For people running into the same problem, this is (more or less) the
playbook I use:
- hosts: all
  tasks:
    - name: Install prerequisite software (using yum)
      yum:
        enablerepo: epel
        update_cache: yes
        name: "{{ item }}"
        state: present
      with_items:
        - python-pip
        - python-ptyprocess
      delegate_to: localhost

    - name: Uninstall old pexpect package (using yum)
      yum:
        name: pexpect
        state: absent
      delegate_to: localhost

    - name: Install prerequisite software (using pip)
      pip:
        name: pexpect
        version: 3.3
        state: present
      delegate_to: localhost

    - name: Check for presence of Kerberos ticket
      command: /usr/bin/klist
      register: klist_result
      changed_when: no
      ignore_errors: yes
      delegate_to: localhost

    - name: Request Kerberos ticket if none present
      expect:
        command: /usr/bin/kinit domain-user@AD-DOMAIN
        responses:
          '(?i)password': domain-user-password
      changed_when: no
      when: klist_result.rc != 0
      delegate_to: localhost
The first task installs prerequisite software for the expect module using
RPMs from EPEL <https://fedoraproject.org/wiki/EPEL>. The version of
pexpect (another prerequisite) that the Red Hat and CentOS RPMs provide is
too old for Ansible, so we uninstall this in the second task. The third
task installs the required version of pexpect using pip. The third and
fourth tasks actually deal with requesting a Kerberos ticket-granting
ticket when it is not present.
Regards,
Willem.
On Tuesday, June 7, 2016 at 1:51:25 PM UTC+2, Willem Bos wrote:
>
> Hi all,
>
> I'm trying to use winrm to execute tasks on a Windows server (after
> following the steps in http://docs.ansible.com/ansible/intro_windows.html).
> As a test I use the win_ping module. This works only when a Kerberos ticket
> is present beforehand.
>
> Is it a requirement to have the Linux server be a member of the AD
> infrastructure? If so, then the only way to make this work from a control
> machine - without joining the domain - would be to run a kinit from my
> playbook first, right? I found several similar cases but none mention if AD
> membership is a 'hard' requirement.
>
>
> *** INFO ***
> rpm -qa | grep -E
> "ansible|python-devel|krb5-devel|krb5-libs|krb5-workstation|python-kerberos"
> | sort
> ansible-2.0.2.0-1.el7.noarch
> krb5-devel-1.13.2-12.el7_2.x86_64
> krb5-libs-1.13.2-12.el7_2.x86_64
> krb5-workstation-1.13.2-12.el7_2.x86_64
> python-devel-2.7.5-34.el7.x86_64
> python-kerberos-1.1-15.el7.x86_64
>
> pip list | grep winrm
> pywinrm (0.1.1)
>
>
> *** WORKS ***
> kinit domain-user@AD-DOMAIN
> ...
>
> klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: domain-user@AD-DOMAIN
>
> Valid starting Expires Service principal
> 06/07/2016 11:26:20 06/07/2016 21:26:20 krbtgt/AD-DOMAIN@AD-DOMAIN
> renew until 06/14/2016 11:26:20
>
> ansible -m win_ping windows-server.ad-domain
> windows-server.ad-domain | SUCCESS => {
> "changed": false,
> "ping": "pong"
> }
>
>
> *** DOESN'T WORK ***
> kdestroy -A
>
> ansible -m win_ping windows-server.ad-domain -vvvvv
> Using /etc/ansible/ansible.cfg as config file
> Loaded callback minimal of type stdout, v2.0
> <windows-server.ad-domain> ESTABLISH WINRM CONNECTION FOR USER:
> domain-user@AD-DOMAIN on PORT 5986 TO windows-server.ad-domain
> <windows-server.ad-domain> WINRM CONNECT: transport=kerberos endpoint=
> https://windows-server.ad-domain:5986/wsman
> <windows-server.ad-domain> WINRM CONNECTION ERROR: (('Unspecified GSS
> failure. Minor code may provide more information', 851968), ('No Kerberos
> credentials available', -1765328243))
> Traceback (most recent call last):
> File
> "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py",
> line 134, in _winrm_connect
> protocol.send_message('')
> File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 193, in
> send_message
> return self.transport.send_message(message)
> File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 269, in
> send_message
> krb_ticket = KerberosTicket(self.krb_service)
> File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 205, in
> __init__
> kerberos.authGSSClientStep(krb_context, '')
> GSSError: (('Unspecified GSS failure. Minor code may provide more
> information', 851968), ('No Kerberos credentials available', -1765328243))
>
> windows-server.ad-domain | FAILED! => {
> "failed": true,
> "msg": "kerberos: (('Unspecified GSS failure. Minor code may provide
> more information', 851968), ('No Kerberos credentials available',
> -1765328243))"
> }
>
> Regards,
> Willem
>
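The two Kerberos tasks from the playbook above in a hardened form, added here as an example and not part of Willem's post. It keeps the domain password out of the playbook and out of verbose task output, and uses `klist -s` (silent mode, which exits non-zero for a missing or expired ticket cache) rather than inspecting plain `klist`. The file name vault.yml and the variables krb_user and krb_password are constructed for this example; the vault file is assumed to have been encrypted with ansible-vault.

```yaml
# Constructed example: the ticket-check / kinit part of the playbook,
# with the password supplied from an ansible-vault encrypted file
# instead of being written literally into the expect responses.
- hosts: all
  gather_facts: no
  vars_files:
    - vault.yml          # constructed: defines krb_user and krb_password (encrypted)
  tasks:
    - name: Check for a valid (non-expired) Kerberos ticket
      # klist -s prints nothing and exits 1 when the cache is missing
      # or expired, so an expired ticket also triggers a fresh kinit.
      command: /usr/bin/klist -s
      register: klist_result
      changed_when: no
      failed_when: no      # a non-zero exit is the expected "no ticket" signal
      delegate_to: localhost
      run_once: yes        # the ticket lives on the control node, once is enough

    - name: Request Kerberos ticket if none present
      expect:
        command: "/usr/bin/kinit {{ krb_user }}"
        responses:
          '(?i)password': "{{ krb_password }}"
      when: klist_result.rc != 0
      changed_when: no
      no_log: yes          # keep the password out of -vvv output and logs
      delegate_to: localhost
      run_once: yes
```

If a keytab for the service account is available, the expect task can be replaced by a plain `command: /usr/bin/kinit -kt /path/to/keytab {{ krb_user }}` with no password handling at all.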