Hi all,
I'm trying to use winrm to execute tasks on a windows server (after
following the steps in http://docs.ansible.com/ansible/intro_windows.html).
As a test I use the win_ping module. This works only when a Kerberos ticket
is present beforehand.
Is it a requirement to have the Linux server be a member of the AD
infrastructure? If so, then the only way to make this work from a control
machine - without joining the domain - would be to run a kinit from my
playbook first, right? I found several similar cases but none mention if AD
membership is a 'hard' requirement.
*** INFO ***
rpm -qa | grep -E "ansible|python-devel|krb5-devel|krb5-libs|krb5-workstation|python-kerberos" | sort
ansible-2.0.2.0-1.el7.noarch
krb5-devel-1.13.2-12.el7_2.x86_64
krb5-libs-1.13.2-12.el7_2.x86_64
krb5-workstation-1.13.2-12.el7_2.x86_64
python-devel-2.7.5-34.el7.x86_64
python-kerberos-1.1-15.el7.x86_64
pip list | grep winrm
pywinrm (0.1.1)
*** WORKS ***
kinit domain-user@AD-DOMAIN
...
klist
Ticket cache: KEYRING:persistent:0:0
Default principal: domain-user@AD-DOMAIN
Valid starting       Expires              Service principal
06/07/2016 11:26:20  06/07/2016 21:26:20  krbtgt/AD-DOMAIN@AD-DOMAIN
        renew until 06/14/2016 11:26:20
ansible -m win_ping windows-server.ad-domain
windows-server.ad-domain | SUCCESS => {
"changed": false,
"ping": "pong"
}
*** DOESN'T WORK ***
kdestroy -A
ansible -m win_ping windows-server.ad-domain -vvvvv
Using /etc/ansible/ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<windows-server.ad-domain> ESTABLISH WINRM CONNECTION FOR USER: domain-user@AD-DOMAIN on PORT 5986 TO windows-server.ad-domain
<windows-server.ad-domain> WINRM CONNECT: transport=kerberos endpoint=https://windows-server.ad-domain:5986/wsman
<windows-server.ad-domain> WINRM CONNECTION ERROR: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('No Kerberos credentials available', -1765328243))
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 134, in _winrm_connect
    protocol.send_message('')
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 193, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 269, in send_message
    krb_ticket = KerberosTicket(self.krb_service)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 205, in __init__
    kerberos.authGSSClientStep(krb_context, '')
GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('No Kerberos credentials available', -1765328243))
windows-server.ad-domain | FAILED! => {
"failed": true,
"msg": "kerberos: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('No Kerberos credentials available', -1765328243))"
}
Regards,
Willem
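
Added example, not part of the original post and not Ansible or pywinrm code: a pre-flight check that parses klist output in the layout shown above and reports whether a usable krbtgt ticket is in the cache before a Kerberos-authenticated WinRM run is started. The function names, the 30-minute threshold and the MM/DD/YYYY timestamp format are assumptions, and the sample text is constructed from the output in the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: klist output in the layout shown in the post.
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:0:0
Default principal: domain-user@AD-DOMAIN

Valid starting       Expires              Service principal
06/07/2016 11:26:20  06/07/2016 21:26:20  krbtgt/AD-DOMAIN@AD-DOMAIN
        renew until 06/14/2016 11:26:20
"""

STAMP = r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
TICKET_RE = re.compile(r"^\s*" + STAMP + r"\s+" + STAMP + r"\s+(\S+)\s*$", re.M)
FMT = "%m/%d/%Y %H:%M:%S"  # assumption: klist prints MM/DD/YYYY as in the post


def parse_tickets(klist_text):
    """Return [(start, expires, service_principal), ...] from klist output."""
    return [(datetime.strptime(s, FMT), datetime.strptime(e, FMT), svc)
            for s, e, svc in TICKET_RE.findall(klist_text)]


def tgt_remaining(klist_text, realm, now):
    """Time left on the krbtgt ticket for realm, or None if there is none."""
    wanted = "krbtgt/{0}@{0}".format(realm)
    left = [exp - now for start, exp, svc in parse_tickets(klist_text)
            if svc == wanted and start <= now]
    return max(left) if left else None


def preflight(klist_text, realm, now, needed=timedelta(minutes=30)):
    """Classify the cache before starting a Kerberos-authenticated WinRM run."""
    left = tgt_remaining(klist_text, realm, now)
    if left is None:
        return "missing"      # the 'No Kerberos credentials available' case
    if left <= timedelta(0):
        return "expired"
    if left < needed:
        return "expiring"     # would run out part-way through a longer play
    return "ok"


if __name__ == "__main__":
    print(preflight(SAMPLE_KLIST, "AD-DOMAIN", datetime(2016, 6, 7, 12, 0, 0)))
```

In practice the text passed in would be the captured output of klist on the control machine, and any result other than "ok" is the point at which to run kinit before invoking ansible.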