I'd recommend using the hostname, rather than the IP address of the Windows 
machine you want to connect to in your inventory.  Kerberos/Active 
Directory seems to be intended to work with host and domain names.

I would also check that ping yourhost and ping yourhost.mycloud.local 
return the correct IP for the host (this is what I meant by DNS working 
'both ways').

Also I'd suggest trying without setting ansible_winrm_scheme=http - if only 
because I have it working without this, although I believe it should work 
either way.

One last thought, have you run the 
https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
script on the remote host?

You can check if Kerberos support is on if you run

winrm get winrm/config

and look for Kerberos under Service -> Auth

Hope this helps,

Jon


On Friday, 4 March 2016 15:08:57 UTC, mateusz.b...@intel.com wrote:
>
> Hi,
>
> I'm struggling with 401 authentication error. I've got Windows Server 2012 
> R2 and Ubuntu 14.04 machine (with Ansible v2.0.0.2). I'm trying to 
> authenticate as test user (who belongs to Domain Admins group). This is my 
> inventory_windows.yml file:
>
> [windows]
> 10.91.96.60     ansible_user=test@MYCLOUD.LOCAL   ansible_port=5986   ansible_connection=winrm
>
> And the way I execute Ansible:
>
> ansible windows -i inventory_windows.yml -m win_ping -vvvvvv
>
> Using /etc/ansible/ansible.cfg as config file
> Loaded callback minimal of type stdout, v2.0
> <10.91.96.60> ESTABLISH WINRM CONNECTION FOR USER: test@MYCLOUD.LOCAL on 
> PORT 5986 TO 10.91.96.60
> <10.91.96.60> WINRM CONNECT: transport=kerberos endpoint=
> https://10.91.96.60:5986/wsman
> <10.91.96.60> WINRM CONNECTION ERROR: the username/password specified for 
> this server was incorrect
> Traceback (most recent call last):
>   File "/usr/lib/pymodules/python2.7/ansible/plugins/connection/winrm.py", 
> line 138, in _winrm_connect
>     protocol.send_message('')
>   File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 
> 193, in send_message
>     return self.transport.send_message(message)
>   File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 
> 301, in send_message
>     raise WinRMTransportError('kerberos', error_message)
> WinRMTransportError: 500 WinRMTransport. Kerberos-based authentication was 
> failed. Code 401
>
>
> I know that I should acquire a ticket first. Here's how I do this:
>
> kinit test@MYCLOUD.LOCAL
> Password for test@MYCLOUD.LOCAL:
>
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: test@MYCLOUD.LOCAL
>
> Valid starting       Expires              Service principal
> 03/04/2016 16:29:19  03/05/2016 02:29:19  krbtgt/MYCLOUD.LOCAL@MYCLOUD.LOCAL
>         renew until 03/05/2016 16:29:20
>
> I thought that if I acquired a ticket, then there should be no 
> authentication errors, but apparently I'm wrong.
>
> Note that I've already (as described here: 
> troubleshooting-kerberos-connections 
> <http://docs.ansible.com/ansible/intro_windows.html#troubleshooting-kerberos-connections>
> ):
> 1. Synchronized the time between Linux and Windows machine.
> 2. Verified that my forward and reverse DNS lookups are working fine. 
> nslookup 10.91.96.60 returns the correct FQDN:
> nslookup 10.91.96.60 
> Server:         10.91.97.101
> Address:        10.91.97.101#53
>
> 60.96.91.10.in-addr.arpa        name = winhost.mycloud.local.
>
> 3. Enabled `AllowUnencrypted` option on Windows machine and tried with 
> ansible_winrm_scheme=http.
>
>
> One of the things I'm not sure is this:
> "Ensure that the Ansible controller has a properly configured computer 
> account in the domain."
>
> Could someone explain this? I've created 'azure' computer account in AD 
> ('azure' is the hostname of my Ubuntu machine). Is this enough?
>
> Any help would be much appreciated!
>
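
Added example, not part of the original thread and not Ansible's own code: a pre-flight check for the two points raised in the reply above, namely that the inventory entry is a hostname rather than an IP address and that the short name, the FQDN and the reverse lookup all agree. The function name `preflight`, the injectable `forward`/`reverse` resolvers, and the assumption that the DNS domain is the lowercased Kerberos realm are illustrative choices.

```python
import ipaddress
import socket

def _sys_forward(name):
    # All addresses the system resolver returns for a name.
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})

def _sys_reverse(ip):
    # PTR name for an address.
    return socket.gethostbyaddr(ip)[0]

def preflight(host, realm, forward=_sys_forward, reverse=_sys_reverse):
    """Return a list of inventory/DNS problems for a Kerberos WinRM target."""
    domain = realm.lower()  # assumption: DNS domain == lowercased realm
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, carry on with the DNS checks
    else:
        try:
            hint = reverse(host).rstrip(".")
        except OSError:
            hint = "<no PTR record>"
        return ["inventory uses IP %s; use the hostname (PTR: %s)" % (host, hint)]

    short = host.split(".")[0]
    fqdn = host if "." in host else "%s.%s" % (short, domain)
    problems, addrs = [], {}
    for name in (short, fqdn):  # 'ping yourhost' and 'ping yourhost.domain'
        try:
            addrs[name] = forward(name)
        except OSError:
            addrs[name] = []
            problems.append("%s does not resolve" % name)
    if addrs[short] and addrs[fqdn] and addrs[short] != addrs[fqdn]:
        problems.append("%s and %s resolve to different addresses" % (short, fqdn))
    for ip in addrs[fqdn]:  # DNS working 'both ways'
        try:
            back = reverse(ip).rstrip(".").lower()
        except OSError:
            back = None
        if back != fqdn.lower():
            problems.append("reverse lookup of %s gives %s, not %s" % (ip, back, fqdn))
    return problems

if __name__ == "__main__":  # live check: script.py <host> <REALM>
    import sys
    print(preflight(sys.argv[1], sys.argv[2]) or "DNS looks consistent")
```

An empty list means the name checks pass; it says nothing about the WinRM listener or the Kerberos configuration on either machine.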
