Great, I'm glad this is working. Setting up Kerberos is fiddly but once it's done you probably won't have to touch it again and you can immediately start doing a lot of things with a lot of Windows boxes.

Jon

On Thursday, August 4, 2016 at 10:01:52 AM UTC+1, fanvalt wrote:
>
> Oh the win_ping command did work, I did replace the IP address in the
> inventory file with the server name and I did comment in the krb5.conf file
> all descriptions that were not about EMEAD.COM (so many tests !!!).
>
> Thanks a lot, Jon, for your support
> Regards
>
> On Thursday, August 4, 2016 at 10:27:29 UTC+2, fanvalt wrote:
>>
>> I did correct the krb5.conf file, I did install the requests.kerberos
>> package and rerun the kinit command.
>> The klist command shows the EMEAD.COM domain.
>> But when running the ansible win_ping command, I do receive this new
>> message:
>>
>> ansible windows -i ./win.ini -m win_ping -vvvvvv
>> Using /etc/ansible/ansible.cfg as config file
>> Loaded callback minimal of type stdout, v2.0
>> <172.17.56.66> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO 172.17.56.66
>> <172.17.56.66> WINRM CONNECT: transport=kerberos endpoint=https://172.17.56.66:5986/wsman
>> <172.17.56.66> WINRM CONNECTION ERROR: authGSSClientStep() failed:
>> (('Unspecified GSS failure. Minor code may provide more information',
>> 851968), ('Server not found in Kerberos database', -1765328377))
>>
>> I guess because the server is not on the EMEAD.COM domain, there is an
>> issue? I don't understand how all this works
>>
>> Regards
>>
>> On Thursday, August 4, 2016 at 09:16:59 UTC+2, J Hawkesworth wrote:
>>>
>>> I have only ever used Kerberos support with Active Directory servers,
>>> not LDAP ones.
>>> However, I think from what you have described that your kdc will be
>>> fr.ldap-ad.dmsi.corp.com
>>> I don't think you need an admin server set up for this purpose (I don't
>>> have one set in my krb5.conf)
>>>
>>> You may have a domain alias in place in which case you may not know the
>>> canonical name for the domain you are authenticating with.
>>>
>>> I suggest you try running kinit -C [email protected]
>>> and then running klist.
>>>
>>> This should show the actual domain used to authenticate. That domain is
>>> what you will need to set up in /etc/krb5.conf and use in ansible.
>>>
>>> Also I understand it is possible to set up domain trust relationships so
>>> that users of domain A are allowed to use machines belonging to domain B.
>>> I only tried this briefly and didn't get it working and wound up
>>> setting up machines on the same domain as the user. Probably worth
>>> talking to your domain administrators to discover if you have domain
>>> trust relationships set up.
>>>
>>> I hope this helps. There is a little more information here:
>>> http://docs.ansible.com/ansible/intro_windows.html#troubleshooting-kerberos-connections
>>>
>>> Jon
>>>
>>> On Thursday, August 4, 2016 at 7:50:50 AM UTC+1, fanvalt wrote:
>>>>
>>>> Hello,
>>>>
>>>> I am new to Windows and to Kerberos. Following the
>>>> http://docs.ansible.com/ansible/intro_windows.html documentation, I
>>>> tried to configure Kerberos and then ping the Windows server without
>>>> success.
>>>>
>>>> Here is the issue:
>>>> - The credentials to connect to the Windows server are controlled by an
>>>>   LDAP server: fr.ldap-ad.dmsi.corp.com
>>>> - My Windows server's name is swin02.fr.com
>>>> - On the Windows server, my user is in an EMEAD domain
>>>> - On CentOS, I tried to configure the /etc/krb5.conf file. I don't
>>>>   understand if the LDAP server can be set in the kdc or admin_server and
>>>>   what domain has to be set (the one of the user EMEAD, of the server
>>>>   fr.com ?):
>>>>
>>>> [realms]
>>>>  EXAMPLE.COM = {
>>>>   kdc = kerberos.example.com
>>>>   admin_server = kerberos.example.com
>>>>  }
>>>>  EMEAD.COM = {
>>>>   kdc = fr.ldap-ad.dmsi.corp.com
>>>>  }
>>>>  FR.COM = {
>>>>   kdc = fr.ldap-ad.dmsi.corp.com
>>>>  }
>>>>
>>>> [domain_realm]
>>>>  example.com = EXAMPLE.COM
>>>>  emead.com = EMEAD.COM
>>>>  fr.com = FR.COM
>>>>
>>>> Thanks for your support
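
The failure and fix in this thread (an IP address in the inventory giving "Server not found in Kerberos database", resolved by using the server name) written as a pre-flight check over an inventory and a krb5.conf. This is an added example, not code from the thread or from Ansible; the function names, the sample file contents and the host swin02.emead.com are constructed, and the lookup order is modelled on MIT krb5's [domain_realm] matching.

```python
import ipaddress

# Constructed sample files, modelled on those quoted in the thread.
KRB5_CONF = """\
[realms]
 EMEAD.COM = {
  kdc = fr.ldap-ad.dmsi.corp.com
 }
[domain_realm]
 .emead.com = EMEAD.COM
"""
INVENTORY = "[windows]\n172.17.56.66\nswin02.emead.com\nswin02.fr.com\n"

def domain_realm(conf):
    """Return the [domain_realm] section of a krb5.conf as a dict."""
    mapping, section = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").strip()
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def realm_for(host, mapping):
    """Try host, then .parent, parent, ... up to the top-level label."""
    name = host.lower()
    while name and name not in mapping:
        dot = name.find(".", 1)  # next dot after the first character
        name = name[1:] if name[0] == "." else (name[dot:] if dot > 0 else "")
    return mapping.get(name)

def check_inventory(inventory, mapping):
    """Classify each inventory host for a Kerberos WinRM connection."""
    report = {}
    for raw in inventory.splitlines():
        fields = raw.split()
        if not fields or fields[0][0] in "[#;":
            continue  # skip blanks, group headers and comments
        host = fields[0]
        try:
            ipaddress.ip_address(host)
            # The service ticket is requested by name; an IP has no match.
            report[host] = "ip-literal: use the server name"
        except ValueError:
            realm = realm_for(host, mapping)
            report[host] = f"realm {realm}" if realm else "unmapped: no [domain_realm] entry"
    return report

if __name__ == "__main__":
    for host, status in check_inventory(INVENTORY, domain_realm(KRB5_CONF)).items():
        print(f"{host}: {status}")
```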
