Windows Kerberos Issues

Jim Heald
Jun 8, 2017, 11:59:34 AM
to Ansible Project
I'm trying to use Ansible to log into a Windows host, and I'm having issues logging in.
  1. My Ansible server is joined to the domain
  2. DNS lookup works, as well as in reverse
  3. I can log into the Windows hosts as a local user through Ansible
  4. Running something like "id <user>@<domain>" works on my Ansible server
The error I am getting is this: "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",

I can ping the host, and like I said both DNS and Reverse DNS work. I know for sure the host is joined to the domain, and I'm pretty certain the Linux server is joined to the domain. Any suggestions?

Thanks!

matt...@redhat.com
Jun 8, 2017, 12:49:53 PM
to Ansible Project
The domain status of the Ansible controller shouldn't matter. If DNS is working, the typical remaining causes of that error are not using the FQDN of the target host in your Ansible inventory, or that the host's HTTP SPN has been reassigned to another user.

Also, if you don't absolutely need to use Kerberos, NTLM or CredSSP are much easier ways to do domain user auth...

Jim Heald
Jun 8, 2017, 3:41:40 PM
to Ansible Project
I would love to use NTLM or CredSSP because Kerberos is a bit of a PITA it seems. Do those transports require host configuration? If I simply change the transport to ntlm I get:

"msg": "ntlm: the specified credentials were rejected by the server"

And with CredSSP I get:

"msg": "credssp: The server did not respond with CredSSP as an available auth method"

J Hawkesworth
Jun 12, 2017, 1:43:04 PM
to Ansible Project
There's a command line switch you have to use on the ConfigureRemotingForAnsible.ps1 if you want to use CredSSP I think.

Re your Kerberos problem, has the Windows box you are trying to hit actually been joined to the domain?

Jordan Borean
Jun 12, 2017, 6:06:20 PM
to Ansible Project
The switch to enable CredSSP when running ConfigureRemotingForAnsible.ps1 is

powershell.exe -ExecutionPolicy Bypass -File ConfigureRemotingForAnsible.ps1 -EnableCredSSP

You can also just enable it manually by running

Enable-WSManCredSSP -role server -Force

As for your Kerberos issue, I find that if your DNS isn't set correctly and you have SPN issues, you are going to have a bad time. You can use

setspn -L COMPUTERACCOUNT

where COMPUTERACCOUNT is the account in AD for the host, to see a list of SPNs registered to that host.
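The three conditions the replies point at (forward and reverse DNS agreeing, the HTTP SPN for the host's FQDN belonging to the computer account, and WinRM offering the expected auth methods) can be checked in one pass. This is an added example, not a script from the thread or from Ansible; it is meant to run in an elevated PowerShell on the domain-joined target, and $TargetFqdn is a placeholder that defaults to the local host's FQDN.

```powershell
# Added example (not from the thread). Run on the Windows target as a domain user
# with read access to AD. $TargetFqdn is a placeholder: the name Ansible uses in
# its inventory, which must be the FQDN for Kerberos to build the right SPN.
param(
    [string]$TargetFqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName
)

# 1. DNS: the reverse lookup of the forward address must give back the same FQDN
$forward = [System.Net.Dns]::GetHostAddresses($TargetFqdn) | Select-Object -First 1
$reverse = [System.Net.Dns]::GetHostEntry($forward).HostName
if ($reverse -ine $TargetFqdn) {
    Write-Warning "Reverse DNS for $forward is '$reverse', not '$TargetFqdn'"
}

# 2. SPN ownership: find which AD object registers HTTP/<fqdn>. If none does,
#    Kerberos falls back to HOST/<fqdn>, which should sit on the computer account.
$spn   = "HTTP/$TargetFqdn"
$owner = ([adsisearcher]"(servicePrincipalName=$spn)").FindOne()
if (-not $owner) {
    $spn   = "HOST/$TargetFqdn"
    $owner = ([adsisearcher]"(servicePrincipalName=$spn)").FindOne()
}
if (-not $owner) {
    # 'Server not found in Kerberos database' is the symptom of this case
    Write-Warning "No AD account registers $spn; register it on the computer account, e.g. setspn -S HTTP/$TargetFqdn $env:COMPUTERNAME`$"
} else {
    $class = $owner.Properties['objectclass'] -join ','
    $name  = $owner.Properties['samaccountname'][0]
    if ($class -notmatch 'computer') {
        # The SPN has been (re)assigned to a user; tickets are issued for that
        # account's key, so WinRM on this host cannot accept them.
        Write-Warning "$spn is registered to '$name', which is not a computer account"
    } else {
        Write-Host "$spn is held by computer account $name"
    }
}

# 3. WinRM service auth: which transports the controller can actually negotiate
Get-ChildItem WSMan:\localhost\Service\Auth |
    Where-Object { $_.Name -in 'Kerberos', 'Negotiate', 'CredSSP' } |
    ForEach-Object { '{0,-10} {1}' -f $_.Name, $_.Value }
```

A `CredSSP false` line in the last section is what produces the "did not respond with CredSSP as an available auth method" error quoted earlier in the thread.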

Jim Heald
Jun 12, 2017, 7:30:53 PM
to Ansible Project
Thank you! I actually just got CredSSP working, so much easier!

Snehit
Feb 26, 2018, 8:03:40 AM
to Ansible Project