pywinrm GSSError: No Kerberos credentials available


Dan Swartz

Aug 13, 2015, 12:33:29 PM8/13/15
to Ansible Project
(Sorry, because I know this has been asked a bunch of times, because I've found a bunch of threads on it, but nothing yet has seemed to help.)

I am trying to connect to a Windows Server 2012r2 instance on Rackspace (authed w/ RSA key, in case that's relevant). Since I have a domain account, my understanding is that I must use kerberos authentication. I keep getting the same error, using either port 5985 or 5986:

<!REMOVED!> ESTABLISH WINRM CONNECTION FOR USER:  on PORT 5985 TO !REMOVED!
<!REMOVED!> WINRM CONNECT: transport=kerberos endpoint=http://!REMOVED!:5985/wsman
!REMOVED! | FAILED => Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/ansible/runner/__init__.py", line 582, in _executor
    exec_rc = self._executor_internal(host, new_stdin)
  File "/usr/lib/pymodules/python2.7/ansible/runner/__init__.py", line 785, in _executor_internal
    return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
  File "/usr/lib/pymodules/python2.7/ansible/runner/__init__.py", line 964, in _executor_internal_inner
    conn = self.connector.connect(actual_host, actual_port, actual_user, actual_pass, actual_transport, actual_private_key_file, delegate_host)
  File "/usr/lib/pymodules/python2.7/ansible/runner/connection.py", line 52, in connect
    self.active = conn.connect()
  File "/usr/lib/pymodules/python2.7/ansible/runner/connection_plugins/winrm.py", line 140, in connect
    self.protocol = self._winrm_connect()
  File "/usr/lib/pymodules/python2.7/ansible/runner/connection_plugins/winrm.py", line 96, in _winrm_connect
    protocol.send_message('')
  File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 190, in send_message
    return self.transport.send_message(message)
  File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 219, in send_message
    krb_ticket = KerberosTicket(self.krb_service)
  File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 166, in __init__
    kerberos.authGSSClientStep(krb_context, '')
GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('No Kerberos credentials available', -1765328243))

I was debugging all the Ansible (1.9.2) python code (from runner/__init__.py to connection_plugins/winrm.py) and it was successfully parsing my username like 'USER@DOMAIN' and my realm as "DOMAIN", but, as you can see from the first line of the above, the "vvv" output showed a blank username. I don't know if that's relevant, but it's worth noting. When I opened up the pywinrm file dist-packages/winrm/transport.py, I was alarmed and amused to see:

164     def __init__(self, service):
165         ignored_code, krb_context = kerberos.authGSSClientInit(service)
166         kerberos.authGSSClientStep(krb_context, '')
167         # TODO authGSSClientStep may raise following error:
168         # GSSError: (('Unspecified GSS failure.
169         # Minor code may provide more information', 851968),
170         # ("Credentials cache file '/tmp/krb5cc_1000' not found", -1765328189))


I realize this is not an Ansible issue, at this point, but I am reeling trying to figure out why I cannot connect. I have found a few posted "fixes" and "suggestions", but they have not helped me so far.
Incidentally, I tried changing my ansible_ssh_user from 'USER@DOMAIN' to 'USER' to try connecting without kerberos and got the following:

With ansible_ssh_port: 5985:

<!REMOVED!> ESTABLISH WINRM CONNECTION FOR USER: !REMOVED! on PORT 5985 TO !REMOVED!
<!REMOVED!> WINRM CONNECT: transport=plaintext endpoint=http://!REMOVED!:5985/wsman
<!REMOVED!> WINRM CONNECTION ERROR: 401 Unauthorized. basic auth failed
<!REMOVED!> WINRM CONNECT: transport=plaintext endpoint=https://!REMOVED!:5985/wsman
<!REMOVED!> WINRM CONNECTION ERROR: 500 WinRMTransport. [Errno 1] _ssl.c:510: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

With ansible_ssh_port: 5986:
<!REMOVED!> ESTABLISH WINRM CONNECTION FOR USER: !REMOVED! on PORT 5986 TO !REMOVED!
<!REMOVED!> WINRM CONNECT: transport=plaintext endpoint=https://!REMOVED!:5986/wsman
<!REMOVED!> WINRM CONNECTION ERROR: 500 WinRMTransport. [Errno 104] Connection reset by peer
!REMOVED! | FAILED => 500 WinRMTransport. [Errno 104] Connection reset by peer


On the target host, I have run the ConfigureRemotingForAnsible.ps1 script, added my domain account to the WinRM group, and get the following winrm command-line output:

C:\Users\!REMOVED!>winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 1800000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        !REMOVED!
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 10
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 25
        MaxMemoryPerShellMB = 1024
        MaxShellsPerUser = 30


Does anyone have any ideas?

J Hawkesworth

Aug 13, 2015, 1:13:06 PM8/13/15
to Ansible Project
I think you need to set up your ansible controller as a kerberos client. Your ansible box needs to know how to talk to your windows domain controllers. Assuming you have pykerberos installed, you probably already have the command line kerberos tools installed.

I suggest you configure your /etc/krb5.conf so that your domain is listed and your domain controllers are listed too. Once that's done you can probably test the ansible connection again, or try the command line like this:

kinit domai...@FULLY.QUALIFIED.DOMAIN.NAME

Note that the domain name needs to be in upper case.

You can use klist to show if you have any kerberos credentials cached.
Hope that's enough to get you started.

Jon

Dan Swartz

Aug 13, 2015, 3:22:04 PM8/13/15
to Ansible Project
In fact I did not have pykerberos installed! I had tried installing a while ago via "pip install kerberos" (no "py") to no avail, and, at some point, installed libkrb5-dev, thinking it would suffice. Well, TIL!
Incidentally, now that I have that installed and have run the kinit command, I am at least getting more meaningful error messages like GSSError:...Cannot find KDC for realm "MAIN", which is much better.
I think I can take it from here. Just need to get more info from my company about how to configure my machine to talk to its infrastructure. Thanks a bunch!

J Hawkesworth

Aug 14, 2015, 11:24:20 AM8/14/15
to Ansible Project
I should have perhaps made it clear that you'll need to know and use the full domain name, rather than the NetBIOS name, so instead of user@MAIN it probably needs to be something like us...@MAIN.YOURDOMAIN.COM or such.

Ask your administrators for the primary and secondary domain controller names of the domain or domains you need to connect to.

One other thing: you'll need to make sure your ansible controller clock is pretty close to synchronised with your domain controllers, otherwise you'll get 'clock skew too great' messages instead of authorising.

Hope this helps.

Jon
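To make Jon's two replies concrete (the krb5.conf with the realm and domain controllers listed, the fully qualified realm in upper case, and the inventory variables the original post uses), here is an added example configuration; it is not from the thread and not from Ansible or pywinrm. MAIN.YOURDOMAIN.COM is the placeholder realm from the thread, and the dc1/dc2 host names, the user name and the host alias are assumptions to be replaced with the values your administrators give you.

```ini
# /etc/krb5.conf on the Ansible controller (example, assumed values)
[libdefaults]
    # Realm must be the fully qualified AD domain, in UPPER CASE,
    # not the NetBIOS name "MAIN".
    default_realm = MAIN.YOURDOMAIN.COM
    dns_lookup_realm = false
    # Set true only if the controller resolves the domain's SRV records;
    # otherwise list the KDCs explicitly below.
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = true

[realms]
    MAIN.YOURDOMAIN.COM = {
        # Primary and secondary domain controllers (assumed names).
        kdc = dc1.main.yourdomain.com
        kdc = dc2.main.yourdomain.com
        admin_server = dc1.main.yourdomain.com
    }

[domain_realm]
    # Map DNS names of the target hosts onto the realm.
    .main.yourdomain.com = MAIN.YOURDOMAIN.COM
    main.yourdomain.com = MAIN.YOURDOMAIN.COM

# Ansible 1.9 inventory entry (example). The '@' in ansible_ssh_user is what
# selects the kerberos transport; the realm part must match krb5.conf.
# The user name and host alias are placeholders.
# [windows]
# win2012r2 ansible_ssh_host=<target-fqdn> ansible_ssh_port=5986 ansible_connection=winrm ansible_ssh_user=someuser@MAIN.YOURDOMAIN.COM
```

Before retrying the playbook, obtain a ticket with `kinit someuser@MAIN.YOURDOMAIN.COM` and confirm it with `klist`; a 'clock skew too great' error at this step means the controller's clock needs syncing with the domain controllers first.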

Dan Swartz

Aug 14, 2015, 11:35:39 AM8/14/15
to ansible...@googlegroups.com
Thanks again, Jon. I actually did infer that that's what you meant by F.Q.D.N. but it does warrant explicit mention.
