Hi, I think I've had this before where the name I had for the domain turned out to be an alias.
If you run kinit -C [email protected] and then do a klist, if the ticket you get back is not for SOME.DOMAIN then that's the issue. I just changed my config so I was requesting a ticket for the actual domain, but it might be possible to tweak your /etc/krb5.conf to get round this.

Hope this helps,
Jon

On Wednesday, October 7, 2015 at 3:46:50 PM UTC+1, Bill Nottingham wrote:
>
> Some googling suggests it could mean a case mismatch in the kerberos
> principal name, if using an AD server, or disagreements about the renewable
> lifetime of the ticket.
>
> Bill
>
> On Wed, Oct 7, 2015 at 10:27 AM, Trond Hindenes <[email protected]> wrote:
>
>> Hi all,
>> I'm getting a new error I've never seen before. Control node is Centos7.
>> When trying to use a domain account I'm getting this error when running
>> ansible:
>> MSC10051.domain.local | FAILED => Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 582, in _executor
>>     exec_rc = self._executor_internal(host, new_stdin)
>>   File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 785, in _executor_internal
>>     return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
>>   File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 964, in _executor_internal_inner
>>     conn = self.connector.connect(actual_host, actual_port, actual_user, actual_pass, actual_transport, actual_private_key_file, delegate_host)
>>   File "/usr/lib/python2.7/site-packages/ansible/runner/connection.py", line 52, in connect
>>     self.active = conn.connect()
>>   File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 140, in connect
>>     self.protocol = self._winrm_connect()
>>   File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 96, in _winrm_connect
>>     protocol.send_message('')
>>   File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 190, in send_message
>>     return self.transport.send_message(message)
>>   File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 219, in send_message
>>     krb_ticket = KerberosTicket(self.krb_service)
>>   File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 166, in __init__
>>     kerberos.authGSSClientStep(krb_context, '')
>> GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('KDC reply did not match expectations', -1765328237))
>>
>> I've setup kerberos with Ansible lots of times before, but only on
>> Ubuntu. kinit/klist looks fine, so I'm struggling with how to figure this
>> one out. Any pointers appreciated! Installed Ansible using yum, version
>> 1.9.2
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/ansible-project/07a6f1c9-62ab-47a6-b162-2dd54e1a2d3b%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>
> --
> Bill Nottingham
> Director of Product, Ansible
> ansible.com
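
The kinit/klist check described in the reply at the top of this thread, written as an added shell example that is not part of the original messages. It also separates the case-mismatch cause mentioned in the quoted reply from a genuinely different realm. The function names, the principal `user@SOME.DOMAIN`, the realm `REAL.DOMAIN` and the sample klist output are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the realm asked for in kinit with the realm on the
# ticket that klist reports. All names and sample data here are constructed.

# Read klist output on stdin, print the realm of the "Default principal:" line.
ticket_realm() {
    sed -n 's/^Default principal: .*@\([^@]*\)$/\1/p' | head -n 1
}

# classify_realm REQUESTED_PRINCIPAL < klist-output
# Prints one of: match | case-mismatch | different-realm | no-ticket
classify_realm() {
    requested=${1##*@}          # realm part of the principal passed to kinit
    actual=$(ticket_realm)      # realm the KDC actually issued the ticket for
    if [ -z "$actual" ]; then
        echo no-ticket
    elif [ "$requested" = "$actual" ]; then
        echo match
    elif [ "$(printf %s "$requested" | tr '[:lower:]' '[:upper:]')" = \
           "$(printf %s "$actual" | tr '[:lower:]' '[:upper:]')" ]; then
        echo case-mismatch      # same realm, different letter case
    else
        echo different-realm    # e.g. the requested name was an alias
    fi
}

# Constructed klist output: the ticket came back for REAL.DOMAIN.
sample_klist() {
    cat <<'EOF'
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user@REAL.DOMAIN

Valid starting       Expires              Service principal
10/07/2015 15:00:00  10/08/2015 01:00:00  krbtgt/REAL.DOMAIN@REAL.DOMAIN
EOF
}

# Against a live KDC: kinit -C user@SOME.DOMAIN && klist | classify_realm user@SOME.DOMAIN
sample_klist | classify_realm user@SOME.DOMAIN
```

A result of `different-realm` or `case-mismatch` points at the principal being requested rather than at Ansible or pywinrm.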
