There's actually a bug in pywinrm for older Pythons (e.g., the one in RHEL7) that is triggered by enabling Kerberos delegation. It's fixed in pywinrm 0.2.1.

On Saturday, September 17, 2016 at 6:50:01 AM UTC-7, Chandra Pandey wrote:
>
> I am getting below message after enable delegation, also pasting my,
> playbook ansible settings ... if you can review with yours?
>
> ========
> [root@dev-testser-lx01 playbooks]# vi /etc/ansible/hosts
> [root@dev-testser-lx01 playbooks]# ansible-playbook win_exchange.yml -vvvv
> Using /etc/ansible/ansible.cfg as config file
> Loaded callback default of type stdout, v2.0
>
> PLAYBOOK: win_exchange.yml *****************************************************
> 1 plays in win_exchange.yml
>
> PLAY [install] *****************************************************************
>
> TASK [install exchange] ********************************************************
> task path: /etc/ansible/playbooks/win_exchange.yml:19
> <dev-ansiblewn01.ads.xyz.com> ESTABLISH WINRM CONNECTION FOR USER: Chandra [email protected] on PORT 5986 TO dev-ansiblewn01.ads.xyz.com
> fatal: [dev-ansiblewn01.ads.xyz.com]: UNREACHABLE! => {"changed": false, "msg": "kerberos: 'module' object has no attribute 'util'", "unreachable": true}
> to retry, use: --limit @win_exchange.retry
>
> PLAY RECAP *********************************************************************
> dev-ansiblewn01.ads.xyz.com : ok=0 changed=0 unreachable=1 failed=0
>
> ====================
>
> My hosts setting
>
> [wintestserverchandra]
> dev-ansiblewn01.ads.xyz.com
> [wintestserverchandra:vars]
> ansible_ssh_user = Chandra [email protected]
> #ansible_ssh_user = ADS\Chandra Pandey
> #ansible_ssh_pass = password
> #ansible_winrm_transport = ntlm
> ansible_winrm_transport = kerberos
> ansible_winrm_kerberos_delegation = yes
> ansible_connection = winrm
> ansible_ssh_port = 5986
> ansible_winrm_server_cert_validation = ignore
> ~
> ~
>
> ================
>
> My play book
>
> ---
> - name: install
>
>   hosts: wintestserverchandra
>   gather_facts: false
>   tasks:
>     - name: install exchange
>       raw: 'D:\install\Exchange2016\.\Setup.exe /mode:Install /role:Mailbox /TargetDir:D:\Mailbox /IAcceptExchangeServerLicenseTerms'
>
> ~
> ~
> ~
> =================
>
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Chandra [email protected]
>
> Valid starting       Expires              Service principal
> 09/17/2016 09:12:06  09/17/2016 19:12:06  krbtgt/[email protected]
>         renew until 09/18/2016 09:12:03
>
> ================================
>
> On Saturday, September 17, 2016 at 4:55:37 AM UTC+5:30, Matt Davis wrote:
>>
>> Worked fine for me using Kerberos delegation:
>> ansible_winrm_transport=kerberos and ansible_winrm_kerberos_delegation=yes.
>> The setup takes so ridiculously long that I didn't try it any other way, so
>> your mileage may vary.
>>
>> -Matt
>>
>> On Friday, September 16, 2016 at 12:50:48 AM UTC-7, Chandra Pandey wrote:
>>>
>>> Hi, Thanks, will wait for your result ...
>>>
>>> On Friday, September 16, 2016 at 3:53:57 AM UTC+5:30, Matt Davis wrote:
>>>>
>>>> I'm actually undertaking the same task this week for a PoC demo, so
>>>> I'll let you know if I figure out the magic incantations to get it
>>>> working.
>>>> :)
>>>>
>>>> -Matt
>>>>
>>>> On Monday, September 12, 2016 at 12:48:49 PM UTC-7, Chandra Pandey wrote:
>>>>>
>>>>> I get error while installing fresh exchange 2016 server using ansible
>>>>> ---
>>>>>
>>>>> ExchangeSetup.log Error
>>>>>
>>>>> Active Directory operation failed on . The supplied credential for
>>>>> 'ADS\Chandra Pandey' is invalid.
>>>>> [09/12/2016 19:34:45.0055] [0] The supplied credential is invalid >>>>> >>>>> >>>>> Ansible Error: >>>>> >>>>> <dev-01.xyz.com> WINRM RESULT u'<Response code 0, out >>>>> "C:\\Users\\Chandra Pan", err "">' >>>>> <dev-01.xyz.com> PUT "/etc/ansible/playbooks/exch.ps1" TO >>>>> "C:\Users\Chandra >>>>> Pandey\AppData\Local\Temp\ansible-tmp-1473708846.5-280345779333025\exch.ps1" >>>>> <dev-01.xyz.com> WINRM PUT "/etc/ansible/playbooks/exch.ps1" to >>>>> "C:\Users\Chandra >>>>> Pandey\AppData\Local\Temp\ansible-tmp-1473708846.5-280345779333025\exch.ps1" >>>>> >>>>> (offset=121 size=121) >>>>> <dev-01.xyz.com> EXEC & 'C:\Users\Chandra >>>>> Pandey\AppData\Local\Temp\ansible-tmp-1473708846.5-280345779333025\exch.ps1' >>>>> <dev-01.xyz.com> WINRM EXEC 'PowerShell' ['-NoProfile', >>>>> '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', >>>>> 'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABDAGgAYQBuAGQAcgBhACAAUABhAG4AZABlAHkAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMANwAwADgAOAA0ADYALgA1AC0AMgA4ADAAMwA0ADUANwA3ADkAMwAzADMAMAAyADUAXABlAHgAYwBoAC4AcABzADEAJwA='] >>>>> <dev-01.xyz.com> WINRM RESULT u'<Response code 0, out "\r\nWelcome to >>>>> Microso", err "There is a pending r">' >>>>> <dev-01.xyz.com> EXEC Set-StrictMode -Version Latest >>>>> Remove-Item "C:\Users\Chandra >>>>> Pandey\AppData\Local\Temp\ansible-tmp-1473708846.5-280345779333025" >>>>> -Force >>>>> -Recurse; >>>>> <dev-01.xyz.com> WINRM EXEC u'PowerShell' [u'-NoProfile', >>>>> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', >>>>> u'-EncodedCommand', >>>>> 
u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEMAaABhAG4AZAByAGEAIABQAGEAbgBkAGUAeQBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADcAMwA3ADAAOAA4ADQANgAuADUALQAyADgAMAAzADQANQA3ADcAOQAzADMAMwAwADIANQAiACAALQBGAG8AcgBjAGUAIAAtAFIAZQBjAHUAcgBzAGUAOwA='] >>>>> <dev-01.xyz.com> WINRM RESULT u'<Response code 0, out "", err "">' >>>>> <dev-01.xyz.com> WINRM CLOSE SHELL: >>>>> 2304FF63-3899-4A5F-AA24-67A3E8DAF0B1 >>>>> changed: [dev-01.xyz.com] => {"changed": true, "invocation": >>>>> {"module_args": {"_raw_params": "exch.ps1"}, "module_name": "script"}, >>>>> "rc": 0, "stderr": "There is a pending reboot from a previous >>>>> installation >>>>> of a Windows Server role or feature. Please restart the computer and then >>>>> run Setup again.\r\nYou must be a member of the 'Organization Management' >>>>> role group or a member of the 'Enterprise Admins' group to >>>>> continue.\r\nYou >>>>> must use an account that's a member of the Organization Management role >>>>> group to install or upgrade the first Mailbox server role in the >>>>> topology.\r\nYou must use an account that's a member of the Organization >>>>> Management role group to install the first Client Access server role in >>>>> the >>>>> topology.\r\nYou must use an account that's a member of the Organization >>>>> Management role group to install the first Client Access server role in >>>>> the >>>>> topology.\r\nYou must use an account that's a member of the Organization >>>>> Management role group to install or upgrade the first Mailbox server role >>>>> in the topology.\r\nYou must use an account that's a member of the >>>>> Organization Management role group to install or upgrade the first Client >>>>> Access server role in the topology.\r\nYou must use an account that's a >>>>> member of the Organization Management role group to install the first >>>>> Mailbox server 
role in the topology.\r\nSetup encountered a problem while >>>>> validating the state of Active Directory: Active Directory operation >>>>> failed >>>>> on . The supplied credential for 'ADS\\Chandra Pandey' is invalid. See >>>>> the >>>>> Exchange setup log for more information on this error.\r\nEither Active >>>>> Directory doesn't exist, or it can't be contacted.\r\n", "stdout": >>>>> "\r\nWelcome to Microsoft Exchange Server 2016 Unattended >>>>> Setup\r\n\r\nCopying Files...\r\nFile copy complete.\r\nSetup will now >>>>> collect additional information needed for installation.\r\n\r\n >>>>> Languages\r\n Management tools\r\n Mailbox role: Transport >>>>> service\r\n Mailbox role: Client Access service\r\n Mailbox role: >>>>> Unified Messaging service\r\n Mailbox role: Mailbox service\r\n >>>>> Mailbox role: Front End Transport service\r\n Mailbox role: Client >>>>> Access Front End service\r\n\r\nPerforming Microsoft Exchange Server >>>>> Prerequisite Check\r\n\r\n Configuring Prerequisites ... COMPLETED\r\n >>>>> Prerequisite Analysis\r\n\r\nThe Exchange Server setup operation didn't >>>>> complete. More details can be found in ExchangeSetup.log located in the >>>>> <SystemDrive>:\\ExchangeSetupLogs folder.\r\n", "stdout_lines": ["", >>>>> "Welcome to Microsoft Exchange Server 2016 Unattended Setup", "", >>>>> "Copying >>>>> Files...", "File copy complete.", "Setup will now collect additional >>>>> information needed for installation.", "", " Languages", " >>>>> Management tools", " Mailbox role: Transport service", " Mailbox >>>>> role: Client Access service", " Mailbox role: Unified Messaging >>>>> service", " Mailbox role: Mailbox service", " Mailbox role: Front >>>>> End Transport service", " Mailbox role: Client Access Front End >>>>> service", "", "Performing Microsoft Exchange Server Prerequisite Check", >>>>> "", " Configuring Prerequisites ... COMPLETED", " Prerequisite Analysis", >>>>> "", "The Exchange Server setup operation didn't complete. 
More details >>>>> can >>>>> be found in ExchangeSetup.log located in the >>>>> <SystemDrive>:\\ExchangeSetupLogs folder."]} >>>>> >>>>> >>>>> ========== >>>>> >>>>> event errors: >>>>> >>>>> The description for Event ID 4027 from source MSExchange ADAccess >>>>> cannot be found. Either the component that raises this event is not >>>>> installed on your local computer or the installation is corrupted. You >>>>> can >>>>> install or repair the component on the local computer. >>>>> >>>>> If the event originated on another computer, the display information >>>>> had to be saved with the event. >>>>> >>>>> The following information was included with the event: >>>>> >>>>> ExSetup.exe >>>>> 7044 >>>>> Get Servers for ads.xyz.com >>>>> TopologyClientTcpEndpoint (localhost) >>>>> 3 >>>>> System.ServiceModel.EndpointNotFoundException: Could not connect to >>>>> net.tcp://localhost:890/Microsoft.Exchange.Directory.TopologyService. The >>>>> connection attempt lasted for a time span of 00:00:02.0468972. TCP error >>>>> code 10061: No connection could be made because the target machine >>>>> actively >>>>> refused it [::1]:890. 
---> System.Net.Sockets.SocketException: No >>>>> connection could be made because the target machine actively refused it >>>>> [::1]:890 >>>>> at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, >>>>> SocketAddress socketAddress) >>>>> at System.Net.Sockets.Socket.Connect(EndPoint remoteEP) >>>>> at >>>>> System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, >>>>> TimeSpan timeout) >>>>> --- End of inner exception stack trace --- >>>>> >>>>> Server stack trace: >>>>> at >>>>> System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, >>>>> TimeSpan timeout) >>>>> at >>>>> System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, >>>>> TimeSpan timeout) >>>>> at >>>>> System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan >>>>> >>>>> timeout) >>>>> at >>>>> System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan >>>>> >>>>> timeout) >>>>> at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan >>>>> timeout) >>>>> at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan >>>>> timeout) >>>>> at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan >>>>> timeout) >>>>> >>>>> Exception rethrown at [0]: >>>>> at >>>>> System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage >>>>> reqMsg, IMessage retMsg) >>>>> at >>>>> System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& >>>>> msgData, Int32 type) >>>>> at System.ServiceModel.ICommunicationObject.Open() >>>>> at Microsoft.Exchange.Net.ServiceProxyPool`1.GetClient(Int32 retry, >>>>> Boolean& doNotReturnProxyAfterRetry, Boolean useCache) >>>>> at >>>>> Microsoft.Exchange.Net.ServiceProxyPool`1.TryCallServiceWithRetry(Action`1 >>>>> >>>>> action, String debugMessage, WCFConnectionStateTuple proxyToUse, Int32 >>>>> numberOfRetries, Boolean doNotReturnProxyOnSuccess, Exception& exception) >>>>> >>>>> the message resource is present but the message is not found in 
the >>>>> string/message table >>>>> >>>>> >>>>> ====================== >>>>> >>>>> The description for Event ID 106 from source MSExchange Common cannot >>>>> be found. Either the component that raises this event is not installed on >>>>> your local computer or the installation is corrupted. You can install or >>>>> repair the component on the local computer. >>>>> >>>>> If the event originated on another computer, the display information >>>>> had to be saved with the event. >>>>> >>>>> The following information was included with the event: >>>>> >>>>> 1 >>>>> Base for Average Latency >>>>> MSExchange ServiceProxyPool >>>>> The exception thrown is : System.InvalidOperationException: The >>>>> requested Performance Counter is not a custom counter, it has to be >>>>> initialized as ReadOnly. >>>>> at System.Diagnostics.PerformanceCounter.InitializeImpl() >>>>> at System.Diagnostics.PerformanceCounter.IncrementBy(Int64 value) >>>>> at >>>>> Microsoft.Exchange.Diagnostics.ExPerformanceCounter.IncrementBy(Int64 >>>>> incrementValue) >>>>> Last worker process info : Last worker process info not available! 
>>>>> Processes running while Performance counter failed to update: >>>>> Performance Counters Layout information: FileMappingNotFoundException >>>>> for category MSExchange ServiceProxyPool : >>>>> Microsoft.Exchange.Diagnostics.FileMappingNotFoundException: Cound not >>>>> 
open
>>>>> File mapping for name Global\netfxcustomperfcounters.1.0msexchange serviceproxypool. Error Details: 2
>>>>>    at Microsoft.Exchange.Diagnostics.FileMapping.OpenFileMapping(String name, Boolean writable)
>>>>>    at Microsoft.Exchange.Diagnostics.PerformanceCounterMemoryMappedFile.Initialize(String fileMappingName, Boolean writable)
>>>>>    at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetAllInstancesLayout(String categoryName)
>>>>>
>>>>> the message resource is present but the message is not found in the
>>>>> string/message table
>>>>>
>>>>> ============================
>>>>>
>>>>> Login Successful on system
>>>>>
>>>>> An account was successfully logged on.
>>>>>
>>>>> Subject:
>>>>>     Security ID: NULL SID
>>>>>     Account Name: -
>>>>>     Account Domain: -
>>>>>     Logon ID: 0x0
>>>>>
>>>>> Logon Type: 3
>>>>>
>>>>> Impersonation Level: Impersonation
>>>>>
>>>>> New Logon:
>>>>>     Security ID: ADS\Chandra Pandey
>>>>>     Account Name: Chandra Pandey
>>>>>     Account Domain: ADS
>>>>>     Logon ID: 0xD475400
>>>>>     Logon GUID: {10046cb6-9f06-048b-d251-f66c2878fa16}
>>>>>
>>>>> Process Information:
>>>>>     Process ID: 0x0
>>>>>     Process Name: -
>>>>>
>>>>> Network Information:
>>>>>     Workstation Name:
>>>>>     Source Network Address: -
>>>>>     Source Port: -
>>>>>
>>>>> Detailed Authentication Information:
>>>>>     Logon Process: Kerberos
>>>>>     Authentication Package: Kerberos
>>>>>     Transited Services: -
>>>>>     Package Name (NTLM only): -
>>>>>     Key Length: 0
>>>>>
>>>>> This event is generated when a logon session is created. It is
>>>>> generated on the computer that was accessed.
>>>>>
>>>>> The subject fields indicate the account on the local system which
>>>>> requested the logon. This is most commonly a service such as the Server
>>>>> service, or a local process such as Winlogon.exe or Services.exe.
>>>>>
>>>>> The logon type field indicates the kind of logon that occurred. The
>>>>> most common types are 2 (interactive) and 3 (network).
>>>>>
>>>>> The New Logon fields indicate the account for whom the new logon was
>>>>> created, i.e. the account that was logged on.
>>>>>
>>>>> The network fields indicate where a remote logon request originated.
>>>>> Workstation name is not always available and may be left blank in some
>>>>> cases.
>>>>>
>>>>> The impersonation level field indicates the extent to which a process
>>>>> in the logon session can impersonate.
>>>>>
>>>>> The authentication information fields provide detailed information
>>>>> about this specific logon request.
>>>>> - Logon GUID is a unique identifier that can be used to correlate this
>>>>> event with a KDC event.
>>>>> - Transited services indicate which intermediate services have
>>>>> participated in this logon request.
>>>>> - Package name indicates which sub-protocol was used among the NTLM
>>>>> protocols.
>>>>> - Key length indicates the length of the generated session key. This
>>>>> will be 0 if no session key was requested.
>>>>>
>>>>> ===================
>>>>>
>>>>> Special privileges assigned to new logon.
>>>>>
>>>>> Subject:
>>>>>     Security ID: ADS\Chandra Pandey
>>>>>     Account Name: Chandra Pandey
>>>>>     Account Domain: ADS
>>>>>     Logon ID: 0xD475400
>>>>>
>>>>> Privileges: SeSecurityPrivilege
>>>>>     SeBackupPrivilege
>>>>>     SeRestorePrivilege
>>>>>     SeTakeOwnershipPrivilege
>>>>>     SeDebugPrivilege
>>>>>     SeSystemEnvironmentPrivilege
>>>>>     SeLoadDriverPrivilege
>>>>>     SeImpersonatePrivilege
>>>>>     SeEnableDelegationPrivilege
>>>>>
>>>>> =====================================================
>>>>>
>>>>> I am part of "Organization Management role group" in AD
>>>>>
>>>>> I am able to run ansible commands for dev-01 server with same
>>>>> ads\chandra pandey credentials but can't install exchange
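
Added example (not part of the thread, and not code from Ansible or pywinrm): a pre-flight check for the control node that reads `[group:vars]` sections like the inventory quoted above and flags Kerberos delegation combined with a pywinrm older than the 0.2.1 fix named in the reply, plus `ansible_winrm_server_cert_validation = ignore`, which turns off TLS server certificate checking. The sample inventory, host and user names, and the finding texts are constructed for illustration; the version check is conservative, since the reply says the bug only affects older Pythons.

```python
import configparser
import re

FIXED_PYWINRM = (0, 2, 1)  # release the reply names as containing the fix
TRUTHY = {"yes", "true", "1", "on"}

# Constructed inventory modelled on the one quoted in the thread;
# host, group and user names are placeholders.
SAMPLE_INVENTORY = """\
[winservers]
win01.example.com

[winservers:vars]
ansible_ssh_user = deploy@EXAMPLE.COM
#ansible_winrm_transport = ntlm
ansible_winrm_transport = kerberos
ansible_winrm_kerberos_delegation = yes
ansible_connection = winrm
ansible_ssh_port = 5986
ansible_winrm_server_cert_validation = ignore
"""


def parse_version(text):
    """Turn '0.2.0' into (0, 2, 0); stop at the first non-numeric part."""
    nums = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        nums.append(int(match.group()))
    return tuple(nums)


def group_vars(inventory_text):
    """Return {group: {var: value}} for each [group:vars] section."""
    parser = configparser.ConfigParser(
        allow_no_value=True, interpolation=None, delimiters=("=",))
    parser.read_string(inventory_text)
    return {name[:-len(":vars")]: dict(parser[name])
            for name in parser.sections() if name.endswith(":vars")}


def audit(inventory_text, pywinrm_version):
    """Return (group, finding) pairs for groups that connect over WinRM."""
    too_old = parse_version(pywinrm_version) < FIXED_PYWINRM
    findings = []
    for group, v in sorted(group_vars(inventory_text).items()):
        if v.get("ansible_connection") != "winrm":
            continue
        kerberos = v.get("ansible_winrm_transport") == "kerberos"
        delegation = (v.get("ansible_winrm_kerberos_delegation") or "").lower() in TRUTHY
        if delegation and not kerberos:
            findings.append((group, "delegation set but transport is not kerberos"))
        if delegation and kerberos and too_old:
            findings.append((group, "delegation needs pywinrm >= 0.2.1"))
        if v.get("ansible_winrm_server_cert_validation") == "ignore":
            findings.append((group, "TLS server certificate is not validated"))
    return findings


if __name__ == "__main__":
    for version in ("0.2.0", "0.2.1"):
        print(version, audit(SAMPLE_INVENTORY, version))
```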
