I have only ever used Kerberos support with Active Directory servers, not LDAP ones. However, I think from what you have described that your kdc will be fr.ldap-ad.dmsi.corp.com. I don't think you need an admin server set up for this purpose (I don't have one set in my krb5.conf).

You may have a domain alias in place, in which case you may not know the canonical name for the domain you are authenticating with. I suggest you try running kinit -C [email protected] and then running klist. This should show the actual domain used to authenticate. That domain is what you will need to set up in /etc/krb5.conf and use in Ansible.

Also, I understand it is possible to set up domain trust relationships so that users of domain A are allowed to use machines belonging to domain B. I only tried this briefly and didn't get it working and wound up setting up machines on the same domain as the user. Probably worth talking to your domain administrators to discover if you have domain trust relationships set up.

I hope this helps. There is a little more information here:
http://docs.ansible.com/ansible/intro_windows.html#troubleshooting-kerberos-connections

Jon

On Thursday, August 4, 2016 at 7:50:50 AM UTC+1, fanvalt wrote:
>
> Hello,
>
> I am new to Windows and to Kerberos. Following the
> http://docs.ansible.com/ansible/intro_windows.html documentation, I tried
> to configure Kerberos and then ping the Windows server, without success.
>
> Here is the issue:
> - The credentials to connect to the Windows server are controlled by an
>   LDAP server: fr.ldap-ad.dmsi.corp.com
> - My Windows server's name is swin02.fr.com
> - On the Windows server, my user is in an EMEAD domain
> - On CentOS, I tried to configure the /etc/krb5.conf file. I don't
>   understand if the LDAP server can be set in the kdc or admin_server and
>   what domain has to be set (the one of the user EMEAD, of the server fr.com?):
>
> [realms]
>  EXAMPLE.COM = {
>   kdc = kerberos.example.com
>   admin_server = kerberos.example.com
>  }
>  EMEAD.COM = {
>   kdc = fr.ldap-ad.dmsi.corp.com
>  }
>  FR.COM = {
>   kdc = fr.ldap-ad.dmsi.corp.com
>  }
>
> [domain_realm]
>  example.com = EXAMPLE.COM
>  emead.com = EMEAD.COM
>  fr.com = FR.COM
>
> Thanks for your support
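
An added example, not part of the original thread: a Python check that compares the realm klist reports after kinit -C with the [realms] and [domain_realm] entries in krb5.conf. The klist line, the realm AD.EXAMPLE.CORP and the function names are constructed for illustration, and the [domain_realm] lookup is simplified to "the host itself or any parent domain".

```python
import re

# Constructed sample: the line klist prints after `kinit -C` (placeholder names).
KLIST_OUT = "Default principal: jdoe@AD.EXAMPLE.CORP\n"
# Excerpt of the [realms] / [domain_realm] entries posted in the question.
KRB5_CONF = """[realms]
 FR.COM = {
  kdc = fr.ldap-ad.dmsi.corp.com
 }
[domain_realm]
 fr.com = FR.COM
"""

def realm_from_klist(text):
    """Realm of the default principal, i.e. the realm that issued the ticket."""
    m = re.search(r"^Default principal:\s*\S+@(\S+)\s*$", text, re.M)
    if not m:
        raise ValueError("no default principal in klist output")
    return m.group(1)

def parse_krb5(text):
    """Return ({realm: [kdc, ...]}, {dns_name: realm}) from krb5.conf text."""
    realms, domains, section, cur = {}, {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            section, cur = line.strip("[]"), None
        elif line == "}":
            cur = None
        elif "=" in line and line[0] not in "#;":
            key, val = (p.strip() for p in line.split("=", 1))
            if section == "realms" and val == "{":
                cur = key
                realms[key] = []
            elif section == "realms" and cur and key == "kdc":
                realms[cur].append(val)
            elif section == "domain_realm":
                domains[key.lower().lstrip(".")] = val
    return realms, domains

def check(klist_text, conf_text, host):
    """List mismatches between the ticket realm and krb5.conf for `host`.
    Simplification: a [domain_realm] key matches the host or any parent domain."""
    realm = realm_from_klist(klist_text)
    realms, domains = parse_krb5(conf_text)
    problems = [] if realms.get(realm) else [f"[realms] has no kdc for {realm}"]
    suffixes = [host.lower().split(".", i)[-1] for i in range(host.count(".") + 1)]
    mapped = next((domains[s] for s in suffixes if s in domains), None)
    if mapped != realm:
        problems.append(f"{host} maps to {mapped}, ticket realm is {realm}")
    return problems
```

A realm mismatch for the host is expected when a domain trust is in use, so treat that second finding as something to confirm with the domain administrators rather than as an error in itself.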
