
Kerberos config that works fine with AWX 17.1.0 wouldn't work in version 19.2.2


Cnu k

Sep 27, 2021, 1:49:18 PM
to AWX Project
I have multiple AWX instances running fine with the AWX 17.10 version for the past year or so without any issues with the below Kerberos config (/etc/krb5.conf in the task container). As part of the upgrade, I have deployed AWX 19.2.2 in an OpenShift cluster and noticed that the same krb5.conf is injected into the task container as a ConfigMap; I have compared and verified the contents multiple times, and the content matches the existing config exactly.

Error:
fatal: [windows_server_name.org.com]: UNREACHABLE! => {
    "changed": false,
    "msg": "Kerberos auth failure for principal windo...@CORP.ORG.COM with pexpect: KDC has no support for encryption type while getting initial credentials",
    "unreachable": true
}

/etc/krb5.conf contents:

# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    default_realm = CORP.ORG.COM
# Added below 2 entries to resolve 'KDC has no support for encryption type while getting initial credentials' error while connecting to Windows Server
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

[realms]
CORP.ORG.COM = {
    kdc = server1.corp.org.com
    admin_server = server1.corp.org.com
}

[domain_realm]
.corp.org.com = CORP.ORG.COM
corp.org.com = CORP.ORG.COM

Note that authentication is done against Microsoft Active Directory (AD). I see the same error when I try kinit windo...@CORP.ORG.COM in an SSH terminal for the task container. The same command works fine in the old task container terminal (17.2.2).

Could this be due to any missing libraries or something else?
Any help is really appreciated, as I am unable to proceed further.

Thanks
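As an added example (not code from this thread or from the AWX project), here is a small Python check that parses a krb5.conf like the one posted above and flags the RC4/DES-only enctype lists it forces, plus the /etc/krb5.conf.d/ include that lets crypto-policies drop-ins restrict enctypes further. The sample config inside is constructed from the posted values; the function names and the WEAK_ENCTYPES list are this example's own.

```python
# Constructed sample based on the [libdefaults]/[realms] entries posted above.
SAMPLE_KRB5_CONF = """\
includedir /etc/krb5.conf.d/
[libdefaults]
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
CORP.ORG.COM = {
    kdc = server1.corp.org.com
}
"""
# Legacy enctype names and MIT aliases (single DES, triple DES, RC4).
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3", "des3-cbc-sha1",
                 "des3-hmac-sha1", "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac-exp"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

def parse_krb5_conf(text):
    """Return ({section: {key: value}}, [includedir paths]); keys nested in { } are skipped."""
    sections, includedirs, current, depth = {}, [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # MIT krb5 treats these lines as comments
            continue
        if line.startswith("includedir "):
            includedirs.append(line.split(None, 1)[1])
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, {})[key] = value
    return sections, includedirs

def audit_enctypes(text):
    """List findings about weak or AES-less enctype settings in [libdefaults]."""
    sections, includedirs = parse_krb5_conf(text)
    libdefaults, findings = sections.get("libdefaults", {}), []
    for key in ENCTYPE_KEYS:
        listed = libdefaults.get(key, "").split()
        weak = [e for e in listed if e.lower() in WEAK_ENCTYPES]
        if weak:
            findings.append(f"{key} lists weak enctypes: {', '.join(weak)}")
        if listed and not any(e.lower().startswith("aes") for e in listed):
            findings.append(f"{key} has no AES enctype: nothing is left if RC4/DES are rejected")
    if any(d.rstrip("/").endswith("krb5.conf.d") for d in includedirs):
        findings.append("includedir pulls in /etc/krb5.conf.d/ drop-ins (crypto-policies) that can restrict enctypes")
    return findings
```

Running audit_enctypes(SAMPLE_KRB5_CONF) reports both enctype lists as weak and AES-less, which is the configuration shape to fix on the client side rather than by re-enabling RC4/DES on the KDC.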

Cnu k

Sep 29, 2021, 11:15:14 AM
to AWX Project
No clue why it's working now when it didn't work earlier with the default EE images.
I created a custom EE image to add the OpenLDAP utilities, jq and wget tools; other than that it's pretty much the out-of-the-box EE image.

ee_images:
  - name: custom-awx-ee
    image: myorg.private.repo.com:443/awx-ee:0.5.0
control_plane_ee_image: middleware-docker-local.rtfx.aepsc.com:443/awx-ee:0.5.0

I now have the following entries in every AWX instance and have verified that Windows WinRM connections with the above krb5.conf file are working now.

Here is the content of the above custom-awx-ee image's Dockerfile if anyone is interested.

---------------------------------------------------------------------------------------------------------
FROM quay.io/ansible/awx-ee:0.5.0

# Switch to root only for package installation, then drop back to the unprivileged user
USER root

RUN dnf install -y jq
RUN dnf install -y wget

RUN dnf install -y openldap \
    openldap-clients \
    openldap-devel

USER 1000
---------------------------------------------------------------------------------------------------------

Thanks