Hi Willem, this is (for now) by design. Matt is working on (or at least planning to work on) automatically invoking kinit behind the scenes to automatically get a Kerberos ticket if needed, but for now, that has to be present. You could probably use a local_action to make sure one exists on the control node before executing the windows part of your playbook.
On Tuesday, June 7, 2016 at 1:51:25 PM UTC+2, Willem Bos wrote:
>
> Hi all,
>
> I'm trying to use winrm to execute tasks on a windows server (after
> following the steps in http://docs.ansible.com/ansible/intro_windows.html).
> As a test I use the win_ping module. This works only when a Kerberos ticket
> is present beforehand.
>
> Is it a requirement to have the Linux server be member of the AD
> infrastructure? If so, then the only way to make this work from a control
> machine - without joining the domain - would be to run a kinit from my
> playbook first, right? I found several similar cases but none mention if AD
> membership is a 'hard' requirement.
>
>
> *** INFO ***
> rpm -qa | grep -E
> "ansible|python-devel|krb5-devel|krb5-libs|krb5-workstation|python-kerberos"
> | sort
> ansible-2.0.2.0-1.el7.noarch
> krb5-devel-1.13.2-12.el7_2.x86_64
> krb5-libs-1.13.2-12.el7_2.x86_64
> krb5-workstation-1.13.2-12.el7_2.x86_64
> python-devel-2.7.5-34.el7.x86_64
> python-kerberos-1.1-15.el7.x86_64
>
> pip list | grep winrm
> pywinrm (0.1.1)
>
>
> *** WORKS ***
> kinit domain-user@AD-DOMAIN
> ...
>
> klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: domain-user@AD-DOMAIN
>
> Valid starting       Expires              Service principal
> 06/07/2016 11:26:20  06/07/2016 21:26:20  krbtgt/AD-DOMAIN@AD-DOMAIN
>         renew until 06/14/2016 11:26:20
>
> ansible -m win_ping windows-server.ad-domain
> windows-server.ad-domain | SUCCESS => {
>     "changed": false,
>     "ping": "pong"
> }
>
>
> *** DOESN'T WORK ***
> kdestroy -A
>
> ansible -m win_ping windows-server.ad-domain -vvvvv
> Using /etc/ansible/ansible.cfg as config file
> Loaded callback minimal of type stdout, v2.0
> <windows-server.ad-domain> ESTABLISH WINRM CONNECTION FOR USER:
> domain-user@AD-DOMAIN on PORT 5986 TO windows-server.ad-domain
> <windows-server.ad-domain> WINRM CONNECT: transport=kerberos endpoint=
> https://windows-server.ad-domain:5986/wsman
> <windows-server.ad-domain> WINRM CONNECTION ERROR: (('Unspecified GSS
> failure. Minor code may provide more information', 851968), ('No Kerberos
> credentials available', -1765328243))
> Traceback (most recent call last):
>   File
> "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py",
> line 134, in _winrm_connect
>     protocol.send_message('')
>   File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 193, in
> send_message
>     return self.transport.send_message(message)
>   File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 269, in
> send_message
>     krb_ticket = KerberosTicket(self.krb_service)
>   File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 205, in
> __init__
>     kerberos.authGSSClientStep(krb_context, '')
> GSSError: (('Unspecified GSS failure. Minor code may provide more
> information', 851968), ('No Kerberos credentials available', -1765328243))
>
> windows-server.ad-domain | FAILED! => {
>     "failed": true,
>     "msg": "kerberos: (('Unspecified GSS failure. Minor code may provide
> more information', 851968), ('No Kerberos credentials available',
> -1765328243))"
> }
>
> Regards,
> Willem
>
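
The pre-flight step suggested in the reply at the top of this thread (make sure a ticket exists on the control node before the Windows part runs), as an added example that is not part of the original thread or of Ansible itself. It assumes a keytab for the principal already exists; the function names and the `KLIST`/`KINIT` overrides are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): obtain a Kerberos TGT on the control
# node only when the credential cache has none, then let Ansible run.
# Assumption: a keytab for the principal exists, so no password is typed or
# stored in a playbook.

KLIST="${KLIST:-klist}"   # overridable so the logic can be exercised offline
KINIT="${KINIT:-kinit}"

# klist -s prints nothing; it exits 0 only if the credential cache can be
# read and has not expired.
have_ticket() {
    "$KLIST" -s
}

# Anyone who can read a keytab can authenticate as its principal, so accept
# only a regular file with owner-only permissions (mode 0400 or 0600).
keytab_is_private() {
    case "$(ls -ld -- "$1" 2>/dev/null)" in
        -r[-w]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# ensure_ticket PRINCIPAL KEYTAB
# Returns 0 if a ticket exists or was obtained, 2 if the keytab is missing,
# 3 if its permissions are too open, 4 if kinit failed.
ensure_ticket() {
    if have_ticket; then
        return 0
    fi
    [ -r "$2" ] || { echo "keytab $2 not readable" >&2; return 2; }
    keytab_is_private "$2" || { echo "keytab $2 must be mode 0400/0600" >&2; return 3; }
    "$KINIT" -k -t "$2" "$1" || return 4
}

# Typical use on the control node (principal and host taken from the thread,
# keytab path is a placeholder):
#   ensure_ticket domain-user@AD-DOMAIN /path/to/domain-user.keytab &&
#       ansible -m win_ping windows-server.ad-domain
```

Running the check before every Ansible invocation is cheap, because `kinit` is only called when `klist -s` reports no usable ticket.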
