(Sorry, because I know this has been asked a bunch of times, because I've found a bunch of threads on it, but nothing yet has seemed to help.)
I am trying to connect to a Windows Server 2012r2 instance on Rackspace (authed w/ RSA key, in case that's relevant). Since I have a domain account, my understanding is that I must use kerberos authentication. I keep getting the same error, using either port 5985 or 5986:

    <!REMOVED!> ESTABLISH WINRM CONNECTION FOR USER: on PORT 5985 TO !REMOVED!
    <!REMOVED!> WINRM CONNECT: transport=kerberos endpoint=http://!REMOVED!:5985/wsman
    !REMOVED! | FAILED => Traceback (most recent call last):
      File "/usr/lib/pymodules/python2.7/ansible/runner/__init__.py", line 582, in _executor
        exec_rc = self._executor_internal(host, new_stdin)
      File "/usr/lib/pymodules/python2.7/ansible/runner/__init__.py", line 785, in _executor_internal
        return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
      File "/usr/lib/pymodules/python2.7/ansible/runner/__init__.py", line 964, in _executor_internal_inner
        conn = self.connector.connect(actual_host, actual_port, actual_user, actual_pass, actual_transport, actual_private_key_file, delegate_host)
      File "/usr/lib/pymodules/python2.7/ansible/runner/connection.py", line 52, in connect
        self.active = conn.connect()
      File "/usr/lib/pymodules/python2.7/ansible/runner/connection_plugins/winrm.py", line 140, in connect
        self.protocol = self._winrm_connect()
      File "/usr/lib/pymodules/python2.7/ansible/runner/connection_plugins/winrm.py", line 96, in _winrm_connect
        protocol.send_message('')
      File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 190, in send_message
        return self.transport.send_message(message)
      File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 219, in send_message
        krb_ticket = KerberosTicket(self.krb_service)
      File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 166, in __init__
        kerberos.authGSSClientStep(krb_context, '')
    GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('No Kerberos credentials available', -1765328243))

I was debugging all the Ansible (1.9.2) python code (from runner/__init__.py to connection_plugins/winrm.py) and it was successfully parsing my username like 'USER@DOMAIN' and my realm as "DOMAIN", but, as you can see from the first line of the above, the "vvv" output showed a blank username. I don't know if that's relevant, but it's worth noting.

When I opened up the pywinrm file dist-packages/winrm/transport.py, I was alarmed and amused to see:

    164     def __init__(self, service):
    165         ignored_code, krb_context = kerberos.authGSSClientInit(service)
    166         kerberos.authGSSClientStep(krb_context, '')
    167         # TODO authGSSClientStep may raise following error:
    168         # GSSError: (('Unspecified GSS failure.
    169         # Minor code may provide more information', 851968),
    170         # ("Credentials cache file '/tmp/krb5cc_1000' not found", -1765328189))

I realize this is not an Ansible issue, at this point, but I am reeling trying to figure out why I cannot connect. I have found a few posted "fixes" and "suggestions", but they have not helped me so far.

Incidentally, I tried changing my ansible_ssh_user from 'USER@DOMAIN' to 'USER' to try connecting without kerberos and got the following:

With ansible_ssh_port: 5985:

    <!REMOVED!> ESTABLISH WINRM CONNECTION FOR USER: !REMOVED! on PORT 5985 TO !REMOVED!
    <!REMOVED!> WINRM CONNECT: transport=plaintext endpoint=http://!REMOVED!:5985/wsman
    <!REMOVED!> WINRM CONNECTION ERROR: 401 Unauthorized. basic auth failed
    <!REMOVED!> WINRM CONNECT: transport=plaintext endpoint=https://!REMOVED!:5985/wsman
    <!REMOVED!> WINRM CONNECTION ERROR: 500 WinRMTransport. [Errno 1] _ssl.c:510: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

With ansible_ssh_port: 5986:

    <!REMOVED!> ESTABLISH WINRM CONNECTION FOR USER: !REMOVED on PORT 5986 TO !REMOVED!
    <!REMOVED!> WINRM CONNECT: transport=plaintext endpoint=https://!REMOVED!:5986/wsman
    <!REMOVED!> WINRM CONNECTION ERROR: 500 WinRMTransport. [Errno 104] Connection reset by peer
    !REMOVED! | FAILED => 500 WinRMTransport. [Errno 104] Connection reset by peer

On the target host, I have run the ConfigureRemotingForAnsible.ps1 script, added my domain account to the WinRM group, and get the following winrm command-line output:

    C:\Users\!REMOVED!>winrm get winrm/config
    Config
        MaxEnvelopeSizekb = 500
        MaxTimeoutms = 1800000
        MaxBatchItems = 32000
        MaxProviderRequests = 4294967295
        Client
            NetworkDelayms = 5000
            URLPrefix = wsman
            AllowUnencrypted = false
            Auth
                Basic = true
                Digest = true
                Kerberos = true
                Negotiate = true
                Certificate = true
                CredSSP = false
            DefaultPorts
                HTTP = 5985
                HTTPS = 5986
            TrustedHosts
        Service
            !REMOVED!
            MaxConcurrentOperations = 4294967295
            MaxConcurrentOperationsPerUser = 1500
            EnumerationTimeoutms = 240000
            MaxConnections = 300
            MaxPacketRetrievalTimeSeconds = 120
            AllowUnencrypted = true
            Auth
                Basic = true
                Kerberos = true
                Negotiate = true
                Certificate = false
                CredSSP = false
                CbtHardeningLevel = Relaxed
            DefaultPorts
                HTTP = 5985
                HTTPS = 5986
            IPv4Filter = *
            IPv6Filter = *
            EnableCompatibilityHttpListener = false
            EnableCompatibilityHttpsListener = false
            CertificateThumbprint
            AllowRemoteAccess = true
        Winrs
            AllowRemoteShellAccess = true
            IdleTimeout = 7200000
            MaxConcurrentUsers = 10
            MaxShellRunTime = 2147483647
            MaxProcessesPerShell = 25
            MaxMemoryPerShellMB = 1024
            MaxShellsPerUser = 30

Does anyone have any ideas??
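Added example, not part of the original post and not Ansible or pywinrm code: a small auditor for `winrm get winrm/config` text that flags the three Service settings in the output above that weaken transport protection (AllowUnencrypted, Basic, CbtHardeningLevel). The names `parse_winrm_config`, `audit` and `RULES` are hypothetical, and `SAMPLE` is a trimmed copy of the posted values with the indentation assumed to be one level per section.

```python
# SAMPLE: constructed, trimmed from the values in the post; the indentation
# (one level per section) is an assumption about how winrm prints its config.
SAMPLE = """\
Config
    Client
        AllowUnencrypted = false
        Auth
            Basic = true
        TrustedHosts
    Service
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            CbtHardeningLevel = Relaxed
        CertificateThumbprint
"""

# Dotted path -> (value that triggers the finding, why it matters)
RULES = {
    "Config.Service.AllowUnencrypted":
        ("true", "service accepts unencrypted messages over HTTP (5985)"),
    "Config.Service.Auth.Basic":
        ("true", "Basic auth enabled; credentials need HTTPS (5986)"),
    "Config.Service.Auth.CbtHardeningLevel":
        ("Relaxed", "requests without a channel binding token are accepted"),
}

def parse_winrm_config(text):
    """Flatten the indented section tree into {'A.B.Key': 'value'}."""
    settings, stack = {}, []              # stack holds (indent, section name)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()                   # leave sections that have ended
        key, sep, value = raw.strip().partition(" = ")
        if sep:
            settings[".".join([n for _, n in stack] + [key])] = value
        else:
            stack.append((indent, key))   # a section, or a bare empty setting
    return settings

def audit(settings):
    """Return (path, reason) for every rule whose trigger value is set."""
    return [(path, why) for path, (bad, why) in RULES.items()
            if settings.get(path, "").lower() == bad.lower()]

if __name__ == "__main__":
    for path, why in audit(parse_winrm_config(SAMPLE)):
        print(path + ": " + why)
```

Client-side settings such as `Config.Client.Auth.Basic` are parsed but deliberately not flagged, since the rules only cover what the listener on the target host will accept.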
