Kerberos is highly dependent on DNS and name->realm mapping; you need to use the host's FQDN, not its IP, unless you've hacked up your krb5.conf and DNS infra significantly to support that.
On Thursday, October 20, 2016 at 10:00:45 AM UTC-7, Alf Normann Klausen wrote:
>
> Hi,
>
> I think I have the exact same problem.
> Running ansible 2.1.1.0-1.el7 on CentOS 7.2.1511
>
> Here is an example of ansible command output:
>
> [[email protected]@tvm-alfkla ~]$ ansible -i hosts TVM-ALF2012R2 -m
> win_ping -vvvvv
> Using /etc/ansible/ansible.cfg as config file
> Loaded callback minimal of type stdout, v2.0
> <192.168.4.225> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on
> PORT 5985 TO 192.168.4.225
> <192.168.4.225> WINRM CONNECT: transport=kerberos endpoint=http://
> 192.168.4.225:5985/wsman
> <192.168.4.225>
> WINRM CONNECTION ERROR: authGSSClientStep() failed: (('Unspecified GSS
> failure. Minor code may provide more information', 851968), ('Server
> not found in Kerberos database', -1765328377))
> Traceback (most recent call last):
> File
> "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py",
> line 151, in _winrm_connect
> self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
> File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in
> open_shell
> res = self.send_message(xmltodict.unparse(req))
> File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in
> send_message
> return self.transport.send_message(message)
> File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 170, in
> send_message
> prepared_request = self.session.prepare_request(request)
> File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 394,
> in prepare_request
> hooks=merge_hooks(request.hooks, self.hooks),
> File "/usr/lib/python2.7/site-packages/requests/models.py", line 298, in
> prepare
> self.prepare_auth(auth, url)
> File "/usr/lib/python2.7/site-packages/requests/models.py", line 500, in
> prepare_auth
> r = auth(self)
> File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py",
> line 318, in __call__
> auth_header = self.generate_request_header(None, host, is_preemptive=
> True)
> File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py",
> line 158, in generate_request_header
> raise KerberosExchangeError("%s failed: %s" % (kerb_stage, str(error.
> args)))
> KerberosExchangeError:
> authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may
> provide more information', 851968), ('Server not found in Kerberos
> database', -1765328377))
>
> TVM-ALF2012R2 | UNREACHABLE! => {
> "changed": false,
>
> "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS
> failure. Minor code may provide more information', 851968), ('Server
> not found in Kerberos database', -1765328377))",
> "unreachable": true
> }
>
> The kerberos ticket is ok:
> [[email protected]@tvm-alfkla ~]$ klist
> Ticket cache: KEYRING:persistent:1015602603:1015602603
> Default principal: [email protected]
>
> Valid starting Expires Service principal
> 20. okt. 2016 13:06 20. okt. 2016 23:06 krbtgt/[email protected]
> renew until 27. okt. 2016 13:06
>
> The inventory is like this:
>
> [[email protected]@tvm-alfkla ~]$ grep ^TVM-ALF2012R2 hosts
>
> TVM-ALF2012R2 ansible_host=192.168.4.225 [email protected]
> ansible_password=xXxXxXxXx ansible_port=5985 ansible_connection=winrm
> ansible_winrm_transport=kerberos ansible_winrm_kerberos_delegation=yes
>
> Any clue why this happens?
>
> All help will be highly appreciated! :o)
>
> Kind regards,
>
> Alf Normann Klausen
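An added example, not part of the thread or of Ansible itself: a small Python check that flags INI inventory hosts combining the Kerberos WinRM transport with an IP-literal connection target, the combination behind the "Server not found in Kerberos database" error quoted above. The sample inventory is constructed; `web01.example.com` and `db01` are made-up hosts, and the check only reads variables set on the host line.

```python
import ipaddress
import shlex

# Constructed sample, modelled on the host line quoted in the thread
# (credentials omitted; web01 and db01 are made-up hosts).
SAMPLE_INVENTORY = """\
[windows]
TVM-ALF2012R2 ansible_host=192.168.4.225 ansible_port=5985 ansible_connection=winrm ansible_winrm_transport=kerberos
web01 ansible_host=web01.example.com ansible_connection=winrm ansible_winrm_transport=kerberos
db01 ansible_host=10.0.0.7 ansible_connection=winrm ansible_winrm_transport=ntlm
"""


def is_ip_literal(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        return False


def parse_host_line(line):
    """Split an INI inventory host line into (name, {var: value}).
    Returns None for blanks, comments, [section] headers and bare var lines."""
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0].startswith("[") or "=" in tokens[0]:
        return None
    host_vars = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
    return tokens[0], host_vars


def find_kerberos_ip_targets(inventory_text):
    """Return (name, target) pairs where Kerberos would be asked for a
    service ticket named after an IP address instead of a hostname."""
    findings = []
    for line in inventory_text.splitlines():
        parsed = parse_host_line(line)
        if parsed is None:
            continue
        name, host_vars = parsed
        if host_vars.get("ansible_winrm_transport") != "kerberos":
            continue
        # Ansible connects to ansible_host if set, else the inventory name.
        target = host_vars.get("ansible_host", name)
        if is_ip_literal(target):
            findings.append((name, target))
    return findings


if __name__ == "__main__":
    for name, target in find_kerberos_ip_targets(SAMPLE_INVENTORY):
        print(f"{name}: Kerberos transport with IP target {target}; use the FQDN")
```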
