NO ansible_password=xXxXxXx ansible_port=5985 ansible_connection=winrm ansible_winrm_transport=kerberos ansible_winrm_kerberos_delegation=yes
[alfkla@webdmz.no@tvm-alfkla ~]$

And now it works!
[alfkla@webdmz.no@tvm-alfkla ~]$ ansible -i hosts TVM-ALF2012R2 -m win_ping
TVM-ALF2012R2 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
[alfkla@webdmz.no@tvm-alfkla ~]$

Thanks a million Matt Davis!!! :o)

Kind regards,
Alf Norman Klausen


Krishan Kant

Dec 2, 2016, 12:16:42 PM
to Ansible Project
Hi skinnedknuckles,


Does it work for you now? I am getting the same error message.

Server_Name | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
    "unreachable": true
}

-Krishan

skinnedknuckles

Dec 2, 2016, 12:18:58 PM
to Ansible Project
I never got Kerberos to work.  I ended up using SSL instead.

