I did correct the krb5.conf file, I did install the requests.kerberos package and rerun the kinit command. The klist command shows the EMEAD.COM domain. But when running the ansible win_ping command, I do receive this new message:
ansible windows -i ./win.ini -m win_ping -vvvvvv
Using /etc/ansible/ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<172.17.56.66> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO 172.17.56.66
<172.17.56.66> WINRM CONNECT: transport=kerberos endpoint=https://172.17.56.66:5986/wsman
<172.17.56.66> WINRM CONNECTION ERROR: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))

I guess because the server is not on the EMEAD.COM domain, there is an issue? I don't understand how all this works.

Regards

On Thursday, 4 August 2016 at 09:16:59 UTC+2, J Hawkesworth wrote:
>
> I have only ever used kerberos support with Active Directory servers, not
> LDAP ones.
> However, I think from what you have described that your kdc will be
> fr.ldap-ad.dmsi.corp.com
> I don't think you need an admin server set up for this purpose (I don't
> have one set in my krb5.conf)
>
> You may have a domain alias in place, in which case you may not know the
> canonical name for the domain you are authenticating with.
>
> I suggest you try running kinit -C [email protected]
> and then running klist.
>
> This should show the actual domain used to authenticate. That domain is what
> you will need to set up in /etc/krb5.conf and use in ansible.
>
> Also I understand it is possible to set up domain trust relationships so
> that users of domain A are allowed to use machines belonging to domain B.
> I only tried this briefly and didn't get it working and wound up setting
> up machines on the same domain as the user. Probably worth talking to
> your domain administrators to discover if you have domain trust
> relationships set up.
>
> I hope this helps. There is a little more information here:
> http://docs.ansible.com/ansible/intro_windows.html#troubleshooting-kerberos-connections
>
> Jon
>
> On Thursday, August 4, 2016 at 7:50:50 AM UTC+1, fanvalt wrote:
>>
>> Hello,
>>
>> I am new to Windows and to Kerberos. Following the
>> http://docs.ansible.com/ansible/intro_windows.html documentation, I
>> tried to configure kerberos and then ping the windows server, without
>> success.
>>
>> Here is the issue:
>> - The credentials to connect to the Windows server are controlled by an
>> ldap server: fr.ldap-ad.dmsi.corp.com
>> - My Windows server's name is swin02.fr.com
>> - On the Windows server, my user is in an EMEAD domain
>> - On Centos, I tried to configure the /etc/krb5.conf file. I don't
>> understand if the ldap server can be set in the kdc or admin_server and
>> what domain has to be set (the one of the user, EMEAD, or of the server,
>> fr.com?):
>>
>> [realms]
>> EXAMPLE.COM = {
>> kdc = kerberos.example.com
>> admin_server = kerberos.example.com
>> }
>> EMEAD.COM = {
>> kdc = fr.ldap-ad.dmsi.corp.com
>> }
>> FR.COM = {
>> kdc = fr.ldap-ad.dmsi.corp.com
>> }
>>
>> [domain_realm]
>> example.com = EXAMPLE.COM
>> emead.com = EMEAD.COM
>> fr.com = FR.COM
>>
>> Thanks for your support
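An added example, not part of the thread and not Ansible's or pywinrm's code: a consistency check between the realm klist reports, the krb5.conf stanzas, and the user and host given to Ansible, following the advice quoted above. The klist text, the user name someuser and the suffix-based [domain_realm] lookup are assumptions of this sketch.

```python
import re
# Constructed sample inputs (not real output), shaped like the posts above.
SAMPLE_KLIST = "Ticket cache: FILE:/tmp/krb5cc_0\nDefault principal: someuser@EMEAD.COM\n"
SAMPLE_KRB5 = """
[realms]
 EMEAD.COM = {
  kdc = fr.ldap-ad.dmsi.corp.com
 }
[domain_realm]
 emead.com = EMEAD.COM
 fr.com = FR.COM
"""

def klist_realm(klist_text):
    """Realm part of the 'Default principal' line printed by klist."""
    m = re.search(r"^Default principal:\s*\S+@(\S+)", klist_text, re.M)
    return m.group(1) if m else None

def parse_krb5(conf_text):
    """Return ({realm: [kdc, ...]}, {domain: realm}) from krb5.conf text."""
    realms, domains, section, current = {}, {}, None, None
    for line in (s for s in map(str.strip, conf_text.splitlines()) if s[:1] not in ("#", ";")):
        if line.startswith("["):
            section, current = line.strip("[]").lower(), None
        elif line == "}":
            current = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "realms" and value == "{":
                current = key  # start of a realm stanza
            elif section == "realms" and current and key == "kdc":
                realms.setdefault(current, []).append(value)
            elif section == "domain_realm":
                domains[key.lower().lstrip(".")] = value
    return realms, domains

def check(klist_text, conf_text, ansible_user, host):
    """List mismatches between ticket realm, krb5.conf and inventory values."""
    realm, (realms, domains) = klist_realm(klist_text), parse_krb5(conf_text)
    # Simplified lookup (assumption): the longest matching domain suffix wins.
    suffixes = [host.lower().split(".", i)[-1] for i in range(host.count(".") + 1)]
    mapped = next((domains[s] for s in suffixes if s in domains), None)
    findings = [
        (not realms.get(realm), f"no kdc configured for ticket realm {realm}"),
        (ansible_user.rpartition("@")[2] != realm, f"ansible user realm is not {realm}"),
        (mapped is None, f"no [domain_realm] entry matches host {host}"),
        (mapped not in (None, realm), f"host maps to {mapped}, ticket is for {realm}"),
    ]
    return [msg for bad, msg in findings if bad]
```

A host that maps to a realm other than the ticket's is the cross-domain case the quoted reply mentions, where a trust relationship or a same-domain machine is needed.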
