Hi,
I posted a similar question over on Stack Overflow but without any helpful
replies so I thought I'd try this group too... I don't think it is an
Ansible question per se but has arisen from our use of Ansible.
We have Windows servers with two NICs, two separate IPs and two FQDNs in
DNS, e.g.
> SERVER01.ADdomain.company.corp [10.0.0.1]
> SERVER01.management.company.corp [192.168.0.1]
Both are configured in Windows and I can RDP, Telnet, HTTP or whatever to
both names and both IPs (assuming firewalls & routing are configured
correctly and there is something listening on the relevant ports). This
set-up is primarily to enable our management traffic (e.g. Backups) to
communicate over an alternative NIC to the primary traffic.
WinRM has been configured (using the ConfigureRemotingForAnsible.ps1
script) and I can prove that it works if I use Ansible or PowerShell on the
AD name:
> $ ansible -m win_ping SERVER01.ADdomain.company.corp
> SERVER01.ADdomain.company.corp | SUCCESS => {
> "changed": false,
> "ping": "pong"
> }
> PS> Invoke-Command -scriptblock{hostname} -ComputerName SERVER01.ADdomain.company.corp
> SERVER01
My problems come when I try to use the other FQDN. Ansible returns:
> SERVER01.management.company.corp | UNREACHABLE! => {
> "changed": false,
> "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS
> failure. Minor code may provide more information', 851968), ('Server not
> found in Kerberos database', -1765328377)), ssl: the specified credentials
> were rejected by the server",
> "unreachable": true
> }
And PowerShell sayeth:
> [SERVER01.management.company.corp] Connecting to remote server
> SERVER01.management.company.corp failed with the following error message :
> WinRM cannot process the request. The following error occurred while using
> Kerberos authentication: Cannot find the computer
> SERVER01.management.company.corp. Verify that the computer exists on the
> network and that the name provided is spelled correctly. For more
> information, see the about_Remote_Troubleshooting
> Help topic.
> + CategoryInfo : OpenError:
> (SERVER01.management.company.corp:String) [], PSRemotingTransportException
> + FullyQualifiedErrorId : NetworkPathNotFound,PSSessionStateBroken
From reading about this I think it is because the Kerberos Authentication
that WinRM uses only works on the AD name but my question is this: Is there
any way to get the Ansible/WinRM/PowerShell working using the second FQDN?
If not, why not? Any documents (particularly from Ansible and/or Microsoft)
to back this up would be appreciated.
Cheers
Phil